File name:

2023-03-07-Emotet-malspam-143908-UTC.eml

Full analysis: https://app.any.run/tasks/2560254d-9dbf-4843-914a-a936ccde2ed9
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns.

Analysis date: September 20, 2024, 07:10:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
attachments
attc-arch
emotet
stealer
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text, with CRLF line terminators
MD5:

B72A53C67A1B64BA6C73808744552F16

SHA1:

8CF1D2EAA5A585CE95456FDC3D11B258783E21F0

SHA256:

FB64D3677A4413623FC21F81BB24B93943238BF626AA8AC14686FDF7AFDD08A0

SSDEEP:

3072:bR2Rnu7qK8PYvBecdx2xcV7g7rZYVk/YjILyyEol0/tn51haTNrghnJRP:eu70vgx2xcOHZxx3UT1qNrg7RP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • EMOTET has been detected (SURICATA)

      • WINWORD.EXE (PID: 2812)
  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 2812)
  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2448)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2448)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2448)
    • The process uses the downloaded file

      • OUTLOOK.EXE (PID: 2108)
      • WinRAR.exe (PID: 2024)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 2024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Process nodes shown in the graph, in graph order:
  • start
  • outlook.exe
  • wmpnscfg.exe (no specs)
  • winrar.exe (no specs)
  • winword.exe (#EMOTET)
  • winword.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2024
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\G1KNUSE5\PO000206886.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2108
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml C:\Users\admin\AppData\Local\Temp\2023-03-07-Emotet-malspam-143908-UTC.eml
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Modules
Images
c:\program files\microsoft office\office14\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2448
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2812
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2024.7702\PO 000206886, USA.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 3720
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
19 230
Read events
18 013
Write events
1 044
Delete events
173

Modification events

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1040
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1049
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 3082
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1042
Value: Off

(PID) Process: (2108) OUTLOOK.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1055
Value: Off
Executable files
0
Suspicious files
7
Text files
7
Unknown types
1

Dropped files

PID | Process | Filename | Type

2108 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRA364.tmp.cvr |
MD5:
SHA256:

2108 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst |
MD5:
SHA256:

2024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2024.7702\PO 000206886, USA.doc |
MD5:
SHA256:

2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D56.tmp.cvr |
MD5:
SHA256:

2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A1DF0F7B-6079-4B0A-BCCF-E53E0C65C3FB.0\71EC6CE7.doc |
MD5:
SHA256:

2108 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\G1KNUSE5\PO000206886 (2).zip | compressed
MD5: 9118C9FCE73C1E93E50F01D5FEF6C476
SHA256: AFBC2421CD177BF8CA5E42F8B51C0330F1A7BEC7B3214483CE653C691DBBB235

2108 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\G1KNUSE5\PO000206886.zip:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_A1DF0F7B-6079-4B0A-BCCF-E53E0C65C3FB.0\71EC6CE7.doc:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

2812 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: F3D2CA3247A26708A8A132413B55FEC1
SHA256: 166F7DB657E1C3396E075F7B83066A2906E86328033D5FC0AEEA4FCED8E5FAB8

2024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2024.7702\PO 000206886, USA.doc:Zone.Identifier | text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
10
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2108 | OUTLOOK.EXE | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=120751 | unknown | | | whitelisted
2108 | OUTLOOK.EXE | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=120750 | unknown | | | whitelisted
2812 | WINWORD.EXE | GET | 301 | 101.99.3.20:80 | http://mtp.evotek.vn/wp-content/L/?081147 | unknown | | | unknown
2812 | WINWORD.EXE | GET | 403 | 211.149.240.116:80 | http://www.189dom.com/xue80/C0aJr5tfI5Pvi8m/?081154 | unknown | | | unknown
2108 | OUTLOOK.EXE | POST | 302 | 184.28.89.167:80 | http://go.microsoft.com/fwlink/?LinkID=120752 | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
2108 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2108 | OUTLOOK.EXE | 184.28.89.167:80 | go.microsoft.com | AKAMAI-AS | US | whitelisted
2108 | OUTLOOK.EXE | 40.91.76.224:443 | activation.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2812 | WINWORD.EXE | 27.54.81.161:443 | midcoastsupplies.com.au | Dreamscape Networks Limited | AU | unknown
2812 | WINWORD.EXE | 101.99.3.20:80 | mtp.evotek.vn | CMC Telecom Infrastructure Company | VN | malicious
2812 | WINWORD.EXE | 101.99.3.20:443 | mtp.evotek.vn | CMC Telecom Infrastructure Company | VN | malicious

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
config.messenger.msn.com | 64.4.26.155 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
activation.sls.microsoft.com | 40.91.76.224 | whitelisted
midcoastsupplies.com.au | 27.54.81.161 | unknown
mtp.evotek.vn | 101.99.3.20 | unknown
achilles.com.vn | 101.99.3.20 | unknown
www.189dom.com | 211.149.240.116 | unknown
esentai-gourmet.kz | 94.247.135.151 | malicious

Threats

PID | Process | Class | Message
2812 | WINWORD.EXE | A Network Trojan was detected | ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M1
2812 | WINWORD.EXE | A Network Trojan was detected | ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M1
No debug info