File name:

htseelaaa.hta

Full analysis: https://app.any.run/tasks/7a81c4a3-36da-4ea5-940c-58606d0ebf5e
Verdict: Malicious activity
Analysis date: June 23, 2024, 15:25:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
apt
sidewinder
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines (52395)
MD5:

D79C33759C17AC7C2525E701D12A9B9C

SHA1:

8A5D2772A040C520729F53A9E9C27BD391D514FB

SHA256:

C2045851A5F974B5ADFE54EBC76B5FE9EE0412B376C62AB789434FB2AAE7F580

SSDEEP:

1536:gMU5QR2+vdjCquuATTxzXzpPC8RSYsBeriOgqoZc6b2JGlBmRGzu:gMoQR2+nuPTxrlC8rsQri9B6W2JGlMRJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • mshta.exe (PID: 3344)

  • SUSPICIOUS

    • Reads the Internet Settings

      • mshta.exe (PID: 3344)

    • Adds/modifies Windows certificates

      • mshta.exe (PID: 3344)

    • Process drops legitimate windows executable

      • mshta.exe (PID: 3344)

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 3344)

  • INFO

    • Disables trace logs

      • mshta.exe (PID: 3344)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3344)

    • Creates files in the program directory

      • mshta.exe (PID: 3344)

    • Checks supported languages

      • credwiz.exe (PID: 3220)

    • Reads the computer name

      • credwiz.exe (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mshta.exe credwiz.exe

Process information

PID
CMD
Path
Indicators
Parent process
3220"C:\ProgramData\dsk\dat2.1\credwiz.exe" C:\ProgramData\dsk\dat2.1\credwiz.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Credential Backup and Restore Wizard
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\programdata\dsk\dat2.1\credwiz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3344"C:\Windows\System32\mshta.exe" C:\Users\admin\AppData\Local\Temp\htseelaaa.htaC:\Windows\System32\mshta.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
4 589
Read events
4 551
Write events
30
Delete events
8

