Extracted

• • Target

    c96daaf1a1dc9722c4a06193e1d651b4604384d0afd2eba041cb67bbbc4a24bd.hta

  • Size

    130KB

  • MD5

    1fd620bfc1434f416a86c5ab0ca98c41

  • SHA1

    d2aab0e25bfa3e35f8ed5e8c4a772b7c5c083dcf

  • SHA256

    c96daaf1a1dc9722c4a06193e1d651b4604384d0afd2eba041cb67bbbc4a24bd

  • SHA512

    46aebd9323692bc22eaf4c5c615acccf73695a82812c0facec9f7017ef0304d48f76a84a1a8a021411e180ec357301c1a1e1c245a7178f73ef34ce13f89f2bc9

  • SSDEEP

    96:Eam73ELEyboOrLEy7oOBnN0qfaJdoP8oLSLweoOpWLEy+c7T:Ea23iJaC8hiT

  Score

  10^/10

  defense_evasiondiscoveryexecution

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Evasion via Device Credential Deployment

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2