analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Info 11_10_2019 RGI196834.doc |
| Full analysis: | https://app.any.run/tasks/1bef2810-be08-41d8-a547-39f81d679263 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | October 14, 2019, 13:34:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Sleek, Subject: pricing structure, Author: Braxton Botsford, Keywords: Philippines, Comments: Customer, Template: Normal.dotm, Last Saved By: Derek Schumm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 13:56:00 2019, Last Saved Time/Date: Fri Oct 11 13:56:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0 |
| MD5: | 1A64E2F045F2CF61F28426253CEA43B4 |
| SHA1: | EF319B05D5F528B7C79E6A3DFD59A782C8D84BD1 |
| SHA256: | 90058D25E6C6E4BA484FE743E883C741FC8188D58C716C36DD850B1DB8BFC2B0 |
| SSDEEP: | 1536:bGTmkaHArkKPubsYwKjtrzu5rGFmRoHynvwMMITLxQO1xrt:bGTmkqBKgdzSrG8KyIwLx3r |
MALICIOUS
No malicious indicators.SUSPICIOUS
No suspicious indicators.INFO
Manual execution by user
- iexplore.exe (PID: 1788)
Reads Internet Cache Settings
- iexplore.exe (PID: 2160)
- iexplore.exe (PID: 1788)
Reads internet explorer settings
- iexplore.exe (PID: 2160)
Creates files in the user directory
- iexplore.exe (PID: 2160)
- WINWORD.EXE (PID: 600)
Changes internet zones settings
- iexplore.exe (PID: 1788)
Application launched itself
- iexplore.exe (PID: 1788)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 600)
Reads settings of System Certificates
- iexplore.exe (PID: 1788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| Manager: | Bartell |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 198 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | Gerhold - Schamberger |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| Characters: | 170 |
| Words: | 29 |
| Pages: | 1 |
| ModifyDate: | 2019:10:11 12:56:00 |
| CreateDate: | 2019:10:11 12:56:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | Derek Schumm |
| Template: | Normal.dotm |
| Comments: | Customer |
| Keywords: | Philippines |
| Author: | Braxton Botsford |
| Subject: | pricing structure |
| Title: | Sleek |
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 600 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Info 11_10_2019 RGI196834.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
| 1788 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 2160 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1788 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
2 242
Read events
1 392
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
15
Unknown types
22
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB3E9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9678268C.wmf | wmf | |
MD5:3E386D8C6C26288070B0B5868EC73142 | SHA256:129F9207742E5A75C9696C98D28C32C0FEFBCD1CA9353535ED5539FD98BAFE74 | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6DBE070D96D029B3945F29C3F53EA1E1 | SHA256:30094595AD76DCF7E2C2FD7837F14A7052A128361169276C97B994187DA305B2 | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85E5287A.wmf | wmf | |
MD5:D39BBCAE6037A3FE3D462E291C100464 | SHA256:D74156D86C0C0B2481FC11C358ABD892BB19F10AC3C046778B73E46254DF2317 | |||
| 1788 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:94A4E1AB1B5E0704C5376653E0A56798 | SHA256:BD344EDF01C6E1504173EF0AC609A91402D074EFE09EE7634D961207DC3D5CB2 | |||
| 1788 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2160 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt | — | |
MD5:— | SHA256:— | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$fo 11_10_2019 RGI196834.doc | pgc | |
MD5:186C3BC477E3A088438BFB6801628374 | SHA256:D281ED1A919575ACFF31BBAD52D48071F34AF763C0FA04584728C97D1F27639F | |||
| 600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F9CF698.wmf | wmf | |
MD5:88C998CBA2EE359EB00DE3FEAD26BD25 | SHA256:B565CE0E1C400314EAC0D49554EE1E28AA818CF54DF2B7CF8AE33649A1437023 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
7
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1788 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2160 | iexplore.exe | GET | 301 | 172.217.22.46:80 | http://google.com/ | US | html | 219 b | whitelisted |
2160 | iexplore.exe | GET | 302 | 172.217.18.164:80 | http://www.google.com/ | US | html | 231 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1788 | iexplore.exe | 172.217.18.164:443 | www.google.com | Google Inc. | US | whitelisted |
2160 | iexplore.exe | 172.217.18.164:443 | www.google.com | Google Inc. | US | whitelisted |
1788 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2160 | iexplore.exe | 172.217.22.46:80 | google.com | Google Inc. | US | whitelisted |
2160 | iexplore.exe | 172.217.18.164:80 | www.google.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
www.google.com |
| whitelisted |