Windows Analysis Report
eLoll8t7fq.hta

Overview

General Information

Sample name: eLoll8t7fq.hta
(renamed because the original name is a hash value)
Original sample name: 592a152a8b32c1754b007f8657a188fd.hta
Analysis ID: 1546606
MD5: 592a152a8b32c1754b007f8657a188fd
SHA1: 05ba57764207bfdb5a3e4d6f6797195af7fb49bc
SHA256: 57b91c4fa2c260a45897a7896e76aa219b757e528f92c3aa51fb5313c6ac77f4
Tags: Grandoreiro, hta, user-abuse_ch

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

Source: unknown HTTPS traffic detected: 104.21.60.109:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49750
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49961
Source: global traffic HTTP traffic detected: GET //672350cabd2c8/js/672350cabd242.js HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: acess.mailcffemx.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: acess.mailcffemx.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 07:34:07 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: EXPIREDReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNcab4NQmZfz06XMFBpg5S9Buw7zcHrG74pqrTcULBLqgk%2BZeyb62d2BvrwMfDYgO27xVdM4WqbNRy7jSRk6F51YzT%2B1QRpR5PHW1GqakFIw5GhT7ap9%2BgQeN4PjkQHFFMOd4sj6Zw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8dba3356fe49e972-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=920&delivery_rate=1675925&cwnd=251&unsent_bytes=0&cid=2b6ca4858bbb054a&ts=506&x=0"
Source: mshta.exe, 00000000.00000003.1259509556.000000000317C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2486758713.000000000317C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://acess.mailcffemx.com/
Source: mshta.exe, 00000000.00000002.2486758713.0000000003142000.00000004.00000020.00020000.00000000.sdmp, eLoll8t7fq.hta String found in binary or memory: https://acess.mailcffemx.com//672350cabd2c8/js/672350cabd242.js
Source: mshta.exe, 00000000.00000003.1259509556.00000000031C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://acess.mailcffemx.com//672350cabd2c8/js/672350cabd242.jsH-
Source: mshta.exe, 00000000.00000003.1259509556.00000000031C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://acess.mailcffemx.com//672350cabd2c8/js/672350cabd242.jsZ
Source: mshta.exe, 00000000.00000003.1259509556.00000000031C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://acess.mailcffemx.com//672350cabd2c8/js/672350cabd242.jsn-
Source: mshta.exe, 00000000.00000002.2486758713.00000000031DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: clean2.winHTA@1/0@1/1
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000000.00000003.1259244931.00000000031E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2486758713.00000000031E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000003.1259509556.000000000317C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2486758713.000000000317C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: mshta.exe, 00000000.00000003.1259509556.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2486758713.00000000031B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation