analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

bxGGLSCLNBAuEfVDUYVDjqW

Full analysis: https://app.any.run/tasks/bb4ccefb-1a39-46c9-be11-050d4ebc31ce
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 24, 2019, 08:10:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F9C73DA94609DE38CD04940AC67DD738

SHA1:

1528E8562CC1363418EAC7E19D5C02204CD31838

SHA256:

A854CDF3706C20FCB02ADAE21E2F0E2831AF363847E89DAE74685E35495B12B6

SSDEEP:

24:9eVpTFdS9P5IItOApueMqRaiA2mh8myTetjAF0Zr3ve/Cq1lcIVt:9ITFcR5/tOBeMKaiZhbOZUCp8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dlstll97x.exe (PID: 3944)
      • dlstll97x.exe (PID: 3976)
      • soundser.exe (PID: 4072)
      • soundser.exe (PID: 2568)
    • Changes settings of System certificates

      • WScript.exe (PID: 3916)
    • Emotet process was detected

      • soundser.exe (PID: 4072)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3916)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3916)
      • dlstll97x.exe (PID: 3976)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 3916)
    • Starts itself from another location

      • dlstll97x.exe (PID: 3976)
    • Connects to server without host name

      • soundser.exe (PID: 2568)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 3916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:05:24 11:09:00
ZipCRC: 0xcb334b68
ZipCompressedSize: 1325
ZipUncompressedSize: 5860
ZipFileName: DOC_8467273954US_May_24_2019.js
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs wscript.exe dlstll97x.exe no specs dlstll97x.exe #EMOTET soundser.exe no specs soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
868"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bxGGLSCLNBAuEfVDUYVDjqW.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3916"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DOC_8467273954US_May_24_2019.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3944"C:\Users\admin\AppData\Local\Temp\dlstll97x.exe" C:\Users\admin\AppData\Local\Temp\dlstll97x.exeWScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3976--8eb1ba15C:\Users\admin\AppData\Local\Temp\dlstll97x.exe
dlstll97x.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4072"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
dlstll97x.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2568--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
948
Read events
887
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
868WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa868.46938\DOC_8467273954US_May_24_2019.js
MD5:
SHA256:
3916WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dnmartin[1].txttext
MD5:A2017A3DBDDC33DAB01BFD30C34659AD
SHA256:20A7600D0F1F897BD34D6C17CD5C2AB8324D1CAB211297D54084D104EF76CB10
3976dlstll97x.exeC:\Users\admin\AppData\Local\soundser\soundser.exeexecutable
MD5:DD424B112F023D97C2CF437B75338E21
SHA256:90AD956E082F45F7DE26F3FF5BCEEE1A56BCFF73DD9A489472E9290ECAD0B320
3916WScript.exeC:\Users\admin\AppData\Local\Temp\dlstll97x.exeexecutable
MD5:DD424B112F023D97C2CF437B75338E21
SHA256:90AD956E082F45F7DE26F3FF5BCEEE1A56BCFF73DD9A489472E9290ECAD0B320
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2568
soundser.exe
POST
76.86.20.103:80
http://76.86.20.103/add/scripts/ringin/
US
malicious
2568
soundser.exe
POST
144.139.247.220:80
http://144.139.247.220/srvc/sym/
AU
malicious
2568
soundser.exe
POST
5.67.205.99:80
http://5.67.205.99/publish/merge/ringin/
GB
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2568
soundser.exe
76.86.20.103:80
Time Warner Cable Internet LLC
US
malicious
2568
soundser.exe
5.67.205.99:80
Sky UK Limited
GB
malicious
3916
WScript.exe
51.38.185.91:443
dnmartin.net
GB
unknown
2568
soundser.exe
144.139.247.220:80
Telstra Pty Ltd
AU
malicious

DNS requests

Domain
IP
Reputation
dnmartin.net
  • 51.38.185.91
unknown

Threats

No threats detected
No debug info