File name: | report_QP80943.doc |
Full analysis: | https://app.any.run/tasks/afa037b9-06e1-4d16-bb1a-b5aece421412 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 19, 2019, 01:10:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B02834D9C8FE29F0B54EB1CEF148F86C |
SHA1: | 335FDD5A40EC06D82C9C7040A94C11AF3D00944F |
SHA256: | B5A9B073C35BE4462F63E39F9D1A5DF88AA146AE8A74978C624073B4DBE8BEF8 |
SSDEEP: | 3072:IZ1uxC2aghrksuWUYs65XpyTOIIAy/7WHkjdIqzWQ:WqhrkvWU2iE1IEH |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x0c0cc35b |
ZipCompressedSize: | 1505 |
ZipUncompressedSize: | 1505 |
ZipFileName: | [Content_Types].xml |
Title: | - |
---|---|
Subject: | - |
Creator: | user |
Description: | - |
Keywords: | - |
---|---|
LastModifiedBy: | user |
RevisionNumber: | 10 |
CreateDate: | 2019:09:18 19:03:00Z |
ModifyDate: | 2019:09:18 19:34:00Z |
Template: | Normal.dotm |
TotalEditTime: | 12 minutes |
Pages: | 1 |
Words: | 3 |
Characters: | 21 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 23 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3468 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\report_QP80943.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3960 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\0.7055475.jse" | C:\Windows\System32\WScript.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3692 | "C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe" | C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2568 | "C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe" | C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe | — | bj3xllt2g.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2692 | --64e6c5c0 | C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe | — | bj3xllt2g.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3504 | --64e6c5c0 | C:\Users\admin\AppData\Local\Temp\bj3xllt2g.exe | bj3xllt2g.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2876 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | bj3xllt2g.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3800 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3900 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2548 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B5A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF4F633F2CDBE1AB30.TMP | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF385D3B8794DAC42.TMP | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF46E5CDB167E0094F.TMP | — | |
MD5:— | SHA256:— | |||
3960 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\036buvvrzyxv8o[1].exe | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\12997D3F.jpeg | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD991DD3-49C4-4FB9-B278-D11D535C6765}.tmp | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FEAFD573-A489-4DC6-8AAD-62001ED858F0}.tmp | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF4DF8B59D8765B64C.TMP | — | |
MD5:— | SHA256:— | |||
3468 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7563F4AC-DF99-406B-94E5-761D1CCE7761}.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2548 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/loadan/publish/ | IN | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3960 | WScript.exe | 39.106.43.41:443 | www.cityvisualization.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
2548 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
Domain | IP | Reputation |
---|---|---|
www.cityvisualization.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2548 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2548 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2548 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |