File name:	emotet.doc
Full analysis:	https://app.any.run/tasks/3363fde4-111b-4aaa-b73d-e4144433c284
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 16, 2019, 13:54:48
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open emotet-doc emotet generated-doc trojan loader
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	B92021CA10AED3046FC3BE5AC1C2A094
SHA1:	0FB1AD5B53CDD09A7268C823EC796A6E623F086F
SHA256:	C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807
SSDEEP:	3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

AppVersion:	16
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	445
LinksUpToDate:	No
Company:	-
ScaleCrop:	No
Paragraphs:	1
Lines:	3
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	380
Words:	66
Pages:	1
TotalEditTime:	-
Template:	Normal.dotm
ModifyDate:	2019:09:16 12:22:00Z
CreateDate:	2019:09:16 12:22:00Z
RevisionNumber:	1
LastModifiedBy:	-
Keywords:	-

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	3939
ZipCompressedSize:	524
ZipCRC:	0x247a0b47
ZipModifyDate:	1980:01:01 00:00:00
ZipCompression:	Deflated
ZipBitFlag:	0x0006
ZipRequiredVersion:	20


(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	d`!
Value: 64602100200B0000010000000000000000000000
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1328545822
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1328545936
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1328545937
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 200B00006E190A58966CD50100000000
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	;a!
Value: 3B612100200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	;a!
Value: 3B612100200B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2848) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

PID	Process	Filename		Type
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR9C64.tmp.cvr		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D04752C.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27C6901A.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79A7DF38.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8063E206.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A293C404.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AAF73CB2.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC106F90.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A68ACC1E.wmf		—
		MD5:—	SHA256:—
2848	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BA4EDDC.wmf		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3560	easywindow.exe	POST	—	5.67.96.120:8080	http://5.67.96.120:8080/prov/walk/	GB	—	—	malicious
3560	easywindow.exe	POST	—	203.130.0.67:80	http://203.130.0.67/rtm/devices/	PK	—	—	malicious
3560	easywindow.exe	POST	—	143.0.245.169:8080	http://143.0.245.169:8080/schema/cone/nsip/merge/	AR	—	—	malicious
3560	easywindow.exe	POST	—	181.188.149.134:80	http://181.188.149.134/raster/img/ringin/	BO	—	—	malicious
2748	powershell.exe	GET	200	104.27.132.137:80	http://blockchainjoblist.com/wp-admin/014080/	US	executable	477 Kb	malicious

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	A Network Trojan was detected	AV INFO Suspicious EXE download from WordPress folder
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	A Network Trojan was detected	AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
—	—	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 15
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
—	—	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 20
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet

Description:	-
Creator:	-
Subject:	-
Title:	-

General Info

emotet.doc

B92021CA10AED3046FC3BE5AC1C2A094

0FB1AD5B53CDD09A7268C823EC796A6E623F086F

C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807

3072:/Msknok2er/yR5DpQKajNDu1CkBwN0pqJfWSq:zkoRoKDpQZqQkmN0scR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Emotet process was detected

EMOTET was detected

Connects to CnC server

Downloads executable files from the Internet

SUSPICIOUS

Creates files in the user directory

Starts itself from another location

Executed via WMI

PowerShell script executed

Executable content was dropped or overwritten

Application launched itself

Connects to server without host name

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

XML

XMP

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings