URL: | http://stylefix.co/guillotine-cross/CTRNOQ/ |
Full analysis: | https://app.any.run/tasks/55526c83-3b7c-47f3-af4f-08c3c311612f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 19, 2020, 23:49:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 278D45969F3977EE8ABCCDE1DD75E29A |
SHA1: | 6A9CCBB6C8824468309115EA6E40CBE101D4BA08 |
SHA256: | B6267682185447125D614D2EC3347C5CADBB8654B30967DED48D8FD6AECCF4C1 |
SSDEEP: | 3:N1KNR8GK2XN0x3LKn:Cz/axbK |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2080 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://stylefix.co/guillotine-cross/CTRNOQ/" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1956 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2080 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1204 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe | iexplore.exe | |
User: admin Company: TODO: <Co Integrity Level: MEDIUM Description: TODO: <File descri Exit code: 0 Version: 1.0.0.1 | ||||
1876 | "C:\Users\admin\AppData\Local\ddrawex\AzSqlExt.exe" | C:\Users\admin\AppData\Local\ddrawex\AzSqlExt.exe | 2MOQ2MKzpvc3D.exe | |
User: admin Company: TODO: <Co Integrity Level: MEDIUM Description: TODO: <File descri Version: 1.0.0.1 | ||||
2536 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3040 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ea1a9d0,0x6ea1a9e0,0x6ea1a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1036 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2496 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
768 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7197030722732749832 --mojo-platform-channel-handle=1012 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 | ||||
3320 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=16917982144195266929 --mojo-platform-channel-handle=1632 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1852 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18403249094754788103 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\2MOQ2MKzpvc3D[1].exe | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4F44987333238363.TMP | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe.r73sbw3.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabBBD6.tmp | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarBBD7.tmp | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBBF7.tmp | — | |
MD5:— | SHA256:— | |||
2536 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F8E2641-9E8.pma | — | |
MD5:— | SHA256:— | |||
2080 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe | executable | |
MD5:A494CC3654C86ECCF5796B451BDB0B8E | SHA256:D4CC5D9EA6E691F861489749AC8092918112DE219BA98CEDDE30C45B10B11905 | |||
1956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe.r73sbw3.partial | executable | |
MD5:A494CC3654C86ECCF5796B451BDB0B8E | SHA256:D4CC5D9EA6E691F861489749AC8092918112DE219BA98CEDDE30C45B10B11905 | |||
2080 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:96E2151662555236660BCF9FA188A843 | SHA256:8A7B23F9A171A2932A466C4253EC59A0D5F2A3D63A167057E6F407708002B13F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3320 | chrome.exe | GET | — | 212.34.158.133:80 | http://newtabletmall.com/ | ES | — | — | malicious |
3320 | chrome.exe | GET | — | 212.34.158.133:80 | http://newtabletmall.com/ | ES | — | — | malicious |
1956 | iexplore.exe | GET | 200 | 35.189.10.17:80 | http://stylefix.co/guillotine-cross/CTRNOQ/ | US | executable | 505 Kb | malicious |
1876 | AzSqlExt.exe | POST | 200 | 104.131.144.215:8080 | http://104.131.144.215:8080/QGl7e4MUqCe/LJWTt38FXUofEw8GpZ/ | US | binary | 132 b | malicious |
2080 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2080 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2080 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3320 | chrome.exe | GET | 200 | 104.28.13.193:80 | http://dp-womenbasket.com/cdn-cgi/styles/cf.errors.css | US | text | 4.32 Kb | suspicious |
3320 | chrome.exe | GET | 200 | 104.28.13.193:80 | http://dp-womenbasket.com/wp-admin/Li/ | US | html | 1.68 Kb | suspicious |
3320 | chrome.exe | GET | 200 | 35.189.10.17:80 | http://stylefix.co/guillotine-cross/CTRNOQ/ | US | executable | 505 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2080 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3320 | chrome.exe | 172.217.21.205:443 | accounts.google.com | Google Inc. | US | whitelisted |
2080 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3320 | chrome.exe | 216.58.212.142:443 | apis.google.com | Google Inc. | US | whitelisted |
3320 | chrome.exe | 172.217.18.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1876 | AzSqlExt.exe | 177.130.51.198:80 | — | Wsp Serviços de Telecomunicações Ltda | BR | malicious |
3320 | chrome.exe | 172.217.22.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
1876 | AzSqlExt.exe | 91.121.87.90:8080 | — | OVH SAS | FR | malicious |
1956 | iexplore.exe | 35.189.10.17:80 | stylefix.co | Google Inc. | US | suspicious |
3320 | chrome.exe | 172.217.18.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
stylefix.co |
| malicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1956 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1956 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1876 | AzSqlExt.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
1876 | AzSqlExt.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
1876 | AzSqlExt.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
3320 | chrome.exe | A Network Trojan was detected | AV POLICY CloudFlare Anti-Phishing Protection Warning in HTML Inbound |
3320 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3320 | chrome.exe | Misc activity | ET INFO EXE - Served Attached HTTP |