URL: http://turningspeech.com/rm44r5z/usg/

Full analysis: https://app.any.run/tasks/78f01b4f-8e48-4c55-91fa-95e4c7e24818
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: March 14, 2019, 18:19:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet, trojan, feodo
Indicators:
MD5: 76913BDC217147AF86B95793A6F86C3C
SHA1: 363DAFFA13183B99E925DF7F6AA0C40E4595DBC4
SHA256: 4DDE14EB7B26CD29CDD93FD6EBF24F7F9DA35B45C387C4E4D4C184B7238BE467
SSDEEP: 3:N1KKQ0YwXRV:CKJYwhV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • tDj9i.exe (PID: 3136)
      • tDj9i.exe (PID: 3980)
      • wabmetagen.exe (PID: 2996)
      • wabmetagen.exe (PID: 3712)
      • tDj9i.exe (PID: 3592)
      • tDj9i.exe (PID: 2464)
      • wabmetagen.exe (PID: 4052)
      • wabmetagen.exe (PID: 3500)
    • Emotet process was detected
      • wabmetagen.exe (PID: 3712)
    • EMOTET was detected
      • wabmetagen.exe (PID: 2996)
      • wabmetagen.exe (PID: 4052)
    • Connects to CnC server
      • wabmetagen.exe (PID: 2996)
      • wabmetagen.exe (PID: 4052)
    • Downloads executable files from the Internet
      • firefox.exe (PID: 4060)
      • chrome.exe (PID: 2720)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • chrome.exe (PID: 2720)
      • firefox.exe (PID: 4060)
      • tDj9i.exe (PID: 3980)
      • tDj9i.exe (PID: 2464)
    • Application launched itself
      • tDj9i.exe (PID: 3136)
      • wabmetagen.exe (PID: 3712)
      • tDj9i.exe (PID: 3592)
      • wabmetagen.exe (PID: 3500)
    • Cleans NTFS data-stream (Zone Identifier)
      • tDj9i.exe (PID: 3980)
      • tDj9i.exe (PID: 2464)
    • Starts itself from another location
      • tDj9i.exe (PID: 3980)
    • Removes files from Windows directory
      • tDj9i.exe (PID: 2464)
  • INFO
    • Reads CPU info
      • firefox.exe (PID: 3012)
      • firefox.exe (PID: 3728)
      • firefox.exe (PID: 4060)
      • firefox.exe (PID: 3868)
    • Reads Internet Cache Settings
      • firefox.exe (PID: 4060)
    • Application launched itself
      • firefox.exe (PID: 4060)
      • chrome.exe (PID: 2720)
    • Dropped object may contain Bitcoin addresses
      • firefox.exe (PID: 4060)
    • Reads settings of System Certificates
      • chrome.exe (PID: 2720)
      • firefox.exe (PID: 4060)
    • Creates files in the user directory
      • firefox.exe (PID: 4060)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 22
Malicious processes: 8
Suspicious processes: 0

Behavior graph

(Interactive process graph, not reproduced here. Processes shown in the graph: chrome.exe, firefox.exe, tdj9i.exe, wabmetagen.exe (tagged #EMOTET), explorer.exe, PhotoViewer.dll, taskmgr.exe.)

Process information

PID: 2720
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" http://turningspeech.com/rm44r5z/usg/
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 68.0.3440.106

PID: 3560
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6fe000b0,0x6fe000c0,0x6fe000cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 2796
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2724 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3928
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=8593F8F35E58DC355323114D3D5705DE --mojo-platform-channel-handle=992 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 2868
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --service-pipe-token=19AB4E5C600EE1E38D9CE321EB1B1376 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=19AB4E5C600EE1E38D9CE321EB1B1376 --renderer-client-id=4 --mojo-platform-channel-handle=1856 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3216
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --service-pipe-token=8CE6459909630871E402E93051F602F7 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8CE6459909630871E402E93051F602F7 --renderer-client-id=3 --mojo-platform-channel-handle=2088 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 1236
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,7358489227563244169,12394431903020360121,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=84A7C5614B6737460D15900C2685F927 --mojo-platform-channel-handle=1680 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 4060
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 61.0.2

PID: 3868
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.0.1802621202\1019517774" -childID 1 -isForBrowser -prefsHandle 1360 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 1484 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 3012
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4060.6.1721429660\186918859" -childID 2 -isForBrowser -prefsHandle 2496 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4060 "\\.\pipe\gecko-crash-server-pipe.4060" 2528 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2
Total events: 1 470
Read events: 1 394
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 10
Suspicious files: 77
Text files: 89
Unknown types: 47

Dropped files

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\aa9fc74b-2fd4-47ce-8f31-42e7cab3b320.tmp
  Type, MD5, SHA256: not shown in the report

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
  Type, MD5, SHA256: not shown in the report

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
  Type, MD5, SHA256: not shown in the report

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3f3cf24d-7756-4c7f-8cf2-e8b67792e327.tmp
  Type, MD5, SHA256: not shown in the report

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1ada73.TMP
  Type: text
  MD5: 197882774A7ECEC9046BC48F63189B66
  SHA256: 27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1ada34.TMP
  Type: text
  MD5: 92BE6B127E72365885AD4C3FB6534EE2
  SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
  Type: text
  MD5: 197882774A7ECEC9046BC48F63189B66
  SHA256: 27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF1ada92.TMP
  Type: text
  MD5: 1AA66EFDB743FB0A8DCC1CD79B0B6542
  SHA256: 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  Type: text
  MD5: 92BE6B127E72365885AD4C3FB6534EE2
  SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID 2720, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
  Type: text
  MD5: 1AA66EFDB743FB0A8DCC1CD79B0B6542
  SHA256: 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 38
DNS requests: 94
Threats: 0

HTTP requests

PID   Process         Method  Code  IP                  URL                                                                                              CN  Type        Size     Reputation
2996  wabmetagen.exe  GET     -     50.80.248.108:443   http://50.80.248.108:443/                                                                        US  -           -        malicious
2996  wabmetagen.exe  GET     -     187.233.152.78:443  http://187.233.152.78:443/                                                                       MX  -           -        malicious
4052  wabmetagen.exe  GET     -     50.80.248.108:443   http://50.80.248.108:443/                                                                        US  -           -        malicious
4052  wabmetagen.exe  GET     -     187.233.152.78:443  http://187.233.152.78:443/                                                                       MX  -           -        malicious
4052  wabmetagen.exe  GET     -     41.220.119.246:80   http://41.220.119.246/                                                                           KE  -           -        malicious
4060  firefox.exe     GET     200   178.128.41.189:80   http://turningspeech.com/rm44r5z/usg/                                                            GR  executable  359 Kb   suspicious
4060  firefox.exe     GET     200   205.185.216.10:80   http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab   US  compressed  55.2 Kb  whitelisted
2720  chrome.exe      GET     200   178.128.41.189:80   http://turningspeech.com/rm44r5z/usg/                                                            GR  executable  359 Kb   suspicious
4060  firefox.exe     GET     200   178.128.41.189:80   http://turningspeech.com/rm44r5z/usg/                                                            GR  executable  359 Kb   suspicious
4060  firefox.exe     POST    200   93.184.220.29:80    http://ocsp.digicert.com/                                                                        US  der         471 b    whitelisted

(A dash marks a column the report left empty for that request.)

Connections

PID   Process      IP                  Domain                         ASN                                                      CN  Reputation
2720  chrome.exe   172.217.23.131:443  clientservices.googleapis.com  Google Inc.                                              US  whitelisted
2720  chrome.exe   216.58.210.4:443    www.google.com                 Google Inc.                                              US  whitelisted
2720  chrome.exe   216.58.210.14:443   sb-ssl.google.com              Google Inc.                                              US  whitelisted
4060  firefox.exe  2.16.186.112:80     detectportal.firefox.com       Akamai International B.V.                                -   whitelisted
4060  firefox.exe  93.184.220.29:80    ocsp.digicert.com              MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
2720  chrome.exe   178.128.41.189:80   turningspeech.com              Forthnet                                                 GR  suspicious
2720  chrome.exe   216.58.208.35:443   www.gstatic.com                Google Inc.                                              US  whitelisted
4060  firefox.exe  35.164.130.113:443  tiles.services.mozilla.com     Amazon.com, Inc.                                         US  unknown
4060  firefox.exe  34.213.175.109:443  search.services.mozilla.com    Amazon.com, Inc.                                         US  unknown
2720  chrome.exe   172.217.18.13:443   accounts.google.com            Google Inc.                                              US  whitelisted

DNS requests

Domain                         IP                                              Reputation
clientservices.googleapis.com  172.217.23.131                                  whitelisted
turningspeech.com              178.128.41.189                                  suspicious
www.gstatic.com                216.58.208.35                                   whitelisted
accounts.google.com            172.217.18.13                                   shared
sb-ssl.google.com              216.58.210.14                                   whitelisted
ssl.gstatic.com                216.58.207.35                                   whitelisted
www.google.com                 216.58.210.4                                    whitelisted
www.google.de                  216.58.207.35                                   whitelisted
search.services.mozilla.com    34.213.175.109, 35.166.112.39, 52.88.150.81     whitelisted
detectportal.firefox.com       2.16.186.112, 2.16.186.50                       whitelisted

Threats

PID   Process         Class                                  Message
2720  chrome.exe      Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2720  chrome.exe      Misc activity                          ET INFO EXE - Served Attached HTTP
2720  chrome.exe      Misc activity                          ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
4060  firefox.exe     Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
4060  firefox.exe     Misc activity                          ET INFO EXE - Served Attached HTTP
4060  firefox.exe     Misc activity                          ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2996  wabmetagen.exe  A Network Trojan was detected          MALWARE [PTsecurity] Feodo HTTP request
4060  firefox.exe     Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
4060  firefox.exe     Misc activity                          ET INFO EXE - Served Attached HTTP
4060  firefox.exe     Misc activity                          ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
4 ETPRO signatures available at the full report
No debug info