Edit tour

Windows Analysis Report
xvrrvf.hta

Overview

General Information

Sample name:	xvrrvf.hta
Analysis ID:	1675521
MD5:	f2b7b570f413210fa26d15a1bd267322
SHA1:	d103407ca9952fe1a38ac8707e70585c3ce1a2ed
SHA256:	fcc3a5b3cd04159a3c7cdbbba74f658869412a353a7fe6e6be86855584997f7a
Tags:	htauser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Classification

×

Process Tree

System is w10x64

mshta.exe (PID: 7720 cmdline: mshta.exe "C:\Users\user\Desktop\xvrrvf.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xvrrvf.hta

ReversingLabs: Detection: 13%

Source: mshta.exe, 00000000.00000002.2396474228.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1597356455.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1384739748.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, xvrrvf.hta

String found in binary or memory: http://ifdnzact.com/?dn=pomfe.co&pid=9PO755G95

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal48.winHTA@1/1@0/0

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xvrrvf.hta

ReversingLabs: Detection: 13%

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Window / User API: threadDelayed 6154

Jump to behavior

Source: mshta.exe, 00000000.00000002.2396474228.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xvrrvf.hta	14%	ReversingLabs	Script-JS.Trojan.Redirector

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ifdnzact.com/?dn=pomfe.co&pid=9PO755G95	mshta.exe, 00000000.00000002.2396474228.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1597356455.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1384739748.0000000002E46000.00000004.00000020.00020000.00000000.sdmp, xvrrvf.hta	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1675521
Start date and time:	2025-04-27 17:41:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xvrrvf.hta
Detection:	MAL
Classification:	mal48.winHTA@1/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.247.98.173, 184.29.183.29, 52.149.20.212
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, e11290.dspg.akamaiedge.net, fs.microsoft.com, go.microsoft.com, slscr.update.microsoft.com, go.microsoft.com.edgekey.net, d38psrni17bvxu.cloudfront.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\error[1]

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (872)
Entropy (8bit):	5.871071500905946
TrID:	HyperText Markup Language with DOCTYPE (12503/2) 17.73% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (11501/1) 16.31% HyperText Markup Language (11501/1) 16.31%
File name:	xvrrvf.hta
File size:	2'774 bytes
MD5:	f2b7b570f413210fa26d15a1bd267322
SHA1:	d103407ca9952fe1a38ac8707e70585c3ce1a2ed
SHA256:	fcc3a5b3cd04159a3c7cdbbba74f658869412a353a7fe6e6be86855584997f7a
SHA512:	6f614627ebf08b08c01f112029cd36dfe2a5ef7d7109cfd8c836411b49a5ff0a7f9fb61d93ae21cc96eba851e76f50fd54078d65dcd09775ee74cdfeaa5ae62f
SSDEEP:	48:+maTpF1D4Ya1PMqUtmtE9i6e8e9r3wjTP+rvMj6gAM7ioaxyi6C1JMTf99AwP:I4Ya1NUh99eH9zK+rc6g3i1yi0l9A8
TLSH:	ED51B5899CE2E12141514992C8ABF42CB889D4360285CD4CF6CCD8C62FC5BDD8B65FCE
File Content Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>pomfe.co</title>...<meta http-equiv="Content-Type" content="

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• mshta.exe

Click to jump to process

Memory Usage

• mshta.exe

Click to jump to process

System Behavior

Analysis Process: mshta.exePID: 7720, Parent PID: 3448

General

Target ID:	0
Start time:	11:42:38
Start date:	27/04/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\xvrrvf.hta"
Imagebase:	0x470000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

COM Activities

COM Object Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: mshta.exePID: 7720, Parent PID: 3448COMMON

Executed Functions

Function 06240FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2398784545.0000000006240000.00000010.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6240000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 350680dd924ab0741dd5ff781642d807ab1cbe8400170d6f37026e4fb3261a25
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 06240FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2398784545.0000000006240000.00000010.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6240000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 350680dd924ab0741dd5ff781642d807ab1cbe8400170d6f37026e4fb3261a25
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Function 06240FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2398784545.0000000006240000.00000010.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6240000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 350680dd924ab0741dd5ff781642d807ab1cbe8400170d6f37026e4fb3261a25
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash: