
Windows Analysis Report
na.hta

Overview

General Information

Sample name: na.hta
Analysis ID: 1532432
MD5: 33425007f0016d3a818d27539ba17a90
SHA1: 2e864bd0246e10b0a99681303439a988999b2015
SHA256: f4a208b490ce6094b8fa61c226db5f8f1eb01e95dc478b175a57a121a5f812e6
Tags: CobaltStrike, hta, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Sigma detected: Legitimate Application Dropped Executable
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 4500 cmdline: mshta.exe "C:\Users\user\Desktop\na.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  • cleanup
No configs have been found
Yara matches on the sample (Source | Rule | Description | Author | Strings):
na.hta | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security
na.hta | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth
    • 0x7680:$s1: = CreateObject("Wscript.Shell")
    • 0x7464:$s2: = CreateObject("Scripting.FileSystemObject")
    • 0x74f3:$s3: .GetSpecialFolder(2)
    • 0x7616:$s4: .Write Chr(CLng("
    • 0x42:$s5: = "4d5a90000300000004000000ffff00
    • 0x75df:$s6: For i = 1 to Len(
    • 0x75fd:$s7: ) Step 2

Yara matches on process memory dumps (Source | Rule | Description | Author | Strings):
00000000.00000003.1698419140.00000000069BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security
00000000.00000003.1708227795.00000000069BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security
00000000.00000002.2937593299.00000000069BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security
00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericDropper_2 | Yara detected Generic Dropper | Joe Security
00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth
    • 0x7c0:$s1: = CreateObject("Wscript.Shell")
    • 0x10974:$s1: = CreateObject("Wscript.Shell")
    • 0x10758:$s2: = CreateObject("Scripting.FileSystemObject")
    • 0x107e7:$s3: .GetSpecialFolder(2)
    • 0x1090a:$s4: .Write Chr(CLng("
    • 0x119e:$s5: = "4d5a90000300000004000000ffff00
    • 0x108d3:$s6: For i = 1 to Len(
    • 0x108f1:$s7: ) Step 2

            System Summary

Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 4500, TargetFilename: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe
            No Suricata rule has matched

            AV Detection

Source: na.hta | Avira: detected
Source: na.hta | Virustotal: Detection: 62%
Source: na.hta | ReversingLabs: Detection: 65%

            System Summary

Source: na.hta, type: SAMPLE | Matched rule: Metasploit Payloads - file msf.vbs, Author: Florian Roth
Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.vbs, Author: Florian Roth
Source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR | Matched rule: Metasploit Payloads - file msf.vbs, Author: Florian Roth
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: na.hta, type: SAMPLE | Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR | Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal76.spyw.winHTA@1/5@0/0
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\error[1]
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: na.hta | Virustotal: Detection: 62%
Source: na.hta | ReversingLabs: Detection: 65%
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe (dropped file)
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe (dropped file)
Source: mshta.exe, 00000000.00000002.2935901869.000000000357C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllamily: ms sans serif; font-size: 8pt;
Source: C:\Windows\SysWOW64\mshta.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation

            Stealing of Sensitive Information

Source: Yara match | File source: na.hta, type: SAMPLE
Source: Yara match | File source: 00000000.00000003.1698419140.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1708227795.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2937593299.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1707959124.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1698502405.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2936245668.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1707959124.0000000003597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2936220452.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2935901869.000000000357C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1708098991.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mshta.exe PID: 4500, type: MEMORYSTR
ATT&CK matrix, listed per tactic (a count in parentheses marks a technique observed for this sample; the other cells are the matrix skeleton):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (1); System Information Discovery (12); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Antivirus results for the sample (Source | Detection | Scanner | Label):
na.hta | 62% | Virustotal
na.hta | 66% | ReversingLabs | Script-WScript.Trojan.CobaltStrike
na.hta | 100% | Avira | HTML/ExpKit.Gen2

Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe | 0% | Virustotal

No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532432
Start date and time: 2024-10-13 07:14:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: na.hta
Detection: MAL
Classification: mal76.spyw.winHTA@1/5@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 6
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 4500 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
01:15:01 | API Interceptor | 1x Sleep call for process: mshta.exe modified
            No context
            No context
            No context
            No context
Match: C:\Users\user\AppData\Local\Temp\rad5F45E.tmp\Session.exe (Associated Sample Name / URL, Detection, Threat Name):
• na.hta, Detection: malicious, Threat Name: Unknown
• xi2IfOAZOO.hta, Detection: malicious, Threat Name: Unknown
• OVrOdcu8ym.hta, Detection: malicious, Threat Name: Unknown
• Office365Users_and_Passwords.hta, Detection: malicious, Threat Name: Unknown
Process: C:\Windows\SysWOW64\mshta.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Reputation: high, very likely benign file

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3249
Entropy (8bit): 5.4598794938059125
Encrypted: false
SSDEEP: 96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5: 939A9FBD880F8B22D4CDD65B7324C6DB
SHA1: 62167D495B0993DD0396056B814ABAE415A996EE
SHA-256: 156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512: 91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious: false
Reputation: moderate, very likely benign file
                    Preview:...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

Process: C:\Windows\SysWOW64\mshta.exe
File Type: GIF image data, version 89a, 36 x 38
Category: modified
Size (bytes): 1062
Entropy (8bit): 4.517838839626174
Encrypted: false
SSDEEP: 12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E
MD5: 124A9E7B6976F7570134B7034EE28D2B
SHA1: E889BFC2A2E57491016B05DB966FC6297A174F55
SHA-256: 5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9
SHA-512: EA1B3CC56BD41FC534AAC00F186180345CB2C06705B57C88C8A6953E6CE8B9A2E3809DDB01DAAC66FA9C424D517D2D14FA45FBEF9D74FEF8A809B71550C7C145
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Windows\SysWOW64\mshta.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1706
Entropy (8bit): 5.274543201400288
Encrypted: false
SSDEEP: 48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO
MD5: B9BEC45642FF7A2588DC6CB4131EA833
SHA1: 4D150A53276C9B72457AE35320187A3C45F2F021
SHA-256: B0ABE318200DCDE42E2125DF1F0239AE1EFA648C742DBF9A5B0D3397B903C21D
SHA-512: C119F5625F1FC2BCDB20EE87E51FC73B31F130094947AC728636451C46DCED7B30954A059B24FEF99E1DB434581FD9E830ABCEB30D013404AAC4A7BB1186AD3A
Malicious: false
Reputation: moderate, very likely benign file
                    Preview:...window.onerror = HandleError..function HandleError(message, url, line)..{..var str = L_Dialog_ErrorMessage + "\n\n"..+ L_ErrorNumber_Text + line + "\n"..+ message;..alert (str);..window.close();..return true;..}..function loadBdy()..{..var objOptions = window.dialogArguments;..btnNo.onclick = new Function("btnOKClick()");..btnNo.onkeydown = new Function("SwitchFocus()");..btnYes.onclick = new Function("btnYesClick()");..btnYes.onkeydown = new Function("SwitchFocus()");..document.onkeypress = new Function("docKeypress()");..spnLine.innerText = objOptions.getAttribute("errorLine");..spnCharacter.innerText = objOptions.getAttribute("errorCharacter");..spnError.innerText = objOptions.getAttribute("errorMessage");..spnCode.innerText = objOptions.getAttribute("errorCode");..txaURL.innerText = objOptions.getAttribute("errorUrl");..if (objOptions.errorDebug)..{..divDebug.innerText = L_ContinueScript_Message;..}..btnYes.focus();..}..function SwitchFocus()..{..var HTML_KEY_ARROWLEFT = 37;..

Process: C:\Windows\SysWOW64\mshta.exe
File Type: MS-DOS executable
Category: dropped
Size (bytes): 60
Entropy (8bit): 1.0519957215994138
Encrypted: false
SSDEEP: 3:WlWUqt/vll:idq
MD5: 7E158008BC213450F59E7A940434EA65
SHA1: B333D9B98C5174CCDE6D14E793F3AA338E4F99A9
SHA-256: CF270EDC59DAFA6D10C184E07BE53D4C27C9918BDCBFDBB84DFE0E68D1DBB082
SHA-512: 908D2C22AEBF6BC96A6331E04377395EC4347A27F518B3E46FD3E1C9DED497CDD3D62CAD5050856DD35DB0C5A82F811CF09C09EE422EE9CDAD08CBE48079E184
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: na.hta, Detection: malicious
• Filename: xi2IfOAZOO.hta, Detection: malicious
• Filename: OVrOdcu8ym.hta, Detection: malicious
• Filename: Office365Users_and_Passwords.hta, Detection: malicious
Reputation: low
                    Preview:MZ......................@...................................

File type: HTML document, ASCII text, with very long lines (29716)
Entropy (8bit): 3.2564113877940764
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: na.hta
File size: 30'522 bytes
MD5: 33425007f0016d3a818d27539ba17a90
SHA1: 2e864bd0246e10b0a99681303439a988999b2015
SHA256: f4a208b490ce6094b8fa61c226db5f8f1eb01e95dc478b175a57a121a5f812e6
SHA512: 54af40fe899d0a69caf9be890047294745a0f14fab55cfac44f79d1e17e1b06e5d894211ca03391a12540deac42dda711198853964fd59cc1c6e8c3cbfe0de02
SSDEEP: 384:KeiNYnl3Q/2irLwQbyACD1Ja9SIkh3sfUD2O3Al3l0YKxAVk/a:T3Q/T/weyrIa4s2O3Al3lqxJS
TLSH: 0FD2F1F434CC6442D6A6ED09B64CFF52062B3A5B9EC59F40437DFA701BEB911B612A0E
File Content Preview: <script language="VBScript">..Function var_func()...var_shellcode = "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d206361
                    No network behavior found


Target ID: 0
Start time: 01:15:01
Start date: 13/10/2024
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\na.hta"
Imagebase: 0x630000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1698419140.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1708227795.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2937593299.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 00000000.00000002.2935901869.000000000353E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1707959124.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1698502405.00000000069BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2936245668.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1707959124.0000000003597000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2936220452.00000000035A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000002.2935901869.000000000357C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDropper_2, Description: Yara detected Generic Dropper, Source: 00000000.00000003.1708098991.00000000035B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate
                    Has exited:false

                      Memory Dump Source
                      • Source File: 00000000.00000003.1707678984.0000000007640000.00000010.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_3_7640000_mshta.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                      • Instruction ID: 5252a5e935b542cb13c0008078a0761add6d60e6eb758d5ad05d8ae979947c1b
                      • Opcode Fuzzy Hash: 3f0c7ada9f97049e94b5a3b009dc851e18c92a16d03b77f27e0fa18a9adcb566
                      • Instruction Fuzzy Hash: