analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2-HPN-2019-G18436.js

Full analysis: https://app.any.run/tasks/9ffd5bf6-2984-4420-8e85-df8231bd09bf
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 19:32:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
emotet
trojan
feodo
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

C3B85967B800F9F28D040F8C91A8F9AD

SHA1:

552E9792700824E9ECBF0A065ED522868637158E

SHA256:

0088ADB4E86956B8B15A3CB45156F74A95644C88CE5572EC601E10DE5BA1BADD

SSDEEP:

3072:4DqwRZ04gpIaGgZIpTRDNRNHfA6wkG1TEd93dnJ+cEmw4K:vp4K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • zdvtodvh1.exe (PID: 2424)
      • zdvtodvh1.exe (PID: 2940)
      • soundser.exe (PID: 4024)
      • soundser.exe (PID: 3700)
      • SSDGB43XiH.exe (PID: 2456)
      • SSDGB43XiH.exe (PID: 2652)
      • soundser.exe (PID: 4048)
      • soundser.exe (PID: 4036)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 1812)

    • Emotet process was detected

      • soundser.exe (PID: 3700)
      • soundser.exe (PID: 4048)

    • EMOTET was detected

      • soundser.exe (PID: 4024)
      • soundser.exe (PID: 4036)

    • Connects to CnC server

      • soundser.exe (PID: 4024)
      • soundser.exe (PID: 4036)

    • Changes the autorun value in the registry

      • soundser.exe (PID: 4024)
      • soundser.exe (PID: 4036)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1812)
      • zdvtodvh1.exe (PID: 2424)
      • soundser.exe (PID: 4024)
      • SSDGB43XiH.exe (PID: 2652)

    • Creates files in the user directory

      • WScript.exe (PID: 1812)

    • Application launched itself

      • zdvtodvh1.exe (PID: 2940)
      • soundser.exe (PID: 3700)
      • SSDGB43XiH.exe (PID: 2456)
      • soundser.exe (PID: 4048)

    • Starts itself from another location

      • zdvtodvh1.exe (PID: 2424)
      • SSDGB43XiH.exe (PID: 2652)

    • Connects to server without host name

      • soundser.exe (PID: 4024)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 3004)
      • WINWORD.EXE (PID: 772)
      • WINWORD.EXE (PID: 2772)
      • WINWORD.EXE (PID: 580)
      • WINWORD.EXE (PID: 1828)
      • WINWORD.EXE (PID: 1012)
      • WINWORD.EXE (PID: 2892)
      • WINWORD.EXE (PID: 2744)
      • WINWORD.EXE (PID: 2676)
      • WINWORD.EXE (PID: 2972)
      • WINWORD.EXE (PID: 392)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 772)
      • WINWORD.EXE (PID: 3004)
      • WINWORD.EXE (PID: 2772)
      • WINWORD.EXE (PID: 580)
      • WINWORD.EXE (PID: 1828)
      • WINWORD.EXE (PID: 1012)
      • WINWORD.EXE (PID: 2744)
      • WINWORD.EXE (PID: 2892)
      • WINWORD.EXE (PID: 392)
      • WINWORD.EXE (PID: 2972)
      • WINWORD.EXE (PID: 2676)

    • Manual execution by user

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 3004)
      • WINWORD.EXE (PID: 772)
      • WINWORD.EXE (PID: 2772)
      • WINWORD.EXE (PID: 580)
      • WINWORD.EXE (PID: 1012)
      • WINWORD.EXE (PID: 1828)
      • WINWORD.EXE (PID: 2676)
      • WINWORD.EXE (PID: 2892)
      • WINWORD.EXE (PID: 2744)
      • WINWORD.EXE (PID: 2972)
      • WINWORD.EXE (PID: 392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
21
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start wscript.exe zdvtodvh1.exe no specs zdvtodvh1.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs ssdgb43xih.exe no specs ssdgb43xih.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1812"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\2-HPN-2019-G18436.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2940"C:\Users\admin\AppData\Local\Temp\zdvtodvh1.exe" C:\Users\admin\AppData\Local\Temp\zdvtodvh1.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
2007 Microsoft Office component
Exit code:
0
Version:
12.0.6500.5000
2424--be3ccf46C:\Users\admin\AppData\Local\Temp\zdvtodvh1.exe
zdvtodvh1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
2007 Microsoft Office component
Exit code:
0
Version:
12.0.6500.5000
3700"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
zdvtodvh1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
2007 Microsoft Office component
Exit code:
0
Version:
12.0.6500.5000
4024--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
2007 Microsoft Office component
Exit code:
0
Version:
12.0.6500.5000
2804"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\surveyonly.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
772"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\~$rveyonly.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3004"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\setsfields.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2772"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\~$tsfields.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
580"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ncaccounting.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
10 104
Read events
9 109
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
25
Unknown types
30

