| File name: | XO_I18M3A2DI_GWX.doc |
| Full analysis: | https://app.any.run/tasks/f81126d7-ff8e-4be2-b180-52e2c2921f3e |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | September 19, 2019, 07:56:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | 24DE6A890799E3188EA982EE537083D3 |
| SHA1: | DF5F1907A59E3F46DFD6432877321C76DE07483C |
| SHA256: | 0E58A2042BD7AAA9275DEF98061A44D95088A2376D523D4C2BECA4DD7F5B093F |
| SSDEEP: | 3072:JrWDLuWUYs65XpyTOIIAy/7WHkjdIqzen:lW2WU2iE1IEQ |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3436)
Executes scripts
- WINWORD.EXE (PID: 3436)
Application was dropped or rewritten from another process
- u27nh6yhq.exe (PID: 3980)
- u27nh6yhq.exe (PID: 2948)
- u27nh6yhq.exe (PID: 3092)
- u27nh6yhq.exe (PID: 3872)
- easywindow.exe (PID: 3276)
- easywindow.exe (PID: 3148)
- easywindow.exe (PID: 2976)
- easywindow.exe (PID: 2112)
Emotet process was detected
- u27nh6yhq.exe (PID: 3872)
SUSPICIOUS
Executable content was dropped or overwritten
- WScript.exe (PID: 3044)
- u27nh6yhq.exe (PID: 3872)
Creates files in the user directory
- WScript.exe (PID: 3044)
Starts itself from another location
- u27nh6yhq.exe (PID: 3872)
Application launched itself
- easywindow.exe (PID: 3148)
Connects to server without host name
- easywindow.exe (PID: 2976)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3436)
Creates files in the user directory
- WINWORD.EXE (PID: 3436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
|---|---|---|
| .docx | | | Word Microsoft Office Open XML Format document (24.2) |
| .zip | | | Open Packaging Conventions container (18) |
| .zip | | | ZIP compressed archive (4.1) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0x0c0cc35b |
| ZipCompressedSize: | 1505 |
| ZipUncompressedSize: | 1505 |
| ZipFileName: | [Content_Types].xml |
XMP
| Title: | - |
|---|---|
| Subject: | - |
| Creator: | user |
| Description: | - |
XML
| Keywords: | - |
|---|---|
| LastModifiedBy: | user |
| RevisionNumber: | 12 |
| CreateDate: | 2019:09:18 19:03:00Z |
| ModifyDate: | 2019:09:18 19:49:00Z |
| Template: | Normal.dotm |
| TotalEditTime: | 12 minutes |
| Pages: | 1 |
| Words: | 3 |
| Characters: | 21 |
| Application: | Microsoft Office Word |
| DocSecurity: | None |
| Lines: | 1 |
| Paragraphs: | 1 |
| ScaleCrop: | No |
| HeadingPairs: |
|
| TitlesOfParts: | - |
| Company: | - |
| LinksUpToDate: | No |
| CharactersWithSpaces: | 23 |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| AppVersion: | 16 |
Total processes
42
Monitored processes
10
Malicious processes
4
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2112 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2948 | "C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe" | C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe | — | u27nh6yhq.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2976 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3044 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\0.7055475.jse" | C:\Windows\System32\WScript.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 3092 | --3344de24 | C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe | — | u27nh6yhq.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3148 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3276 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | u27nh6yhq.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3436 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\XO_I18M3A2DI_GWX.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3872 | --3344de24 | C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe | u27nh6yhq.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3980 | "C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe" | C:\Users\admin\AppData\Local\Temp\u27nh6yhq.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 934
Read events
1 215
Write events
714
Delete events
5
Modification events
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | j+$ |
Value: 6A2B24006C0D0000010000000000000000000000 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1328742430 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1328742544 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1328742545 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 6C0D000004CF80C4BF6ED50100000000 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | s,$ |
Value: 732C24006C0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | s,$ |
Value: 732C24006C0D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3436) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
2
Suspicious files
9
Text files
2
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B4A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF4749CB0D3F9F93E9.TMP | — | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF9F36C71D2DAE9DB9.TMP | — | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D4D3B2755B51C9F.TMP | — | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Forms\WINWORD.box | binary | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_I18M3A2DI_GWX.doc.docm | pgc | |
MD5:— | SHA256:— | |||
| 3436 | WINWORD.EXE | C:\Users\admin\0.7055475.jse | text | |
MD5:— | SHA256:— | |||
| 3044 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.wuus.org[1].txt | text | |
MD5:— | SHA256:— | |||
| 3980 | u27nh6yhq.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:— | SHA256:— | |||
| 3276 | easywindow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2976 | easywindow.exe | POST | — | 190.18.146.70:80 | http://190.18.146.70/site/add/ | AR | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 190.18.146.70:80 | — | CABLEVISION S.A. | AR | malicious |
3044 | WScript.exe | 47.101.216.114:443 | www.wuus.org.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.wuus.org.cn |
| unknown |