Source: na.hta
Virustotal: Detection: 62%
Source: na.hta
ReversingLabs: Detection: 65%
Source: na.hta, type: SAMPLE
Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR
Matched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: Joe Sandbox View
Dropped File: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
Source: C:\Windows\SysWOW64\mshta.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: na.hta, type: SAMPLE
Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR
Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine
Classification label: mal76.spyw.winHTA@1/5@0/0
Source: C:\Windows\SysWOW64\mshta.exe
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]
Source: C:\Windows\SysWOW64\mshta.exe
File created: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp
Source: C:\Windows\SysWOW64\mshta.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe
Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe
Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe
Source: mshta.exe, 00000000.00000002.2935901869.000000000357C000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllamily: ms sans serif; font-size: 8pt;
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe
Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: Yara match
File source: na.hta, type: SAMPLE
Source: Yara match
File source: 00000000.00000003.1698419140.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000003.1708227795.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.2937593299.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000003.1707959124.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000003.1698502405.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.2936245668.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000003.1707959124.0000000003597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.2936220452.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.2935901869.000000000357C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000003.1708098991.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR