File name: | BE-852223497-04232019.js |
Full analysis: | https://app.any.run/tasks/f8a20687-7bb5-4716-a0fd-981a5096040d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 20:29:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 0048F1B910697EB8B5F1C0AC9985F102 |
SHA1: | AEEE2E8F15AEE2C1AEAF193EAEC3666A34FD5A1F |
SHA256: | 8870927B7FCB804322779608FABF59E1C019245DF08AAAF5F9202D131E92EFDA |
SSDEEP: | 768:SeftiG5S0FRVA0sH6Qttk6ueJvKA2bE1SImBtYTl5sQBpt+T+TJrrVZdEDS1TEis:SeFiG5S0FPA0sH6v7oX/E |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3796 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\BE-852223497-04232019.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2480 | "C:\Users\admin\AppData\Local\Temp\1xg8vi2k0.exe" | C:\Users\admin\AppData\Local\Temp\1xg8vi2k0.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3908 | --ee8884d0 | C:\Users\admin\AppData\Local\Temp\1xg8vi2k0.exe | 1xg8vi2k0.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3528 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 1xg8vi2k0.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1572 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2436 | "C:\Users\admin\AppData\Local\soundser\pa1s2EuRDI66Zb.exe" | C:\Users\admin\AppData\Local\soundser\pa1s2EuRDI66Zb.exe | — | soundser.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Memory Diagnostic Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2124 | --be5389d7 | C:\Users\admin\AppData\Local\soundser\pa1s2EuRDI66Zb.exe | pa1s2EuRDI66Zb.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Memory Diagnostic Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
304 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | pa1s2EuRDI66Zb.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Memory Diagnostic Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3604 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Memory Diagnostic Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3796 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@potterspots[1].txt | text | |
MD5:BB40AA492ECBDC8F14F63CFDC66A0946 | SHA256:53D24396154DF7C57EE3F425BC3B78A1480CE400B02DC9FBC346EC5604D9D7A0 | |||
2124 | pa1s2EuRDI66Zb.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:53CA86317121A4FB5FA3FA89C1002B50 | SHA256:430F01B590C70F2AEB85CC083736B09B4B465B13D8D8D08DA2EBFEC0F876D952 | |||
3908 | 1xg8vi2k0.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:0AEB9510C0D69B04E492CE32360F1BFB | SHA256:D192E212101C718C80A36A991D3E967F0E9934A6844CE4907B8B5846693E015A | |||
3796 | WScript.exe | C:\Users\admin\AppData\Local\Temp\1xg8vi2k0.exe | executable | |
MD5:0AEB9510C0D69B04E492CE32360F1BFB | SHA256:D192E212101C718C80A36A991D3E967F0E9934A6844CE4907B8B5846693E015A | |||
1572 | soundser.exe | C:\Users\admin\AppData\Local\soundser\pa1s2EuRDI66Zb.exe | executable | |
MD5:53CA86317121A4FB5FA3FA89C1002B50 | SHA256:430F01B590C70F2AEB85CC083736B09B4B465B13D8D8D08DA2EBFEC0F876D952 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1572 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/merge/acquire/ringin/merge/ | CA | binary | 118 Kb | malicious |
3796 | WScript.exe | GET | 200 | 164.52.146.13:80 | http://potterspots.com/cgi-bin/8MnY/ | US | executable | 78.0 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1572 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
3796 | WScript.exe | 164.52.146.13:80 | potterspots.com | Latisys-Denver, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
potterspots.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3796 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3796 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3796 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3796 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1572 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |