File name: Invoice.41032.xls.zip

Full analysis: https://app.any.run/tasks/05af787b-2657-428d-ab82-cd7f71902eec
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: February 21, 2020, 16:35:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, maldoc-48, emotet-doc, emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 7B1764EAFA411E820F9FBC737AB7B4DD
SHA1: B560F2D936BF0D9F798FFE61F2B2C3A050662841
SHA256: 91CDE62FBAB942A7DC511314799F0EDCE6BE6E0D24FF60F68FFFC509315D809F
SSDEEP: 3072:l0k3hbdlylKsgqopeJBWhZFGkE+cL2NdHzyF0Vi4m+Oi9l1isYgmNWl1oH2HUU:Kk3hbdlylKsgqopeJBWhZFVE+W2Nd+Fm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3552)
      • EXCEL.EXE (PID: 1248)
    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2564)
    • Unusual connect from Microsoft Office

      • EXCEL.EXE (PID: 3552)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3356)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3552)
      • WINWORD.EXE (PID: 2576)
      • EXCEL.EXE (PID: 1248)
    • Manual execution by user

      • WINWORD.EXE (PID: 2576)
      • chrome.exe (PID: 3356)
      • explorer.exe (PID: 3432)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2576)
      • EXCEL.EXE (PID: 1248)
      • EXCEL.EXE (PID: 3552)
    • Reads the hosts file

      • chrome.exe (PID: 3356)
      • chrome.exe (PID: 3108)
    • Application launched itself

      • chrome.exe (PID: 3356)
    • Connects to unusual port

      • chrome.exe (PID: 3108)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3108)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | Open Packaging Conventions container (81.3)
.zip | ZIP compressed archive (18.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:02:17 12:38:26
ZipCRC: 0x15e991ff
ZipCompressedSize: 185344
ZipUncompressedSize: 185344
ZipFileName: Invoice.41032.xls
All screenshots are available in the full report
Total processes: 84
Monitored processes: 44
Malicious processes: 0
Suspicious processes: 2

Behavior graph

(Interactive graph available in the full report. Process chain shown: winrar.exe, excel.exe, winword.exe, chrome.exe and its many child chrome.exe processes, a second excel.exe, and explorer.exe; most chrome.exe children are marked "no specs".)

Process information

Each record: PID, parent process, command line (CMD), image path, and process metadata. No indicators were recorded for any of the listed processes.

PID 2564 | Parent: explorer.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.41032.xls.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 3552 | Parent: WinRAR.exe
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 2576 | Parent: explorer.exe
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\independentkids.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000

PID 3356 | Parent: explorer.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 3776 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d50a9d0,0x6d50a9e0,0x6d50a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 1400 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3484 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 2208 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8249593036155825805 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Version: 75.0.3770.100

PID 3108 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8959311196807588429 --mojo-platform-channel-handle=1648 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: MEDIUM | Description: Google Chrome | Version: 75.0.3770.100

PID 1904 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8190731428150196079 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 2692 | Parent: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12437796557633793317 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
User: admin | Company: Google LLC | Integrity Level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100
Total events: 19 931
Read events: 9 730
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 142
Text files: 277
Unknown types: 18

Dropped files

PID | Process | Filename | Type
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA1D6.tmp.cvr |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabE103.tmp |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarE104.tmp |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\{72BCF0BC-2379-45AA-9636-92EC9340F8EA} |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\{643E34A0-BB19-4C1A-BF08-4F2117704E0C} |
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F0275925-9A67-4B1D-AC14-FCCB25EF8221}.FSD | binary
    MD5: 53F48D52D4248034A65BD903795A130A
    SHA256: 6F66B077BC52048159B15CAD096121F33C2CF7ADC75F87917E3A190DFD97054A
2564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2564.48174\Invoice.41032.xls | document
    MD5: 142633FAFBB732E99EC17C51B557DB39
    SHA256: CA64C6DBECD1AD97A63A9430D34BAED2C1BBD74E74A9E4B3353C22DEDDADF1B5
3552 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6DE0D5EE92F9F75D3B57BBF6B0702FA | binary
    MD5: CD042AABDD388A06FCA9D904F5AAC2BA
    SHA256: 30DE2A67EC6C4DEC6AD11E37C4E5F62142E2A9672FD668D0E4B566C4C6ACB7A0
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
    MD5: 89BF062181F7A40B14C18ACB613D3350
    SHA256: 18898D8A627CBE7360BF8ED5F0F178085168BA8E934D01C7490BC9DC87886058
3552 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KQ1NN4Y4.txt |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 104
DNS requests: 83
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3552 | EXCEL.EXE | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDu3mVgzTXArwIAAAAAWXG3 | US | der | 472 b | whitelisted
3108 | chrome.exe | GET | 200 | 173.194.183.134:80 | http://r1---sn-aigl6ner.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.217.117.157&mm=28&mn=sn-aigl6ner&ms=nvh&mt=1582303035&mv=m&mvi=0&pl=24&shardbypass=yes | US | crx | 293 Kb | whitelisted
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDvdxhhS3x8DggAAAAALnGY | US | der | 472 b | whitelisted
3108 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 516 b | whitelisted
3552 | EXCEL.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted
3108 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 511 b | whitelisted
3552 | EXCEL.EXE | GET | 200 | 2.16.186.27:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPUFGc9jG53plGcZxTtYusmrA%3D%3D | unknown | der | 527 b | whitelisted
3552 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3108 | chrome.exe | 216.58.208.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3552 | EXCEL.EXE | 161.117.177.248:443 | merystol.xyz | | SG | suspicious
3552 | EXCEL.EXE | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3552 | EXCEL.EXE | 2.16.186.27:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | | whitelisted
3552 | EXCEL.EXE | 172.217.22.100:443 | www.google.com | Google Inc. | US | whitelisted
3108 | chrome.exe | 216.58.205.227:443 | ocsp.pki.goog | Google Inc. | US | whitelisted
3108 | chrome.exe | 172.217.23.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3552 | EXCEL.EXE | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | | whitelisted
3552 | EXCEL.EXE | 172.217.23.110:443 | google.com | Google Inc. | US | whitelisted
3108 | chrome.exe | 172.217.22.3:443 | www.google.com.ua | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
merystol.xyz | 161.117.177.248 | suspicious
isrg.trustid.ocsp.identrust.com | 2.16.186.11, 2.16.186.9 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.186.27, 2.16.186.11 | whitelisted
google.com | 172.217.23.110 | whitelisted
ocsp.pki.goog | 216.58.205.227 | whitelisted
www.google.com | 172.217.22.100 | whitelisted
clientservices.googleapis.com | 216.58.208.35 | whitelisted
accounts.google.com | 216.58.206.13 | shared
www.google.com.ua | 172.217.22.3 | whitelisted
fonts.googleapis.com | 172.217.23.170 | whitelisted

Threats

PID | Process | Class | Message
3552 | EXCEL.EXE | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
1248 | EXCEL.EXE | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
No debug info