analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://lsmanga.com/migration/Documentation/3il51eedt/

Full analysis: https://app.any.run/tasks/3d644f42-935a-4b5a-88be-d027839249c2
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 09:54:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
emotet
emotet-doc
Indicators:
MD5:

18060B8D00F6238A36C74EC56A886C86

SHA1:

3256D6566F8D851C24440619E4AE3AC81EDDCB69

SHA256:

486CD9B503B6DFEB428E6F3EEEFD4C386677BB286F83C5DE9DD94F1E7326B442

SSDEEP:

3:N8W5L5lMf3deBfL0nn:2W5L5lCuL0nn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • R0cx8yuqw.exe (PID: 2800)
      • logagent.exe (PID: 3168)

    • Downloads executable files from the Internet

      • POwersheLL.exe (PID: 4040)

    • Changes the autorun value in the registry

      • logagent.exe (PID: 3168)

    • EMOTET was detected

      • logagent.exe (PID: 3168)

    • Connects to CnC server

      • logagent.exe (PID: 3168)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • chrome.exe (PID: 2180)
      • WINWORD.EXE (PID: 2484)

    • Executed via WMI

      • POwersheLL.exe (PID: 4040)

    • Application launched itself

      • WINWORD.EXE (PID: 2484)

    • PowerShell script executed

      • POwersheLL.exe (PID: 4040)

    • Creates files in the user directory

      • POwersheLL.exe (PID: 4040)

    • Starts itself from another location

      • R0cx8yuqw.exe (PID: 2800)

    • Executable content was dropped or overwritten

      • POwersheLL.exe (PID: 4040)
      • R0cx8yuqw.exe (PID: 2800)

    • Reads Internet Cache Settings

      • logagent.exe (PID: 3168)

    • Connects to server without host name

      • logagent.exe (PID: 3168)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 312)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2180)

    • Application launched itself

      • chrome.exe (PID: 2180)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2452)
      • WINWORD.EXE (PID: 2484)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
23
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs powershell.exe chrome.exe no specs r0cx8yuqw.exe #EMOTET logagent.exe chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2180"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://lsmanga.com/migration/Documentation/3il51eedt/"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3468"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f15a9d0,0x6f15a9e0,0x6f15a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
760"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1132 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3892"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17191927959528747929 --mojo-platform-channel-handle=968 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
312"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=14963924282178254788 --mojo-platform-channel-handle=1644 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8787435580482550042 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
4080"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8815520218967758566 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3604"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2009572070850946910 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3388"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=7484848336569016575 --mojo-platform-channel-handle=3404 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1980"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,16576500779170203290,16853254496559968880,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5502718508223718962 --mojo-platform-channel-handle=3500 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
3 875
Read events
2 842
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
24
Text files
77
Unknown types
8

Dropped files

PID
Process
Filename
Type
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F7455D3-884.pma
MD5:
SHA256:
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\997f4066-62ca-458e-bef5-d58e49751bce.tmp
MD5:
SHA256:
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000046.dbtmp
MD5:
SHA256:
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:D33038DC70A58F2AC0EA1823980691AE
SHA256:6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF3ba588.TMPtext
MD5:D33038DC70A58F2AC0EA1823980691AE
SHA256:6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF3ba578.TMPtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old~RF3ba5f5.TMPtext
MD5:3401B14F6B2624E5E44EB20FB8735443
SHA256:E32F20AE6528B8952EE2FF112DACEE4E9005868B7DAF85D3533B6F0135403875
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF3ba588.TMPtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2180chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4040
POwersheLL.exe
GET
200
103.97.125.60:80
http://datvietquan.com/wp-content/wra6K/
VN
executable
400 Kb
suspicious
3168
logagent.exe
POST
200
104.131.123.136:443
http://104.131.123.136:443/sC9UhlF0TzRbGHIh/
US
binary
132 b
malicious
3168
logagent.exe
POST
104.193.103.61:80
http://104.193.103.61/sWhfNbX2bf5X35Kp/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
312
chrome.exe
216.58.207.46:443
clients2.google.com
Google Inc.
US
whitelisted
312
chrome.exe
104.24.105.214:443
lsmanga.com
Cloudflare Inc
US
suspicious
312
chrome.exe
35.190.80.1:443
a.nel.cloudflare.com
Google Inc.
US
suspicious
312
chrome.exe
172.217.22.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted
312
chrome.exe
172.217.22.67:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
312
chrome.exe
142.250.74.205:443
accounts.google.com
Google Inc.
US
whitelisted
35.190.80.1:443
a.nel.cloudflare.com
Google Inc.
US
suspicious
312
chrome.exe
172.217.16.206:443
sb-ssl.google.com
Google Inc.
US
whitelisted
312
chrome.exe
104.24.104.214:443
lsmanga.com
Cloudflare Inc
US
unknown
3168
logagent.exe
104.131.123.136:443
Digital Ocean, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.67
whitelisted
lsmanga.com
  • 104.24.105.214
  • 104.24.104.214
  • 172.67.168.23
unknown
accounts.google.com
  • 142.250.74.205
shared
ssl.gstatic.com
  • 172.217.22.3
whitelisted
clients2.google.com
  • 216.58.207.46
whitelisted
a.nel.cloudflare.com
  • 35.190.80.1
whitelisted
sb-ssl.google.com
  • 172.217.16.206
whitelisted
datvietquan.com
  • 103.97.125.60
suspicious
www.gstatic.com
  • 216.58.206.3
whitelisted
safebrowsing.googleapis.com
  • 216.58.212.138
whitelisted

Threats

PID
Process
Class
Message
4040
POwersheLL.exe
A Network Trojan was detected
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
4040
POwersheLL.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4040
POwersheLL.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4040
POwersheLL.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3168
logagent.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
3168
logagent.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
4040
POwersheLL.exe
A Network Trojan was detected
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
3168
logagent.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://lsmanga.com/migration/Documentation/3il51eedt/