analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://mbve.org/cctn/Scan/jog52jas2_i4bs9a-22970863048126

Full analysis: https://app.any.run/tasks/66a24055-26f6-4d56-b946-a4cdd00f1e44
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 13:47:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
trojan
Indicators:
MD5:

EA3762E1FBB432F9B798DEA14892D68B

SHA1:

A5E0C317AB4C72F1BD77BF3D4936D9C6BA6EDDBA

SHA256:

B7DB2971BB77C81D792CEE911FE666C1A9F1AC09ACBE91AB3F4DDC5C92E7527A

SSDEEP:

3:N87KXJw6/hHbhzTiG:256/p5TP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious document

      • firefox.exe (PID: 3716)
      • WINWORD.EXE (PID: 3760)
      • WINWORD.EXE (PID: 2224)

    • Application was dropped or rewritten from another process

      • 178.exe (PID: 3584)
      • 178.exe (PID: 3152)
      • msptermsizes.exe (PID: 3348)
      • msptermsizes.exe (PID: 3592)

    • Emotet process was detected

      • 178.exe (PID: 3584)

    • EMOTET was detected

      • msptermsizes.exe (PID: 3592)

    • Changes the autorun value in the registry

      • msptermsizes.exe (PID: 3592)

    • Connects to CnC server

      • msptermsizes.exe (PID: 3592)

  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 3716)

    • Starts Microsoft Office Application

      • firefox.exe (PID: 3716)
      • WINWORD.EXE (PID: 3760)
      • WINWORD.EXE (PID: 2224)

    • Application launched itself

      • WINWORD.EXE (PID: 3760)
      • WINWORD.EXE (PID: 2224)
      • 178.exe (PID: 3152)
      • msptermsizes.exe (PID: 3348)

    • Executed via WMI

      • powershell.exe (PID: 4000)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4000)
      • 178.exe (PID: 3584)

    • Creates files in the user directory

      • powershell.exe (PID: 4000)

    • PowerShell script executed

      • powershell.exe (PID: 4000)

    • Starts itself from another location

      • 178.exe (PID: 3584)

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3716)

    • Application launched itself

      • firefox.exe (PID: 2836)
      • firefox.exe (PID: 3716)

    • Creates files in the user directory

      • firefox.exe (PID: 3716)
      • WINWORD.EXE (PID: 3760)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3760)
      • WINWORD.EXE (PID: 2224)
      • WINWORD.EXE (PID: 3208)
      • WINWORD.EXE (PID: 2760)

    • Reads settings of System Certificates

      • powershell.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
15
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs powershell.exe 178.exe no specs #EMOTET 178.exe msptermsizes.exe no specs #EMOTET msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836"C:\Program Files\Mozilla Firefox\firefox.exe" "https://mbve.org/cctn/Scan/jog52jas2_i4bs9a-22970863048126"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
3716"C:\Program Files\Mozilla Firefox\firefox.exe" https://mbve.org/cctn/Scan/jog52jas2_i4bs9a-22970863048126C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
3300"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.0.913506516\655913923" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 1160 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
68.0.1
3684"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.3.1551499195\14097066" -childID 1 -isForBrowser -prefsHandle 1708 -prefMapHandle 1704 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 1728 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
2228"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.13.1055532280\393569027" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2656 -prefsLen 5997 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 2668 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
328"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.20.1845465228\549166308" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3760 -prefsLen 7130 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 3772 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
68.0.1
3760"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RE_7472746432597407.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEfirefox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2224"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RE_7472746432597407.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEfirefox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2760"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3208"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
4 326
Read events
3 448
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
72
Text files
24
Unknown types
68

Dropped files

PID
Process
Filename
Type
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstore
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.pset
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.pset
MD5:
SHA256:
3716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
37
DNS requests
76
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3592
msptermsizes.exe
POST
200
198.199.114.69:8080
http://198.199.114.69:8080/arizona/
US
binary
132 b
malicious
3716
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3716
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3716
firefox.exe
POST
200
216.58.205.227:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
3716
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4000
powershell.exe
GET
403
146.88.234.116:80
http://stephporn.com/cgi-bin/oSWSyiKNzf/
FR
html
318 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3716
firefox.exe
35.166.89.106:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3716
firefox.exe
2.16.186.112:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3716
firefox.exe
188.121.36.239:80
ocsp.godaddy.com
GoDaddy.com, LLC
NL
unknown
3716
firefox.exe
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3716
firefox.exe
52.26.8.178:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3716
firefox.exe
160.153.137.218:443
mbve.org
GoDaddy.com, LLC
US
malicious
3716
firefox.exe
13.32.141.130:443
snippets.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
3716
firefox.exe
54.149.205.191:443
push.services.mozilla.com
Amazon.com, Inc.
US
malicious
3716
firefox.exe
172.217.18.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3716
firefox.exe
143.204.214.123:443
firefox.settings.services.mozilla.com
US
suspicious

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.112
  • 2.16.186.50
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.services.mozilla.com
  • 52.26.8.178
  • 34.210.145.79
  • 52.36.193.139
whitelisted
search.r53-2.services.mozilla.com
  • 52.36.193.139
  • 34.210.145.79
  • 52.26.8.178
whitelisted
push.services.mozilla.com
  • 54.149.205.191
whitelisted
autopush.prod.mozaws.net
  • 54.149.205.191
whitelisted
mbve.org
  • 160.153.137.218
malicious
ocsp.godaddy.com
  • 188.121.36.239
whitelisted
snippets.cdn.mozilla.net
  • 13.32.141.130
whitelisted
d228z91au11ukj.cloudfront.net
  • 13.32.141.130
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
3592
msptermsizes.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3592
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3592
msptermsizes.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
3592
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
7 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mbve.org/cctn/Scan/jog52jas2_i4bs9a-22970863048126