analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://stylefix.co/guillotine-cross/CTRNOQ/

Full analysis: https://app.any.run/tasks/55526c83-3b7c-47f3-af4f-08c3c311612f
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 19, 2020, 23:49:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
trojan
emotet
Indicators:
MD5:

278D45969F3977EE8ABCCDE1DD75E29A

SHA1:

6A9CCBB6C8824468309115EA6E40CBE101D4BA08

SHA256:

B6267682185447125D614D2EC3347C5CADBB8654B30967DED48D8FD6AECCF4C1

SSDEEP:

3:N1KNR8GK2XN0x3LKn:Cz/axbK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 2MOQ2MKzpvc3D.exe (PID: 1204)
      • AzSqlExt.exe (PID: 1876)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 1956)

    • EMOTET was detected

      • AzSqlExt.exe (PID: 1876)

    • Changes the autorun value in the registry

      • AzSqlExt.exe (PID: 1876)

    • Connects to CnC server

      • AzSqlExt.exe (PID: 1876)

  • SUSPICIOUS

    • Starts itself from another location

      • 2MOQ2MKzpvc3D.exe (PID: 1204)

    • Executable content was dropped or overwritten

      • 2MOQ2MKzpvc3D.exe (PID: 1204)
      • iexplore.exe (PID: 2080)
      • iexplore.exe (PID: 1956)
      • chrome.exe (PID: 2536)
      • chrome.exe (PID: 3320)

    • Reads Internet Cache Settings

      • AzSqlExt.exe (PID: 1876)

    • Cleans NTFS data-stream (Zone Identifier)

      • 2MOQ2MKzpvc3D.exe (PID: 1204)

  • INFO

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2080)

    • Changes internet zones settings

      • iexplore.exe (PID: 2080)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2080)
      • iexplore.exe (PID: 1956)

    • Creates files in the user directory

      • iexplore.exe (PID: 1956)
      • iexplore.exe (PID: 2080)

    • Application launched itself

      • iexplore.exe (PID: 2080)
      • chrome.exe (PID: 2536)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2080)

    • Reads the hosts file

      • chrome.exe (PID: 3320)
      • chrome.exe (PID: 2536)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2080)

    • Manual execution by user

      • chrome.exe (PID: 2536)
      • explorer.exe (PID: 256)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
31
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe 2moq2mkzpvc3d.exe #EMOTET azsqlext.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2080"C:\Program Files\Internet Explorer\iexplore.exe" "http://stylefix.co/guillotine-cross/CTRNOQ/"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1956"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2080 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1204"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe
iexplore.exe
User:
admin
Company:
TODO: <Co
Integrity Level:
MEDIUM
Description:
TODO: <File descri
Exit code:
0
Version:
1.0.0.1
1876"C:\Users\admin\AppData\Local\ddrawex\AzSqlExt.exe"C:\Users\admin\AppData\Local\ddrawex\AzSqlExt.exe
2MOQ2MKzpvc3D.exe
User:
admin
Company:
TODO: <Co
Integrity Level:
MEDIUM
Description:
TODO: <File descri
Version:
1.0.0.1
2536"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3040"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ea1a9d0,0x6ea1a9e0,0x6ea1a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1036"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2496 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
768"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7197030722732749832 --mojo-platform-channel-handle=1012 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3320"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=16917982144195266929 --mojo-platform-channel-handle=1632 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1852"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6160380183750622276,1394277728618949282,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18403249094754788103 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
Total events
2 164
Read events
2 005
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
39
Text files
114
Unknown types
3

Dropped files

PID
Process
Filename
Type
1956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\2MOQ2MKzpvc3D[1].exe
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4F44987333238363.TMP
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe.r73sbw3.partial:Zone.Identifier
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\CabBBD6.tmp
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\TarBBD7.tmp
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBBF7.tmp
MD5:
SHA256:
2536chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F8E2641-9E8.pma
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exeexecutable
MD5:A494CC3654C86ECCF5796B451BDB0B8E
SHA256:D4CC5D9EA6E691F861489749AC8092918112DE219BA98CEDDE30C45B10B11905
1956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2MOQ2MKzpvc3D.exe.r73sbw3.partialexecutable
MD5:A494CC3654C86ECCF5796B451BDB0B8E
SHA256:D4CC5D9EA6E691F861489749AC8092918112DE219BA98CEDDE30C45B10B11905
2080iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:96E2151662555236660BCF9FA188A843
SHA256:8A7B23F9A171A2932A466C4253EC59A0D5F2A3D63A167057E6F407708002B13F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
37
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3320
chrome.exe
GET
212.34.158.133:80
http://newtabletmall.com/
ES
malicious
3320
chrome.exe
GET
212.34.158.133:80
http://newtabletmall.com/
ES
malicious
1956
iexplore.exe
GET
200
35.189.10.17:80
http://stylefix.co/guillotine-cross/CTRNOQ/
US
executable
505 Kb
malicious
1876
AzSqlExt.exe
POST
200
104.131.144.215:8080
http://104.131.144.215:8080/QGl7e4MUqCe/LJWTt38FXUofEw8GpZ/
US
binary
132 b
malicious
2080
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2080
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2080
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3320
chrome.exe
GET
200
104.28.13.193:80
http://dp-womenbasket.com/cdn-cgi/styles/cf.errors.css
US
text
4.32 Kb
suspicious
3320
chrome.exe
GET
200
104.28.13.193:80
http://dp-womenbasket.com/wp-admin/Li/
US
html
1.68 Kb
suspicious
3320
chrome.exe
GET
200
35.189.10.17:80
http://stylefix.co/guillotine-cross/CTRNOQ/
US
executable
505 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2080
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3320
chrome.exe
172.217.21.205:443
accounts.google.com
Google Inc.
US
whitelisted
2080
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3320
chrome.exe
216.58.212.142:443
apis.google.com
Google Inc.
US
whitelisted
3320
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1876
AzSqlExt.exe
177.130.51.198:80
Wsp Serviços de Telecomunicações Ltda
BR
malicious
3320
chrome.exe
172.217.22.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1876
AzSqlExt.exe
91.121.87.90:8080
OVH SAS
FR
malicious
1956
iexplore.exe
35.189.10.17:80
stylefix.co
Google Inc.
US
suspicious
3320
chrome.exe
172.217.18.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
stylefix.co
  • 35.189.10.17
malicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
accounts.google.com
  • 172.217.21.205
shared
www.google.com
  • 173.194.201.104
  • 173.194.201.105
  • 173.194.201.106
  • 173.194.201.103
  • 173.194.201.99
  • 173.194.201.147
whitelisted
fonts.googleapis.com
  • 172.217.22.42
whitelisted
www.gstatic.com
  • 216.58.212.131
whitelisted
fonts.gstatic.com
  • 172.217.18.3
whitelisted

Threats

PID
Process
Class
Message
1956
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1956
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1876
AzSqlExt.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet
1876
AzSqlExt.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet
1876
AzSqlExt.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet
3320
chrome.exe
A Network Trojan was detected
AV POLICY CloudFlare Anti-Phishing Protection Warning in HTML Inbound
3320
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3320
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://stylefix.co/guillotine-cross/CTRNOQ/