File name: | 2018-02-16-Emotet-Maldoc.zip |
Full analysis: | https://app.any.run/tasks/1ba85248-e576-480e-b57b-4c13b03574e9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 05, 2022, 17:14:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C7242C9A64E0093A00BCAE1378C8BA62 |
SHA1: | 8E03F467648321B8E2ECC4D0B99C9089F9CF3555 |
SHA256: | 6C9F44451E76EA2A9685C2E70AA4F6533B201BE5B9C6E45EA445F47BFC9159DC |
SSDEEP: | 3072:ZMYfWjFi6J4LbKW9CfunNzU11X0if/1NUrcgIvhyJHgCtm4bk7zfx:ZJ7+4LbV9vNQtjLnP8JHhtm4o7Tx |
.zip | | | ZIP compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2018-02-16-Emotet-Maldoc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
2928 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\wlanwin.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\wlanwin.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3436 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\wlanwin.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\wlanwin.exe | wlanwin.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2592 | "C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | wlanwin.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2364 | "C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | secmsi.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\wlanwin.exe | executable | |
MD5:B4B768B594A7A999743B203B80CF2D14 | SHA256:E0D69A6E9B4ABFB79954DD73EAC0AEC0D4F3B3FC5A9DD5AF9202B621949748CA | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\Maldoc extracted script files\VZaYbmG | text | |
MD5:98697AD593E3D8AC3BD40627A76CE431 | SHA256:69292833366A8D3EF1D1E2E8D7B75574292212F573B282F6A17F2B01E79C2819 | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\322-64-058762-618 & 322-64-058762-233.doc | document | |
MD5:F435BF778F96DE1131A714C3EFA78058 | SHA256:BEA874DCAEEB584EBC8CBF157FB9DBC3FF0DB8E39F9A645D10BDCCF3AF7E3FB5 | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\Maldoc extracted script files\SWznfnhP | text | |
MD5:1782148F84BB2B5E0A2225CD6D6D3FD0 | SHA256:0A4C45EC704D04727B07742157328AEC92CC237E6CE0811A2DDEC127EB42099D | |||
3436 | wlanwin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\secmsi.exe | executable | |
MD5:B4B768B594A7A999743B203B80CF2D14 | SHA256:E0D69A6E9B4ABFB79954DD73EAC0AEC0D4F3B3FC5A9DD5AF9202B621949748CA | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\Maldoc extracted script files\ThisDocument | text | |
MD5:C598C45B0D9D3090599FF1DF77C5D612 | SHA256:76F615001478CC8D4CCE6FE76F75B2CA62880736645E205DFCE15FC20F92E650 | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\Maldoc extracted script files\BzisiPADm | text | |
MD5:03E3F0C8A48EB20926E464E5638633E4 | SHA256:E1FB4A07AB82860DF5B13EC4ACB5C6A83584C0F12C3F302E4BCA26D69609B4CE | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.240\Maldoc extracted script files\LLcZCRPldJXTn | text | |
MD5:E5369BC45CBFE61CC2E502B7E92EB374 | SHA256:788E73086DB623A6F87F16B22312DBE75A7C356CBA91028647564D524F84C12C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2364 | secmsi.exe | POST | — | 37.187.57.57:443 | http://37.187.57.57:443/ | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 37.97.135.82:4143 | — | Signet B.V. | NL | suspicious |
2364 | secmsi.exe | 37.97.135.82:4143 | — | Signet B.V. | NL | suspicious |
2364 | secmsi.exe | 37.187.57.57:443 | — | OVH SAS | FR | malicious |
2364 | secmsi.exe | 69.45.19.251:4143 | — | LEVEL3 | US | suspicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2364 | secmsi.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Checkin (POST) |
2364 | secmsi.exe | A Network Trojan was detected | ET TROJAN W32/Emotet.v4 Checkin |
2364 | secmsi.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2364 | secmsi.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
2364 | secmsi.exe | Potentially Bad Traffic | AV POLICY HTTP traffic on port 443 to IP host (POST) |