File name: | F_5470386_04252019.js |
Full analysis: | https://app.any.run/tasks/6fdd1ea1-5572-4ddd-814e-6ff68c1daed4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 25, 2019, 19:10:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 946BA70FCB91888981E6FC5A81D9E7AE |
SHA1: | E27FC7F1E81F0B451E99C2D96974A4823205205B |
SHA256: | EDAB37A0304B9B8CB7C0140043B1C41DE464928D5835545575E593B95F5F9295 |
SSDEEP: | 768:oN8JZ9V6GVltl5jYRwV/Y7Ct5NwLMbJdu682DllC9oVx6G/l5t5s25clXCPWtATt:o+JZ9V6GVltl5jYReb5 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1460 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\F_5470386_04252019.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2784 | "C:\Users\admin\AppData\Local\Temp\zn56wzg55.exe" | C:\Users\admin\AppData\Local\Temp\zn56wzg55.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
944 | --f62aab13 | C:\Users\admin\AppData\Local\Temp\zn56wzg55.exe | zn56wzg55.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2604 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | zn56wzg55.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1836 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4012 | "C:\Users\admin\AppData\Local\soundser\YSbZI50fdx.exe" | C:\Users\admin\AppData\Local\soundser\YSbZI50fdx.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2888 | --2de6e34f | C:\Users\admin\AppData\Local\soundser\YSbZI50fdx.exe | — | YSbZI50fdx.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1460 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\fMsEqjm30T[1].exe | — | |
MD5:— | SHA256:— | |||
944 | zn56wzg55.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:3F5A7865E0EE668A2BFFCA64CBF127CD | SHA256:9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE | |||
1460 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@lotuspolymers[1].txt | text | |
MD5:628F4D86CA2711C3B47C4848EB998DCF | SHA256:004B2CBA996412F056475EDAB48E134F31E28920165913240183260F9D7FE2B6 | |||
1836 | soundser.exe | C:\Users\admin\AppData\Local\soundser\YSbZI50fdx.exe | executable | |
MD5:C269F0952FD0EE6C8AAA2C895B51F1CE | SHA256:C5A51343901F1FA017AA35CA81D3D3894513377FE3FC3637EAEF90159BCAF384 | |||
1460 | WScript.exe | C:\Users\admin\AppData\Local\Temp\zn56wzg55.exe | executable | |
MD5:3F5A7865E0EE668A2BFFCA64CBF127CD | SHA256:9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1836 | soundser.exe | POST | — | 24.150.44.53:80 | http://24.150.44.53/devices/prov/ringin/merge/ | CA | — | — | malicious |
1460 | WScript.exe | GET | 200 | 107.180.14.32:80 | http://lotuspolymers.com/wp-includes/GacU/ | US | executable | 78.5 Kb | malicious |
1836 | soundser.exe | POST | — | 181.142.29.90:80 | http://181.142.29.90/tlb/ban/ringin/merge/ | CO | — | — | malicious |
1836 | soundser.exe | POST | 200 | 185.94.252.249:443 | http://185.94.252.249:443/arizona/psec/ringin/ | DE | binary | 67.6 Kb | malicious |
1836 | soundser.exe | POST | — | 177.225.175.199:80 | http://177.225.175.199/vermont/entries/ | MX | — | — | malicious |
1836 | soundser.exe | POST | — | 185.94.252.27:443 | http://185.94.252.27:443/symbols/pdf/ringin/merge/ | DE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1836 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
1460 | WScript.exe | 107.180.14.32:80 | lotuspolymers.com | GoDaddy.com, LLC | US | malicious |
1460 | WScript.exe | 103.84.194.226:443 | dolanmbakboyo.com | PT. Drupadi Prima | ID | suspicious |
1836 | soundser.exe | 185.94.252.27:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
1836 | soundser.exe | 177.225.175.199:80 | — | — | MX | malicious |
1836 | soundser.exe | 181.142.29.90:80 | — | EPM Telecomunicaciones S.A. E.S.P. | CO | malicious |
1836 | soundser.exe | 185.94.252.249:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
Domain | IP | Reputation |
---|---|---|
dolanmbakboyo.com |
| malicious |
lotuspolymers.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1460 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
1460 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1460 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
1460 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |