| Field | Value |
|---|---|
| URL | http://dkw-engineering.net/menu_2018/QJWz-v4cTcjX6m5sMSSb_zpnebAmY-kj/ |
| Full analysis | https://app.any.run/tasks/f0c5f3c7-cc26-489e-9790-391bb70ca2a2 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded to become a very destructive piece of malware. It targets mostly corporate victims, but private users also get infected in mass spam email campaigns. |
| Analysis date | April 15, 2019, 14:10:31 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MD5 | DF1803275DE864D8F202792F9525166C |
| SHA1 | F2C6D6C49BDF4EC1BE1869B03C806335DDF12EEE |
| SHA256 | 2D90BD40C4389DEBB67C1982A0EAFFDB7985ADDA111A0A165F2CEDA7FA9E3DB8 |
| SSDEEP | 3:N1KaOiCbj2Id6Mh0Vshn:Ca6bEMh0Vshn |

| PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2664 | "C:\Program Files\Internet Explorer\iexplore.exe" http://dkw-engineering.net/menu_2018/QJWz-v4cTcjX6m5sMSSb_zpnebAmY-kj/ | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | admin | MEDIUM | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 1 |
| 2884 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2664 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | LOW | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1756 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\QJWz-v4cTcjX6m5sMSSb_zpnebAmY-kj[1].js" | C:\Windows\System32\WScript.exe | | iexplore.exe | admin | MEDIUM | Microsoft Corporation | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | 0 |
| 2960 | "C:\Users\admin\AppData\Local\Temp\yufu4vwhm.exe" | C:\Users\admin\AppData\Local\Temp\yufu4vwhm.exe | — | WScript.exe | admin | MEDIUM | 360.cn | 360 FirstAid | 1, 0, 0, 1007 | 0 |
| 2912 | --aa344313 | C:\Users\admin\AppData\Local\Temp\yufu4vwhm.exe | | yufu4vwhm.exe | admin | MEDIUM | 360.cn | 360 FirstAid | 1, 0, 0, 1007 | 0 |
| 3308 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | yufu4vwhm.exe | admin | MEDIUM | 360.cn | 360 FirstAid | 1, 0, 0, 1007 | 0 |
| 3264 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe | admin | MEDIUM | 360.cn | 360 FirstAid | 1, 0, 0, 1007 | 0 |
| 2804 | "C:\Users\admin\AppData\Local\soundser\MS5gLI.exe" | C:\Users\admin\AppData\Local\soundser\MS5gLI.exe | — | soundser.exe | admin | MEDIUM | | | | 0 |
| 2580 | --137ad6dc | C:\Users\admin\AppData\Local\soundser\MS5gLI.exe | | MS5gLI.exe | admin | MEDIUM | | | | 0 |
| 2248 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | MS5gLI.exe | admin | MEDIUM | | | | 0 |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {431B4A69-5F88-11E9-B63D-5254004A04AF} | 0 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 1 |
| 2664 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307040001000F000E000A002F002500 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | — |
| 2664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9DC775052D606246.TMP | — | — | — |
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF48B59789492E4F3B.TMP | — | — | — |
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{431B4A69-5F88-11E9-B63D-5254004A04AF}.dat | — | — | — |
| 2884 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | 6A16DAE9874E32FB3A7F84E39B80D18E | B87087B78BFB2F62652139240EEB91CEACEB0589B4C17ABB6C2820652B1DE4B5 |
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{431B4A6A-5F88-11E9-B63D-5254004A04AF}.dat | binary | 36D1763F259E8E648653882CCA1B0F8D | 2C063E03BF4A412A8BD735846EC431B5B56B71DD182C56A77889CA464030C80E |
| 2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
| 2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\19Q8GQ6S\8405060468_Apr_14_2019[1].js | text | 3D584A5B6CEC11D3ED873AB96021EF3E | D0819ED578BEB38C8875532613FF761B6B4816F653EE41042F853FB87CDB592D |
| 2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\QJWz-v4cTcjX6m5sMSSb_zpnebAmY-kj[1].js | text | 3D584A5B6CEC11D3ED873AB96021EF3E | D0819ED578BEB38C8875532613FF761B6B4816F653EE41042F853FB87CDB592D |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3264 | soundser.exe | POST | — | 117.193.28.115:80 | http://117.193.28.115/pdf/balloon/ | IN | — | — | malicious |
| 1756 | WScript.exe | GET | 200 | 77.92.74.1:80 | http://1roof.ltd.uk/creationmaintenance.co.uk/FC_W/ | GB | executable | 130 KB | malicious |
| 2884 | iexplore.exe | GET | 200 | 113.53.228.69:80 | http://dkw-engineering.net/menu_2018/QJWz-v4cTcjX6m5sMSSb_zpnebAmY-kj/ | TH | text | 13.7 KB | suspicious |
| 3264 | soundser.exe | POST | 200 | 94.11.25.255:80 | http://94.11.25.255/srvc/window/ | GB | binary | 90.7 KB | malicious |
| 3012 | soundser.exe | POST | — | 82.0.19.40:80 | http://82.0.19.40/img/ | GB | — | — | malicious |
| 3012 | soundser.exe | POST | — | 165.255.52.192:80 | http://165.255.52.192/jit/ringin/ | ZA | — | — | malicious |
| 3012 | soundser.exe | POST | — | 201.248.5.197:80 | http://201.248.5.197/publish/iplk/ | VE | — | — | malicious |
| 2664 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 B | whitelisted |
| 3012 | soundser.exe | POST | — | 216.98.148.156:8080 | http://216.98.148.156:8080/vermont/pdf/ringin/ | US | — | — | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2664 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3264 | soundser.exe | 117.193.28.115:80 | — | National Internet Backbone | IN | malicious |
| 2884 | iexplore.exe | 113.53.228.69:80 | dkw-engineering.net | TOT Public Company Limited | TH | suspicious |
| 1756 | WScript.exe | 77.92.74.1:80 | 1roof.ltd.uk | UK-2 Limited | GB | malicious |
| 3264 | soundser.exe | 94.11.25.255:80 | — | Sky UK Limited | GB | malicious |
| 3012 | soundser.exe | 201.248.5.197:80 | — | CANTV Servicios, Venezuela | VE | malicious |
| 3012 | soundser.exe | 82.0.19.40:80 | — | Virgin Media Limited | GB | malicious |
| 3012 | soundser.exe | 216.98.148.156:8080 | — | CariNet, Inc. | US | malicious |
| 3012 | soundser.exe | 165.255.52.192:80 | — | Afrihost | ZA | malicious |

| Domain | IP | Reputation |
|---|---|---|
| dkw-engineering.net | | suspicious |
| www.bing.com | | whitelisted |
| 1roof.ltd.uk | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 1756 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 1756 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
| 1756 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
| 3264 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 3264 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 3012 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 3012 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 3012 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |