analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

emotet.exe

Full analysis: https://app.any.run/tasks/fb868ba8-9954-405c-808b-d2d68d6a768a
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: March 31, 2023, 23:46:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1BB7313AF8F390E115E22E32E9932A55

SHA1:

63B007744FA635DFF01B31CC1FD4BCD6D0B66BF5

SHA256:

CD13A9A774197BF84BD25A30F4CD51DBC4908138E2E008C81FC1FEEF881C6DA7

SSDEEP:

3072:XGCuBxwr5cw9TzBfW1fuDpzFEPx5QuW2/Gu+tD/3bxeY:FUSrewsWDgPx2Zdu+tD/3bx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET detected by memory dumps

      • dccw.exe (PID: 3244)

    • Connects to the CnC server

      • dccw.exe (PID: 3244)

    • EMOTET was detected

      • dccw.exe (PID: 3244)

  • SUSPICIOUS

    • Starts itself from another location

      • emotet.exe (PID: 2368)

    • Executable content was dropped or overwritten

      • emotet.exe (PID: 2368)

    • Reads the Internet Settings

      • dccw.exe (PID: 3244)

    • Connects to the server without a host name

      • dccw.exe (PID: 3244)

  • INFO

    • Checks supported languages

      • emotet.exe (PID: 2368)
      • dccw.exe (PID: 3244)

    • Reads the machine GUID from the registry

      • emotet.exe (PID: 2368)
      • dccw.exe (PID: 3244)

    • The process checks LSA protection

      • emotet.exe (PID: 2368)
      • dccw.exe (PID: 3244)

    • Reads the computer name

      • emotet.exe (PID: 2368)
      • dccw.exe (PID: 3244)

    • Checks proxy server information

      • dccw.exe (PID: 3244)

    • Manual execution by a user

      • taskmgr.exe (PID: 3804)
      • WINWORD.EXE (PID: 2864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

ProductVersion: 1, 0, 0, 1
ProductName: SkinDialog_Demo Application
OriginalFileName: SkinDialog_Demo.EXE
LegalTrademarks: -
LegalCopyright: Copyright (C) 2003
InternalName: SkinDialog_Demo
FileVersion: 1, 0, 0, 1
FileDescription: SkinDialog_Demo MFC Application
CompanyName: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1d8c
UninitializedDataSize: -
InitializedDataSize: 245760
CodeSize: 8192
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2020:06:16 12:36:18+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jun-2020 12:36:18
Detected languages:
  • English - United States
CompanyName: -
FileDescription: SkinDialog_Demo MFC Application
FileVersion: 1, 0, 0, 1
InternalName: SkinDialog_Demo
LegalCopyright: Copyright (C) 2003
LegalTrademarks: -
OriginalFilename: SkinDialog_Demo.EXE
ProductName: SkinDialog_Demo Application
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 16-Jun-2020 12:36:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00001042
0x00002000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.84838
.rdata
0x00003000
0x000005E0
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.68212
.data
0x00004000
0x0000020C
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.550976
.idata
0x00005000
0x000009DE
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.82616
.rsrc
0x00006000
0x00037240
0x00038000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.96083
.reloc
0x0003E000
0x000007E8
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
2.21175

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.35682
820
UNKNOWN
English - United States
RT_VERSION
2
2.55844
296
UNKNOWN
English - United States
RT_ICON
7
2.2268
82
UNKNOWN
English - United States
RT_STRING
100
3.44432
298
UNKNOWN
English - United States
RT_DIALOG
102
2.40823
66
UNKNOWN
English - United States
RT_DIALOG
128
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON
129
3.92478
180040
UNKNOWN
English - United States
RT_BITMAP
7107
7.99241
42820
UNKNOWN
English - United States
RT_RCDATA

Imports

GDI32.dll
KERNEL32.dll
MFC42.DLL
MSVCP60.dll
MSVCRT.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start emotet.exe #EMOTET dccw.exe taskmgr.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2368"C:\Users\admin\AppData\Local\Temp\emotet.exe" C:\Users\admin\AppData\Local\Temp\emotet.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SkinDialog_Demo MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\emotet.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3244"C:\Users\admin\AppData\Local\qasf\dccw.exe"C:\Users\admin\AppData\Local\qasf\dccw.exe
emotet.exe
User:
admin
Integrity Level:
MEDIUM
Description:
SkinDialog_Demo MFC Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\qasf\dccw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
3804"C:\Windows\system32\taskmgr.exe" C:\Windows\System32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2864"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\livingpurchase.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
Total events
6 138
Read events
5 210
Write events
642
Delete events
286

Modification events

(PID) Process:(3244) dccw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3244) dccw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3244) dccw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3244) dccw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(2864) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
Executable files
2
Suspicious files
0
Text files
2
Unknown types
8

Dropped files

PID
Process
Filename
Type
2864WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR73D4.tmp.cvr
MD5:
SHA256:
2864WINWORD.EXEC:\Users\admin\Desktop\~$vingpurchase.rtfpgc
MD5:A7058467336A7566D9832179AE275F85
SHA256:D7166F27C2976BB20DB67B244D115AB1313135C2F36B06D9B5055BD6AA6AE70A
2864WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\livingpurchase.rtf.LNKlnk
MD5:7DDB2BD7AB6382A01E7FEAC40F4EB879
SHA256:45A10FF70CA3299AA87AE4C04B392F12094DEAADA2566FEDB24270F722087B79
2864WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:0F2B34BD16487A208DC2732AC3ED0B62
SHA256:EEA6BBBB5167C67E070B83027A97B75A27E62D2A4158CD8A90AC26EDA86C2104
2864WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8B3B5481C0CE09C1A3F70D24B00B21EA
SHA256:3037CDFFC92112B468C8349DFA0D33C2BF51F73E6E0C2A6149416AEF48714DB2
2368emotet.exeC:\Users\admin\AppData\Local\qasf\dccw.exeexecutable
MD5:1BB7313AF8F390E115E22E32E9932A55
SHA256:CD13A9A774197BF84BD25A30F4CD51DBC4908138E2E008C81FC1FEEF881C6DA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3244
dccw.exe
POST
41.203.62.170:80
http://41.203.62.170/GBhMzddkhp0zeVWcHE/ChiMullJ/TvxKCSEo58Bu/AASMzqD/GzgvX/
ZA
malicious
3244
dccw.exe
POST
46.105.131.87:80
http://46.105.131.87/JUs5halhk8/HMjYkhrm3iOTJo/DgWGiXwCfUGYBP7x80f/QuoRrwkr70c/v3GoIcr1gK/
FR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
41.203.62.170:80
ECN Telecommunications
ZA
malicious
3244
dccw.exe
46.105.131.87:80
OVH SAS
FR
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3244
dccw.exe
A Network Trojan was detected
ET MALWARE Win32/Emotet CnC Activity (POST) M9
3244
dccw.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin M3
3244
dccw.exe
Unknown Classtype
ET MALWARE Win32/Emotet CnC Activity (POST) M8
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
emotet.exe