File name: | Invoice.41032.xls.zip |
Full analysis: | https://app.any.run/tasks/05af787b-2657-428d-ab82-cd7f71902eec |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | February 21, 2020, 16:35:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 7B1764EAFA411E820F9FBC737AB7B4DD |
SHA1: | B560F2D936BF0D9F798FFE61F2B2C3A050662841 |
SHA256: | 91CDE62FBAB942A7DC511314799F0EDCE6BE6E0D24FF60F68FFFC509315D809F |
SSDEEP: | 3072:l0k3hbdlylKsgqopeJBWhZFGkE+cL2NdHzyF0Vi4m+Oi9l1isYgmNWl1oH2HUU:Kk3hbdlylKsgqopeJBWhZFVE+W2Nd+Fm |
.zip | | | Open Packaging Conventions container (81.3) |
---|---|---|
.zip | | | ZIP compressed archive (18.6) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2020:02:17 12:38:26 |
ZipCRC: | 0x15e991ff |
ZipCompressedSize: | 185344 |
ZipUncompressedSize: | 185344 |
ZipFileName: | Invoice.41032.xls |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.41032.xls.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3552 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2576 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\independentkids.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3356 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3776 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d50a9d0,0x6d50a9e0,0x6d50a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1400 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3484 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
2208 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8249593036155825805 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 75.0.3770.100 | ||||
3108 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8959311196807588429 --mojo-platform-channel-handle=1648 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
1904 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8190731428150196079 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2692 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,7684710814361207776,1555017648007056136,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12437796557633793317 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA1D6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabE103.tmp | — | |
MD5:— | SHA256:— | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarE104.tmp | — | |
MD5:— | SHA256:— | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\{72BCF0BC-2379-45AA-9636-92EC9340F8EA} | — | |
MD5:— | SHA256:— | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\{643E34A0-BB19-4C1A-BF08-4F2117704E0C} | — | |
MD5:— | SHA256:— | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F0275925-9A67-4B1D-AC14-FCCB25EF8221}.FSD | binary | |
MD5:53F48D52D4248034A65BD903795A130A | SHA256:6F66B077BC52048159B15CAD096121F33C2CF7ADC75F87917E3A190DFD97054A | |||
2564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2564.48174\Invoice.41032.xls | document | |
MD5:142633FAFBB732E99EC17C51B557DB39 | SHA256:CA64C6DBECD1AD97A63A9430D34BAED2C1BBD74E74A9E4B3353C22DEDDADF1B5 | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6DE0D5EE92F9F75D3B57BBF6B0702FA | binary | |
MD5:CD042AABDD388A06FCA9D904F5AAC2BA | SHA256:30DE2A67EC6C4DEC6AD11E37C4E5F62142E2A9672FD668D0E4B566C4C6ACB7A0 | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:89BF062181F7A40B14C18ACB613D3350 | SHA256:18898D8A627CBE7360BF8ED5F0F178085168BA8E934D01C7490BC9DC87886058 | |||
3552 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KQ1NN4Y4.txt | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDu3mVgzTXArwIAAAAAWXG3 | US | der | 472 b | whitelisted |
3108 | chrome.exe | GET | 200 | 173.194.183.134:80 | http://r1---sn-aigl6ner.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.217.117.157&mm=28&mn=sn-aigl6ner&ms=nvh&mt=1582303035&mv=m&mvi=0&pl=24&shardbypass=yes | US | crx | 293 Kb | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDvdxhhS3x8DggAAAAALnGY | US | der | 472 b | whitelisted |
3108 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 516 b | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
3108 | chrome.exe | GET | 302 | 172.217.16.142:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 511 b | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 2.16.186.27:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPUFGc9jG53plGcZxTtYusmrA%3D%3D | unknown | der | 527 b | whitelisted |
3552 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3108 | chrome.exe | 216.58.208.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3552 | EXCEL.EXE | 161.117.177.248:443 | merystol.xyz | — | SG | suspicious |
3552 | EXCEL.EXE | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3552 | EXCEL.EXE | 2.16.186.27:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | whitelisted |
3552 | EXCEL.EXE | 172.217.22.100:443 | www.google.com | Google Inc. | US | whitelisted |
3108 | chrome.exe | 216.58.205.227:443 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3108 | chrome.exe | 172.217.23.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3552 | EXCEL.EXE | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
3552 | EXCEL.EXE | 172.217.23.110:443 | google.com | Google Inc. | US | whitelisted |
3108 | chrome.exe | 172.217.22.3:443 | www.google.com.ua | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
merystol.xyz |
| suspicious |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
google.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.google.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com.ua |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3552 | EXCEL.EXE | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |
1248 | EXCEL.EXE | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) |