URL: http://kunstraum.fh-mainz.de/US/ACH/11_18/

Full analysis: https://app.any.run/tasks/e6e6ee69-063f-4dfe-869b-f899071f0f59
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 14, 2018, 21:34:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, emotet, trojan, feodo
Indicators:
MD5: 31F37DE208BEDAB78BD6DAD7010C43CA
SHA1: 08A22D6FED35C6B80D9083D4ED4FC163B51B5087
SHA256: 298362C995A7065C4EE4D3C4D02DE88AC162D8107C56E2C5D1516A7A26B4D30D
SSDEEP: 3:N1KVQfkMrKyojn:C69fGn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 556)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 556)
    • Application was dropped or rewritten from another process

      • lpiograd.exe (PID: 2068)
      • mjY.exe (PID: 2072)
      • lpiograd.exe (PID: 3328)
      • mjY.exe (PID: 3948)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 1508)
    • Emotet process was detected

      • lpiograd.exe (PID: 2068)
    • EMOTET was detected

      • lpiograd.exe (PID: 3328)
    • Changes the autorun value in the registry

      • lpiograd.exe (PID: 3328)
    • Connects to CnC server

      • lpiograd.exe (PID: 3328)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • firefox.exe (PID: 3464)
      • WINWORD.EXE (PID: 2764)
      • WINWORD.EXE (PID: 556)
    • Application launched itself

      • WINWORD.EXE (PID: 2764)
      • WINWORD.EXE (PID: 556)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3336)
    • Creates files in the user directory

      • powershell.exe (PID: 1508)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1508)
      • mjY.exe (PID: 3948)
    • Starts itself from another location

      • mjY.exe (PID: 3948)
    • Connects to unusual port

      • lpiograd.exe (PID: 3328)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3700)
      • iexplore.exe (PID: 4084)
      • firefox.exe (PID: 3464)
      • WINWORD.EXE (PID: 2764)
    • Changes internet zones settings

      • iexplore.exe (PID: 3700)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4084)
    • Application launched itself

      • iexplore.exe (PID: 3700)
      • firefox.exe (PID: 3464)
    • Reads internet explorer settings

      • iexplore.exe (PID: 4084)
    • Reads CPU info

      • firefox.exe (PID: 3464)
      • firefox.exe (PID: 3880)
      • firefox.exe (PID: 2612)
      • firefox.exe (PID: 2448)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 556)
      • WINWORD.EXE (PID: 2764)
      • WINWORD.EXE (PID: 3220)
      • WINWORD.EXE (PID: 3672)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3464)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 16
Malicious processes: 8
Suspicious processes: 0

Behavior graph

The graph is interactive in the full report; its nodes, in order, are: start → drop and start → drop and start; iexplore.exe, iexplore.exe, firefox.exe (×4), winword.exe (×4, no specs), cmd.exe (no specs), powershell.exe, mjy.exe (no specs), mjy.exe, #EMOTET lpiograd.exe (no specs), #EMOTET lpiograd.exe.

Process information

PID: 3700
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 4084
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3700 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3464
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 61.0.2

PID: 3880
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3464.0.1987087499\1018762239" -childID 1 -isForBrowser -prefsHandle 708 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3464 "\\.\pipe\gecko-crash-server-pipe.3464" 1472 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2612
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3464.6.166535309\2030531806" -childID 2 -isForBrowser -prefsHandle 2324 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3464 "\\.\pipe\gecko-crash-server-pipe.3464" 2292 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2448
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3464.12.2086468396\763244134" -childID 3 -isForBrowser -prefsHandle 2944 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3464 "\\.\pipe\gecko-crash-server-pipe.3464" 2940 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2764
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FORM-27305778790206.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: firefox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 556
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FORM-27305778790206.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: firefox.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3220
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3672
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Total events: 5 012
Read events: 4 209
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 66
Text files: 26
Unknown types: 37

Dropped files (PID, process, filename; type and hashes are shown only where the report lists them)

