analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dovidka.chm

Full analysis: https://app.any.run/tasks/925369af-b34c-4663-8c3d-9c45114a13cc
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: October 04, 2022, 19:43:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

2556A9E1D5E9874171F51620E5C5E09A

SHA1:

AFFC2B19D9FB8080A7211C3ED0718F2C3D3887DF

SHA256:

7F0511B09B1AB3A64C8827DD8AF017ACBF7D2688DB31A5D98FEA8A5029A89D56

SSDEEP:

6144:6hK9QF9IF78JuiKgnheEVfh+x6I/c0mGkBZ6w5+2yrBnx:d9QFq78JuiBnheEVqvcBZ6ws7nx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WScript.exe (PID: 972)

    • Loads dropped or rewritten executable

      • regasm.exe (PID: 2832)

    • Writes to a start menu file

      • WScript.exe (PID: 972)

  • SUSPICIOUS

    • Reads the computer name

      • WScript.exe (PID: 972)
      • wscript.exe (PID: 3208)
      • regasm.exe (PID: 2832)

    • Executes scripts

      • hh.exe (PID: 1824)

    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 1824)

    • Reads internet explorer settings

      • hh.exe (PID: 1824)

    • Checks supported languages

      • WScript.exe (PID: 972)
      • wscript.exe (PID: 3208)
      • regasm.exe (PID: 2832)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • WScript.exe (PID: 972)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 972)

    • Drops a file with a compile date too recent

      • WScript.exe (PID: 972)

    • Creates files in the user directory

      • WScript.exe (PID: 972)

  • INFO

    • Reads the computer name

      • hh.exe (PID: 1824)
      • WINWORD.EXE (PID: 2652)

    • Checks supported languages

      • hh.exe (PID: 1824)
      • WINWORD.EXE (PID: 2652)

    • Checks Windows Trust Settings

      • WScript.exe (PID: 972)
      • wscript.exe (PID: 3208)

    • Manual execution by user

      • WINWORD.EXE (PID: 2652)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2652)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chm | Windows HELP File (18.9)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start hh.exe no specs wscript.exe wscript.exe no specs regasm.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1824"C:\Windows\hh.exe" "C:\Users\admin\Desktop\dovidka.chm"C:\Windows\hh.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
972"C:\Windows\System32\WScript.exe" "C:\Users\Public\ignit.vbs" C:\Windows\System32\WScript.exe
hh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3208"C:\Windows\System32\wscript.exe" //B //E:vbs C:\Users\Public\Favorites\desktop.iniC:\Windows\System32\wscript.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2832"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dllC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
2652"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\standardimplementation.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
4 188
Read events
3 842
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
5
Unknown types
9

Dropped files

PID
Process
Filename
Type
2652WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4FD1.tmp.cvr
MD5:
SHA256:
2652WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\standardimplementation.rtf.LNKlnk
MD5:C76FB94405B0F3113E4F5D8D9337E18C
SHA256:B27E7AD4152545D97BB1509127859D2EE76125B38E2753F2FC1049232DF33871
2652WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:410D9AA98DA10346E1D591B7FAF876EB
SHA256:DF729A04FF2E8A0620E4FFC3BA9DEAB588023ED04DD57B4E3A17186C7A397971
2652WINWORD.EXEC:\Users\admin\Desktop\~$andardimplementation.rtfpgc
MD5:26685CD8B1863BCB2BFDB02E9C6AF368
SHA256:BA7296F3E40336FCFB67F4D13F239C00921BFA36D5476934267621D1BFB35BB5
2652WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:D729FFC448904C31B90B435930FBAA3F
SHA256:8A4E7F285947D74A3B2F413D9FA6935B16A36D83AD019BFC8CBD5ED6D6A19376
2652WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{29BC8943-55CD-43FC-A534-20455A241161}.tmpdbf
MD5:F7C4A60D7150A51EC5941A6AEC385209
SHA256:A826B950D40F4D81A54CAD6F50F3A1FEB5FB944575AE42B2DB3234CE29D9A938
2652WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6B81C1EA-8314-4F42-ADF7-86B8BC9D47B9}.tmpbinary
MD5:FFCA6DC5DE5BD4BA588C247D844EA06B
SHA256:3CC36AF331C90EECE3C55FA853B4F257B8A92288D0CFA3A94BC5C3F47FFFE902
1824hh.exeC:\Users\admin\AppData\Local\Temp\~DF9DE44CB24808A2BD.TMPbinary
MD5:72F5C05B7EA8DD6059BF59F50B22DF33
SHA256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
972WScript.exeC:\usErs\puBLIC\fAVORIteS\desktop.initext
MD5:A9DCAF1C709F96BC125C8D1262BAC4B6
SHA256:570EBD7F9951485B7415F685AE3349E62580309C9955B14DDA4734A318EDECA9
1824hh.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\image[1].jpgimage
MD5:9CF2EE018A565C00E811897E6056A5A2
SHA256:CFD05F02C88A5E0385580E4DCE40F346713C6949DB34AC99E1AE15BB5B1591DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2832
regasm.exe
194.195.211.98:8443
xbeta.online
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
xbeta.online
  • 194.195.211.98
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
dovidka.chm