analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

emotet_e1_6c5cd60a70032ea2892dc5214516d14a18ec6e4d15f025b4c904acc8fffd3c2e_._zip

Full analysis: https://app.any.run/tasks/bf07be94-1e62-4eab-ac2a-e22eb0bcc6d0
Verdict: Malicious activity
Analysis date: May 24, 2019, 12:23:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

86682ACD72BDF8F2618F340CC1243215

SHA1:

DB7BA045B3B99E0B543D148A849BAA7B0D605C5A

SHA256:

6C5CD60A70032EA2892DC5214516D14A18EC6E4D15F025B4C904ACC8FFFD3C2E

SSDEEP:

192:aaQ2fNH700tel5ucRtJU3iCuU6RsW65OWPGSIMrn:9Q2ftluRUyChW65OYIen

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 3220)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 3848)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 3220)

  • INFO

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: A_30095553_04292019.js
ZipUncompressedSize: 37205
ZipCompressedSize: 7887
ZipCRC: 0x1f198e42
ZipModifyDate: 2019:04:29 02:03:00
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start rundll32.exe no specs winrar.exe no specs wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\emotet_e1_6c5cd60a70032ea2892dc5214516d14a18ec6e4d15f025b4c904acc8fffd3c2e_._zipC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3848"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\emotet_e1_6c5cd60a70032ea2892dc5214516d14a18ec6e4d15f025b4c904acc8fffd3c2e_._zip"C:\Program Files\WinRAR\WinRAR.exerundll32.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3220"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.14426\A_30095553_04292019.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 263
Read events
1 065
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3848WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3848.14426\A_30095553_04292019.jstext
MD5:FEE53BD7429AC6FF5BFA17D5264364EF
SHA256:A95B13778F1D7907C0F5E836597F056BABE04CF50A24143CBD0227F595C6A9BE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3220
WScript.exe
GET
404
104.196.22.72:80
http://asharqiya.com/ar/Ith/
US
xml
345 b
suspicious
3220
WScript.exe
GET
404
202.92.6.35:80
http://autmont.com/wp/rZzwq/
VN
xml
345 b
unknown
3220
WScript.exe
GET
404
104.24.123.71:80
http://608design.com/mainto/6Cgy/
US
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3220
WScript.exe
52.220.199.21:443
beutify.com
Amazon.com, Inc.
SG
unknown
3220
WScript.exe
104.24.123.71:80
608design.com
Cloudflare Inc
US
shared
3220
WScript.exe
202.92.6.35:80
autmont.com
VNPT Corp
VN
unknown
3220
WScript.exe
104.196.22.72:80
asharqiya.com
Google Inc.
US
suspicious
3220
WScript.exe
139.159.158.121:443
cssshk.com
CN
unknown

DNS requests

Domain
IP
Reputation
cssshk.com
  • 139.159.158.121
malicious
beutify.com
  • 52.220.199.21
unknown
608design.com
  • 104.24.123.71
  • 104.24.122.71
malicious
asharqiya.com
  • 104.196.22.72
suspicious
autmont.com
  • 202.92.6.35
unknown

Threats

PID
Process
Class
Message
3220
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3220
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3220
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
emotet_e1_6c5cd60a70032ea2892dc5214516d14a18ec6e4d15f025b4c904acc8fffd3c2e_._zip