Sample: w8hVYpn53es

Full analysis: https://app.any.run/tasks/2871ae5e-3192-4f68-85f1-edc16da3a7bc
Verdict: Malicious activity
Threats: Emotet
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into a very destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: April 25, 2019, 10:11:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 2D35F55AAAFCC32B501C71DF3E241BD6
SHA1: 41F7A0914B99112BEB34AA4B7B74325FB751FB36
SHA256: B4664BF01A545B92B5FF125B8FDF22E32BF26F85C63AF60B4D02E3EF54C19D3F
SSDEEP: 192:JitolUPQ8ZKNLZyJTm9nA2FAekiRE+D4c66xOUEz+LYgOgqBnoibo69XVWlxH7Nt:cTZyIiRF4c6HzM3Y39yHZy3Gb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Downloads executable files from the Internet
      • WScript.exe (PID: 2164)
      • WScript.exe (PID: 2688)
    • Application was dropped or rewritten from another process
      • c6v4pihlc.exe (PID: 2672)
      • ui2i260hh.exe (PID: 2248)
      • c6v4pihlc.exe (PID: 1832)
      • ui2i260hh.exe (PID: 592)
      • soundser.exe (PID: 1344)
      • soundser.exe (PID: 3308)
    • Emotet process was detected
      • soundser.exe (PID: 1344)
  • SUSPICIOUS
    • Executes scripts
      • WinRAR.exe (PID: 1700)
    • Creates files in the user directory
      • WScript.exe (PID: 2164)
      • WScript.exe (PID: 2688)
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 2164)
      • ui2i260hh.exe (PID: 2248)
      • WScript.exe (PID: 2688)
    • Application launched itself
      • ui2i260hh.exe (PID: 592)
    • Connects to server without host name
      • soundser.exe (PID: 3308)
    • Starts itself from another location
      • ui2i260hh.exe (PID: 2248)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:04:25 12:55:00
ZipCRC: 0xd227da86
ZipCompressedSize: 13734
ZipUncompressedSize: 47164
ZipFileName: FILE_35760556291US_Apr_25_2019.js
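How the EXIF block above is read from the archive itself, as an added Python example (not ANY.RUN code): it walks the ZIP central directory with the standard library, reports the same fields the report shows (required version, bit flag, compression method, modify date, CRC, sizes, member name) and flags members a Windows script host would execute on double-click. The archive it inspects is constructed inline with an inert placeholder body, so only the member name and timestamp mirror the analysed sample; the risky-extension list is my own assumption of what WScript.exe and mshta.exe run.

```python
import io
import zipfile
from datetime import datetime

# Assumption: members with these extensions are handed to WScript.exe or
# mshta.exe when a user double-clicks them in an archiver window.
SCRIPT_HOST_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def inspect_archive(data: bytes) -> list:
    """Walk the central directory of an in-memory ZIP and return one record
    per member with the fields the EXIF block shows, plus a 'risky' flag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # A double extension such as "invoice.pdf.js" is still .js to the shell.
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            findings.append({
                "name": name,
                "required_version": info.extract_version,
                "bit_flag": f"0x{info.flag_bits:04x}",
                "compression": ("Deflated" if info.compress_type == zipfile.ZIP_DEFLATED
                                else "Stored" if info.compress_type == zipfile.ZIP_STORED
                                else f"method {info.compress_type}"),
                "modify_date": datetime(*info.date_time).strftime("%Y:%m:%d %H:%M:%S"),
                "crc": f"0x{info.CRC:08x}",
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "risky": ext in SCRIPT_HOST_EXTS,
            })
    return findings


def verdict(findings: list) -> str:
    """Triage summary: any script-host member makes the archive worth detonating."""
    risky = [f["name"] for f in findings if f["risky"]]
    return ("detonate: " + ", ".join(risky)) if risky else "no script members"


def build_sample() -> bytes:
    """Constructed test archive: one Deflated .js member whose name and
    timestamp match the analysed ZIP; the body is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zi = zipfile.ZipInfo("FILE_35760556291US_Apr_25_2019.js",
                             date_time=(2019, 4, 25, 12, 55, 0))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, "var x = 'placeholder';\n" * 200)
    return buf.getvalue()


if __name__ == "__main__":
    records = inspect_archive(build_sample())
    for rec in records:
        for key, value in rec.items():
            print(f"{key}: {value}")
    print(verdict(records))
```

Run it against a real attachment by passing the file's bytes to inspect_archive; nothing is extracted or executed, only the central directory is read, so it is safe to run on a triage host.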
Total processes: 39
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree (reconstructed from the flattened graph; which WScript.exe instance spawned which dropper follows the dropped-files table):
explorer.exe
  WinRAR.exe (PID 1700)
    WScript.exe (PID 2688), drops and starts
      ui2i260hh.exe (PID 592)
        ui2i260hh.exe (PID 2248, launched itself), drops and starts
          soundser.exe (PID 1344) #EMOTET
            soundser.exe (PID 3308, launched itself)
    WScript.exe (PID 2164), drops and starts
      c6v4pihlc.exe (PID 2672)
        c6v4pihlc.exe (PID 1832, launched itself)

Process information

PID 1700
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\w8hVYpn53es.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 2688
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9445\FILE_35760556291US_Apr_25_2019.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 2164
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9826\FILE_35760556291US_Apr_25_2019.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 2672
CMD: "C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe"
Path: C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 1832
CMD: --965284f9
Path: C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe
Parent process: c6v4pihlc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 592
CMD: "C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe"
Path: C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2248
CMD: --8f882865
Path: C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe
Parent process: ui2i260hh.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 1344
CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: ui2i260hh.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 3308
CMD: --3ab57678
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: soundser.exe
User: admin
Integrity Level: MEDIUM
Total events: 1 329
Read events: 1 266
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9826\FILE_35760556291US_Apr_25_2019.js | text
  MD5: DCA68FFB6BA8C0B6F5F61C865F43DD76
  SHA256: EE65C61941B260403E66E0B141CD9BA307540F8BDC79375C8F4609148E5F6CEF
2164 | WScript.exe | C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe | executable
  MD5: F0EF0F3A77E75C08855269D092AB5A35
  SHA256: 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1
2248 | ui2i260hh.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable
  MD5: F0EF0F3A77E75C08855269D092AB5A35
  SHA256: 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9445\FILE_35760556291US_Apr_25_2019.js | text
  MD5: DCA68FFB6BA8C0B6F5F61C865F43DD76
  SHA256: EE65C61941B260403E66E0B141CD9BA307540F8BDC79375C8F4609148E5F6CEF
2688 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe | executable
  MD5: F0EF0F3A77E75C08855269D092AB5A35
  SHA256: 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1
2164 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tcmnow[2].txt | text
  MD5: A112AAA41C4C0DFF6BADDA8D8EBEBBCF
  SHA256: A7B5C282075C10CE9833301CB35624515E8A18976D43BDA7589FA6C0193AB9C2
2688 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tcmnow[1].txt | text
  MD5: 35C81E7724A88F8501E01AEE0D6E5388
  SHA256: C5E3DC77993B9A22E7B9E4013A5F585ABDFE24ADCDFE08357AC145931FFCED7E
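The process table and the dropped-files table together describe one behavioural chain: an archiver hands a .js to WScript.exe from its Rar$ scratch directory, the script writes a PE into %LOCALAPPDATA%\Temp, that PE relaunches itself with a single "--<8 hex digits>" argument, and the relaunched copy writes an identical file (same SHA256) under a new name in %LOCALAPPDATA%\soundser\ and starts it. The following Python is an added example, not ANY.RUN code, that turns those four observations into detection rules over process-creation and file-write events. The event list is constructed from the report; parent PIDs are inferred from the dropped-files table because the report names parents by image only, and the full command lines for the relaunches (the report shows only the "--" token) are an assumption.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe"}
# The relaunch seen in PIDs 1832, 2248 and 3308: same image, one "--<8 hex>" argument.
RELAUNCH_TOKEN = re.compile(r"(?:^|\s)--[0-9a-f]{8}\s*$")

R_ARCHIVE_SCRIPT = "script host started by archiver from its scratch dir"
R_SCRIPT_DROP_PE = "script host dropped an executable"
R_SELF_RELAUNCH = "application launched itself with relaunch token"
R_RELOCATE = "copied own image to another location and started it"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(procs, drops):
    """procs: process-creation events {pid, ppid, path, cmd};
    drops: file-write events {pid, path, type, sha256}.
    Returns (rule, pid) alerts in the order the evidence is scanned."""
    by_pid = {p["pid"]: p for p in procs}
    hash_of = {d["path"].lower(): d["sha256"] for d in drops}  # path -> hash written there
    started = {p["path"].lower() for p in procs}                # images that actually ran
    alerts = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        if (basename(p["path"]) in SCRIPT_HOSTS and basename(parent["path"]) in ARCHIVERS
                and "\\temp\\rar$" in p["cmd"].lower()):
            alerts.append((R_ARCHIVE_SCRIPT, p["pid"]))
        if parent["path"].lower() == p["path"].lower() and RELAUNCH_TOKEN.search(p["cmd"]):
            alerts.append((R_SELF_RELAUNCH, p["pid"]))
    for d in drops:
        writer = by_pid.get(d["pid"])
        if writer is None:
            continue
        if basename(writer["path"]) in SCRIPT_HOSTS and d["type"] == "executable":
            alerts.append((R_SCRIPT_DROP_PE, d["pid"]))
        own_hash = hash_of.get(writer["path"].lower())
        if (own_hash and own_hash == d["sha256"]
                and d["path"].lower() != writer["path"].lower()
                and d["path"].lower() in started):
            alerts.append((R_RELOCATE, d["pid"]))
    return alerts


# Constructed events replaying the tree in the report. Parent PIDs are
# inferred from the dropped-files table; relaunch command lines are assumed.
TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"
SOUNDSER = "C:\\Users\\admin\\AppData\\Local\\soundser\\soundser.exe"
PE_HASH = "26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1"


def proc(pid, ppid, path, *args):
    return {"pid": pid, "ppid": ppid, "path": path,
            "cmd": " ".join([f'"{path}"', *args])}


PROCS = [
    proc(1, 0, "C:\\Windows\\explorer.exe"),
    proc(1700, 1, "C:\\Program Files\\WinRAR\\WinRAR.exe", f'"{TEMP}w8hVYpn53es.zip"'),
    proc(2688, 1700, "C:\\Windows\\System32\\WScript.exe",
         f'"{TEMP}Rar$DIa1700.9445\\FILE_35760556291US_Apr_25_2019.js"'),
    proc(2164, 1700, "C:\\Windows\\System32\\WScript.exe",
         f'"{TEMP}Rar$DIa1700.9826\\FILE_35760556291US_Apr_25_2019.js"'),
    proc(592, 2688, TEMP + "ui2i260hh.exe"),
    proc(2248, 592, TEMP + "ui2i260hh.exe", "--8f882865"),
    proc(2672, 2164, TEMP + "c6v4pihlc.exe"),
    proc(1832, 2672, TEMP + "c6v4pihlc.exe", "--965284f9"),
    proc(1344, 2248, SOUNDSER),
    proc(3308, 1344, SOUNDSER, "--3ab57678"),
]
DROPS = [
    {"pid": 2688, "path": TEMP + "ui2i260hh.exe", "type": "executable", "sha256": PE_HASH},
    {"pid": 2164, "path": TEMP + "c6v4pihlc.exe", "type": "executable", "sha256": PE_HASH},
    {"pid": 2248, "path": SOUNDSER, "type": "executable", "sha256": PE_HASH},
]

if __name__ == "__main__":
    for rule, pid in detect_chain(PROCS, DROPS):
        print(f"{pid:>5}  {rule}")
```

The relocation rule is the one worth keeping even when the other three are tuned out: a process writing a byte-identical copy of its own image to a fresh directory under %LOCALAPPDATA% and then executing it is a persistence step, not something a legitimate installer does from a Temp path.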
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2688 | WScript.exe | GET | 200 | 69.65.3.176:80 | http://tcmnow.com/cgi-bin/J4_5/ | US | executable | 78.0 Kb | suspicious
2164 | WScript.exe | GET | 200 | 69.65.3.176:80 | http://tcmnow.com/cgi-bin/J4_5/ | US | executable | 78.0 Kb | suspicious
3308 | soundser.exe | POST | - | 68.229.130.39:80 | http://68.229.130.39/splash/ | US | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2688 | WScript.exe | 69.65.3.176:80 | tcmnow.com | GigeNET | US | malicious
3308 | soundser.exe | 68.229.130.39:80 | - | Cox Communications Inc. | US | malicious
2164 | WScript.exe | 69.65.3.176:80 | tcmnow.com | GigeNET | US | malicious

DNS requests

Domain | IP | Reputation
tcmnow.com | 69.65.3.176 | suspicious

Threats

PID | Process | Class | Message
2688 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2688 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2688 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2688 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2164 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2164 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2164 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP
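The network alerts above rest on two observations a proxy or sandbox log exposes directly: a PE body (MZ header) returned from a URL that carries no executable extension, and a POST to a server addressed by bare IP with no host name. The following Python is an added example, not ANY.RUN or Emerging Threats code, that applies those two checks to HTTP transactions and extracts the domains, IPs and URLs into IOC sets for blocking. The transactions are constructed from the report's HTTP table; the PE response body is a stub header, not the real payload, and no response was recorded for the POST.

```python
import ipaddress
from urllib.parse import urlsplit

A_BARE_IP = "connects to server without host name"
A_PE_NONEXE = "PE served from URL without an executable extension"
A_IP_POST = "POST to bare-IP server (check-in)"
PE_EXTS = {"exe", "dll"}


def is_ip_literal(host):
    """True when the URL host is an address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_http(txns):
    """txns: {pid, method, url, dst_ip, resp_body}. Returns (alerts, iocs)
    where alerts is a list of (rule, pid) and iocs holds domains/ips/urls."""
    alerts = []
    iocs = {"domains": set(), "ips": set(), "urls": set()}
    for t in txns:
        u = urlsplit(t["url"])
        host = u.hostname or ""
        iocs["urls"].add(t["url"])
        iocs["ips"].add(t["dst_ip"])
        bare = is_ip_literal(host)
        if bare:
            alerts.append((A_BARE_IP, t["pid"]))
        else:
            iocs["domains"].add(host)
        # Extension of the last path segment; "/cgi-bin/J4_5/" has none.
        last = u.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if t.get("resp_body", b"")[:2] == b"MZ" and ext not in PE_EXTS:
            alerts.append((A_PE_NONEXE, t["pid"]))
        if bare and t["method"] == "POST":
            alerts.append((A_IP_POST, t["pid"]))
    return alerts, iocs


# Constructed transactions mirroring the report's HTTP table. The GET body is
# a stub DOS header, not the downloaded sample; the POST had no recorded reply.
STUB_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
TXNS = [
    {"pid": 2688, "method": "GET", "url": "http://tcmnow.com/cgi-bin/J4_5/",
     "dst_ip": "69.65.3.176", "resp_body": STUB_PE},
    {"pid": 2164, "method": "GET", "url": "http://tcmnow.com/cgi-bin/J4_5/",
     "dst_ip": "69.65.3.176", "resp_body": STUB_PE},
    {"pid": 3308, "method": "POST", "url": "http://68.229.130.39/splash/",
     "dst_ip": "68.229.130.39", "resp_body": b""},
]

if __name__ == "__main__":
    found, indicators = analyse_http(TXNS)
    for rule, pid in found:
        print(f"{pid:>5}  {rule}")
    for kind, values in indicators.items():
        print(f"{kind}: {sorted(values)}")
```

The bare-IP check is the cheap one to deploy first: outbound POSTs from a user profile to an IP literal on port 80 are rare in a corporate environment and match this sample's check-in without any signature content.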
No debug info