analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://psicologiagrupal.cl/wp-admin/Document/RmzptR0Aqc/

Full analysis: https://app.any.run/tasks/695d0c5f-0579-41cc-824b-747844a10454
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 04:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
emotet
trojan
evasion
Indicators:
MD5:

51C3C14C47190341D2C1D38EABF4B78D

SHA1:

AB0997D7CD4864D42C3F9614224C1F78B9478BBA

SHA256:

3CEA886872101ECBF93C090D8C915FF9C994F3452BD4B326864A5A9AFB1F8AFF

SSDEEP:

3:N1KOWZPMUSVgHSIesIfVR+Ud:CO6PMLVgXi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 3252)

    • Application was dropped or rewritten from another process

      • s5ucq1gez.exe (PID: 3452)
      • soundser.exe (PID: 1488)
      • soundser.exe (PID: 2328)
      • s5ucq1gez.exe (PID: 2584)
      • soundser.exe (PID: 2436)
      • irh9ujw7p.exe (PID: 3564)
      • irh9ujw7p.exe (PID: 2824)
      • soundser.exe (PID: 2236)
      • soundser.exe (PID: 1824)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3252)
      • WScript.exe (PID: 3344)

    • Emotet process was detected

      • soundser.exe (PID: 2328)
      • soundser.exe (PID: 1488)
      • soundser.exe (PID: 2236)

    • EMOTET was detected

      • soundser.exe (PID: 1488)
      • soundser.exe (PID: 1824)

    • Changes the autorun value in the registry

      • soundser.exe (PID: 1488)

    • Connects to CnC server

      • soundser.exe (PID: 1488)
      • soundser.exe (PID: 1824)

    • Actions looks like stealing of personal data

      • soundser.exe (PID: 2436)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 2800)

    • Creates files in the user directory

      • WScript.exe (PID: 3252)
      • notepad++.exe (PID: 3648)
      • WScript.exe (PID: 3344)
      • notepad++.exe (PID: 1636)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3252)
      • s5ucq1gez.exe (PID: 2584)
      • WScript.exe (PID: 3344)
      • irh9ujw7p.exe (PID: 2824)

    • Application launched itself

      • s5ucq1gez.exe (PID: 3452)
      • soundser.exe (PID: 1488)
      • irh9ujw7p.exe (PID: 3564)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 3252)

    • Starts itself from another location

      • s5ucq1gez.exe (PID: 2584)
      • irh9ujw7p.exe (PID: 2824)

    • Connects to server without host name

      • soundser.exe (PID: 1488)
      • soundser.exe (PID: 1824)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2652)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 3860)
      • chrome.exe (PID: 2652)

    • Reads CPU info

      • firefox.exe (PID: 3860)

    • Creates files in the user directory

      • firefox.exe (PID: 3860)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3860)

    • Reads settings of System Certificates

      • firefox.exe (PID: 3860)
      • chrome.exe (PID: 2652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
80
Monitored processes
45
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winrar.exe no specs winrar.exe no specs wscript.exe wscript.exe s5ucq1gez.exe no specs s5ucq1gez.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe notepad++.exe gup.exe notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs soundser.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs irh9ujw7p.exe no specs irh9ujw7p.exe chrome.exe no specs #EMOTET soundser.exe no specs #EMOTET soundser.exe notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
3860"C:\Program Files\Mozilla Firefox\firefox.exe" http://psicologiagrupal.cl/wp-admin/Document/RmzptR0Aqc/C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
3576"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.0.1901447722\1602548640" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1096 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
2844"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.6.2133247515\1421928084" -childID 1 -isForBrowser -prefsHandle 1592 -prefMapHandle 1620 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1656 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
1976"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.13.96294375\918596104" -childID 2 -isForBrowser -prefsHandle 2576 -prefMapHandle 2580 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2592 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
2036"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.20.914971783\1810452744" -childID 3 -isForBrowser -prefsHandle 3112 -prefMapHandle 2696 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3492 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
2368"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Document_71555621849US_Apr_24_2019.zip"C:\Program Files\WinRAR\WinRAR.exefirefox.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2800"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Document_71555621849US_Apr_24_2019.zip"C:\Program Files\WinRAR\WinRAR.exefirefox.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3344"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2800.24965\Document_71555621849US_Apr_24_2019.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3252"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2800.25329\Document_71555621849US_Apr_24_2019.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3452"C:\Users\admin\AppData\Local\Temp\s5ucq1gez.exe" C:\Users\admin\AppData\Local\Temp\s5ucq1gez.exeWScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
3 574
Read events
3 338
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
179
Text files
143
Unknown types
39

Dropped files

PID
Process
Filename
Type
3860firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3860firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash6227
MD5:
SHA256:
3860firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3860firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3860firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
3860firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:2EDB16BAAB71D3A265960F122CC9A3D8
SHA256:3A3C81D31180EB9A36856792D4D6FE72FDDA61AF20DA1FEC484F1D3BDFC8B1B7
3860firefox.exeC:\Users\admin\AppData\Local\Temp\Q7C4Lc9c.zip.partcompressed
MD5:6027A36937B66BBE3318905649FF08E2
SHA256:3E2E9BF53512E54612C743E939E05201C2935E46D97AC682D0473A1682E8211C
3860firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.binbinary
MD5:D9ED8FC36E44323FC4D590096318834E
SHA256:541A10EF812806C4A23386FFFFDCB5352B2F35E373681788774A27CB82581EE5
3860firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3860firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:6BA0DD87A8D8DA5F9BDD3C635AA035E4
SHA256:D3AEE1EE9848245D1C41AD416BD0ED21C6CC2C4E6B991DA361443ED656FE897B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
79
DNS requests
87
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3252
WScript.exe
GET
200
192.254.250.49:80
http://lisasdoggydaycare.com/wp-includes/zq_e/
US
executable
78.0 Kb
malicious
1488
soundser.exe
POST
70.116.68.186:80
http://70.116.68.186/mult/balloon/
US
malicious
1488
soundser.exe
POST
68.229.130.39:80
http://68.229.130.39/enable/schema/ringin/merge/
US
malicious
3860
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3860
firefox.exe
POST
200
216.58.210.3:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
GET
200
2.20.190.11:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
3860
firefox.exe
GET
200
199.102.227.230:80
http://psicologiagrupal.cl/wp-admin/Document/RmzptR0Aqc/
US
compressed
14.4 Kb
unknown
2652
chrome.exe
GET
302
216.58.205.238:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
505 b
whitelisted
3860
firefox.exe
GET
200
95.101.0.43:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
3860
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3860
firefox.exe
172.217.23.170:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3860
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3860
firefox.exe
52.10.42.204:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3860
firefox.exe
95.101.0.43:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3860
firefox.exe
199.102.227.230:80
psicologiagrupal.cl
ServInt
US
unknown
3860
firefox.exe
54.149.115.79:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3860
firefox.exe
52.85.184.119:443
snippets.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
3860
firefox.exe
54.230.93.21:443
content-signature.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
3860
firefox.exe
52.27.128.21:443
incoming.telemetry.mozilla.org
Amazon.com, Inc.
US
unknown
3860
firefox.exe
54.230.93.116:443
tracking-protection.cdn.mozilla.net
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 95.101.0.43
  • 95.101.0.210
  • 2.16.186.50
  • 2.16.186.112
whitelisted
psicologiagrupal.cl
  • 199.102.227.230
unknown
a1089.dscd.akamai.net
  • 95.101.0.210
  • 95.101.0.43
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.services.mozilla.com
  • 52.10.42.204
  • 52.27.229.90
  • 54.200.51.65
whitelisted
search.r53-2.services.mozilla.com
  • 54.200.51.65
  • 52.27.229.90
  • 52.10.42.204
whitelisted
tiles.services.mozilla.com
  • 54.149.115.79
  • 52.34.132.219
  • 52.35.250.5
  • 52.43.91.152
  • 52.26.103.165
  • 52.42.232.148
  • 52.88.59.160
  • 52.43.40.243
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.43.40.243
  • 52.88.59.160
  • 52.42.232.148
  • 52.26.103.165
  • 52.43.91.152
  • 52.35.250.5
  • 52.34.132.219
  • 54.149.115.79
whitelisted
snippets.cdn.mozilla.net
  • 52.85.184.119
whitelisted
drcwo519tnci7.cloudfront.net
  • 52.85.184.119
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
3860
firefox.exe
Misc activity
ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
3252
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3252
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3252
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3252
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3252
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1488
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
1488
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
1488
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
1488
soundser.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
10 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://psicologiagrupal.cl/wp-admin/Document/RmzptR0Aqc/