File name: | 6423447920214016.zip |
Full analysis: | https://app.any.run/tasks/c64a4120-bcba-4b76-8c93-61681cb410e5 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 20, 2020, 06:02:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B2BE54E0906BB478C63D5911DBA22D81 |
SHA1: | D0558D83111578420BCB0990551A86F886C96666 |
SHA256: | 1C2C2FBF738D85ED06C50F96EF677033846B632D9A33D34BAD72F33C95AC9CA0 |
SSDEEP: | 3072:PQ8ur8YjVfgdwGDxH1WrGt2V9OCag5V0JvujmVki0/OJCnYiVFuJImgAQIjpQv/P:oYmVfEwGDxH8Q2esmW+ki0kCnYiVMJIt |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109 |
---|---|
ZipUncompressedSize: | 259072 |
ZipCompressedSize: | 172220 |
ZipCRC: | 0x655094de |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6423447920214016.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2244 | "C:\Users\admin\Desktop\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe" | C:\Users\admin\Desktop\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
608 | "C:\Windows\system32\ieapfltr\tvratings.exe" | C:\Windows\system32\ieapfltr\tvratings.exe | 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe | |
User: admin Integrity Level: HIGH |
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\6423447920214016.zip | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2940) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (608) tvratings.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2940.8936\75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109 | executable | |
MD5:58AC5DD2CD448C56F4C7B40C45DDED6C | SHA256:75B0A81C1D5EB02216E4D34C43DCF0371D01AF39DEE87E60287DCE4E2AEA9109 | |||
2244 | 75b0a81c1d5eb02216e4d34c43dcf0371d01af39dee87e60287dce4e2aea9109.exe | C:\Windows\System32\ieapfltr\tvratings.exe | executable | |
MD5:58AC5DD2CD448C56F4C7B40C45DDED6C | SHA256:75B0A81C1D5EB02216E4D34C43DCF0371D01AF39DEE87E60287DCE4E2AEA9109 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
608 | tvratings.exe | POST | — | 190.192.39.136:80 | http://190.192.39.136/ELDt/xJNNAifHQ/FdFyyrH/ | AR | — | — | malicious |
608 | tvratings.exe | POST | 200 | 190.85.46.52:7080 | http://190.85.46.52:7080/m6qbaEkF/GIsfAgDVasfkBbpb9mG/LpA0Z4ZkmOndMGxAgC/ | CO | binary | 132 b | malicious |
608 | tvratings.exe | POST | — | 5.189.168.53:8080 | http://5.189.168.53:8080/0ZJAV5AfIt4BAfJp1/sRmrHQIVnNVDLKDE2VH/1szEs7FYfqf7NGNyca1/3XHG/N3Av02WEbVVbl7rlKC/9rGJ/ | DE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
608 | tvratings.exe | 162.241.41.111:7080 | — | CyrusOne LLC | US | malicious |
608 | tvratings.exe | 190.192.39.136:80 | — | Prima S.A. | AR | malicious |
608 | tvratings.exe | 5.189.168.53:8080 | — | Contabo GmbH | DE | malicious |
608 | tvratings.exe | 190.85.46.52:7080 | — | Telmex Colombia S.A. | CO | malicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
608 | tvratings.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 11 |
608 | tvratings.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 19 |
608 | tvratings.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 5 |
608 | tvratings.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M10 |
608 | tvratings.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 12 |
608 | tvratings.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M10 |
608 | tvratings.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M10 |