  • 3700 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  • 3700 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  • 3700 iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF0E4EBD9A3879FB7E.TMP
  • 3700 iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF24A9487A91213BFE.TMP
  • 3700 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0CB69D61-E855-11E8-A505-5254004AAD11}.dat
  • 3464 firefox.exe  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
  • 3464 firefox.exe  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
  • 3464 firefox.exe  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
  • 3464 firefox.exe  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
  • 3464 firefox.exe  C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js  (type: text)
    MD5: B9A273E2C1DABBB6D989632EABE0AEC7
    SHA256: FA716C7437DFD3688BD580176DF8F4EDE804A862AADDF43E7E0405D235D26B10
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 20
DNS requests: 67
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1508 | powershell.exe | GET | 301 | 185.216.113.5:80 | http://vovsigorta.com/JSG351p | TR | html | 238 b | malicious
3464 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
4084 | iexplore.exe | GET | 200 | 143.93.113.47:80 | http://kunstraum.fh-mainz.de/US/ACH/11_18/ | DE | document | 84.3 Kb | suspicious
1508 | powershell.exe | GET | 200 | 185.216.113.5:80 | http://vovsigorta.com/JSG351p/ | TR | executable | 424 Kb | malicious
3464 | firefox.exe | GET | 200 | 143.93.113.47:80 | http://kunstraum.fh-mainz.de/US/ACH/11_18/ | DE | document | 84.3 Kb | suspicious
3464 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3464 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3464 | firefox.exe | POST | 200 | 216.58.206.14:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
3328 | lpiograd.exe | GET | 200 | 50.78.167.65:7080 | http://50.78.167.65:7080/ | US | binary | 148 b | malicious
3464 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections (empty cells are empty in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
3700 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3464 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4084 | iexplore.exe | 143.93.113.47:80 | kunstraum.fh-mainz.de | Johannes Gutenberg-Universitaet Mainz | DE | suspicious
1508 | powershell.exe | 185.216.113.5:80 | vovsigorta.com |  | TR | malicious
3464 | firefox.exe | 216.58.206.14:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3328 | lpiograd.exe | 50.78.167.65:7080 |  | Comcast Cable Communications, LLC | US | malicious
3464 | firefox.exe | 52.37.207.140:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
3464 | firefox.exe | 216.58.206.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3464 | firefox.exe | 54.230.202.238:443 | tracking-protection.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
3464 | firefox.exe | 52.34.90.23:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP(s) | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
kunstraum.fh-mainz.de | 143.93.113.47 | suspicious
detectportal.firefox.com | 2.16.186.50, 2.16.186.112, 2.18.213.65, 2.18.213.82 | whitelisted
a1089.dscd.akamai.net | 2.16.186.112, 2.16.186.50, 2.18.213.82, 2.18.213.65 | whitelisted
search.services.mozilla.com | 34.208.206.25, 52.39.244.38, 34.213.14.244 | whitelisted
search.r53-2.services.mozilla.com | 34.213.14.244, 52.39.244.38, 34.208.206.25 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
tiles.services.mozilla.com | 52.37.207.140, 52.41.60.30, 52.39.131.77, 52.40.109.206, 54.186.208.153, 52.41.78.152, 52.34.107.172, 52.43.40.243, 54.218.239.186, 34.208.7.98, 34.209.108.219, 54.187.46.234 | whitelisted
tiles.r53-2.services.mozilla.com | 52.43.40.243, 52.34.107.172, 52.41.78.152, 54.186.208.153, 52.40.109.206, 52.39.131.77, 52.41.60.30, 52.37.207.140, 54.187.46.234, 34.209.108.219, 34.208.7.98, 54.218.239.186 | whitelisted

Threats

PID | Process | Class | Message
4084 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro
4084 | iexplore.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt
4084 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
4084 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
3464 | firefox.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt
3464 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro
3464 | firefox.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
3464 | firefox.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
1508 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1508 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2

1 ETPRO signature is available in the full report
No debug info