Extracted

• • Target

    2909d91ea68773d217427682f60fc6acd00a18ce44629db77a3e4c74d6ee1ace.hta

  • Size

    130KB

  • MD5

    044731c733f45405761bdca10462abb3

  • SHA1

    8e04de6c19e4e1336a88fdbf3008a912055c4f5d

  • SHA256

    2909d91ea68773d217427682f60fc6acd00a18ce44629db77a3e4c74d6ee1ace

  • SHA512

    4fa5a1a7c896f0a15f04049f9c92cecfe9910c4c5b9dcfd84a047b50595064b772d1401cf48723b47a7d4285119ff1a9c6fb1ad4b771a398e3f6f2da1928d9d2

  • SSDEEP

    96:Eam7hkF0pF7OXfn7g32Kfd8KusjoU9FZ/87T:Ea2he0/qP7gGKCqoUDZ/CT

  Score

  10^/10

  defense_evasiondiscoveryexecution

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Evasion via Device Credential Deployment

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2