Analysis
- max time kernel: 146s
- max time network: 94s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-09-2021 17:15

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: currCurrPl.hta; Resource: win7-en)
- Behavioral task: behavioral2 (Sample: currCurrPl.hta; Resource: win10v20210408)
General
- Target: currCurrPl.hta
- Size: 2KB
- MD5: 29218d420ce0c0f84c301c035801f6ff
- SHA1: e61258fb5fc9ce9b814b276298885fee5e16083d
- SHA256: d869fccdb3807528fb62cabc388d4ad9da641fc3354c4432ce2a93ce99e43d3c
- SHA512: 591ee976ab70304faf1283dedea6101cd0b592560984dd60d70e5aabd0e20bb1e24e8f281414a51f7eff842802bd1901b118170431b50720cfad80e4e0c29ea3
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process): 4, 808, mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 1180, regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process): 1844, 1180, WerFault.exe, regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process): 1844, WerFault.exe (the same entry is recorded 13 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege, 1844, WerFault.exe
    Token: SeBackupPrivilege, 1844, WerFault.exe
    Token: SeDebugPrivilege, 1844, WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 808 wrote to memory of 1180, 808, mshta.exe, regsvr32.exe (the same entry is recorded 3 times)
Processes
- [1] C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\currCurrPl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regsvr32.exe (child of [1])
    Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\currCurrPl.jpg
    - Loads dropped DLL
    - [3] C:\Windows\SysWOW64\WerFault.exe (child of [2])
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\users\public\currCurrPl.jpg
- \Users\Public\currCurrPl.jpg
  (the same dropped file is recorded under both paths, with identical hashes)
  MD5: 165522e8cb0945dbf3a60c921df1ba07
  SHA1: 4f10a6f422523ca036554f91cc32da51870b03a9
  SHA256: 8917043b066a499355584bc93535ff98388c702dc9af145df2db1133a21d4f57
  SHA512: 388d6bc4b2241d36e019c0453ba375d5b7c345247b5804368705cb6eaca7326aa64330d024d3437db49e8cac9626a124e3d94bdb1035f67a8ca69e877254d453
Memory dumps (pid 1180, regsvr32.exe)
- memory/1180-114-0x0000000000000000-mapping.dmp
- memory/1180-117-0x0000000010000000-0x0000000010004000-memory.dmp (Filesize: 16KB)
- memory/1180-120-0x0000000003380000-0x00000000033B8000-memory.dmp (Filesize: 224KB)
- memory/1180-122-0x0000000003400000-0x0000000003445000-memory.dmp (Filesize: 276KB)