Cobalt Strike Beacon dropped by HTML Application (HTA)

VTI SCORE: 100/100

Target:

win10_64 | html_application

Classification:

Trojan, Keylogger, Downloader

d8ef1c4f64a05b1abf100044fcb7048c9526d175a114cb90bd134b80783da146 (SHA256)

Secure_Document_Plugin.hta

HTML Application

Created at 2018-02-15 18:28:00

Notifications (2/3)

Some memory dumps may be missing in the reports since the maximum number of dumps was reached during the analysis. You can increase the limit in the configuration settings.

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "11 minutes, 47 seconds" to "8 minutes, 50 seconds" to reveal dormant functionality.

Severity	Category	Operation	Classification
5/5	Injection	Writes into the memory of another running process	-
"c:\windows\system32\wscript.exe" modifies memory of "c:\windows\syswow64\explorer.exe" ... VTI Actions Go to Function Call
"c:\windows\syswow64\explorer.exe" modifies memory of "c:\windows\syswow64\rundll32.exe" ... VTI Actions Go to Function Call
5/5	Injection	Modifies control flow of another process	-
"c:\windows\syswow64\explorer.exe" alters context of "c:\windows\syswow64\rundll32.exe" ... VTI Actions Go to Function Call
"c:\windows\system32\wscript.exe" creates thread in "c:\windows\syswow64\explorer.exe" ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\ciihmnxmn6ps\appdata\locallow\microsoft\cryptneturlcache\content\0cf27c2989dc9db1c5967c252cccaa32" is a known malicious file. ... VTI Actions Go to File Details
3/5	Device	Monitors keyboard input	Keylogger
Frequently reads the state of a keyboard key by API. ... VTI Actions Go to Function Call
3/5	Anti Analysis	Delays execution	-
One thread sleeps more than 5 minutes. ... VTI Actions Go to Function Call
2/5	Network	Performs DNS request	-
Resolves host name "LHnIwsj". ... VTI Actions Go to Function Call
2/5	Network	Downloads data	Downloader
URL "https://dl6zxn23r8r14.cloudfront.net:443/en-US". ... VTI Actions Go to Function Call
URL "maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "www.reutersmedia.net/safebrowsing/rd/g349f3qf45t5g-k32". ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "https://dl6zxn23r8r14.cloudfront.net:443/en-US". ... VTI Actions Go to Function Call
URL "maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34". ... VTI Actions Go to Function Call
URL "www.reutersmedia.net/safebrowsing/rd/g349f3qf45t5g-k32". ... VTI Actions Go to Function Call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (2/3)

Before

After