Windows Analysis Report
na.hta

Overview

General Information

Sample name: na.hta
Analysis ID: 1528840
MD5: 439ba39a07845e334c3c4422a96bc72b
SHA1: 20d5b07d9d525e003886c8ed82dc5bf98d52f99c
SHA256: 836c97307357a8f7a318cf0206b6f1aff82cc71c80fd37ebbfd0777a2dff483a
Tags: CobaltStrike, hta, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Sigma detected: Legitimate Application Dropped Executable
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7364 cmdline: mshta.exe "C:\Users\user\Desktop\na.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
na.hta | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security |
na.hta | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth |
    • 0x7685:$s1: = CreateObject("Wscript.Shell")
    • 0x7464:$s2: = CreateObject("Scripting.FileSystemObject")
    • 0x74f3:$s3: .GetSpecialFolder(2)
    • 0x761b:$s4: .Write Chr(CLng("
    • 0x42:$s5: = "4d5a90000300000004000000ffff00
    • 0x75e4:$s6: For i = 1 to Len(
    • 0x7602:$s7: ) Step 2
Source | Rule | Description | Author | Strings
00000000.00000002.2909717424.00000000008CC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security |
00000000.00000003.1680857958.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security |
00000000.00000002.2911812542.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security |
00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security |
00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth |
    • 0x735:$s1: = CreateObject("Wscript.Shell")
    • 0x108e9:$s1: = CreateObject("Wscript.Shell")
    • 0x514:$s2: = CreateObject("Scripting.FileSystemObject")
    • 0x106c8:$s2: = CreateObject("Scripting.FileSystemObject")
    • 0x5a3:$s3: .GetSpecialFolder(2)
    • 0x10757:$s3: .GetSpecialFolder(2)
    • 0x6cb:$s4: .Write Chr(CLng("
    • 0x1087f:$s4: .Write Chr(CLng("
    • 0x110e:$s5: = "4d5a90000300000004000000ffff00
    • 0x694:$s6: For i = 1 to Len(
    • 0x10848:$s6: For i = 1 to Len(
    • 0x6b2:$s7: ) Step 2
    • 0x10866:$s7: ) Step 2
(4 further memory matches are not expanded in this export.)

            System Summary

Sigma detected: Legitimate Application Dropped Executable
Source: File created; Author: frack113, Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe
            No Suricata rule has matched
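
The Sigma match above is a Sysmon Event ID 11 (FileCreate) record: mshta.exe writing a .exe into a radXXXXX.tmp folder under the user's Temp directory. That folder name is the shape Scripting.FileSystemObject.GetTempName() returns, which fits the msf.vbs template the Yara rule identifies; the report itself does not state this, so treat it as an assumption. The Python below is an added example, not part of the report or of any Sigma rule: it applies the same two checks (script host writing a PE, target inside a radXXXXX.tmp folder) to event lines in the report's own "Key: value" layout. The first event is the record quoted above; the other three are constructed benign look-alikes the rule must not fire on.

```python
import re
from dataclasses import dataclass, field

# Script hosts that have no routine reason to write PE files under a user's Temp directory.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl", ".ocx")
# Assumption: radXXXXX.tmp is the name shape Scripting.FileSystemObject.GetTempName() returns,
# which the msf.vbs template uses for the folder it creates under GetSpecialFolder(2) (Temp).
RAD_TMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\rad[0-9A-F]{5}\.tmp\\", re.IGNORECASE)

# Event 0 is the Sysmon record quoted in the report; events 1-3 are constructed benign
# look-alikes (same host writing an IE cache file, an installer writing a .tmp, a process-create event).
SAMPLE_EVENTS = [
    r"EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe",
    r"EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]",
    r"EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4120, TargetFilename: C:\Users\user\AppData\Local\Temp\MSI9F3A.tmp",
    r"EventID: 1, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7364, CommandLine: mshta.exe C:\Users\user\Desktop\na.hta",
]


@dataclass
class Finding:
    process_id: str
    image: str
    target: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split the flat 'Key: value, Key: value' layout the report uses into a dict."""
    fields = {}
    for chunk in line.split(", "):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding when a FileCreate event matches the dropper pattern, else None."""
    if event.get("EventID") != "11":
        return None
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    reasons = []
    if basename(image) in SCRIPT_HOSTS and target.lower().endswith(PE_EXTENSIONS):
        reasons.append("script host wrote a PE file to disk")
    if RAD_TMP_DIR.search(target):
        reasons.append("target sits in a radXXXXX.tmp folder (FileSystemObject.GetTempName pattern)")
    if not reasons:
        return None
    return Finding(event.get("ProcessId", "?"), image, target, reasons)


def scan(lines):
    """Run the rule over raw event lines and collect the findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"PID {hit.process_id}: {basename(hit.image)} -> {hit.target}")
        for reason in hit.reasons:
            print("   -", reason)
```

Only the quoted record produces a finding, with both reasons attached; the mshta.exe cache write (no PE extension, no rad folder), the msiexec .tmp write and the Event ID 1 record are all ignored.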


            AV Detection

Source: na.hta; Avira: detected
Source: na.hta; ReversingLabs: Detection: 65%
Source: na.hta; Virustotal: Detection: 65%

            System Summary

Source: na.hta, type: SAMPLE; Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR; Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: na.hta, type: SAMPLE; Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR; Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine; Classification label: mal76.spyw.winHTA@1/5@0/0
Source: C:\Windows\SysWOW64\mshta.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]
Source: C:\Windows\SysWOW64\mshta.exe; File created: C:\Users\user\AppData\Local\Temp\rad4338C.tmp
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: na.hta; ReversingLabs: Detection: 65%
Source: na.hta; Virustotal: Detection: 65%
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe; File created: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe
Source: mshta.exe, 00000000.00000002.2909717424.0000000000909000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe; Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

            Stealing of Sensitive Information

Source: Yara match; File source: na.hta, type: SAMPLE
Source: Yara match; File source: 00000000.00000002.2909717424.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1680857958.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2911812542.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1680741471.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2909717424.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: mshta.exe PID: 7364, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with observed behaviour; the number is the count of matching signatures)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: DLL Side-Loading (1)
• Defense Evasion: Masquerading (1), Disable or Modify Tools (1), DLL Side-Loading (1)
• Discovery: Security Software Discovery (1), System Information Discovery (12)
• Collection: Email Collection (1)
No techniques observed under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Command and Control, Exfiltration or Impact.
Source | Detection | Scanner | Label
na.hta | 66% | ReversingLabs | Script-WScript.Trojan.CobaltStrike
na.hta | 65% | Virustotal |
na.hta | 100% | Avira | HTML/ExpKit.Gen2

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe | 0% | Virustotal |
No Antivirus matches in the remaining scan tables
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528840
Start date and time: 2024-10-08 10:38:19 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: na.hta
Detection: MAL
Classification: mal76.spyw.winHTA@1/5@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 2
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .hta
• Max analysis timeout: 600s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7364 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:39:12 | API Interceptor | 1x Sleep call for process: mshta.exe modified
No context
Dropped file seen in connection with other malware (Match | Associated Sample Name | Detection | Threat Name):
C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe | xi2IfOAZOO.hta | malicious | Unknown
C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe | OVrOdcu8ym.hta | malicious | Unknown
C:\Users\user\AppData\Local\Temp\rad4338C.tmp\Journal-http.exe | Office365Users_and_Passwords.hta | malicious | Unknown
Process: C:\Windows\SysWOW64\mshta.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Reputation: high, very likely benign file
Preview: ........ (every previewed byte is non-printable, consistent with the near-zero entropy)
Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3249
Entropy (8bit): 5.4598794938059125
Encrypted: false
SSDEEP: 96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5: 939A9FBD880F8B22D4CDD65B7324C6DB
SHA1: 62167D495B0993DD0396056B814ABAE415A996EE
SHA-256: 156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512: 91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious: false
Reputation: moderate, very likely benign file
                  Preview:...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa
Process: C:\Windows\SysWOW64\mshta.exe
File Type: GIF image data, version 89a, 36 x 38
Category: modified
Size (bytes): 1062
Entropy (8bit): 4.517838839626174
Encrypted: false
SSDEEP: 12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E
MD5: 124A9E7B6976F7570134B7034EE28D2B
SHA1: E889BFC2A2E57491016B05DB966FC6297A174F55
SHA-256: 5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9
SHA-512: EA1B3CC56BD41FC534AAC00F186180345CB2C06705B57C88C8A6953E6CE8B9A2E3809DDB01DAAC66FA9C424D517D2D14FA45FBEF9D74FEF8A809B71550C7C145
Malicious: false
Reputation: moderate, very likely benign file
Preview: GIF89a$.&... (binary image data, not reproduced)
Process: C:\Windows\SysWOW64\mshta.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1706
Entropy (8bit): 5.274543201400288
Encrypted: false
SSDEEP: 48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO
MD5: B9BEC45642FF7A2588DC6CB4131EA833
SHA1: 4D150A53276C9B72457AE35320187A3C45F2F021
SHA-256: B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D
SHA-512: C119F5625F1FC2BCDB20EE87E51FC73B31F130094947AC728636451C46DCED7B30954A059B24FEF99E1DB434581FD9E830ABCEB30D013404AAC4A7BB1186AD3A
Malicious: false
Reputation: moderate, very likely benign file
                  Preview:...window.onerror = HandleError..function HandleError(message, url, line)..{..var str = L_Dialog_ErrorMessage + "\n\n"..+ L_ErrorNumber_Text + line + "\n"..+ message;..alert (str);..window.close();..return true;..}..function loadBdy()..{..var objOptions = window.dialogArguments;..btnNo.onclick = new Function("btnOKClick()");..btnNo.onkeydown = new Function("SwitchFocus()");..btnYes.onclick = new Function("btnYesClick()");..btnYes.onkeydown = new Function("SwitchFocus()");..document.onkeypress = new Function("docKeypress()");..spnLine.innerText = objOptions.getAttribute("errorLine");..spnCharacter.innerText = objOptions.getAttribute("errorCharacter");..spnError.innerText = objOptions.getAttribute("errorMessage");..spnCode.innerText = objOptions.getAttribute("errorCode");..txaURL.innerText = objOptions.getAttribute("errorUrl");..if (objOptions.errorDebug)..{..divDebug.innerText = L_ContinueScript_Message;..}..btnYes.focus();..}..function SwitchFocus()..{..var HTML_KEY_ARROWLEFT = 37;..
Process: C:\Windows\SysWOW64\mshta.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 60
Entropy (8bit): 1.0519957215994138
Encrypted: false
SSDEEP: 3:WlWUqt/vll:idq
MD5: 7E158008BC213450F59E7A940434EA65
SHA1: B333D9B98C5174CCDE6D14E793F3AA338E4F99A9
SHA-256: CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
SHA-512: 908D2C22AEBF6BC96A6331E04377395EC4347A27F518B3E46FD3E1C9DED497CDD3D62CAD5050856DD35DB0C5A82F811CF09C09EE422EE9CDAD08CBE48079E184
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: xi2IfOAZOO.hta, Detection: malicious
• Filename: OVrOdcu8ym.hta, Detection: malicious
• Filename: Office365Users_and_Passwords.hta, Detection: malicious
Reputation: low
Preview: MZ......................@...................................
File type: HTML document, ASCII text, with very long lines (29716)
Entropy (8bit): 3.255402391270834
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: na.hta
File size: 30'527 bytes
MD5: 439ba39a07845e334c3c4422a96bc72b
SHA1: 20d5b07d9d525e003886c8ed82dc5bf98d52f99c
SHA256: 836c97307357a8f7a318cf0206b6f1aff82cc71c80fd37ebbfd0777a2dff483a
SHA512: 3f7145abe604c6ba48dfe175dc4311cb7f399b49b5707e8d03df5dc3e68458c156ab0ceee34be558a603524575767bfb23eec9ef8fba1fa48ab8cbf3c1373d4f
SSDEEP: 384:kdeiNYnl3Q/2irLwQbyACD1JaSisfUD2O3Al3l0YKxAV6/a:kE3Q/T/weydi4s2O3Al3lqxRS
TLSH: 02D2F0F434CC6442D6A6ED19B64CFB61062B3A5B9EC59F40437CFA701BEB910B712A0E
                  File Content Preview:<script language="VBScript">..Function var_func()...var_shellcode = "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d206361
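
The strings the Msfpayloads_msf_6 rule matched in na.hta (CreateObject("Scripting.FileSystemObject"), .GetSpecialFolder(2), For i = 1 to Len( ... ) Step 2, .Write Chr(CLng(") and the File Content Preview describe the msf.vbs-style dropper: the PE is stored as one long hex string (starting 4d5a9000, the MZ header) and written to a folder under Temp two hex digits at a time. The dropped Journal-http.exe this run captured is only 60 bytes (an MZ header with nothing after it, hence the 0% scanner results), so the payload has to be recovered statically from the HTA rather than from the drop. The Python below is an added example, not part of the report or of the sample: it carves and hex-decodes the blob the way the VBScript loop does, validates the MZ/PE headers, and reports a drop that was cut short instead of treating it as a clean executable. The HTA text embedded in it is constructed around the matched strings; the hex blob inside it is a minimal header built by the script, not the sample's payload.

```python
import hashlib
import re
import struct


def build_minimal_pe() -> bytes:
    """Constructed stand-in for the sample's payload: a DOS header whose e_lfanew (offset 0x3C)
    points at 'PE\\0\\0' followed by a 20-byte IMAGE_FILE_HEADER for x86. Not the real payload."""
    dos_header = bytearray(0x80)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> PE signature
    # Machine = IMAGE_FILE_MACHINE_I386 (0x014C); remaining IMAGE_FILE_HEADER fields zeroed
    file_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0)
    return bytes(dos_header) + b"PE\x00\x00" + file_header


# Constructed HTA built around the strings the Yara rule matched in na.hta; the hex blob holds
# the minimal header above instead of the sample's ~30 kB payload.
SAMPLE_HTA = (
    '<script language="VBScript">\r\n'
    "Function var_func()\r\n"
    '\tvar_shellcode = "' + build_minimal_pe().hex() + '"\r\n'
    '\tSet var_obj = CreateObject("Scripting.FileSystemObject")\r\n'
    "\tvar_tempdir = var_obj.GetSpecialFolder(2)\r\n"
    '\tvar_basedir = var_tempdir & "\\" & var_obj.GetTempName()\r\n'
    "\tvar_obj.CreateFolder(var_basedir)\r\n"
    '\tvar_tempexe = var_basedir & "\\" & "Journal-http.exe"\r\n'
    "\tSet var_stream = var_obj.CreateTextFile(var_tempexe, True, False)\r\n"
    "\tFor i = 1 To Len(var_shellcode) Step 2\r\n"
    '\t\tvar_stream.Write Chr(CLng("&H" & Mid(var_shellcode, i, 2)))\r\n'
    "\tNext\r\n"
    "\tvar_stream.Close\r\n"
    '\tSet var_shell = CreateObject("Wscript.Shell")\r\n'
    "End Function\r\n"
    "var_func\r\n"
    "</script>"
)

# Quoted literals made only of hex digits; the payload may be split over several assignments,
# so every such literal is collected in script order.
HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{8,})"')


def extract_hex_blob(hta_text: str) -> str:
    """Concatenate every even-length hex literal in the order it appears."""
    return "".join(m.group(1) for m in HEX_LITERAL.finditer(hta_text) if len(m.group(1)) % 2 == 0)


def decode_payload(hta_text: str) -> bytes:
    """Do statically what the VBScript loop does at runtime: two hex digits -> one byte."""
    return bytes.fromhex(extract_hex_blob(hta_text))


def inspect_pe(data: bytes) -> dict:
    """Validate the MZ/PE headers and say whether the bytes are worth analysing as a PE.
    A drop cut short, like the 60-byte Journal-http.exe in this report, is reported as
    truncated rather than passed on as an executable."""
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(), "complete": False}
    if data[:2] != b"MZ":
        info["reason"] = "no MZ signature"
        return info
    if len(data) < 0x40:
        info["reason"] = f"truncated before e_lfanew ({len(data)} bytes, DOS header needs 64)"
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["reason"] = "PE signature missing or beyond end of data"
        return info
    info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    info["complete"] = True
    return info


if __name__ == "__main__":
    payload = decode_payload(SAMPLE_HTA)
    print(inspect_pe(payload))       # full header: complete True, machine 0x14c
    print(inspect_pe(payload[:60]))  # same shape as the 60-byte drop in this report: truncated
```

Run against the real na.hta, the SHA-256 of the decoded blob is the indicator to pivot on; the hash of the 60-byte drop only identifies other truncated runs of the same template.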
                  No network behavior found

Target ID: 0
Start time: 04:39:10
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\na.hta"
Imagebase: 0xe20000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2909717424.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1680857958.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2911812542.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 00000000.00000002.2909717424.000000000087F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1680741471.0000000005CBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2909717424.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

                    Memory Dump Source
                    • Source File: 00000000.00000002.2912769822.0000000006B80000.00000010.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_6b80000_mshta.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                    • Instruction ID: 6cf44237c6c416492fbb8c43f07610b694383551f28f0a30260d6128779a97e5
                    • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                    • Instruction Fuzzy Hash: