Windows Analysis Report
ocyMAsPrHV.hta

Overview

General Information

Sample name: ocyMAsPrHV.hta
(renamed because the original name is a hash value)
Original sample name: eaaae627c7132407cc3c5ce97185fcb5.hta
Analysis ID: 1546605
MD5: eaaae627c7132407cc3c5ce97185fcb5
SHA1: e0864843dfae0a1e05d7bd959280ac23acada77b
SHA256: e32cfcf494b591446f54a36f37ecc401dcdf6be3dddb076b521c385cb5dbf6af
Tags: Grandoreiro, hta, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection

Source: https://descargassdownloadmx.pro/ Virustotal: Detection: 12%
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49767
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49974
Source: unknown DNS traffic detected: query: descargassdownloadmx.pro reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: descargassdownloadmx.pro
Source: mshta.exe, 00000000.00000002.3339580944.0000000000916000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/
Source: mshta.exe, 00000000.00000002.3339580944.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.3339580944.000000000091C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.3339580944.0000000000892000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.3340974015.000000000493E000.00000004.00000800.00020000.00000000.sdmp, ocyMAsPrHV.hta String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js
Source: mshta.exe, 00000000.00000002.3339580944.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js0
Source: mshta.exe, 00000000.00000002.3339580944.000000000091C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js7?
Source: mshta.exe, 00000000.00000002.3339580944.0000000000892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsSC
Source: mshta.exe, 00000000.00000002.3339580944.000000000091C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsW8
Source: mshta.exe, 00000000.00000002.3339580944.0000000000892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jseL
Source: mshta.exe, 00000000.00000002.3342589797.0000000006205000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsh
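The memory-string hits above are one URL plus several near-duplicates whose tails (`.js0`, `.js7?`, `.jsSC`, ...) are neighbouring heap bytes that the string scanner swept up, not distinct URLs. As an added example (not part of this report or of Joe Sandbox), the following Python carves URLs from such lines and folds the over-read variants into one canonical indicator; the two-character `MAX_OVERREAD` threshold, the `defang` convention and the input list (copied from the hits above with the dump identifiers shortened) are this example's assumptions.

```python
"""Carve URL indicators from sandbox memory-string hits and fold scanner over-reads.

Added example; not part of the Joe Sandbox report. Input lines are a constructed
subset of the "String found in binary or memory" hits above. Trailing bytes after
".js" (e.g. ".js0", ".jsSC") are neighbouring heap bytes that the string scanner
swept up, not separate URLs, so they are folded into the clean indicator.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed input (prefix shortened from the report's dump identifiers).
MEMORY_STRINGS = [
    "String found in binary or memory: https://descargassdownloadmx.pro/",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js0",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.js7?",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsSC",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsW8",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jseL",
    "String found in binary or memory: https://descargassdownloadmx.pro/6723637d10aa6/js/6723637d10a3e.jsh",
]

# Assumption: a string-scanner over-read adds only a byte or two; a longer tail
# is treated as a genuinely different URL rather than noise.
MAX_OVERREAD = 2


def carve_urls(lines):
    """Return every URL-looking token in the lines, de-duplicated, first-seen order."""
    seen, out = set(), []
    for line in lines:
        for m in URL_RE.finditer(line):
            url = m.group(0)
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def fold_overreads(candidates, max_overread=MAX_OVERREAD):
    """Map each canonical URL to the raw variants folded into it.

    Candidates are visited shortest first; a candidate that extends an already
    accepted canonical URL by at most max_overread characters is treated as an
    over-read of it, otherwise it becomes a new canonical URL.
    """
    canonical = {}
    for cand in sorted(set(candidates), key=len):
        parent = next(
            (k for k in canonical if cand.startswith(k) and len(cand) - len(k) <= max_overread),
            None,
        )
        if parent is None:
            canonical[cand] = [cand]
        else:
            canonical[parent].append(cand)
    return canonical


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a ticket or report."""
    host = urlsplit(url).hostname
    return url.replace(host, host.replace(".", "[.]"), 1).replace("http", "hxxp", 1)


def indicators(lines):
    """Build the IOC set for a report: canonical URLs, hosts, defanged forms, variants."""
    canonical = fold_overreads(carve_urls(lines))
    urls = sorted(canonical)
    return {
        "urls": urls,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
        "defanged": [defang(u) for u in urls],
        "variants": canonical,
    }


if __name__ == "__main__":
    for url, variants in indicators(MEMORY_STRINGS)["variants"].items():
        print(f"{defang(url)}  ({len(variants)} raw hit(s))")
```

Running it on the eight hits yields two indicators, the site root and the `.js` URL, with all seven `.js*` variants folded into the latter. Keep the folding threshold small: a tail longer than a couple of characters is usually a different path, not scanner noise.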
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal48.winHTA@1/0@1/0
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000000.00000002.3339580944.00000000008F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
No contacted IP infos
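The behaviours listed above (mshta.exe pulling in the WinHTTP/WinINet/URLMon stack, looking up the Outlook App Paths key, probing the Safer CodeIdentifiers policy key, a DNS query for the dropper domain answered with NXDOMAIN, and the Suricata alert) are the pieces a hunter would turn into structured events. As an added example, not part of this report or of Joe Sandbox, the Python below parses the report's own "Source:" line formats into events and runs a small set of hunting rules over them; the input is a constructed subset of lines copied from above, and the rule names, the script-host and network-DLL lists, and the `ids_alert` handling are this example's assumptions.

```python
"""Parse the flat "Source:" lines of a Joe Sandbox report into events and hunt over them.

Added example; not part of the report or of Joe Sandbox. REPORT_LINES is a
constructed subset of the report above; rule names and lists are assumptions.
"""
import json
import re
from collections import defaultdict

REPORT_LINES = r"""
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49767
Source: unknown DNS traffic detected: query: descargassdownloadmx.pro replycode: Name error (3)
Source: global traffic DNS traffic detected: DNS query: descargassdownloadmx.pro
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
""".strip().splitlines()

# One regex per report line shape; "repl\w*\s?code" tolerates both the
# tool's "replaycode" spelling and a cleaned-up "reply code".
PATTERNS = {
    "dll_load": re.compile(r"^Source: (?P<proc>\S+) Section loaded: (?P<dll>\S+)"),
    "reg_open": re.compile(r"^Source: (?P<proc>\S+) Key opened: (?P<key>.+?)$"),
    "dns_reply": re.compile(r"^Source: .*DNS traffic detected: query: (?P<name>\S+) repl\w*\s?code: (?P<rcode>.+)$"),
    "dns_query": re.compile(r"^Source: .*DNS traffic detected: DNS query: (?P<name>\S+)"),
    "ids_alert": re.compile(
        r"^Source: Network traffic Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
        r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    ),
}

# Assumed watch lists for the rules below.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
NETWORK_DLLS = {"winhttp.dll", "wininet.dll", "urlmon.dll", "ws2_32.dll"}


def parse(lines):
    """Turn report lines into dict events; lines of unknown shape are skipped."""
    events = []
    for line in lines:
        line = re.sub(r"\s+Jump to behavior$", "", line.strip())  # link residue in copied reports
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                ev = {"kind": kind, **m.groupdict()}
                if "proc" in ev:  # basename of the acting process, for matching
                    ev["image"] = ev["proc"].rsplit("\\", 1)[-1].lower()
                events.append(ev)
                break
    return events


def evaluate(events):
    """Apply hunting rules to parsed events; returns {rule_name: [evidence, ...]}."""
    hits = defaultdict(list)
    queried = {e["name"].lower() for e in events if e["kind"] == "dns_query"}
    for e in events:
        k = e["kind"]
        if k == "dll_load" and e["image"] in SCRIPT_HOSTS and e["dll"].lower() in NETWORK_DLLS:
            hits["script_host_loads_network_stack"].append(f'{e["image"]} -> {e["dll"]}')
        elif k == "reg_open" and e["image"] in SCRIPT_HOSTS:
            key = e["key"].lower()
            if "\\app paths\\outlook.exe" in key:      # mail-client discovery
                hits["script_host_locates_outlook"].append(e["key"])
            if key.endswith("\\safer\\codeidentifiers"):  # Software Restriction Policy probe
                hits["script_host_checks_srp_policy"].append(e["key"])
        elif k == "dns_reply" and e["rcode"].startswith("Name error") and e["name"].lower() in queried:
            hits["contacted_domain_nxdomain"].append(e["name"])  # dead dropper / expired C2
        elif k == "ids_alert":
            hits["ids_alert"].append(f'sid={e["sid"]} sev={e["sev"]} {e["src"]}:{e["sport"]}->{e["dst"]}:{e["dport"]}')
    return dict(hits)


if __name__ == "__main__":
    print(json.dumps(evaluate(parse(REPORT_LINES)), indent=2))
```

The parser is deliberately tolerant of the "Jump to behavior" link residue that survives copy-paste from the web report, so the same code runs over raw and cleaned lines. The NXDOMAIN rule only fires for a name the sample itself queried, which is what separates "expired dropper" from unrelated resolver noise.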