analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://bricolambert.com/wp-admin/8716_84622/

Full analysis: https://app.any.run/tasks/98db6604-f07c-4301-baf6-c363c97dbdd6
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 15, 2022, 03:32:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
emotet
loader
emotet-doc
Indicators:
MD5:

688E778223F9F5E93C58C13A51B57FFE

SHA1:

39DBAB9D93E3824DAC6F0BA5DF823DD3B3DFCA20

SHA256:

F3B92C68D664B9F6F8E5A3CC020B2E18E045D09182755D0CBFD83207884CECAA

SSDEEP:

3:N1Kc6TiLRmgfn:Cc6etmgfn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • EMOTET was detected

      • chrome.exe (PID: 4092)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2120)
      • rundll32.exe (PID: 3020)
      • SearchProtocolHost.exe (PID: 3640)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 3592)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 380)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 380)
    • Connects to CnC server

      • rundll32.exe (PID: 3592)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 3592)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 2988)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • EXCEL.EXE (PID: 1968)
    • Application launched itself

      • EXCEL.EXE (PID: 1968)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 3020)
    • Reads default file associations for system extensions

      • SearchProtocolHost.exe (PID: 3640)
      • rundll32.exe (PID: 3020)
    • Uses RUNDLL32.EXE to load library

      • EXCEL.EXE (PID: 380)
      • rundll32.exe (PID: 2120)
      • rundll32.exe (PID: 3020)
      • rundll32.exe (PID: 1716)
    • Drops a file with a compile date too recent

      • EXCEL.EXE (PID: 380)
      • rundll32.exe (PID: 3020)
    • Starts itself from another location

      • rundll32.exe (PID: 2120)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 3020)
  • INFO

    • Reads the computer name

      • chrome.exe (PID: 4092)
      • chrome.exe (PID: 1056)
      • chrome.exe (PID: 4056)
      • chrome.exe (PID: 1368)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 1320)
      • explorer.exe (PID: 3064)
      • chrome.exe (PID: 2660)
      • EXCEL.EXE (PID: 1968)
      • EXCEL.EXE (PID: 3248)
      • EXCEL.EXE (PID: 380)
      • rundll32.exe (PID: 3020)
      • chrome.exe (PID: 2256)
      • chrome.exe (PID: 824)
      • rundll32.exe (PID: 3592)
      • taskmgr.exe (PID: 1344)
      • mmc.exe (PID: 2988)
    • Checks supported languages

      • chrome.exe (PID: 4056)
      • chrome.exe (PID: 1056)
      • chrome.exe (PID: 3496)
      • chrome.exe (PID: 4092)
      • chrome.exe (PID: 2432)
      • chrome.exe (PID: 1368)
      • chrome.exe (PID: 2664)
      • chrome.exe (PID: 784)
      • chrome.exe (PID: 2608)
      • explorer.exe (PID: 3064)
      • chrome.exe (PID: 1320)
      • EXCEL.EXE (PID: 1968)
      • chrome.exe (PID: 2660)
      • EXCEL.EXE (PID: 3248)
      • EXCEL.EXE (PID: 380)
      • rundll32.exe (PID: 3020)
      • rundll32.exe (PID: 2120)
      • chrome.exe (PID: 2256)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 3592)
      • chrome.exe (PID: 824)
      • mmc.exe (PID: 2988)
      • taskmgr.exe (PID: 1344)
    • Reads the hosts file

      • chrome.exe (PID: 4092)
      • chrome.exe (PID: 1056)
    • Application launched itself

      • chrome.exe (PID: 1056)
    • Reads settings of System Certificates

      • chrome.exe (PID: 4092)
      • rundll32.exe (PID: 3592)
    • Checks Windows Trust Settings

      • chrome.exe (PID: 1056)
      • rundll32.exe (PID: 3592)
    • Manual execution by user

      • explorer.exe (PID: 3064)
      • EXCEL.EXE (PID: 1968)
      • EXCEL.EXE (PID: 380)
      • taskmgr.exe (PID: 1344)
      • mmc.exe (PID: 1616)
      • mmc.exe (PID: 2988)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 1968)
      • EXCEL.EXE (PID: 380)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3248)
      • EXCEL.EXE (PID: 1968)
      • EXCEL.EXE (PID: 380)
    • Reads the date of Windows installation

      • chrome.exe (PID: 824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
25
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs #EMOTET chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs excel.exe no specs excel.exe no specs excel.exe rundll32.exe no specs searchprotocolhost.exe no specs rundll32.exe chrome.exe no specs rundll32.exe no specs rundll32.exe chrome.exe no specs taskmgr.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1056"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "http://bricolambert.com/wp-admin/8716_84622/"C:\Program Files\Google\Chrome\Application\chrome.exe
Explorer.EXE
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
86.0.4240.198
3496"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6e7ed988,0x6e7ed998,0x6e7ed9a4C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
4056"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1060 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
4092"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
784"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
2432"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
2664"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
1368"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgACAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=980 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
2608"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3156 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
1320"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1052,6310239344549221109,16280871944150092008,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
Total events
23 843
Read events
23 489
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
49
Text files
99
Unknown types
13

Dropped files

PID
Process
Filename
Type
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61E24045-420.pma
MD5:
SHA256:
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\4d02395e-3427-4e6a-a512-de32b1d53e5b.tmptext
MD5:A45B361EE83818ED6F3B3EED79C6DE40
SHA256:8A697ACF5525DD619CCE1F3450E65146669DF010377E94FB3E3FE250D9D5367F
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferencestext
MD5:A45B361EE83818ED6F3B3EED79C6DE40
SHA256:8A697ACF5525DD619CCE1F3450E65146669DF010377E94FB3E3FE250D9D5367F
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF1134d8.TMPtext
MD5:D0BA19096D6C8F8DE58312E8D938E893
SHA256:AADE90A7B0984F3C719D528E4E6FAE3854E28B30363BDD4DF65037E69784A078
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.oldtext
MD5:5202CA4D6AF0C37DAEC0D528CC7F2986
SHA256:8F5B8FF94B14C36EA0CBE8FA0A4D165A632B45F834BBB7239E1A6CF6685F256C
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldtext
MD5:7721CDA9F5B73CE8A135471EB53B4E0E
SHA256:DD730C576766A46FFC84E682123248ECE1FF1887EC0ACAB22A5CE93A450F4500
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF11319c.TMPtext
MD5:81F483F77EE490F35306A4F94DB2286B
SHA256:82434CE3C9D13F509EBEEBE3A7A1A1DE9AB4557629D9FC855761E0CFA45E8BCE
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF11316d.TMPtext
MD5:936EB7280DA791E6DD28EF3A9B46D39C
SHA256:CBAF2AFD831B32F6D1C12337EE5D2F090D6AE1F4DCB40B08BEF49BF52AD9721F
1056chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old~RF113296.TMPtext
MD5:109A25C32EE1132ECD6D9F3ED9ADF01A
SHA256:DA6028DB9485C65E683643658326F02B1D0A1566DE14914EF28E5248EB94F0DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
14
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
380
EXCEL.EXE
GET
200
162.241.158.87:80
http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
US
executable
574 Kb
suspicious
4092
chrome.exe
GET
200
217.160.0.236:80
http://bricolambert.com/wp-admin/8716_84622/
DE
html
45.9 Kb
malicious
4092
chrome.exe
GET
200
217.160.0.236:80
http://bricolambert.com/wp-admin/8716_84622/?i=1
DE
document
83.3 Kb
malicious
4092
chrome.exe
GET
200
217.160.0.236:80
http://bricolambert.com/wp-admin/8716_84622/?i=1
DE
document
83.3 Kb
malicious
3592
rundll32.exe
GET
200
95.140.236.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?caf612e6b37d2b31
GB
compressed
4.70 Kb
whitelisted
3592
rundll32.exe
GET
200
95.140.236.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11ecff985e0a5f27
GB
compressed
59.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4092
chrome.exe
142.250.185.174:443
clients2.google.com
Google Inc.
US
whitelisted
4092
chrome.exe
142.250.186.163:443
ssl.gstatic.com
Google Inc.
US
whitelisted
4092
chrome.exe
142.250.185.228:443
www.google.com
Google Inc.
US
whitelisted
4092
chrome.exe
142.250.184.237:443
accounts.google.com
Google Inc.
US
suspicious
4092
chrome.exe
216.58.212.163:443
update.googleapis.com
Google Inc.
US
whitelisted
4092
chrome.exe
142.250.185.110:443
sb-ssl.google.com
Google Inc.
US
whitelisted
3592
rundll32.exe
69.16.218.101:8080
Liquid Web, L.L.C
US
malicious
4092
chrome.exe
217.160.0.236:80
bricolambert.com
1&1 Internet SE
DE
malicious
3592
rundll32.exe
45.138.98.34:80
malicious
3592
rundll32.exe
95.140.236.128:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
GB
malicious

DNS requests

Domain
IP
Reputation
accounts.google.com
  • 142.250.184.237
shared
bricolambert.com
  • 217.160.0.236
malicious
clients2.google.com
  • 142.250.185.174
whitelisted
www.google.com
  • 142.250.185.228
whitelisted
ssl.gstatic.com
  • 142.250.186.163
whitelisted
sb-ssl.google.com
  • 142.250.185.110
whitelisted
mail.emilyanncain.com
  • 162.241.158.87
suspicious
ctldl.windowsupdate.com
  • 95.140.236.128
  • 178.79.242.128
whitelisted
update.googleapis.com
  • 216.58.212.163
whitelisted

Threats

PID
Process
Class
Message
4092
chrome.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet HTML Template Response
380
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
380
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
380
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
3592
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 17
3592
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 20
2 ETPRO signatures available at the full report
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn