URL: http://timestampindia.com/citech/Document/
Full analysis: https://app.any.run/tasks/8d1404e1-125b-423b-a648-d532e41fd680
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over its lifetime it was upgraded from a banking trojan into a modular loader for other malware, which is what makes it so destructive. It mostly targets corporate victims, but private users are also infected through mass spam-email campaigns.

Analysis date: December 06, 2019, 17:13:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader, emotet, trojan
Indicators:
MD5: 655DDCA4392674E5387057FA5237932D
SHA1: A439646A6A082CB1E492A5DF1B17AED0A2614A62
SHA256: 21AEC177786AF1C0690E96D0EFA22E969C436E3F080FD3D8063872B906A35DF5
SSDEEP: 3:N1KKMZR1xGKrxMyK:CK8R1v0

Note that these are the indicators of the submitted object, not of the executable it led to: an SSDEEP block size of 3 means the hashed input is only a few dozen bytes, consistent with the URL string rather than the 492 Kb LrOqh[1].exe download. Do not push these hashes to an endpoint blocklist expecting them to match the dropped binary.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 2372)
    • Application was dropped or rewritten from another process
      • LrOqh[1].exe (PID: 436)
      • LrOqh[1].exe (PID: 3476)
      • serialfunc.exe (PID: 2764)
      • serialfunc.exe (PID: 3564)
    • Emotet process was detected
      • LrOqh[1].exe (PID: 3476)
    • Connects to CnC server
      • serialfunc.exe (PID: 2764)
    • EMOTET was detected
      • serialfunc.exe (PID: 2764)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 2372)
      • iexplore.exe (PID: 4000)
      • LrOqh[1].exe (PID: 3476)
    • Cleans NTFS data-stream (Zone Identifier)
      • LrOqh[1].exe (PID: 3476)
    • Starts itself from another location
      • LrOqh[1].exe (PID: 3476)
    • Application launched itself
      • serialfunc.exe (PID: 3564)
    • Connects to server without host name
      • serialfunc.exe (PID: 2764)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 4000)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2372)
    • Creates files in the user directory
      • iexplore.exe (PID: 2372)
    • Changes internet zones settings
      • iexplore.exe (PID: 4000)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2372)

Read together, the signatures describe one chain: the Internet Explorer tab process (2372) downloads LrOqh[1].exe and runs it from the browser cache; the second LrOqh[1].exe instance (3476) strips the Zone.Identifier mark-of-the-web from what it drops, copies itself to %LOCALAPPDATA%\serialfunc\serialfunc.exe and starts the copy; serialfunc.exe (2764) then talks to command-and-control servers addressed by bare IP rather than by host name.
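The "Cleans NTFS data-stream (Zone Identifier)" signature refers to the Zone.Identifier alternate data stream that Internet Explorer attaches to downloaded files (the mark-of-the-web). Its ZoneId=3 (Internet) is what makes Windows warn before running an unsigned download, so a sample that deletes the stream before relaunching itself removes that friction. The following is an added example, not part of the ANY.RUN report, that parses the stream's INI-style contents and checks whether a file on NTFS has lost it. The SAMPLE_STREAM text is constructed for the example: IE8 on Windows 7 writes only the ZoneId line, while the ReferrerUrl/HostUrl fields appear on newer Windows versions; the URLs in it are the ones from this report.

```python
"""Mark-of-the-Web (Zone.Identifier) inspection.

Added example, not part of the ANY.RUN report. On NTFS a downloaded file
carries an alternate data stream named "Zone.Identifier" laid out like:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=...
    HostUrl=...

ZoneId 3 (URLZONE_INTERNET) is what triggers the "publisher could not be
verified" prompt (and SmartScreen on newer Windows). A sample that deletes
the stream before starting its copy silences that prompt.
"""
import os
from typing import Optional

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier stream.

    Returns 'ZoneId' (int), 'ZoneName' and any other key=value pairs found
    in the [ZoneTransfer] section. Raises ValueError when the section or
    the ZoneId line is missing, which is not the same as "no stream".
    """
    section = None
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no [ZoneTransfer] ZoneId in stream")
    fields["ZoneId"] = int(fields["ZoneId"])
    fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "unknown")
    return fields


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read and parse <path>:Zone.Identifier; None when the stream is absent.

    Only NTFS exposes the stream through the "file:stream" path syntax; on
    other file systems the open() fails and None is returned, so a None
    result is only meaningful after confirming the volume is NTFS.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None


def motw_stripped(path: str) -> bool:
    """True when the file exists but carries no Zone.Identifier stream."""
    return os.path.isfile(path) and read_zone_identifier(path) is None


# Constructed sample stream (IE8 itself would write only the ZoneId line).
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://timestampindia.com/citech/Document/
HostUrl=http://rmcentre.bigfilmproduction.com/wp-includes/LrOqh/
"""

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId={info['ZoneId']} ({info['ZoneName']}) from {info['HostUrl']}")
```

On a live Windows host the same check can be done with PowerShell's Get-Item -Stream Zone.Identifier; the point of the parser is that the ZoneId value, not the mere presence of the stream, is what decides whether the OS will warn.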
No malware configuration was extracted.
Total processes: 39
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive version in the full report; edges there are labelled "drop and start" or "start", and nodes without signatures are marked "no specs"):

explorer.exe -> iexplore.exe (4000) -> iexplore.exe (2372) -> LrOqh[1].exe (436, no specs) -> LrOqh[1].exe (3476, #EMOTET) -> serialfunc.exe (3564, no specs) -> serialfunc.exe (2764, #EMOTET)

Process information

PID 4000  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://timestampindia.com/citech/Document/"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2372  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4000 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 436  LrOqh[1].exe
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LrOqh[1].exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LrOqh[1].exe
  Parent process: iexplore.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OPENGL MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

PID 3476  LrOqh[1].exe
  CMD: --67cb4401
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LrOqh[1].exe
  Parent process: LrOqh[1].exe
  User: admin
  Integrity Level: MEDIUM
  Description: OPENGL MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

PID 3564  serialfunc.exe
  CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
  Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
  Parent process: LrOqh[1].exe
  User: admin
  Integrity Level: MEDIUM
  Description: OPENGL MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

PID 2764  serialfunc.exe
  CMD: --d6864438
  Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
  Parent process: serialfunc.exe
  User: admin
  Integrity Level: MEDIUM
  Description: OPENGL MFC Application
  Version: 1, 0, 0, 1
  (no exit code: still running when the analysis ended)

Two details worth noting. The IE tab process (2372) runs at LOW integrity (Protected Mode), yet the executable it handed off (436) runs at MEDIUM, so the payload left the browser's low-integrity sandbox. And both instances tagged #EMOTET (3476 and 2764) were started by a first instance of the same image with a command line consisting of nothing but an 8-hex-digit switch; the first instance exits with code 0 once the relaunch is done.
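The self-launch signatures above ("Application launched itself", "Starts itself from another location") and the cache-execution pair are simple functions of the process tree. The following added example, which is not ANY.RUN's signature engine and not code from the report, re-derives them from process records built from the table above. Two things in it are assumptions: the parent PIDs (the table names only the parent image, so the chain is taken from the behavior graph), and the file hash of the dropped binaries, which the report does not give; a placeholder tag is used and serialfunc.exe is given the same tag as LrOqh[1].exe because the report says the sample starts itself from another location, i.e. runs a copy of itself.

```python
"""Re-deriving the report's process-tree signatures from process records.

Added example; not ANY.RUN's own signature code. PROCESSES mirrors the
Process information table. Parent PIDs are inferred from the behavior
graph, and SAMPLE_HASH is a placeholder for the (unlisted) hash of
LrOqh[1].exe, reused for serialfunc.exe because the report identifies the
latter as a copy of the former.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]           # None when the parent is not monitored
    path: str                     # full image path
    cmd: str                      # command line exactly as the sandbox logged it
    sha256: Optional[str] = None  # hash of the image on disk, when known


IE_CACHE = "\\temporary internet files\\content.ie5\\"
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
HEX_SWITCH = re.compile(r"--[0-9a-f]{8}")


def _name(p: Proc) -> str:
    return p.path.rsplit("\\", 1)[-1].lower()


def evaluate(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Return (signature, pid) pairs. For the self-launch signatures the
    pid is the parent, which is the process the sandbox blames too."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits: List[Tuple[str, int]] = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        low_path = p.path.lower()

        # 1. Image executed straight out of the browser cache: fetched from
        #    the Internet and run in place (the "Downloads executable files"
        #    / "Application was dropped" pair in the report).
        if IE_CACHE in low_path and parent is not None and _name(parent) in BROWSERS:
            hits.append(("Executes from browser cache", p.pid))

        if parent is not None:
            if low_path == parent.path.lower():
                # 2. Same image as the parent -> "Application launched itself".
                hits.append(("Application launched itself", parent.pid))
            elif p.sha256 is not None and p.sha256 == parent.sha256:
                # 3. Same bytes, different path -> the parent copied itself
                #    (here to %LOCALAPPDATA%\serialfunc\) and ran the copy.
                hits.append(("Starts itself from another location", parent.pid))

        # 4. Command line is nothing but an 8-hex-digit switch; both
        #    #EMOTET-tagged processes in this report were started that way.
        if HEX_SWITCH.fullmatch(p.cmd.strip()):
            hits.append(("Relaunched with bare hex switch", p.pid))
    return hits


def chain(pid: int, procs: List[Proc]) -> List[str]:
    """Image names from the root of the monitored tree down to pid."""
    by_pid = {p.pid: p for p in procs}
    names: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        names.append(_name(cur))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return names[::-1]


SAMPLE_HASH = "placeholder-hash-of-LrOqh[1].exe"   # not in the report
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CACHE_EXE = (r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
             r"\Content.IE5\LH043OAM\LrOqh[1].exe")
LOCAL_EXE = r"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

PROCESSES = [
    Proc(4000, None, IE, f'"{IE}" "http://timestampindia.com/citech/Document/"'),
    Proc(2372, 4000, IE, f'"{IE}" SCODEF:4000 CREDAT:71937'),
    Proc(436, 2372, CACHE_EXE, f'"{CACHE_EXE}"', SAMPLE_HASH),
    Proc(3476, 436, CACHE_EXE, "--67cb4401", SAMPLE_HASH),
    Proc(3564, 3476, LOCAL_EXE, f'"{LOCAL_EXE}"', SAMPLE_HASH),  # hash assumed: self-copy
    Proc(2764, 3564, LOCAL_EXE, "--d6864438", SAMPLE_HASH),      # hash assumed: self-copy
]

if __name__ == "__main__":
    print(" -> ".join(chain(2764, PROCESSES)))
    for sig, pid in evaluate(PROCESSES):
        print(f"{sig}: PID {pid}")
```

Run stand-alone it prints the six-process chain from the behavior graph and then the signature hits. The only input a real deployment needs that a sandbox has and an EDR export may not is the image hash per process; without it, rule 3 has to fall back on comparing PE metadata such as the "OPENGL MFC Application" description and version shown in the table.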
Total events: 735
Read events: 675
Write events: 60
Delete events: 0

Modification events (10 of the 60 write events are listed; all come from the parent iexplore.exe and are ordinary IE start-up housekeeping, so nothing in this excerpt shows a persistence mechanism)

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write   Name: CompatibilityFlags   Value: 0

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 0

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 1

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Operation: write   Name: SecuritySafe   Value: 1

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write   Name: ProxyEnable   Value: 0

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write   Name: SavedLegacySettings   Value: (binary value not present in this excerpt)

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  Operation: write   Name: {C66E0CBD-184B-11EA-AB41-5254004A04AF}   Value: 0

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Type   Value: 4

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Count   Value: 2

PID 4000 iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Time   Value: E3070C000500060011000D0035008F00
  (a little-endian SYSTEMTIME: year 0x07E3 = 2019, month 12, weekday 5 = Friday, day 6, 17:13:53.143, matching the analysis date)
Executable files: 3
Suspicious files: 0
Text files: 28
Unknown types: 4

Dropped files (only a subset of the 35 files counted above is listed; the three executable drops, LrOqh[1].exe written by iexplore.exe and the serialfunc.exe copy written by LrOqh[1].exe (PID 3476) among them, are not in this excerpt, which holds IE cache housekeeping files only)

PID 4000  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type: (not given)   MD5: (not listed)   SHA256: (not listed)

PID 4000  iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not given)   MD5: (not listed)   SHA256: (not listed)

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: FB61509DCE4C1F6473AB74C67E5AA30D
  SHA256: 93944F3FF56D0003D5DD9ABD6DDB9CB4496F609B80FE3E31F6E8D80FAD2695DE

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat
  MD5: 1EBC792FE724C0C5C9BFAF7E47A8AA96
  SHA256: 54544ABAA0D3D9554D57E2ECE8F1B597B65EC1603193D131ECDFB4DEBC23AED5

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
  Type: smt
  MD5: 5B62C13D97D3E9A8A72D46CA5136DCAB
  SHA256: 4F053C5055E702BB748E9931D4931CC3474C241F98C488FD3D9F49D2B0DDB238

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9UXVF8AI\desktop.ini
  Type: ini
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\66TUW33G\desktop.ini
  Type: ini
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LLZCCW3\favcenter[1]
  Type: image
  MD5: 25D76EE5FB5B890F2CC022D94A42FE19
  SHA256: 07D07A467E4988D3C377ACD6DC9E53ABCA6B64E8FBF70F6BE19D795A1619289B

PID 2372  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1DUXQ40Q\desktop.ini
  Type: ini
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID 4000  iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
  Type: image
  MD5: 9FB559A691078558E77D6848202F6541
  SHA256: 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
HTTP(S) requests: 11
TCP/UDP connections: 19
DNS requests: 3
Threats: 0 (summary counter as shown on the page; the Threats table below lists 10 IDS alerts)

HTTP requests (columns: PID, process, method, HTTP code, server IP:port, URL, country of the server IP, content type, size, reputation; the POST rows have no code, type or size recorded)

2372  iexplore.exe    GET   200  206.221.182.74:80     http://rmcentre.bigfilmproduction.com/wp-includes/LrOqh/   US       executable  492 Kb  malicious
2372  iexplore.exe    GET   200  206.221.182.74:80     http://rmcentre.bigfilmproduction.com/wp-includes/LrOqh/   US       executable  492 Kb  malicious
2372  iexplore.exe    GET   301  103.117.180.4:80      http://timestampindia.com/citech/Document/                 unknown  html        251 b   suspicious
2372  iexplore.exe    GET   301  103.117.180.4:80      http://timestampindia.com/citech/Document/                 unknown  html        251 b   suspicious
2764  serialfunc.exe  POST  -    108.179.206.219:8080  http://108.179.206.219:8080/iUjGM5tBa5k5rAi                US       -           -       malicious
2764  serialfunc.exe  POST  -    107.2.2.28:80         http://107.2.2.28/U67eF                                    US       -           -       malicious
2764  serialfunc.exe  POST  -    59.110.18.236:443     http://59.110.18.236:443/dms1RIeQsq3yvHHkTL                CN       -           -       malicious
2764  serialfunc.exe  POST  -    12.229.155.122:80     http://12.229.155.122/nDveaAINp9vjZ10p4nM                  US       -           -       malicious
2764  serialfunc.exe  POST  -    45.56.88.91:443       http://45.56.88.91:443/Ded9o1gWn46UeiR                     US       -           -       malicious
2764  serialfunc.exe  POST  -    108.191.2.72:80       http://108.191.2.72/T6CPzaDd5kUvjON                        US       -           -       malicious

The submitted URL answers with a 301, and the executable is then fetched from rmcentre.bigfilmproduction.com (the "opendir" tag refers to that /wp-includes/LrOqh/ directory on a WordPress host). The C2 rows are plain HTTP even on port 443, as the http:// scheme shows, which is why the IDS could match the POST bodies (see the Threats table).
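The six C2 rows share three traits that are cheap to check in any HTTP or proxy log: the request goes to a bare IP literal (no hostname, so no DNS lookup and nothing for a domain blocklist to catch), some of it is plaintext HTTP on port 443, and every URI is a single random-looking alphanumeric path segment. The following added example, which is not ANY.RUN tooling or code from the report, encodes those checks and runs them over LOG, a constructed set of lines in a "pid process method code ip:port url" layout copied from the table above; the www.bing.com line is a made-up benign control that is not in the report.

```python
"""Flagging Emotet-style C2 traffic in HTTP logs.

Added example, not ANY.RUN tooling. LOG is constructed from the report's
HTTP requests table (the www.bing.com line is an invented benign control).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

RANDOM_SEGMENT = re.compile(r"[A-Za-z0-9]{5,24}")


@dataclass
class Finding:
    pid: int
    process: str
    method: str
    ip: str
    port: int
    url: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # A POST straight to an IP literal is enough on its own; anything
        # else needs two independent oddities to keep false positives down.
        if self.method == "POST" and "bare IP host" in self.reasons:
            return True
        return len(self.reasons) >= 2


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_request(pid: int, process: str, method: str,
                    ip: str, port: int, url: str) -> Finding:
    f = Finding(pid, process, method, ip, port, url)
    u = urlsplit(url)
    if _is_ip_literal(u.hostname or ""):
        f.reasons.append("bare IP host")
    if u.scheme == "http" and port == 443:
        f.reasons.append("plaintext HTTP on port 443")
    segments = [s for s in u.path.split("/") if s]
    if (method == "POST" and not u.query and len(segments) == 1
            and RANDOM_SEGMENT.fullmatch(segments[0])):
        f.reasons.append("POST to a single random-looking path segment")
    return f


def analyse_log(text: str) -> List[Finding]:
    """Parse 'pid process method code ip:port url' lines into Findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, process, method, _code, endpoint, url = line.split()
        ip, port = endpoint.rsplit(":", 1)
        findings.append(inspect_request(int(pid), process, method, ip, int(port), url))
    return findings


def c2_iocs(findings: List[Finding]) -> List[str]:
    """Distinct ip:port pairs of flagged requests, in numeric IP order."""
    pairs = {(ipaddress.ip_address(f.ip), f.port) for f in findings if f.flagged}
    return [f"{ip}:{port}" for ip, port in sorted(pairs)]


LOG = """\
2372 iexplore.exe GET 200 206.221.182.74:80 http://rmcentre.bigfilmproduction.com/wp-includes/LrOqh/
2372 iexplore.exe GET 301 103.117.180.4:80 http://timestampindia.com/citech/Document/
2764 serialfunc.exe POST - 108.179.206.219:8080 http://108.179.206.219:8080/iUjGM5tBa5k5rAi
2764 serialfunc.exe POST - 107.2.2.28:80 http://107.2.2.28/U67eF
2764 serialfunc.exe POST - 59.110.18.236:443 http://59.110.18.236:443/dms1RIeQsq3yvHHkTL
2764 serialfunc.exe POST - 12.229.155.122:80 http://12.229.155.122/nDveaAINp9vjZ10p4nM
2764 serialfunc.exe POST - 45.56.88.91:443 http://45.56.88.91:443/Ded9o1gWn46UeiR
2764 serialfunc.exe POST - 108.191.2.72:80 http://108.191.2.72/T6CPzaDd5kUvjON
4000 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico
"""

if __name__ == "__main__":
    results = analyse_log(LOG)
    for f in results:
        if f.flagged:
            print(f"PID {f.pid} {f.process} {f.method} {f.url}: " + "; ".join(f.reasons))
    print("block list:", ", ".join(c2_iocs(results)))
```

The two iexplore.exe downloads are deliberately not flagged: the download stage is caught by the file-based signatures and the "Terse Named Filename EXE Download" IDS rule, whereas this check is aimed at the post-infection beaconing, which has no hostname for a DNS or web-filter control to act on.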

Connections (columns: PID, process, IP:port, domain, ASN, country, reputation; "-" where the report gives no value)

2764  serialfunc.exe  107.2.2.28:80         -                                ASN: Comcast Cable Communications, LLC          US  malicious
4000  iexplore.exe    204.79.197.200:80     www.bing.com                     ASN: Microsoft Corporation                      US  whitelisted
2372  iexplore.exe    103.117.180.4:443     timestampindia.com               ASN: -                                          -   suspicious
2372  iexplore.exe    206.221.182.74:80     rmcentre.bigfilmproduction.com   ASN: Choopa, LLC                                US  malicious
2764  serialfunc.exe  12.229.155.122:80     -                                ASN: AT&T Services, Inc.                        US  malicious
2372  iexplore.exe    103.117.180.4:80      timestampindia.com               ASN: -                                          -   suspicious
2764  serialfunc.exe  108.179.206.219:8080  -                                ASN: CyrusOne LLC                               US  malicious
2764  serialfunc.exe  45.56.88.91:443       -                                ASN: Linode, LLC                                US  malicious
2764  serialfunc.exe  108.191.2.72:80       -                                ASN: BRIGHT HOUSE NETWORKS, LLC                 US  malicious
2764  serialfunc.exe  59.110.18.236:443     -                                ASN: Hangzhou Alibaba Advertising Co.,Ltd.      CN  malicious

DNS requests

timestampindia.com -> 103.117.180.4 (suspicious)
www.bing.com -> 204.79.197.200, 13.107.21.200 (whitelisted)
rmcentre.bigfilmproduction.com -> 206.221.182.74 (malicious)

Only the download stage resolves names; none of the six C2 endpoints appears here because serialfunc.exe addresses them by IP.

Threats (IDS alerts; columns: PID, process, class, message)

2372  iexplore.exe    A Network Trojan was detected         ET POLICY Terse Named Filename EXE Download - Possibly Hostile
2372  iexplore.exe    Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2372  iexplore.exe    Misc activity                          ET INFO EXE - Served Attached HTTP
2372  iexplore.exe    A Network Trojan was detected         ET POLICY Terse Named Filename EXE Download - Possibly Hostile
2372  iexplore.exe    A Network Trojan was detected         ET POLICY Terse Named Filename EXE Download - Possibly Hostile
2372  iexplore.exe    Misc activity                          ET INFO EXE - Served Attached HTTP
2372  iexplore.exe    A Network Trojan was detected         ET POLICY Terse Named Filename EXE Download - Possibly Hostile
2764  serialfunc.exe  A Network Trojan was detected         ET CNC Feodo Tracker Reported CnC Server group 2
2764  serialfunc.exe  A Network Trojan was detected         ET TROJAN Win32/Emotet CnC Activity (POST) M5
2764  serialfunc.exe  A Network Trojan was detected         ET TROJAN Win32/Emotet CnC Activity (POST) M6
Debug info: none.