d869fccdb3807528fb62cabc388d4ad9da641fc3354c4432ce2a93ce99e43d3c

General

Target

currCurrPl.hta
Size

2KB
MD5

29218d420ce0c0f84c301c035801f6ff
SHA1

e61258fb5fc9ce9b814b276298885fee5e16083d
SHA256

d869fccdb3807528fb62cabc388d4ad9da641fc3354c4432ce2a93ce99e43d3c
SHA512

591ee976ab70304faf1283dedea6101cd0b592560984dd60d70e5aabd0e20bb1e24e8f281414a51f7eff842802bd1901b118170431b50720cfad80e4e0c29ea3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

4 808 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1180 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1844 1180 WerFault.exe regsvr32.exe

flow	pid	process
4	808	mshta.exe

pid	process
1180	regsvr32.exe

pid	pid_target	process	target process
1844	1180	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1844 WerFault.exe
Token: SeBackupPrivilege 1844 WerFault.exe
Token: SeDebugPrivilege 1844 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1844	WerFault.exe
Token: SeBackupPrivilege	1844	WerFault.exe
Token: SeDebugPrivilege	1844	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 808 wrote to memory of 1180	808	mshta.exe	regsvr32.exe
PID 808 wrote to memory of 1180	808	mshta.exe	regsvr32.exe
PID 808 wrote to memory of 1180	808	mshta.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\currCurrPl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\currCurrPl.jpg
2⤵
- Loads dropped DLL
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\public\currCurrPl.jpg
MD5
165522e8cb0945dbf3a60c921df1ba07

SHA1
4f10a6f422523ca036554f91cc32da51870b03a9

SHA256
8917043b066a499355584bc93535ff98388c702dc9af145df2db1133a21d4f57

SHA512
388d6bc4b2241d36e019c0453ba375d5b7c345247b5804368705cb6eaca7326aa64330d024d3437db49e8cac9626a124e3d94bdb1035f67a8ca69e877254d453

Download Submit
\Users\Public\currCurrPl.jpg
MD5
165522e8cb0945dbf3a60c921df1ba07

SHA1
4f10a6f422523ca036554f91cc32da51870b03a9

SHA256
8917043b066a499355584bc93535ff98388c702dc9af145df2db1133a21d4f57

SHA512
388d6bc4b2241d36e019c0453ba375d5b7c345247b5804368705cb6eaca7326aa64330d024d3437db49e8cac9626a124e3d94bdb1035f67a8ca69e877254d453

Download Submit
memory/1180-114-0x0000000000000000-mapping.dmp

Download
memory/1180-117-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/1180-120-0x0000000003380000-0x00000000033B8000-memory.dmp

Filesize
224KB

Download
memory/1180-122-0x0000000003400000-0x0000000003445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing