File name:	morfo.ps1
Full analysis:	https://app.any.run/tasks/5f94fcb9-047b-40bd-b7af-04721fc87269
Verdict:	Malicious activity
Analysis date:	August 19, 2024, 11:47:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	uac
Indicators:
MIME:	text/plain
File info:	awk or perl script, ASCII text, with very long lines (456), with CRLF line terminators
MD5:	917EFED758540421969CE3BC1D2E9F3C
SHA1:	57D8DFAB38778BB641A81D3C8B41235B76CDA331
SHA256:	56F1D4991DB55921F1521AFAF6102EF45CBBE50643DC26FDC0B842F9809BA956
SSDEEP:	768:GN/VnhcaKWyW+ud7/r6jbw8GlftuLGuIwIcLMV8GGGMrGMbGb7Y4X5uGLMVadRrr:A/VnhcaKWyW+ud7/r6jbw8GlftuLGuI7


(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6772) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
6772	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kecvwt6_E.lnk		binary
		MD5:5FF8369696B0888B97449370224356DE	SHA256:DAF09C1842FF20AAE9EA9675A55D4E87120E0B1B0DE6BAF7B865B3AADF9EDDE4
6772	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hhe51nzp.zyd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6772	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF11e675.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6772	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_kecvwt6_EEX.lnk		binary
		MD5:949A05866AFF6019CA778E6B063FF953	SHA256:7AA502D1C78C537E30820DA751C73DEA6046D50C6C0A9C0DFAAFC238A45F95EA
1544	PLUGScheduler.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.034.etl		etl
		MD5:673727AF7C6805E869C9F8BE1E468F4A	SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
6772	powershell.exe	C:\Users\Public\DESKTOP-JGLLJLD_kecvwt6_E.cmd		text
		MD5:2B57F2FFEA260CF78D312C1D4604554B	SHA256:42C8B0946954216D011F0324F24428DE4D588896666619A266CFBEB92E2D771F
6772	powershell.exe	C:\_kecvwt6_E\DESKTOP-JGLLJLD_kecvwt6_E		text
		MD5:F33BB3F1B71C05FC8DAA3B0908BE3DCA	SHA256:EBDA232FC01D4837B77EC30597945B103B45245714A6FE6AFE0D198010F21195
6772	powershell.exe	C:\_kecvwt6_E\DESKTOP-JGLLJLD_kecvwt6_Ey		text
		MD5:9C2D3D09140EEEB2EFE40F876D44E1B0	SHA256:72B3480265246FB30775BD6C6DF814C48D07FF8A2AF3CD3BB28AC61119D88734
6772	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSARJUIIQK6TIZ3M55NF.temp		binary
		MD5:FF57E1539533D974E39E4BEA24E3A3F5	SHA256:C3B0ED2B81420B38D60B61041A567DF7D26251A76F60C35053447F3DCDEC3C73
6772	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_npajmttx.mdq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	142.250.181.234:443	https://firebasestorage.googleapis.com/v0/b/fir-24d72.appspot.com/o/m3107_2.zip?alt=media&token=723cb6de-15d5-4a22-ae2f-d2cc55a932bd	unknown	—	—	—
—	—	GET	—	52.109.28.46:443	https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.16026&crev=3	unknown	—	—	—
—	—	GET	—	104.126.37.139:443	https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js	unknown	—	—	—
—	—	GET	—	52.113.194.132:443	https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16026.20140/Production/CC?&Clientid=%7b48BA7FDF-353C-4FE5-8D8F-9E31911A3891%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16026.20140&MsoVersion=16.0.16026.20140&ProcessName=officeclicktorun.exe&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bDAFC659E-E159-42E3-B1D1-CA8C8FBC9E12%7d&LabMachine=false	unknown	—	—	—
—	—	GET	—	104.126.37.153:443	https://r.bing.com/rb/4N/jnc,nj/Btu7tBP0vQIHDIMxag4vCxAtQuY.js?bu=FrUs9Sr8AYYriiuMK44rsyu8LIIs_BGeLKQswCz8AfwBpCjlK_oR8RH5K-or&or=w	unknown	—	—	—
—	—	GET	—	104.126.37.146:443	https://www.bing.com/fd/ls/l?IG=20335616391A4B11A19BD0AB436D38BF&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}]	unknown	—	—	—
—	—	GET	—	104.126.37.160:443	https://www.bing.com/manifest/threshold.appcache	unknown	—	—	—
—	—	GET	—	104.126.37.153:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	—	—	—
—	—	GET	—	104.126.37.139:443	https://www.bing.com/manifest/threshold.appcache	unknown	—	—	—
—	—	GET	—	93.127.200.211:443	https://fsnat.shop/a/08/150822/up/up	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5464	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5904	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5464	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4324	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6772	powershell.exe	195.35.14.157:80	—	—	US	unknown
6772	powershell.exe	172.217.18.10:443	firebasestorage.googleapis.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.186.142	whitelisted
firebasestorage.googleapis.com	172.217.18.10 142.250.184.202 142.250.185.170 142.250.186.170 172.217.16.202 142.250.74.202 142.250.184.234 142.250.185.202 142.250.185.138 142.250.185.234 142.250.181.234 142.250.186.42 142.250.186.74 142.250.186.106 142.250.185.74 142.250.185.106	whitelisted
self.events.data.microsoft.com	51.116.246.104 20.42.73.28	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.113.194.132	whitelisted
r.bing.com	104.126.37.153 104.126.37.147 104.126.37.152 104.126.37.155 104.126.37.161 104.126.37.162 104.126.37.146 104.126.37.160 104.126.37.139	whitelisted
www.bing.com	104.126.37.153 104.126.37.147 104.126.37.152 104.126.37.155 104.126.37.161 104.126.37.162 104.126.37.146 104.126.37.160 104.126.37.139	whitelisted
fsnat.shop	93.127.200.211	unknown

General Info

morfo.ps1

917EFED758540421969CE3BC1D2E9F3C

57D8DFAB38778BB641A81D3C8B41235B76CDA331

56F1D4991DB55921F1521AFAF6102EF45CBBE50643DC26FDC0B842F9809BA956

768:GN/VnhcaKWyW+ud7/r6jbw8GlftuLGuIwIcLMV8GGGMrGMbGb7Y4X5uGLMVadRrr:A/VnhcaKWyW+ud7/r6jbw8GlftuLGuI7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Bypass User Account Control (Modify registry)

Create files in the Startup directory

SUSPICIOUS

Uses base64 encoding (POWERSHELL)

Process drops legitimate windows executable

Drops the executable file immediately after the start

The process executes via Task Scheduler

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Application launched itself

Starts POWERSHELL.EXE for commands execution

The system shut down or reboot

The process bypasses the loading of PowerShell profile settings

Changes default file association

Extracts files to a directory (POWERSHELL)

INFO

Disables trace logs

Checks proxy server information

Converts byte array into Unicode string (POWERSHELL)

Script raised an exception (POWERSHELL)

Uses string replace method (POWERSHELL)

Creates files in the program directory

Checks if a key exists in the options dictionary (POWERSHELL)

Checks supported languages

Reads the computer name

Manual execution by a user

Gets or sets the time when the file was last written to (POWERSHELL)

Gets data length (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings