analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

download.hta

Full analysis: https://app.any.run/tasks/a629c843-541d-412f-ba36-50816e4b9db7
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: September 10, 2019, 22:24:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with no line terminators
MD5:

E51043BF1BF879D0CE1AB935C70DE78A

SHA1:

083E641FC78D577B575378DA749412B48259F2F4

SHA256:

3817706B237687437613E6538CE72194B6D1D8C38DA781B6C97587C7656642EA

SSDEEP:

768:DYTQhO6E8K/UByaZTfT0R3IxU/0Fbt3XV+oNs+Ew6jApXC4M1bXJ8EkkFok4ZGX+:D7GxDNo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • WScript.exe (PID: 3180)
  • SUSPICIOUS

    • Executes scripts

      • mshta.exe (PID: 3548)
  • INFO

    • Manual execution by user

      • chrome.exe (PID: 2752)
    • Reads internet explorer settings

      • mshta.exe (PID: 3548)
    • Reads the hosts file

      • chrome.exe (PID: 3560)
      • chrome.exe (PID: 2752)
    • Application launched itself

      • chrome.exe (PID: 2752)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
12
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mshta.exe no specs wscript.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3548"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\download.hta"C:\Windows\System32\mshta.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3180"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Chrome.js" C:\Windows\System32\WScript.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2752"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3296"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fdca9d0,0x6fdca9e0,0x6fdca9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2408"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2760 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3428"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=984,15162766203314612144,9670425695923846227,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17713144192746419874 --mojo-platform-channel-handle=932 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3560"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=984,15162766203314612144,9670425695923846227,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=313874020479111225 --mojo-platform-channel-handle=1640 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1952"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15162766203314612144,9670425695923846227,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15896123532694203692 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3464"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15162766203314612144,9670425695923846227,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2555969347530637163 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
924"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15162766203314612144,9670425695923846227,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16933939897496196154 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
638
Read events
582
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
23
Text files
59
Unknown types
2

Dropped files

PID
Process
Filename
Type
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bf9ecb06-2961-4a9b-98c9-16a3a2773e88.tmp
MD5:
SHA256:
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF17d939.TMPtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
3548mshta.exeC:\Users\admin\AppData\Local\Temp\Chrome.jstext
MD5:B8D4F881B9EE2BC2F54936AD92A2F6FC
SHA256:7C838CF19EB6DF006E80D8FAACAD7D745CB9B40757BB6A19A6B98184A019F961
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF17d968.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2752chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF17d91a.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
3548mshta.exeC:\Users\admin\AppData\Local\Temp\download.htahtml
MD5:E3C74677927B09A0BF34C03450E12FEB
SHA256:6FDBFB60B7BF77AC834E6338E1CA58B51B20C46B83034CFE911067C2DA1A57D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3180
WScript.exe
POST
200
130.0.233.178:80
http://63ce76c6.user3.altcoinfan.com/1x1.gif
UA
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3560
chrome.exe
216.58.205.227:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3560
chrome.exe
172.217.22.110:443
ogs.google.com
Google Inc.
US
whitelisted
3560
chrome.exe
172.217.21.237:443
accounts.google.com
Google Inc.
US
whitelisted
3560
chrome.exe
172.217.21.234:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3560
chrome.exe
172.217.22.35:443
www.gstatic.com
Google Inc.
US
whitelisted
3560
chrome.exe
216.58.208.35:443
www.google.com.ua
Google Inc.
US
whitelisted
3560
chrome.exe
216.58.207.46:443
apis.google.com
Google Inc.
US
whitelisted
3560
chrome.exe
172.217.18.99:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3180
WScript.exe
130.0.233.178:80
63ce76c6.user3.altcoinfan.com
ITL Company
UA
malicious

DNS requests

Domain
IP
Reputation
63ce76c6.user3.altcoinfan.com
  • 130.0.233.178
malicious
clientservices.googleapis.com
  • 216.58.205.227
whitelisted
accounts.google.com
  • 172.217.21.237
shared
www.google.com.ua
  • 216.58.208.35
whitelisted
fonts.googleapis.com
  • 172.217.21.234
whitelisted
www.gstatic.com
  • 172.217.22.35
whitelisted
fonts.gstatic.com
  • 172.217.18.99
whitelisted
apis.google.com
  • 216.58.207.46
whitelisted
ogs.google.com
  • 172.217.22.110
whitelisted

Threats

PID
Process
Class
Message
3180
WScript.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (gif)
3180
WScript.exe
A Network Trojan was detected
AV TROJAN TrojanDownloader.Agent CnC Request v1
3180
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.JS.Agent.dwz XORed id/timestamp v2
No debug info