File name: PROD_Start_DriverPack.hta.zip

Full analysis: https://app.any.run/tasks/90149905-598a-444d-a385-d217c9f308d6
Verdict: Malicious activity
Analysis date: July 19, 2023, 10:46:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F9E5B8C4B36D9AD6E85D4D4B46D642C6
SHA1: 8D91D7BFE52A10EBC18680730A39490153D890CD
SHA256: EB593312D7A731CF576CA065B5EF3EB44FBEF84C5BE6ED95D3C0E4FD896A116C
SSDEEP: 24:JC+zC0IKLdOgZI6zgQDWKHrBR697HbT0E0baAFfQdCpddp:JCmHXocIwaK9ofybaA6CpN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • mshta.exe (PID: 1416)
    • Process requests binary or script from the Internet

      • mshta.exe (PID: 1416)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 1416)
    • Manual execution by a user

      • mshta.exe (PID: 1416)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 1416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: PROD_Start_DriverPack.hta
ZipUncompressedSize: 1672
ZipCompressedSize: 726
ZipCRC: 0x26c4cab9
ZipModifyDate: 2023:07:19 09:54:52
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe (no specs), mshta.exe

Process information

PID: 1416
CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\Desktop\PROD_Start_DriverPack.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\sechost.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
PID: 3468
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PROD_Start_DriverPack.hta.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 1 725
Read events: 1 692
Write events: 33
Delete events: 0

Modification events

Process: WinRAR.exe (PID 3468)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: WinRAR.exe (PID 3468)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: mshta.exe (PID 1416)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 0
Text files: 16
Unknown types: 0

Dropped files

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\4[1].js
Type: text
MD5: B21247B2428E6D9F72405EB1A2F5F75C
SHA256: 9DDF298484BD63F71CFF04DD81E00913266FA8D71793E2C26F3B7B215067812C

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\5[1].js
Type: text
MD5: AEEE81BB12D7059393E42828191765C2
SHA256: F9156E0C0A06207EB66A51AB364A05E37E0273242F9373F8378F6E0DEB705D0B

Process: WinRAR.exe (PID 3468)
Filename: C:\Users\admin\Desktop\PROD_Start_DriverPack.hta
Type: html
MD5: DDA846A4704EFC2A03E1F8392E6F1FFC
SHA256: E9DC9648D8FB7D943431459F49A7D9926197C2D60B3C2B6A58294FD75B672B25

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\matomo[1].htm
Type: text
MD5: 51C8E2EC2D4A042736B88F1BE1BE5B7E
SHA256: 481BEEA6F83C5C784276DF3BFB8693CC60C0CE8EF0A2CB8F47D624E2D6C9B076

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\lang[1].js
Type: html
MD5: 0F8AA7C95F02FF49F1FBAE3D5817F2F9
SHA256: 685F7D5BF2AF77F561B24F8E4B2363503A76690D70B179BB55B161317BA47676

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\missing-scripts-detector[1].js
Type: text
MD5: 5BB70933199563BD95A85E9D58D0920B
SHA256: 915A03DDD5D887CE43185A21FD9927FFCFC6E8F373D80D6FB0BFE96E65C029CD

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\style[1].css
Type: text
MD5: 817F995CDDC5BB427032EB7286FCDA39
SHA256: F3BDB1D94F79EFD344620028E69EB6BC4AADCA69081E9A9E91D5389E6BFD6DFB

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\download_and_av[1].htm
Type: html
MD5: DAE972AFAE277C877DBD1373B2202BAB
SHA256: 87569B2EEC82C09EB4828761B1B95D58016924EDB54BE2BBD72014E7B3A41EF7

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\step1_av[1].htm
Type: html
MD5: D9C4EDD8648B146931B486C8FC4853F1
SHA256: C36CFE0BBA2E4B111968E9899B82A5FD6829949D8BA4BF31D0448C86904D7AA0

Process: mshta.exe (PID 1416)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\1[1].js
Type: text
MD5: 4BDB642A191FD4BF5A806A7B7478633A
SHA256: 494AACB6BA9D44FED47D20ADEA0FF2C597E6E1439C4D0694BC9EECB4AF77D096
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 9
DNS requests: 2
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js | IE | text | 2.48 Kb | malicious
 | | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js | IE | text | 1.27 Kb | malicious
1416 | mshta.exe | GET | 200 | 18.157.122.248:80 | http://example-dwrapper.matomo.cloud/matomo.php?idsite=1&rec=1&rand=48181058&apiv=1&cookie=1&bots=1&res=1280x720&h=11&m=47&s=51&uid=4586200752023719&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 | US | text | 101 b | suspicious
1416 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/lang.js | IE | html | 65.6 Kb | malicious
1416 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js | IE | text | 1.13 Kb | malicious
1416 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/script.js | IE | text | 3.47 Kb | malicious
1416 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/statistics.js | IE | text | 7.94 Kb | malicious
1416 | mshta.exe | GET | 200 | 54.73.53.134:80 | http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js | IE | text | 1.27 Kb | malicious
1416 | mshta.exe | GET | 200 | 54.73.53.134:80 | http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js | IE | text | 1.76 Kb | malicious
1416 | mshta.exe | GET | 200 | 54.73.53.134:80 | http://dwrapper-prod.herokuapp.com/bin/download_and_av.html | IE | html | 2.33 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1416 | mshta.exe | 46.137.15.86:80 | dwrapper-prod.herokuapp.com | AMAZON-02 | IE | suspicious
2640 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1416 | mshta.exe | 54.73.53.134:80 | dwrapper-prod.herokuapp.com | AMAZON-02 | IE | suspicious
1416 | mshta.exe | 18.157.122.248:80 | example-dwrapper.matomo.cloud | AMAZON-02 | DE | suspicious
1416 | mshta.exe | 3.126.133.169:80 | example-dwrapper.matomo.cloud | AMAZON-02 | DE | suspicious

DNS requests

Domain: dwrapper-prod.herokuapp.com
IP:
  • 46.137.15.86
  • 54.73.53.134
  • 54.220.192.176
Reputation: malicious

Domain: example-dwrapper.matomo.cloud
IP:
  • 18.157.122.248
  • 3.126.133.169
  • 18.195.235.189
Reputation: suspicious

Threats

PID | Process | Class | Message
1416 | mshta.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
1416 | mshta.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
2 ETPRO signatures available at the full report
No debug info