analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

yiGt-RZXt7eA5v69nyWP_iVHIWlUfQ-SD

Full analysis: https://app.any.run/tasks/ec844b74-ec95-461c-bb25-6647aeaad3c4
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: April 25, 2019, 05:37:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
feodo
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

11F1DCF2495E7EB2CF238334C7657357

SHA1:

120752F684893B2322398E076C31C85D2155069B

SHA256:

8250D12BFCD40EACD10CD6BA5A4F66D4BBF56D26B9E49099A0BA9E7FBC21E1B5

SSDEEP:

192:H8koDAV86iwRD6fcNOZ6ayphj2q/BXY5DTyZS0mOSm5oQfuwK:ckoDB6DRmENS6Rhj2qoDWS0mOSu2F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • y3w9h9mb2.exe (PID: 1848)
      • soundser.exe (PID: 3364)
      • y3w9h9mb2.exe (PID: 3532)
      • soundser.exe (PID: 1080)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 832)
    • EMOTET was detected

      • soundser.exe (PID: 3364)
    • Emotet process was detected

      • soundser.exe (PID: 1080)
    • Connects to CnC server

      • soundser.exe (PID: 3364)
  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 636)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 832)
      • y3w9h9mb2.exe (PID: 3532)
    • Creates files in the user directory

      • WScript.exe (PID: 832)
    • Starts itself from another location

      • y3w9h9mb2.exe (PID: 3532)
    • Connects to server without host name

      • soundser.exe (PID: 3364)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:04:25 08:23:04
ZipCRC: 0x6b18eab8
ZipCompressedSize: 6680
ZipUncompressedSize: 28422
ZipFileName: ID_9949653_04252019.js
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs wscript.exe y3w9h9mb2.exe no specs y3w9h9mb2.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
636"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\yiGt-RZXt7eA5v69nyWP_iVHIWlUfQ-SD.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
832"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa636.19762\ID_9949653_04252019.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1848"C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe" C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exeWScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3532--4ba4c94C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe
y3w9h9mb2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1080"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
y3w9h9mb2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3364--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
909
Read events
863
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
832WScript.exeC:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exeexecutable
MD5:0E7DA3EB5E6D3D0E49C91F2108BB647C
SHA256:358685BD63F4E40864316F226A77E67FA99DA1329FEBA49A6E2D99DD7B6A7A63
3532y3w9h9mb2.exeC:\Users\admin\AppData\Local\soundser\soundser.exeexecutable
MD5:0E7DA3EB5E6D3D0E49C91F2108BB647C
SHA256:358685BD63F4E40864316F226A77E67FA99DA1329FEBA49A6E2D99DD7B6A7A63
636WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa636.19762\ID_9949653_04252019.jstext
MD5:B4C8024C33C0DEA394C99D0DEF9719AF
SHA256:B7FD23FEB71F19A87E0130334F8DCBC28479DB18FBD6BA0A89E9A64DC525C919
832WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@al-awalcentre[1].txttext
MD5:1A91E20B5E25030A3154D432EA4A19AD
SHA256:EE88079CCA9EB12758EF68F8B023A2F18FF46D13315CBD0BDEBBDA4BC15BF335
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3364
soundser.exe
POST
24.150.44.53:80
http://24.150.44.53/vermont/cab/
CA
malicious
832
WScript.exe
GET
200
108.167.140.175:80
http://al-awalcentre.com/wp-content/Q2sF/
US
executable
78.0 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3364
soundser.exe
24.150.44.53:80
Cogeco Cable
CA
malicious
832
WScript.exe
108.167.140.175:80
al-awalcentre.com
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
al-awalcentre.com
  • 108.167.140.175
malicious

Threats

PID
Process
Class
Message
832
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
832
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
832
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
832
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3364
soundser.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 17
No debug info