analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dovidka.chm

Full analysis: https://app.any.run/tasks/beb408c1-0f03-40ba-bd1b-5ca3c67193f5
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 04, 2022, 22:42:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5:

2556A9E1D5E9874171F51620E5C5E09A

SHA1:

AFFC2B19D9FB8080A7211C3ED0718F2C3D3887DF

SHA256:

7F0511B09B1AB3A64C8827DD8AF017ACBF7D2688DB31A5D98FEA8A5029A89D56

SSDEEP:

6144:6hK9QF9IF78JuiKgnheEVfh+x6I/c0mGkBZ6w5+2yrBnx:d9QFq78JuiBnheEVqvcBZ6ws7nx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WScript.exe (PID: 4004)
    • Writes to a start menu file

      • WScript.exe (PID: 4004)
    • Loads dropped or rewritten executable

      • regasm.exe (PID: 3740)
  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 296)
    • Executes scripts

      • hh.exe (PID: 296)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 296)
    • Reads the computer name

      • WScript.exe (PID: 4004)
      • wscript.exe (PID: 416)
      • regasm.exe (PID: 3740)
    • Checks supported languages

      • WScript.exe (PID: 4004)
      • wscript.exe (PID: 416)
      • regasm.exe (PID: 3740)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 4004)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WScript.exe (PID: 4004)
    • Drops a file with a compile date too recent

      • WScript.exe (PID: 4004)
    • Creates files in the user directory

      • WScript.exe (PID: 4004)
  • INFO

    • Checks supported languages

      • hh.exe (PID: 296)
    • Reads the computer name

      • hh.exe (PID: 296)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 4004)
      • wscript.exe (PID: 416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.chm | Windows HELP File (18.9)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start hh.exe no specs wscript.exe wscript.exe no specs regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
296"C:\Windows\hh.exe" "C:\Users\admin\Desktop\dovidka.chm"C:\Windows\hh.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4004"C:\Windows\System32\WScript.exe" "C:\Users\Public\ignit.vbs" C:\Windows\System32\WScript.exe
hh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
416"C:\Windows\System32\wscript.exe" //B //E:vbs C:\Users\Public\Favorites\desktop.iniC:\Windows\System32\wscript.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3740"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dllC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Total events
1 186
Read events
1 159
Write events
27
Delete events
0

Modification events

(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(296) hh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(416) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(416) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(416) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
1
Suspicious files
0
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
296hh.exeC:\Users\Public\ignit.vbstext
MD5:BD65D0D59F6127B28F0AF8A7F2619588
SHA256:92F69DE0D45AD88654A6EEF720A6F6B6DB090AFB67BA0EBA5F9B77F504EA6280
4004WScript.exeC:\UsErs\pUbLIc\LIbRARiES\core.dllexecutable
MD5:D2A795AF12E937EB8A89D470A96F15A5
SHA256:E97F1D6EC1AA3F7C7973D57074D1D623833F0E9B1C1E53F81AF92C057A1FDD72
4004WScript.exeC:\usErs\puBLIC\fAVORIteS\desktop.initext
MD5:A9DCAF1C709F96BC125C8D1262BAC4B6
SHA256:570EBD7F9951485B7415F685AE3349E62580309C9955B14DDA4734A318EDECA9
3740regasm.exeC:\Users\admin\AppData\Local\Temp\TmpF3E2.tmptext
MD5:990E17CD51D14BBEACEE89F21B28705D
SHA256:DE22544C2A009F4ED7FAA2645CB6A4B889B81B1852F3FECDFEBB2D63A2078D72
296hh.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\image[1].jpgimage
MD5:9CF2EE018A565C00E811897E6056A5A2
SHA256:CFD05F02C88A5E0385580E4DCE40F346713C6949DB34AC99E1AE15BB5B1591DD
4004WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Prefetch.lNklnk
MD5:FB418BB5BD3E592651D0A4F9AE668962
SHA256:C76FB28B6910BB0714FAB5B84363EBF2082FD59DDB0BB95166635583554D7AB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3740
regasm.exe
194.195.211.98:8443
xbeta.online
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
xbeta.online
  • 194.195.211.98
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)
No debug info