Cobalt Strike Beacon dropped by HTML Application (HTA) | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Target: win10_64 | html_application
Classification: Trojan, Keylogger, Downloader

d8ef1c4f64a05b1abf100044fcb7048c9526d175a114cb90bd134b80783da146 (SHA256)

Secure_Document_Plugin.hta

HTML Application

Created at 2018-02-15 18:28:00

...

Notifications (2/3)

Some memory dumps may be missing in the reports since the maximum number of dumps was reached during the analysis. You can increase the limit in the configuration settings.

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "11 minutes, 47 seconds" to "8 minutes, 50 seconds" to reveal dormant functionality.

Indicators

File (5)
»
Filename Hash Operations
\\.\pipe\29a7ba79f8 - Access, Read
C:\Windows\cerCF51.tmp MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 		Access
C:\Windows\system32 - Access
certutil.exe - Access
wscript.exe - Access
Registry (16)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 Access, Read
HKEY_CURRENT_USER\EUDC\1252 Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler Access
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Read
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Read
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting Access, Read
URL (5)
»
URL Operations
https://dl6zxn23r8r14.cloudfront.net:443/en-US GET
maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 GET
asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 GET
www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 GET
www.reutersmedia.net/safebrowsing/rd/g349f3qf45t5g-k32 POST
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image