Malware analysis Dok_7918737646_275062031171.doc Malicious activity

Add for printing

File name:	Dok_7918737646_275062031171.doc
Full analysis:	https://app.any.run/tasks/0498bc12-9ae7-4d59-98cd-348a7b18edd1
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 14:40:37
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	emotet-doc emotet generated-doc
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Marketing, Subject: Small Soft Pizza, Author: Orin Littel, Keywords: Consultant, Comments: fuchsia, Template: Normal.dotm, Last Saved By: Eleonore Wisozk, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 07:21:00 2019, Last Saved Time/Date: Wed Oct 9 07:21:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5:	C48BC5376CB7DBA8AA5FB0AE9030D74B
SHA1:	F515452C39EC00ABA5E97A8FFA6E85DABFC88784
SHA256:	9BAD271E422E1FD8D4504B370E458E884DBAD25C398A70A2D04DD61CF8AF00C4
SSDEEP:	1536:s7YEVyOLYoP8jJV0f8YTrkKPubsYwKjtrzu5rGumRoHynvwMMITLxQODxrt:REVyOLYB60KgdzSrGjKyIwLx31

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2820)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2820)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Dach
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	201
Paragraphs:	1
Lines:	1
Company:	Jenkins, Steuber and Dickens
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	172
Words:	30
Pages:	1
ModifyDate:	2019:10:09 06:21:00
CreateDate:	2019:10:09 06:21:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	Eleonore Wisozk
Template:	Normal.dotm
Comments:	fuchsia
Keywords:	Consultant
Author:	Orin Littel
Subject:	Small Soft Pizza
Title:	Marketing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2820	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dok_7918737646_275062031171.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000

Add for printing

Total events

1 113

Read events

699

Write events

398

Delete events

Modification events


(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	t(:
Value: 74283A00040B0000010000000000000000000000
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1330184243
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1330184359
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1330184360
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 040B00004CC8DF8DAF7ED50100000000
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	l):
Value: 6C293A00040B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	l):
Value: 6C293A00040B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2820) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR74.tmp.cvr		—
		MD5:—	SHA256:—
2820	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:7968429B263575F5EC02AEDD8D6FAEB0	SHA256:B673BF6E2022FA4D4AD3974A548042CB8CE4FC4D8A1C247A08C8737F5FECEFDF
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E57C2FC8.wmf		wmf
		MD5:0A1357B3D736EA58F001B227D582A6CD	SHA256:993993FD088D9B962D165578F980A715F5111E3DF92E260CA33A00B2EC0248D5
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\350414BC.wmf		wmf
		MD5:CF914E8766059FCEBA285A7A6B459D1D	SHA256:512A1572D41DF610F54667BC6B9C1F413FC42F00ADA7E6FFA7FCE852F421656E
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:E1B22F56192C49E6505231BA74C267BE	SHA256:2AE0AB51887BE50E83E04840A8A75D1B6DE6BAD9031C35144BBAD68EB3335637
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5172AA92.wmf		wmf
		MD5:9697867F657350C9A71C22E1DAC2E6EA	SHA256:87FAF16DBB975B71FBC956B08CF606A753FA79388E6B6990FFE03CD8C0584346
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\68087870.wmf		wmf
		MD5:27F869B5D8784FC9F6E11E802EA35754	SHA256:DEEFA8278542070F9E78F3D0F79B318794DD0A9ABDD71CC95AF465C91B383085
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E45EA62A.wmf		wmf
		MD5:033948E7E058890ECA9E0A4A8D5AF8FB	SHA256:6343B984A293E38E4824598103F3A21143043F4498979FFA80F51A67E8C4B941
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\217927FE.wmf		wmf
		MD5:FADF87233317358B48FBA126DE8082CB	SHA256:FBF31FA828539148133A75805F17BFD75C0544A089EA9B0E05B739ED6FF56478
2820	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\57D3F58D.wmf		wmf
		MD5:3ED22CD0145C0429280FE1B26D816EF2	SHA256:CF7199F8297E4FCA2F003AE5A82551742DD12F43745C9FFEFBB93A05D99D966E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Dok_7918737646_275062031171.doc

C48BC5376CB7DBA8AA5FB0AE9030D74B

F515452C39EC00ABA5E97A8FFA6E85DABFC88784

9BAD271E422E1FD8D4504B370E458E884DBAD25C398A70A2D04DD61CF8AF00C4

1536:s7YEVyOLYoP8jJV0f8YTrkKPubsYwKjtrzu5rGumRoHynvwMMITLxQODxrt:REVyOLYB60KgdzSrGjKyIwLx31

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings