analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://dev.anorthosisfc.com.cy/4o7icc/dcj-p83wgbfnq-box/security-lpa1n-3v5m98u/BsHTRs-nmxmKggx7/

Full analysis: https://app.any.run/tasks/19b72358-9d94-4c61-aae5-9f6d4d01aec3
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: December 06, 2019, 21:50:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
loader
trojan
Indicators:
MD5:

F7B8431304234829E5356645EA69193A

SHA1:

300D097424F8497767274CACC1582F421EA99A2F

SHA256:

516D53712CFD8E63D36A4FBC5A554B33B69EFFF1B8E8A81719A97B7667B65553

SSDEEP:

3:N1KaATwLQ7QdSGDGY2hGNsgFESwhSHrUTCYn:CalLWQ4gG/dg4hIk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • chrome.exe (PID: 2576)
      • chrome.exe (PID: 1584)
      • WINWORD.EXE (PID: 3328)
    • Application was dropped or rewritten from another process

      • 904.exe (PID: 1768)
      • serialfunc.exe (PID: 2520)
      • 904.exe (PID: 3336)
      • serialfunc.exe (PID: 3168)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2096)
    • Emotet process was detected

      • 904.exe (PID: 1768)
    • Connects to CnC server

      • serialfunc.exe (PID: 3168)
    • Changes the autorun value in the registry

      • serialfunc.exe (PID: 3168)
      • CCleaner.exe (PID: 688)
    • EMOTET was detected

      • serialfunc.exe (PID: 3168)
    • Loads the Task Scheduler COM API

      • CCleaner.exe (PID: 3164)
      • CCleaner.exe (PID: 688)
      • CCleaner.exe (PID: 2732)
    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 2732)
      • CCleaner.exe (PID: 688)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • chrome.exe (PID: 1584)
      • WINWORD.EXE (PID: 3328)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1584)
    • Application launched itself

      • WINWORD.EXE (PID: 3328)
      • CCleaner.exe (PID: 2732)
    • Executed via WMI

      • powershell.exe (PID: 2096)
    • PowerShell script executed

      • powershell.exe (PID: 2096)
    • Creates files in the user directory

      • powershell.exe (PID: 2096)
      • CCleaner.exe (PID: 2732)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2096)
      • 904.exe (PID: 1768)
    • Starts itself from another location

      • 904.exe (PID: 1768)
    • Connects to server without host name

      • serialfunc.exe (PID: 3168)
    • Executed via Task Scheduler

      • CCleaner.exe (PID: 2732)
    • Reads internet explorer settings

      • CCleaner.exe (PID: 2732)
      • CCleaner.exe (PID: 688)
    • Reads the cookies of Mozilla Firefox

      • CCleaner.exe (PID: 2732)
    • Reads the cookies of Google Chrome

      • CCleaner.exe (PID: 2732)
    • Low-level read access rights to disk partition

      • CCleaner.exe (PID: 2732)
    • Executed as Windows Service

      • vssvc.exe (PID: 2824)
    • Executed via COM

      • DllHost.exe (PID: 3500)
    • Starts Internet Explorer

      • CCleaner.exe (PID: 2732)
    • Searches for installed software

      • CCleaner.exe (PID: 2732)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2172)
      • iexplore.exe (PID: 3008)
    • Creates files in the user directory

      • iexplore.exe (PID: 3060)
      • iexplore.exe (PID: 2172)
      • WINWORD.EXE (PID: 3328)
      • iexplore.exe (PID: 4060)
    • Manual execution by user

      • chrome.exe (PID: 1584)
      • taskmgr.exe (PID: 2028)
      • CCleaner.exe (PID: 3164)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3060)
      • chrome.exe (PID: 1584)
    • Application launched itself

      • iexplore.exe (PID: 2172)
      • chrome.exe (PID: 1584)
    • Reads the hosts file

      • chrome.exe (PID: 1584)
      • chrome.exe (PID: 2576)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3060)
      • iexplore.exe (PID: 4060)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 284)
      • WINWORD.EXE (PID: 3328)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2576)
      • CCleaner.exe (PID: 2732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
48
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs powershell.exe 904.exe no specs #EMOTET 904.exe chrome.exe no specs serialfunc.exe no specs #EMOTET serialfunc.exe chrome.exe no specs taskmgr.exe no specs ccleaner.exe no specs ccleaner.exe ccleaner.exe SPPSurrogate no specs vssvc.exe no specs iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2172"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3060"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2172 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1584"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3012"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d90a9d0,0x6d90a9e0,0x6d90a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1728"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1096 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
792"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,1827523103337776892,14221237348283553336,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7827386662032339382 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2576"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,1827523103337776892,14221237348283553336,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=7299499286557328423 --mojo-platform-channel-handle=1584 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2204"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1827523103337776892,14221237348283553336,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6712989087008518756 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2396"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1827523103337776892,14221237348283553336,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13478450471621540702 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1827523103337776892,14221237348283553336,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5048373623527086111 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
7 461
Read events
6 133
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
69
Text files
244
Unknown types
28

