analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

gx9nu

Full analysis: https://app.any.run/tasks/32047b13-4e71-4883-8a07-711fbe156da0
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: December 06, 2019, 17:19:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
Indicators:
MIME: text/html
File info: HTML document, ASCII text
MD5:

7EAA8F92FE5B647FACFC7D5EC57BFCCE

SHA1:

7838154BE9E2863B36B6AA5CF802575C92F77E73

SHA256:

C56AEE019D4DBB0D971A02ED883386579B0B058A5A3AC3A88AD1FC0F52709387

SSDEEP:

96:1j9jwIjYjy2K/DZD8jEKVk10vJADh/pRSYEbGD:1j9jhjYjHK/lyEKVk0RADh/pmGD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gx9nu[1].exe (PID: 504)
      • gx9nu[1].exe (PID: 3272)
      • serialfunc.exe (PID: 2404)
      • serialfunc.exe (PID: 3028)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2356)

    • EMOTET was detected

      • serialfunc.exe (PID: 2404)

    • Connects to CnC server

      • serialfunc.exe (PID: 2404)

    • Emotet process was detected

      • gx9nu[1].exe (PID: 504)

  • SUSPICIOUS

    • Application launched itself

      • gx9nu[1].exe (PID: 3272)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2132)
      • iexplore.exe (PID: 2356)
      • gx9nu[1].exe (PID: 504)

    • Starts itself from another location

      • gx9nu[1].exe (PID: 504)

    • Cleans NTFS data-stream (Zone Identifier)

      • gx9nu[1].exe (PID: 504)

    • Starts Microsoft Office Application

      • iexplore.exe (PID: 2356)
      • iexplore.exe (PID: 2132)
      • IEContentService.exe (PID: 3972)

    • Connects to server without host name

      • serialfunc.exe (PID: 2404)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3408)
      • iexplore.exe (PID: 2356)

    • Application launched itself

      • iexplore.exe (PID: 2132)

    • Changes internet zones settings

      • iexplore.exe (PID: 2132)

    • Creates files in the user directory

      • iexplore.exe (PID: 3408)
      • iexplore.exe (PID: 2356)
      • iexplore.exe (PID: 2132)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2356)

    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 1552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

viewport: width=device-width,initial-scale=1,maximum-scale=1
Robots: noindex, nofollow
HTTPEquivXUACompatible: IE=Edge,chrome=1
ContentType: text/html; charset=UTF-8
Title: Suspected phishing site | Cloudflare
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
10
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe no specs iexplore.exe gx9nu[1].exe no specs #EMOTET gx9nu[1].exe serialfunc.exe no specs #EMOTET serialfunc.exe iecontentservice.exe no specs iecontentservice.exe no specs onenote.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\gx9nu.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3408"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2132 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2356"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2132 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3272"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\gx9nu[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\gx9nu[1].exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
504--29b2bc9fC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\gx9nu[1].exe
gx9nu[1].exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
3028"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exegx9nu[1].exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2404--d6864438C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
serialfunc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Version:
1, 0, 0, 1
3932"C:\Program Files\Microsoft Office\Office14\IEContentService.exe" /startsnotetaking "http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/" "Suspected phishing site | Cloudflare"C:\Program Files\Microsoft Office\Office14\IEContentService.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft OneNote Internet Explorer Content Service
Exit code:
0
Version:
14.0.6015.1000
3972"C:\Program Files\Microsoft Office\Office14\IEContentService.exe" /startsnotetaking "http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/" "Suspected phishing site | Cloudflare"C:\Program Files\Microsoft Office\Office14\IEContentService.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote Internet Explorer Content Service
Exit code:
1
Version:
14.0.6015.1000
1552"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" /dockedC:\Program Files\Microsoft Office\Office14\ONENOTE.EXEIEContentService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote
Exit code:
0
Version:
14.0.6022.1000
Total events
1 818
Read events
1 536
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
2
Text files
51
Unknown types
12

Dropped files

PID
Process
Filename
Type
2132iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2132iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019120620191207\index.datdat
MD5:3F88C284E636696D70881F17B5EBE6C5
SHA256:8EBB8A631DB0AD20332D7258E0B7BF7719106DE9E2B186155563C85346E18D3A
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\tools[1]image
MD5:6F20BA58551E13CFD87EC059327EFFD0
SHA256:62A7038CC42C1482D70465192318F21FC1CE0F0C737CB8804137F38A1F9D680B
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\httpErrorPagesScripts[1]text
MD5:E7CA76A3C9EE0564471671D500E3F0F3
SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]image
MD5:555E83CE7F5D280D7454AF334571FB25
SHA256:70F316A5492848BB8242D49539468830B353DDAA850964DB4E60A6D2D7DB4880
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\down[1]image
MD5:555E83CE7F5D280D7454AF334571FB25
SHA256:70F316A5492848BB8242D49539468830B353DDAA850964DB4E60A6D2D7DB4880
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\dnserror[1]html
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE
SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\noConnect[1]image
MD5:3CB8FACCD5DE434D415AB75C17E8FD86
SHA256:6976C426E3AC66D66303C114B22B2B41109A7DE648BA55FFC3E5A53BD0DB09E7
2132iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
12
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/cdn-cgi/styles/fonts/opensans-300.eot
US
eot
18.1 Kb
suspicious
2356
iexplore.exe
GET
104.18.56.46:80
http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/
US
suspicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/
US
html
1.51 Kb
suspicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/
US
executable
492 Kb
suspicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/cdn-cgi/styles/cf.errors.css
US
text
4.77 Kb
suspicious
2404
serialfunc.exe
POST
12.229.155.122:80
http://12.229.155.122/BKkHGlSbi9Ut0
US
malicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/cdn-cgi/styles/fonts/opensans-700.eot
US
eot
19.3 Kb
suspicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/wp-content/cache/gx9nu/
US
executable
492 Kb
suspicious
2404
serialfunc.exe
POST
107.2.2.28:80
http://107.2.2.28/woLtFDSl7OMS
US
malicious
2356
iexplore.exe
GET
200
104.18.56.46:80
http://trangphucbieudienyenle.com/cdn-cgi/styles/fonts/opensans-300i.eot
US
eot
20.9 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2404
serialfunc.exe
12.229.155.122:80
AT&T Services, Inc.
US
malicious
2356
iexplore.exe
104.18.56.46:80
trangphucbieudienyenle.com
Cloudflare Inc
US
shared
2404
serialfunc.exe
107.2.2.28:80
Comcast Cable Communications, LLC
US
malicious
2132
iexplore.exe
104.18.56.46:80
trangphucbieudienyenle.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
trangphucbieudienyenle.com
  • 104.18.56.46
  • 104.18.57.46
suspicious
vifrustotal.com
unknown

Threats

PID
Process
Class
Message
2356
iexplore.exe
A Network Trojan was detected
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
2356
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2356
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2404
serialfunc.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 2
2404
serialfunc.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M5
2404
serialfunc.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M6
2404
serialfunc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2404
serialfunc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2356
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2356
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
gx9nu