Edit tour

Windows Analysis Report
xvrrvf.hta

Overview

General Information

Sample name:	xvrrvf.hta
Analysis ID:	1676539
MD5:	bbe342cbd61d484e054da82b2eeac27e
SHA1:	2f64e4183198de1be44dcf966171688af7f5a9a2
SHA256:	056c1a3c45905d9ccc91431f6ca7386f1a4bd77978fa039e9f5901cc5815e90c
Tags:	htauser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Classification

×

Process Tree

System is w10x64

mshta.exe (PID: 7320 cmdline: mshta.exe "C:\Users\user\Desktop\xvrrvf.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xvrrvf.hta

ReversingLabs: Detection: 13%

Source: mshta.exe, 00000000.00000002.2437132953.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2436251842.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2436251842.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, xvrrvf.hta

String found in binary or memory: http://ifdnzact.com/?dn=pomfe.co&pid=9PO755G95

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal48.winHTA@1/1@0/0

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xvrrvf.hta

ReversingLabs: Detection: 13%

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Window / User API: threadDelayed 6177

Jump to behavior

Source: mshta.exe, 00000000.00000002.2436251842.0000000002EFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xvrrvf.hta	14%	ReversingLabs	Script-JS.Trojan.Redirector

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ifdnzact.com/?dn=pomfe.co&pid=9PO755G95	mshta.exe, 00000000.00000002.2437132953.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2436251842.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2436251842.0000000002EBD000.00000004.00000020.00020000.00000000.sdmp, xvrrvf.hta	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1676539
Start date and time:	2025-04-28 19:42:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xvrrvf.hta
Detection:	MAL
Classification:	mal48.winHTA@1/1@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, d38psrni17bvxu.cloudfront.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7320 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\error[1]

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3249
Entropy (8bit):	5.4598794938059125
Encrypted:	false
SSDEEP:	96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5:	939A9FBD880F8B22D4CDD65B7324C6DB
SHA1:	62167D495B0993DD0396056B814ABAE415A996EE
SHA-256:	156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512:	91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (850)
Entropy (8bit):	5.88134061355143
TrID:	HyperText Markup Language with DOCTYPE (12503/2) 17.73% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (12001/1) 17.02% HyperText Markup Language (11501/1) 16.31% HyperText Markup Language (11501/1) 16.31%
File name:	xvrrvf.hta
File size:	2'752 bytes
MD5:	bbe342cbd61d484e054da82b2eeac27e
SHA1:	2f64e4183198de1be44dcf966171688af7f5a9a2
SHA256:	056c1a3c45905d9ccc91431f6ca7386f1a4bd77978fa039e9f5901cc5815e90c
SHA512:	1760011bbd5cd50f08fa7b06efe42ae7f79c5bb0b83a50fc1349f914e7abb52547cf80651911dc3e8094724454dfc91461f6adfc4c42a4bbb5fc5a11da543961
SSDEEP:	48:+maTpF1kQyoMqUtmtE9i6eaxtBolM2ZuXflHZM7ioaxyi6C1tiA0MTf995bwP:VaUh99eax7COflHoi1yirVl998
TLSH:	3E51B5498CF3E25588145516C4AFF51C3C49907A1381C81CF68CC4C6AFC6AAE8955FFE
File Content Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>pomfe.co</title>...<meta http-equiv="Content-Type" content="

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• mshta.exe

Click to jump to process

Memory Usage

• mshta.exe

Click to jump to process

System Behavior

Analysis Process: mshta.exePID: 7320, Parent PID: 4328

General

Target ID:	0
Start time:	13:43:14
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\xvrrvf.hta"
Imagebase:	0x220000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

COM Activities

COM Object Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: mshta.exePID: 7320, Parent PID: 4328COMMON

Executed Functions

Function 065C0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2437925086.00000000065C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 8cb362ac6c060577e42f033c4cb6bdf0d64c24bb455c22634a8763712e4c4f18
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 065C0FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2437925086.00000000065C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 8cb362ac6c060577e42f033c4cb6bdf0d64c24bb455c22634a8763712e4c4f18
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 065C0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2437925086.00000000065C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65c0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 8cb362ac6c060577e42f033c4cb6bdf0d64c24bb455c22634a8763712e4c4f18
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash: