File name: 5739-5739-5739.xls.zip

Full analysis: https://app.any.run/tasks/89d09250-05e5-4145-9c4f-fc8c288471d6
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: May 30, 2020, 10:56:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EC7988488BAC99DA468307696B910BF7
SHA1: 7AF28481F30FA37BAEE5AAFBDED045D81EB8E1E5
SHA256: 51A0EF23467136D86F68FE60F45BEA54B69AB95C41B8D13A6B0B2FBEA6E6A53A
SSDEEP: 768:bbIIuuCz4cIu9QO6zB2UWB4UafMidSGNEhYxf43ZFCRzgA1hWD5q:bbZpcImpkNMiMG0Yxf0Ez/1hR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • WinRAR.exe (PID: 1344)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 4016)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 1344)
      • dwwin.exe (PID: 2892)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 4016)
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 4016)
    • Reads settings of System Certificates
      • EXCEL.EXE (PID: 4016)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2768)
      • EXCEL.EXE (PID: 4016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:05:29 01:07:02
ZipCRC: 0x7f45caaa
ZipCompressedSize: 46566
ZipUncompressedSize: 99840
ZipFileName: 5739-5739-5739.xls
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → excel.exe → dw20.exe (no specs) → dwwin.exe → excel.exe (no specs)

Process information

PID: 1344
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5739-5739-5739.xls.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 4016
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 2
Version: 14.0.6024.1000

PID: 2436
CMD: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1608
Path: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Application Error Reporting
Exit code: 0
Version: 14.0.6015.1000

PID: 2892
CMD: C:\Windows\system32\dwwin.exe -x -s 1608
Path: C:\Windows\system32\dwwin.exe
Parent process: DW20.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Watson Client
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2768
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: dwwin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Total events: 24 143
Read events: 8 655
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 7
Text files: 2
Unknown types: 1

Dropped files

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD1BB.tmp.cvr

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\config14[1].xml

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CabAB69.tmp

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\TarAB6A.tmp

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF3651937B9BAB7022.TMP

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb1344.4686\C7B42000

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DF7E1BFEEA1F32DCE2.TMP

PID: 2768 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR125B.tmp.cvr

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb1344.4686\5739-5739-5739.xls
Type: document
MD5: 60B4816827B8066CB442A6481E7B8688
SHA256: 903EFAA0D1E5323A303179B8292509F869836070B99F7D947CA9584130839137

PID: 4016 | Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
Type: binary
MD5: 780E6916ED20FEC2F59041AEC4DF5225
SHA256: A012B3CB112CB1D41C955AAB7720294DD7E4C094212088012DB9A1FD26F3341E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID: 4016 | Process: EXCEL.EXE | Method: GET | HTTP Code: 200
IP: 52.109.88.8:80
URL: http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023
CN: NL | Type: xml | Size: 1.99 Kb | Reputation: whitelisted

PID: 4016 | Process: EXCEL.EXE | Method: POST
IP: 52.109.120.29:443
URL: http://rr.office.microsoft.com:443/Research/query.asmx
CN: HK | Reputation: whitelisted

PID: 4016 | Process: EXCEL.EXE | Method: GET | HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
CN: US | Type: der | Size: 1.47 Kb | Reputation: whitelisted

Connections

PID: 4016 | Process: EXCEL.EXE
IP: 52.109.120.29:443 | Domain: rr.office.microsoft.com
ASN: Microsoft Corporation | CN: HK | Reputation: whitelisted

PID: 4016 | Process: EXCEL.EXE
IP: 93.184.220.29:80 | Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted

PID: 4016 | Process: EXCEL.EXE
IP: 52.109.88.8:80 | Domain: office14client.microsoft.com
ASN: Microsoft Corporation | CN: NL | Reputation: whitelisted

DNS requests

Domain: office14client.microsoft.com | IP: 52.109.88.8 | Reputation: whitelisted
Domain: rr.office.microsoft.com | IP: 52.109.120.29 | Reputation: whitelisted
Domain: ocsp.digicert.com | IP: 93.184.220.29 | Reputation: whitelisted

Threats

PID: 4016 | Process: EXCEL.EXE
Class: Potentially Bad Traffic
Message: ET POLICY HTTP traffic on port 443 (POST)
Process
Message
dwwin.exe
Error -
dwwin.exe
ReadProcessMemory failed while trying to read PebBaseAddress
dwwin.exe
dwwin.exe
Error -
dwwin.exe
dwwin.exe