Modification events

(PID) Process:(3344) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3344) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3344) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3344) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3344) mshta.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3344) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB
Value:
(PID) Process:(3344) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB
Operation:writeName:Blob
Value:
0400000001000000100000005DB66AC46017246A1A99A84BEE5EB42619000000010000001000000086665B2DECDDA69376F98E02CD5FA29A62000000010000002000000071CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD0B0000000100000018000000470054005300200052006F006F0074002000520034000000140000000100000014000000804CD6EB74FF4936A3D5D8FCB53EC56AF0941D8C1D00000001000000100000006D81CF5A57E7A81939F2FA048E7CB9500300000001000000140000002A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB0F0000000100000030000000DF03EE17776FAE07203AE956F6094206455C833A06297419E38793A34C4E010E8E0DD06107E0CD574F970FB35FB7C04E09000000010000002A000000302806082B0601050507030206082B0601050507030406082B0601050507030106082B0601050507030820000000010000000E0200003082020A30820191A00302010202106E47A9C88B94B6E8BB3B2AD8A2B2C199300A06082A8648CE3D0403033047310B300906035504061302555331223020060355040A1319476F6F676C65205472757374205365727669636573204C4C43311430120603550403130B47545320526F6F74205234301E170D3136303632323030303030305A170D3336303632323030303030305A3047310B300906035504061302555331223020060355040A1319476F6F676C65205472757374205365727669636573204C4C43311430120603550403130B47545320526F6F742052343076301006072A8648CE3D020106052B8104002203620004F37473A7688B60AE43B835C581307B4B499DFBC161CEE6DE46BD6BD5611835AE40DD73F78991305AEB3CEE857CA240763BA9C6B847D82AE792916A73E9B172399F299FA298D35F5E5886650FA1846506D1DC8BC9C773C88C6A2FE5C4ABD11D8AA3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E04160414804CD6EB74FF4936A3D5D8FCB53EC56AF0941D8C300A06082A8648CE3D040303036700306402306A50527408C470DC9E507421E88D7A21C34F966E15D12235612DFA0837EE196DADDBB2CC7D0734F560192CB534D96F2002300371B1BAA3600B86ED9A086A95689FE2B3E193647C5E93A6DF792D8D85E394CF235D71CCF2B04DD6FE99C894A975A2E3
(PID) Process:(3344) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB
Operation:delete valueName:File
Value:
(PID) Process:(3344) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB
Operation:delete keyName:(default)
Value:
(PID) Process:(3344) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB
Operation:writeName:Blob
Value:
5C00000001000000040000008001000019000000010000001000000086665B2DECDDA69376F98E02CD5FA29A62000000010000002000000071CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD0B0000000100000018000000470054005300200052006F006F0074002000520034000000140000000100000014000000804CD6EB74FF4936A3D5D8FCB53EC56AF0941D8C1D00000001000000100000006D81CF5A57E7A81939F2FA048E7CB9500300000001000000140000002A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB0F0000000100000030000000DF03EE17776FAE07203AE956F6094206455C833A06297419E38793A34C4E010E8E0DD06107E0CD574F970FB35FB7C04E09000000010000002A000000302806082B0601050507030206082B0601050507030406082B0601050507030106082B0601050507030820000000010000000E0200003082020A30820191A00302010202106E47A9C88B94B6E8BB3B2AD8A2B2C199300A06082A8648CE3D0403033047310B300906035504061302555331223020060355040A1319476F6F676C65205472757374205365727669636573204C4C43311430120603550403130B47545320526F6F74205234301E170D3136303632323030303030305A170D3336303632323030303030305A3047310B300906035504061302555331223020060355040A1319476F6F676C65205472757374205365727669636573204C4C43311430120603550403130B47545320526F6F742052343076301006072A8648CE3D020106052B8104002203620004F37473A7688B60AE43B835C581307B4B499DFBC161CEE6DE46BD6BD5611835AE40DD73F78991305AEB3CEE857CA240763BA9C6B847D82AE792916A73E9B172399F299FA298D35F5E5886650FA1846506D1DC8BC9C773C88C6A2FE5C4ABD11D8AA3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E04160414804CD6EB74FF4936A3D5D8FCB53EC56AF0941D8C300A06082A8648CE3D040303036700306402306A50527408C470DC9E507421E88D7A21C34F966E15D12235612DFA0837EE196DADDBB2CC7D0734F560192CB534D96F2002300371B1BAA3600B86ED9A086A95689FE2B3E193647C5E93A6DF792D8D85E394CF235D71CCF2B04DD6FE99C894A975A2E3
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3344mshta.exeC:\ProgramData\dsk\dat2.1\credwiz.exeexecutable
MD5:15CF85C3D904A7D8650164B0B831A318
SHA256:17EABFB88A164AA95731F198BD69A7285CC7F64ACD7C289062CD3979A4A2F5BF
3344mshta.exeC:\ProgramData\dsk\dat2.1\Duser.dllexecutable
MD5:28FE94D2521132A5BE0D651DDE8090FC
SHA256:819198BB26C023972934402F54BC3BE2A092CB0E20039C2F2061182CF53AD83C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3220
credwiz.exe
GET
184.30.21.171:80
http://www.microsoft.com/
unknown
unknown
1372
svchost.exe
GET
304
23.50.131.203:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1060
svchost.exe
GET
304
23.50.131.203:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11acddbe1ebd82b3
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3344
mshta.exe
188.114.96.3:443
www.cdn-aws.net
CLOUDFLARENET
NL
unknown
3344
mshta.exe
52.46.157.11:443
aws.amazon.com
AMAZON-02
US
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
3220
credwiz.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
3220
credwiz.exe
49.13.77.253:443
cdn-src.net
Hetzner Online GmbH
DE
unknown
1372
svchost.exe
23.50.131.203:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
www.cdn-aws.net
  • 188.114.96.3
  • 188.114.97.3
unknown
aws.amazon.com
  • 52.46.157.11
shared
www.microsoft.com
  • 184.30.21.171
whitelisted
cdn-src.net
  • 49.13.77.253
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.203
  • 23.50.131.223
  • 23.50.131.207
  • 23.50.131.201
  • 23.50.131.200
  • 23.50.131.202
  • 23.50.131.218
  • 23.50.131.216
  • 23.50.131.221
  • 23.50.131.199
  • 23.50.131.219
  • 23.50.131.196
  • 23.50.131.205
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted

Threats

PID
Process
Class
Message
1060
svchost.exe
Targeted Malicious Activity was Detected
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-aws .net)
1060
svchost.exe
Targeted Malicious Activity was Detected
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-src .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
htseelaaa.hta