d312c079c51f2bf011902df86e1ca4cac84eb7c74ff104fa48a505caa88ef2fe

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2022 19:06

Target

challenge-files/challenge-files/collectionBoxConst.hta
Size

3KB
MD5

99a1a4391c6be3ac5f137c0a092d8edd
SHA1

34afc663a569d0ba183c73ab40ae8d682273d193
SHA256

b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100
SHA512

45e5b38d72add4d28234b539071a3cb4059c9c104b5389a43190fd3197843e103fdaf7552c1edcb9bbbabe15b122a8bef0389ce39d6130b438a835c4c2d4f345

Score

7^/10

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

mshta.exe

description	pid	process	target process
PID 1044 wrote to memory of 3620	1044	mshta.exe	rundll32.exe
PID 1044 wrote to memory of 3620	1044	mshta.exe	rundll32.exe
PID 1044 wrote to memory of 3620	1044	mshta.exe	rundll32.exe

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\public\collectionBoxConst.jpg,PluginInit
2⤵
PID:3620

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact