analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | dovidka.chm |
| Full analysis: | https://app.any.run/tasks/d898e3a6-1d39-4de5-be9d-bade445274e5 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | October 05, 2022, 02:01:47 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | MS Windows HtmlHelp Data |
| MD5: | 2556A9E1D5E9874171F51620E5C5E09A |
| SHA1: | AFFC2B19D9FB8080A7211C3ED0718F2C3D3887DF |
| SHA256: | 7F0511B09B1AB3A64C8827DD8AF017ACBF7D2688DB31A5D98FEA8A5029A89D56 |
| SSDEEP: | 6144:6hK9QF9IF78JuiKgnheEVfh+x6I/c0mGkBZ6w5+2yrBnx:d9QFq78JuiBnheEVqvcBZ6ws7nx |
MALICIOUS
Drops executable file immediately after starts
- WScript.exe (PID: 1280)
Writes to a start menu file
- WScript.exe (PID: 1280)
Loads dropped or rewritten executable
- regasm.exe (PID: 2696)
SUSPICIOUS
Executes scripts
- hh.exe (PID: 3456)
Reads Microsoft Outlook installation path
- hh.exe (PID: 3456)
Reads internet explorer settings
- hh.exe (PID: 3456)
Checks supported languages
- WScript.exe (PID: 1280)
- wscript.exe (PID: 2972)
- regasm.exe (PID: 2696)
Reads the computer name
- WScript.exe (PID: 1280)
- wscript.exe (PID: 2972)
- regasm.exe (PID: 2696)
Writes to a desktop.ini file (may be used to cloak folders)
- WScript.exe (PID: 1280)
Executable content was dropped or overwritten
- WScript.exe (PID: 1280)
Drops a file with a compile date too recent
- WScript.exe (PID: 1280)
Creates files in the user directory
- WScript.exe (PID: 1280)
INFO
Checks supported languages
- hh.exe (PID: 3456)
- WINWORD.EXE (PID: 3484)
- WINWORD.EXE (PID: 1012)
Reads the computer name
- hh.exe (PID: 3456)
- WINWORD.EXE (PID: 3484)
- WINWORD.EXE (PID: 1012)
Checks Windows Trust Settings
- WScript.exe (PID: 1280)
- wscript.exe (PID: 2972)
Manual execution by user
- WINWORD.EXE (PID: 3484)
- WINWORD.EXE (PID: 1012)
Creates files in the user directory
- WINWORD.EXE (PID: 3484)
- WINWORD.EXE (PID: 1012)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3484)
- WINWORD.EXE (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .chm | | | Windows HELP File (18.9) |
|---|
Total processes
44
Monitored processes
6
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3456 | "C:\Windows\hh.exe" "C:\Users\admin\Desktop\dovidka.chm" | C:\Windows\hh.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 1280 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\ignit.vbs" | C:\Windows\System32\WScript.exe | hh.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
| 2972 | "C:\Windows\System32\wscript.exe" //B //E:vbs C:\Users\Public\Favorites\desktop.ini | C:\Windows\System32\wscript.exe | — | hh.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
| 2696 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | wscript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.0.30319.34209 built by: FX452RTMGDR | ||||
| 3484 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\northernyourself.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
| 1012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\solutionsteachers.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
Total events
6 953
Read events
6 303
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
4
Text files
5
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A05.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE1C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3484 | WINWORD.EXE | C:\Users\admin\Desktop\~$rthernyourself.rtf | pgc | |
MD5:793ECD931377FAEA7546CB422ECE0C0D | SHA256:7CAC4E50AD8E140E8D5B05BCDE952D878A75F6D1C6A8E46EB9A485705CD89190 | |||
| 3484 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F6B0EFE9F74DACE20BB3574B70C2F0B6 | SHA256:6F21B0618C07F648D4F3581CF0174FC0FF8AD001CC067CA711944C8CC5E029AA | |||
| 3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{78EB866F-2205-43DF-9783-0B1B62A56176}.tmp | dbf | |
MD5:5F2F5AC5F7F9F2AA9CEADE8428EF08E9 | SHA256:9F27EDD3D07EA807AE84D1215FCF64C76D22218AEFE3CC0966C035D2FC914050 | |||
| 1280 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Prefetch.lNk | lnk | |
MD5:FB418BB5BD3E592651D0A4F9AE668962 | SHA256:C76FB28B6910BB0714FAB5B84363EBF2082FD59DDB0BB95166635583554D7AB4 | |||
| 3484 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\northernyourself.rtf.LNK | lnk | |
MD5:0F834D7C85227FE756E3F9E5DD9F7002 | SHA256:AE012ADCE0DFFDD779F279F559772CE1A5F8EF39E0A746C1A52237F737424651 | |||
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\solutionsteachers.rtf.LNK | lnk | |
MD5:BCC5705D4B93D4AB53993383390C7324 | SHA256:73A3F9EC92FC900070332282BB656BFA1B677A50589639C8D631C1FB15042EA1 | |||
| 3484 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:5D6364F631C83147CCFEEC9F01C0784A | SHA256:D4EB4F8048C4C49C5B64C489BFEC179767EE7CF3EDAFDFE774176D721BB636F5 | |||
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FBAD269F92C58221D1078EA014FEA5F0 | SHA256:9999CD1CF3234BC18A154A6521413CDC019F8D6B914124DAC34177EED7CA4A2B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2696 | regasm.exe | 194.195.211.98:8443 | xbeta.online | Linode, LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
xbeta.online |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET TROJAN TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online) |