File name: | yiGt-RZXt7eA5v69nyWP_iVHIWlUfQ-SD |
Full analysis: | https://app.any.run/tasks/ec844b74-ec95-461c-bb25-6647aeaad3c4 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 25, 2019, 05:37:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 11F1DCF2495E7EB2CF238334C7657357 |
SHA1: | 120752F684893B2322398E076C31C85D2155069B |
SHA256: | 8250D12BFCD40EACD10CD6BA5A4F66D4BBF56D26B9E49099A0BA9E7FBC21E1B5 |
SSDEEP: | 192:H8koDAV86iwRD6fcNOZ6ayphj2q/BXY5DTyZS0mOSm5oQfuwK:ckoDB6DRmENS6Rhj2qoDWS0mOSu2F |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0002 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:04:25 08:23:04 |
ZipCRC: | 0x6b18eab8 |
ZipCompressedSize: | 6680 |
ZipUncompressedSize: | 28422 |
ZipFileName: | ID_9949653_04252019.js |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
636 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\yiGt-RZXt7eA5v69nyWP_iVHIWlUfQ-SD.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
832 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa636.19762\ID_9949653_04252019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1848 | "C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe" | C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3532 | --4ba4c94 | C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe | y3w9h9mb2.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1080 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | y3w9h9mb2.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3364 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
832 | WScript.exe | C:\Users\admin\AppData\Local\Temp\y3w9h9mb2.exe | executable | |
MD5:0E7DA3EB5E6D3D0E49C91F2108BB647C | SHA256:358685BD63F4E40864316F226A77E67FA99DA1329FEBA49A6E2D99DD7B6A7A63 | |||
3532 | y3w9h9mb2.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:0E7DA3EB5E6D3D0E49C91F2108BB647C | SHA256:358685BD63F4E40864316F226A77E67FA99DA1329FEBA49A6E2D99DD7B6A7A63 | |||
636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa636.19762\ID_9949653_04252019.js | text | |
MD5:B4C8024C33C0DEA394C99D0DEF9719AF | SHA256:B7FD23FEB71F19A87E0130334F8DCBC28479DB18FBD6BA0A89E9A64DC525C919 | |||
832 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@al-awalcentre[1].txt | text | |
MD5:1A91E20B5E25030A3154D432EA4A19AD | SHA256:EE88079CCA9EB12758EF68F8B023A2F18FF46D13315CBD0BDEBBDA4BC15BF335 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3364 | soundser.exe | POST | — | 24.150.44.53:80 | http://24.150.44.53/vermont/cab/ | CA | — | — | malicious |
832 | WScript.exe | GET | 200 | 108.167.140.175:80 | http://al-awalcentre.com/wp-content/Q2sF/ | US | executable | 78.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | soundser.exe | 24.150.44.53:80 | — | Cogeco Cable | CA | malicious |
832 | WScript.exe | 108.167.140.175:80 | al-awalcentre.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
al-awalcentre.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
832 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
832 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
832 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
832 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3364 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 17 |