ScreenShot
| Created | 2024.08.09 10:47 | Machine | s1_win7_x6401 |
| Filename | 89.hta | ||
| Type | HTML document, ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 18 detected (ExpKitGen2, Asthma, gen80, iacgm, PowerShell, Detected, ai score=88, Eldorado, Probably Heur, HTMLUnescape) | ||
| md5 | f904e8a5141b08f3f8e2121459f539fe | ||
| sha256 | d4cb60a0e93c856f642f862e51cf4af34f626c8d1e1b995b5e9dfb3e72db1101 | ||
| ssdeep | 768:tZ6A3yXNA0AGAzUGq4Lcl64c/9tB2KCgFPBh1VQiXAZO:t7 | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (27cnts)
| Level | Description |
|---|---|
| watch | An executable file was downloaded by the process powershell.exe |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates a suspicious Powershell process |
| watch | File has been identified by 18 AntiVirus engines on VirusTotal as malicious |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | One or more non-whitelisted processes were created |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Network_Downloader | File Downloader | binaries (download) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | Is_DotNET_DLL | (no description) | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
| info | Obscatation_URL_Zero | Obscatation URL | scripts |
Suricata ids
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response