Dropped files

PID
Process
Filename
Type
1812WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\iskhgo7poeevzj2[1].exe
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5924.tmp.cvr
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D855A6DE-4211-4FF1-8FAB-1638C78264FA}.tmp
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5E603C8-1F7D-4973-B0AD-A8BD9DC694DB}.tmp
MD5:
SHA256:
772WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8739.tmp.cvr
MD5:
SHA256:
772WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5DA1B531-068E-49BB-9F86-7AAEBF30E29A}.tmp
MD5:
SHA256:
3004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAFA1.tmp.cvr
MD5:
SHA256:
3004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{711070AA-E2C8-4A3B-B399-CD3F80FC4284}.tmp
MD5:
SHA256:
3004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C65DD13F-7FE9-4F93-9BCC-F3D895CBFA7D}.tmp
MD5:
SHA256:
2772WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD24C.tmp.cvr
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
16
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1812
WScript.exe
GET
302
103.117.212.217:80
http://thepngbusiness.com/wp-content/5ecnu9155/
unknown
suspicious
4024
soundser.exe
POST
186.150.97.69:8080
http://186.150.97.69:8080/sess/devices/ringin/merge/
DO
malicious
1812
WScript.exe
GET
200
45.119.213.95:80
http://mitsubishi-3s.com/wp-content/languages/ly28/
VN
executable
76.6 Kb
suspicious
4024
soundser.exe
POST
201.217.67.3:80
http://201.217.67.3/stubs/jit/ringin/merge/
EC
malicious
4024
soundser.exe
POST
38.143.223.215:8080
http://38.143.223.215:8080/prep/
US
malicious
4024
soundser.exe
POST
181.110.239.26:80
http://181.110.239.26/taskbar/mult/
AR
malicious
4024
soundser.exe
POST
181.16.127.226:443
http://181.16.127.226:443/odbc/
AR
malicious
4024
soundser.exe
POST
181.39.134.122:80
http://181.39.134.122/odbc/ban/
EC
malicious
4036
soundser.exe
GET
200
216.98.148.157:8080
http://216.98.148.157:8080/whoami.php
US
text
13 b
malicious
4036
soundser.exe
POST
200
198.50.170.27:8080
http://198.50.170.27:8080/schema/health/ringin/merge/
CA
binary
148 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4024
soundser.exe
201.217.67.3:80
Satnet
EC
malicious
1812
WScript.exe
134.249.116.78:80
Kyivstar PJSC
UA
suspicious
185.224.138.173:443
seethalekshmiconstructions.com
malicious
181.16.127.226:443
Ver Tv S.A.
AR
malicious
1812
WScript.exe
45.119.213.95:80
mitsubishi-3s.com
VN
suspicious
1812
WScript.exe
103.117.212.217:80
thepngbusiness.com
suspicious
4024
soundser.exe
186.150.97.69:8080
TRICOM
DO
malicious
4036
soundser.exe
159.65.241.220:8080
US
malicious
4024
soundser.exe
38.143.223.215:8080
Cogent Communications
US
malicious
4024
soundser.exe
218.161.88.253:8080
Data Communication Business Group
TW
malicious

DNS requests

Domain
IP
Reputation
seethalekshmiconstructions.com
  • 185.224.138.173
malicious
thepngbusiness.com
  • 103.117.212.217
suspicious
mitsubishi-3s.com
  • 45.119.213.95
suspicious

Threats

PID
Process
Class
Message
1812
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
1812
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
1812
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1812
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1812
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
4024
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 6
4024
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 14
4024
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
4024
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
4024
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
26 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2-HPN-2019-G18436.js