c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2

Analysis

Target

youTube.hta
Size

3KB
MD5

55d9eab53d4063a53b6ed05f7b1e75e7
SHA1

e6b4c81676d3ef0d2f7d08a6cc2ad90eb54908c3
SHA256

c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2
SHA512

e90768d87c7b191d41d3944957725db0e1f29fa865e24fd7308656fc9249ca0a5d1bd0abeda3bbc68528efc0ce6bc3a79eb434c375fd5c6ec90455c6e19a74f9

Score

8^/10

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

13 2704 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
13	2704	mshta.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 2704 wrote to memory of 1528	2704	mshta.exe	regsvr32.exe
PID 2704 wrote to memory of 1528	2704	mshta.exe	regsvr32.exe
PID 2704 wrote to memory of 1528	2704	mshta.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
  2⤵
  PID:1528

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\??\c:\users\public\dowNext.jpg

MD5
b5ff4c0f214fdf079ae6d835f046b7c5

SHA1
fc1f09a696c92d366e4868a35a5afa79129b12be

SHA256
aaf04ecb4c67de5a7833184f5abeec5f48a2fc17bb8167637a421596e00c7e4c

SHA512
5dcfa31dd1a704ae698673763a2c3e96f0c7e70d06d4790033b6eccaff7e6a55d7d4f2913649915e1ad430e4fa9c68143d82a95a38c2b0bc315ad91099aeab3a

Download Submit
memory/1528-115-0x0000000000000000-mapping.dmp

Download