Windows Analysis Report
na.hta

Overview

General Information

Sample name: na.hta
Analysis ID: 1528840
MD5: 439ba39a07845e334c3c4422a96bc72b
SHA1: 20d5b07d9d525e003886c8ed82dc5bf98d52f99c
SHA256: 836c97307357a8f7a318cf0206b6f1aff82cc71c80fd37ebbfd0777a2dff483a
Tags: CobaltStrike, hta, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Sigma detected: Legitimate Application Dropped Executable
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Yara signature match

Classification

AV Detection

Source: na.hta Avira: detected
Source: na.hta ReversingLabs: Detection: 65%
Source: na.hta Virustotal: Detection: 65%

System Summary

Source: na.hta, type: SAMPLE Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: na.hta, type: SAMPLE Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal76.spyw.winHTA@1/5@0/0
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Temp\rad4338C.tmp
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe
Source: mshta.exe, 00000000.00000002.2909717424.0000000000909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: na.hta, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2909717424.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1680857958.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2911812542.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1680741471.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2909717424.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR
No contacted IP infos