download: | amH5RVYp3 |
Full analysis: | https://app.any.run/tasks/21fd6915-38b4-4912-95b4-5f2b43f9a76d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 24, 2019, 21:17:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 35C07B626E34E7E20B79D35E057FE37A |
SHA1: | 48E91B9E48344558D22ACB41D22373FBB4922DDF |
SHA256: | 7ABCF751DD70C9198F45236627D791645915AED10F6E4389CB5C9FB08A53BDF1 |
SSDEEP: | 192:+8jvYReq6QYqBBIB8Ey76LhIfYd/riJCBhEPC+t+EHE+osbshLppu2U3TNTgabE:vzYgB1y+LhIOreCUj+EkDhLppFU35BbE |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0002 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:04:25 00:03:00 |
ZipCRC: | 0x29136b2e |
ZipCompressedSize: | 12377 |
ZipUncompressedSize: | 41962 |
ZipFileName: | FILE_963898697032US_Apr_25_2019.js |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2560 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\amH5RVYp3.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2808 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.20065\FILE_963898697032US_Apr_25_2019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2508 | "C:\Users\admin\AppData\Local\Temp\blyud59cn.exe" | C:\Users\admin\AppData\Local\Temp\blyud59cn.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
592 | --9556f411 | C:\Users\admin\AppData\Local\Temp\blyud59cn.exe | blyud59cn.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2652 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | blyud59cn.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2888 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM | ||||
3560 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.23396\FILE_963898697032US_Apr_25_2019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.20065\FILE_963898697032US_Apr_25_2019.js | text | |
MD5:37F92C5312F3183A6E5F3203C526DACC | SHA256:6F785ECC79F5CA6AC6410EED4FA59BBE13CA49CC2E1F3E2BEE9412811A6E3036 | |||
592 | blyud59cn.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:47D756D2FDAD3DDB836EFE9854BCE526 | SHA256:A9F333B29971AFF0DE5B070BE765E3E81135F6477F02AFBA879BD2638183D563 | |||
3560 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | |
MD5:260A1059A0DE2F76ED2417C93D9D5B21 | SHA256:B9669B12F7447B72FF1B1C3BA48644D61DB7CA4721C339A91F635DB48C52308A | |||
2808 | WScript.exe | C:\Users\admin\AppData\Local\Temp\blyud59cn.exe | executable | |
MD5:47D756D2FDAD3DDB836EFE9854BCE526 | SHA256:A9F333B29971AFF0DE5B070BE765E3E81135F6477F02AFBA879BD2638183D563 | |||
2808 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
2560 | WinRAR.exe | C:\Users\admin\Desktop\FILE_963898697032US_Apr_25_2019.js | text | |
MD5:37F92C5312F3183A6E5F3203C526DACC | SHA256:6F785ECC79F5CA6AC6410EED4FA59BBE13CA49CC2E1F3E2BEE9412811A6E3036 | |||
2808 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | |
MD5:7BF3100EA457B35654CEB50D5E2C5C1C | SHA256:AE06B8617665E4CD7BF1B0510489B9204AD3E34F790797FF9C15931AABCB465E | |||
2560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.23396\FILE_963898697032US_Apr_25_2019.js | text | |
MD5:37F92C5312F3183A6E5F3203C526DACC | SHA256:6F785ECC79F5CA6AC6410EED4FA59BBE13CA49CC2E1F3E2BEE9412811A6E3036 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3560 | WScript.exe | GET | 200 | 106.14.207.212:80 | http://www.whwzyy.cn/wp-includes/KV_R4/ | CN | executable | 104 Kb | suspicious |
2888 | soundser.exe | POST | — | 68.229.130.39:80 | http://68.229.130.39/schema/iplk/ringin/ | US | — | — | malicious |
2808 | WScript.exe | GET | 200 | 106.14.207.212:80 | http://www.whwzyy.cn/wp-includes/KV_R4/ | CN | executable | 104 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 106.14.207.212:80 | www.whwzyy.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
2808 | WScript.exe | 106.14.207.212:80 | www.whwzyy.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | suspicious |
2888 | soundser.exe | 68.229.130.39:80 | — | Cox Communications Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.whwzyy.cn |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2808 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2808 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2808 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2808 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3560 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3560 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3560 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |