File name:

ExeFile (377).exe

Full analysis: https://app.any.run/tasks/8eaee283-ba9e-4533-9d18-47bb61e28df7
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: August 20, 2024, 16:52:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
emotet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1EE794F126D182703594042ECD1F53FF

SHA1:

26FE92D7F41BE24230047A746F17725CA733D8F8

SHA256:

F39AB231EB58DD1270A76A3171F7785151A4C5CCCA654AC8A6BF8E6A7129FCF7

SSDEEP:

6144:k03RG3HgnF/dmqQ06vopB8EwmJROwcEP5lvnNMlR5P3Tiuw4nUZi0x:k0ogF1zB8EFjo0fNgR57iwUP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EMOTET has been detected (YARA)

      • Windows.StateRepositoryPS.exe (PID: 6580)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ExeFile (377).exe (PID: 6512)
      • Windows.StateRepositoryPS.exe (PID: 6580)

    • Drops the executable file immediately after the start

      • ExeFile (377).exe (PID: 6512)

    • Starts itself from another location

      • ExeFile (377).exe (PID: 6512)

    • Executable content was dropped or overwritten

      • ExeFile (377).exe (PID: 6512)

    • Connects to unusual port

      • Windows.StateRepositoryPS.exe (PID: 6580)

  • INFO

    • Checks supported languages

      • ExeFile (377).exe (PID: 6512)
      • Windows.StateRepositoryPS.exe (PID: 6580)

    • Reads the computer name

      • Windows.StateRepositoryPS.exe (PID: 6580)
      • ExeFile (377).exe (PID: 6512)

    • Reads the machine GUID from the registry

      • Windows.StateRepositoryPS.exe (PID: 6580)

    • Checks proxy server information

      • Windows.StateRepositoryPS.exe (PID: 6580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:09:18 19:25:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 97280
InitializedDataSize: 339456
UninitializedDataSize: -
EntryPoint: 0x10a9b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start exefile (377).exe #EMOTET windows.staterepositoryps.exe

Process information

PID
CMD
Path
Indicators
Parent process
6512"C:\Users\admin\AppData\Local\Temp\ExeFile (377).exe" C:\Users\admin\AppData\Local\Temp\ExeFile (377).exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\exefile (377).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6580"C:\Users\admin\AppData\Local\cryptui\Windows.StateRepositoryPS.exe"C:\Users\admin\AppData\Local\cryptui\Windows.StateRepositoryPS.exe
ExeFile (377).exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\cryptui\windows.staterepositoryps.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 970
Read events
3 967
Write events
3
Delete events
0

Modification events

(PID) Process:(6580) Windows.StateRepositoryPS.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6580) Windows.StateRepositoryPS.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6580) Windows.StateRepositoryPS.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6512ExeFile (377).exeC:\Users\admin\AppData\Local\cryptui\Windows.StateRepositoryPS.exeexecutable
MD5:1EE794F126D182703594042ECD1F53FF
SHA256:F39AB231EB58DD1270A76A3171F7785151A4C5CCCA654AC8A6BF8E6A7129FCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
35
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1692
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6912
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6336
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5144
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5880
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5144
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1692
svchost.exe
20.190.159.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1692
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6580
Windows.StateRepositoryPS.exe
190.192.39.136:80
Telecom Argentina S.A.
AR
malicious
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.71
  • 20.190.159.23
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.105.99.58
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ExeFile (377).exe