Dropped files

PID
Process
Filename
Type
2172iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2172iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2172iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFDA545A1C367EFA32.TMP
MD5:
SHA256:
1584chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:
1584chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
MD5:
SHA256:
3060iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txttext
MD5:436A658DE84770A44B9F3BBADE2B6D71
SHA256:241C561CF3CF882B0882C9B0B527E37BC2F684097BB0EF1F44549D2913E20261
1584chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39f353.TMPtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
3060iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:2605C54C78D3FEB551148C3E10F9EE17
SHA256:A5B3EB9725457324AB2E6B3807356F91C079C8EDC487393AC7E676C8C7DBC589
1584chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\06a3846e-eb14-42c4-9253-9f9fa6cd278d.tmp
MD5:
SHA256:
1584chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:768258EEE3510091C97ADE3BCA3DC828
SHA256:1F00CCEBA22A3FA7D0FFFDEBB99B95F0DFE19D2CDA162ABC09FC0D8A6E8FF21D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
40
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2732
CCleaner.exe
GET
301
151.101.0.64:80
http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127
US
whitelisted
2576
chrome.exe
GET
200
104.31.88.250:80
http://dev.anorthosisfc.com.cy/4o7icc/dcj-p83wgbfnq-box/security-lpa1n-3v5m98u/BsHTRs-nmxmKggx7/
US
document
190 Kb
suspicious
2096
powershell.exe
GET
200
68.66.224.42:80
http://jdcc-stu.com/wp-includes/168386/
US
executable
308 Kb
suspicious
3168
serialfunc.exe
POST
200
47.146.42.234:80
http://47.146.42.234/08y3PDZ2ha01f2hc1W
US
flc
132 b
malicious
2576
chrome.exe
GET
200
185.180.12.141:80
http://r2---sn-n02xgoxufvg3-8pxe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-n02xgoxufvg3-8pxe&ms=nvh&mt=1575668927&mv=u&mvi=1&pl=24&shardbypass=yes
AT
crx
293 Kb
whitelisted
2576
chrome.exe
GET
302
172.217.18.174:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
529 b
whitelisted
2576
chrome.exe
GET
302
172.217.18.174:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
534 b
whitelisted
2172
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2576
chrome.exe
GET
200
185.180.12.140:80
http://r1---sn-n02xgoxufvg3-8pxe.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-n02xgoxufvg3-8pxe&ms=nvh&mt=1575668927&mv=u&mvi=0&pl=24&shardbypass=yes
AT
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2172
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2576
chrome.exe
172.217.23.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.22.35:443
www.google.com.ua
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.22.78:443
clients2.google.com
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.22.99:443
fonts.gstatic.com
Google Inc.
US
whitelisted
2576
chrome.exe
216.58.210.3:443
www.gstatic.com
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.23.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.21.238:443
ogs.google.com
Google Inc.
US
whitelisted
2576
chrome.exe
216.58.207.36:443
www.google.com
Google Inc.
US
whitelisted
2576
chrome.exe
172.217.18.174:80
redirector.gvt1.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dev.anorthosisfc.com.cy
  • 104.31.89.250
  • 104.31.88.250
suspicious
clientservices.googleapis.com
  • 172.217.23.99
whitelisted
accounts.google.com
  • 172.217.16.141
shared
www.google.com.ua
  • 172.217.22.35
whitelisted
fonts.googleapis.com
  • 172.217.23.106
whitelisted
www.gstatic.com
  • 216.58.210.3
whitelisted
fonts.gstatic.com
  • 172.217.22.99
whitelisted
apis.google.com
  • 172.217.21.206
whitelisted
ogs.google.com
  • 172.217.21.238
whitelisted

Threats

PID
Process
Class
Message
2576
chrome.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2096
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2096
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2096
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3060
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
3168
serialfunc.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 20
3168
serialfunc.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M5
3168
serialfunc.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M6
3168
serialfunc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
1 ETPRO signatures available at the full report
No debug info