File name: | 5739-5739-5739.xls.zip |
Full analysis: | https://app.any.run/tasks/89d09250-05e5-4145-9c4f-fc8c288471d6 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 30, 2020, 10:56:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | EC7988488BAC99DA468307696B910BF7 |
SHA1: | 7AF28481F30FA37BAEE5AAFBDED045D81EB8E1E5 |
SHA256: | 51A0EF23467136D86F68FE60F45BEA54B69AB95C41B8D13A6B0B2FBEA6E6A53A |
SSDEEP: | 768:bbIIuuCz4cIu9QO6zB2UWB4UafMidSGNEhYxf43ZFCRzgA1hWD5q:bbZpcImpkNMiMG0Yxf0Ez/1hR |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:05:29 01:07:02 |
ZipCRC: | 0x7f45caaa |
ZipCompressedSize: | 46566 |
ZipUncompressedSize: | 99840 |
ZipFileName: | 5739-5739-5739.xls |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1344 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5739-5739-5739.xls.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
4016 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 2 Version: 14.0.6024.1000 | ||||
2436 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1608 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Application Error Reporting Exit code: 0 Version: 14.0.6015.1000 | ||||
2892 | C:\Windows\system32\dwwin.exe -x -s 1608 | C:\Windows\system32\dwwin.exe | DW20.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Client Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2768 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | dwwin.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD1BB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\config14[1].xml | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabAB69.tmp | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarAB6A.tmp | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF3651937B9BAB7022.TMP | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1344.4686\C7B42000 | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF7E1BFEEA1F32DCE2.TMP | — | |
MD5:— | SHA256:— | |||
2768 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR125B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1344.4686\5739-5739-5739.xls | document | |
MD5:60B4816827B8066CB442A6481E7B8688 | SHA256:903EFAA0D1E5323A303179B8292509F869836070B99F7D947CA9584130839137 | |||
4016 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:780E6916ED20FEC2F59041AEC4DF5225 | SHA256:A012B3CB112CB1D41C955AAB7720294DD7E4C094212088012DB9A1FD26F3341E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4016 | EXCEL.EXE | GET | 200 | 52.109.88.8:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | NL | xml | 1.99 Kb | whitelisted |
4016 | EXCEL.EXE | POST | — | 52.109.120.29:443 | http://rr.office.microsoft.com:443/Research/query.asmx | HK | — | — | whitelisted |
4016 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4016 | EXCEL.EXE | 52.109.120.29:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
4016 | EXCEL.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4016 | EXCEL.EXE | 52.109.88.8:80 | office14client.microsoft.com | Microsoft Corporation | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4016 | EXCEL.EXE | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
Process | Message |
---|---|
dwwin.exe | Error - |
dwwin.exe | ReadProcessMemory failed while trying to read PebBaseAddress |
dwwin.exe | |
dwwin.exe | Error - |
dwwin.exe | |
dwwin.exe |