Malware analysis Zeskanowany_dokument-9983653-18-09-2019(1).doc Malicious activity

Add for printing

File name:	Zeskanowany_dokument-9983653-18-09-2019(1).doc
Full analysis:	https://app.any.run/tasks/564d0f6d-af48-4676-ae8c-e7d51314e5ed
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 12:14:45
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	generated-doc emotet-doc emotet
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Down-sized, Subject: Berkshire, Author: Ryleigh Rodriguez, Comments: Operations Cambridgeshire, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:22:00 2019, Last Saved Time/Date: Wed Sep 18 07:22:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	BBC81A42114835B2A6EE504E7B050793
SHA1:	AE4FD83B66823E2CA159CCF32E38BC2AD6DA0E7D
SHA256:	6B809D22892E58C1A222ED140906D44869BBE10756B8D57AF8907229C49E1DDA
SSDEEP:	6144:mPqZiq86MofT1K82zw1qWaWPLkIp7NSU4jJntATfDL:mPqZiq86MofT1K82zw1qWaEXp7NSU4Vo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3000)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3000)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Reilly
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	641
Paragraphs:	1
Lines:	4
Company:	Huel, Nienow and Stehr
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	547
Words:	95
Pages:	1
ModifyDate:	2019:09:18 06:22:00
CreateDate:	2019:09:18 06:22:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	-
Template:	Normal.dotm
Comments:	Operations Cambridgeshire
Keywords:	-
Author:	Ryleigh Rodriguez
Subject:	Berkshire
Title:	Down-sized

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

33

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3000	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Zeskanowany_dokument-9983653-18-09-2019(1).doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000

Add for printing

Total events

1 231

Read events

833

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

43

Dropped files

PID	Process	Filename		Type
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRAC13.tmp.cvr		—
		MD5:—	SHA256:—
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EE2FE80.wmf		wmf
		MD5:4609BF8554CB32D063F37171D7BAE478	SHA256:FE80411C066E2380B4B7B56FF300C28FB2DDAC549EF6C8D115219E44C93B41B5
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1E0E337.wmf		wmf
		MD5:1B6E196535F371F21CE9011806CF9C56	SHA256:EB7221C54B76290DBB8E962CB3C10A4F69CB2093C5FF8D1EE92687C8646523F0
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:2F4D676B7BA49B05F123ED7961CC827D	SHA256:8735931E672320038066E93003A31E26920BBF7C21ADAF1BF6E545DDDD9158ED
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D5B1365.wmf		wmf
		MD5:1A2C5846FDBB3EE8145258C4AAC904E0	SHA256:688EE3468FA0EA5A5729F36669A1DBFCCE62DE84BCF0492B565061A1764E917E
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$skanowany_dokument-9983653-18-09-2019(1).doc		pgc
		MD5:7963D51BDE2AA0744C2E95F13E0C06CD	SHA256:A0F29EC7D391F91E2A345B72E386B99596208A928B4D669FCF8C64752051A7AF
3000	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:62F2DA178DD59EBA6B61EE250E55F925	SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D369688E.wmf		wmf
		MD5:8BC8DFCEB298E702BF9B025FED5168C5	SHA256:2110F3551238A949DC92B6A3DBE7FE13C64D2672C0DA3D547EC08EA4850520E8
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\335F9FF.wmf		wmf
		MD5:51EA3C4ACA7F04B3DB6CF71A1E84388F	SHA256:8FE120AC905129B55F0F00CE4E0EEE5A874B8F160AAF3089207C08E9E2C26D3F
3000	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C8B8B076.wmf		wmf
		MD5:AABF0BE179732C7EA576E54D4376BFD0	SHA256:D07AE2B5A2AC604EB315C30BC1F615814D5DB4AF1ADAB2C1E20FE71ED5275DD8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Zeskanowany_dokument-9983653-18-09-2019(1).doc

BBC81A42114835B2A6EE504E7B050793

AE4FD83B66823E2CA159CCF32E38BC2AD6DA0E7D

6B809D22892E58C1A222ED140906D44869BBE10756B8D57AF8907229C49E1DDA

6144:mPqZiq86MofT1K82zw1qWaWPLkIp7NSU4jJntATfDL:mPqZiq86MofT1K82zw1qWaEXp7NSU4Vo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings