Field | Value
---|---
File name | dontrun.ps1
Full analysis | https://app.any.run/tasks/bc0b7f20-c4f6-44ef-ac42-5c366be0652c
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
Analysis date | May 15, 2019, 01:36:56
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | 6AD2F0761DA9B6785288C8C40D58F047
SHA1 | 17D8BB3BA1640F9C75E7E4B339EC0F598E830D61
SHA256 | 2A4C30BFCEF64BC4C41B86866C9D61BFED9411121F2DA23BEAB10F9CCEBE1AC8
SSDEEP | 12:fDcecTDOOctZh4dcgo3AMoZ0u+vmocJUq/R+RIZoyBgmvfTyhl8fQDiran:7crTDOOcedcgowrCmoO8hyymvehmQDLn

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1892 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\dontrun.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3600 | "C:\Users\admin\235.exe" | C:\Users\admin\235.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3668 | --ebe2cb72 | C:\Users\admin\235.exe | — | 235.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3008 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 235.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2344 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3700 | "C:\Users\admin\AppData\Local\soundser\erb3BgsB1N8khltH3k.exe" | C:\Users\admin\AppData\Local\soundser\erb3BgsB1N8khltH3k.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3644 | --d45c70d9 | C:\Users\admin\AppData\Local\soundser\erb3BgsB1N8khltH3k.exe | — | erb3BgsB1N8khltH3k.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3560 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | erb3BgsB1N8khltH3k.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3352 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EW722YM7E7GDIWD5CE72.temp | — | — | —
1892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF133de7.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
2344 | soundser.exe | C:\Users\admin\AppData\Local\soundser\erb3BgsB1N8khltH3k.exe | executable | 4F755FEF4A94EECBFCE7AB4FC5D70391 | 71DD8C35448FA4D479A2A4AB4582FE7B95E9BE7517BC5D049D10BB79B26A45EA
1892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
1892 | powershell.exe | C:\Users\admin\235.exe | executable | CB9026E269F6A2BF6DB1C923A3451A16 | 12BA09D1FB95A170E4FDCB28F1DC36882D2CB47E4A6D8219899ABDC2005DB6D4
3668 | 235.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | CB9026E269F6A2BF6DB1C923A3451A16 | 12BA09D1FB95A170E4FDCB28F1DC36882D2CB47E4A6D8219899ABDC2005DB6D4
3644 | erb3BgsB1N8khltH3k.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 4F755FEF4A94EECBFCE7AB4FC5D70391 | 71DD8C35448FA4D479A2A4AB4582FE7B95E9BE7517BC5D049D10BB79B26A45EA

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3352 | soundser.exe | POST | — | 200.85.46.122:80 | http://200.85.46.122/cab/enabled/ringin/merge/ | PY | — | — | malicious |
2344 | soundser.exe | POST | 200 | 200.85.46.122:80 | http://200.85.46.122/schema/site/ | PY | binary | 65.8 Kb | malicious |
1892 | powershell.exe | GET | 200 | 99.198.101.186:80 | http://riversoftbd.com/wp-content/vFikaQjYg/ | US | executable | 74.5 Kb | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
1892 | powershell.exe | 99.198.101.186:80 | riversoftbd.com | SingleHop, Inc. | US | suspicious |
— | — | 200.85.46.122:80 | — | Telecel S.A. | PY | malicious |
2344 | soundser.exe | 200.85.46.122:80 | — | Telecel S.A. | PY | malicious |

Domain | IP | Reputation
---|---|---
riversoftbd.com | 99.198.101.186 | suspicious

PID | Process | Class | Message
---|---|---|---
1892 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1892 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1892 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2344 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3352 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |