analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

_______139.zip.zip

Full analysis: https://app.any.run/tasks/f1b3a36c-29a5-4eba-a059-e83a77db8e97
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 14:08:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-47
emotet-doc
emotet
encrypted
ta505
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

90FFEF827E4F16FD77605755956F6B8E

SHA1:

73C14AE34FFB758A40F0D0F5DEEED36EBCEE07B9

SHA256:

9D0E809B6887201F3E2B950772A36230B8EF79166B73A32E3CBC9557A5BA42EC

SSDEEP:

98304:Fy3bm+CRVuXXbmJiKmH5UU9X068FU/r9a/o/Ww6JAwVTFRpePlXl/YaDX6tvLIxl:FT9wKJiKm5UU506ap/o/J6JzBRpyz/b/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 788)
      • WinRAR.exe (PID: 788)
      • WinRAR.exe (PID: 788)

    • Actions looks like stealing of personal data

      • WinRAR.exe (PID: 1476)

    • Writes to a start menu file

      • WScript.exe (PID: 2720)
      • WScript.exe (PID: 2340)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 1476)

    • Reads Internet Cache Settings

      • WScript.exe (PID: 2340)
      • WScript.exe (PID: 2720)

    • Creates files in the user directory

      • WScript.exe (PID: 2340)

  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2340)
      • WScript.exe (PID: 2720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: _______139.zip
ZipUncompressedSize: 5500966
ZipCompressedSize: 5500966
ZipCRC: 0xf72396d0
ZipModifyDate: 2020:05:30 13:06:20
ZipCompression: None
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe winrar.exe no specs wscript.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
1476"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_______139.zip.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
788"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1476.5481\_______139.zipC:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2340"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2720"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\-·¦++»+e+-_139\7.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 097
Read events
1 030
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
15
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\13.js
MD5:
SHA256:
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\14.xlsdocument
MD5:D9A7FB184F4A5144578BA478EA4FF2F9
SHA256:EC9F6A70899278D8EECD7C501971B8381B9EF9AFFAE659521F1E5009BE15ABC7
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\10.xlscompressed
MD5:855E1E1367C0A8D9F2FD46918EB5B3C9
SHA256:D2C589B77D45E0D1F94527FD68C1A7B8AA3CC9D95884CE0FF2206E5C5F3F6BA1
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\7.jstext
MD5:38707AD3B1CB749110106D584F284709
SHA256:8087DD31C6BE7C64EDB284C328AF2339F639B07F52504CDD92E64E9E65828D9F
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\15.docdocument
MD5:8A7503E761E88E0A2BD46D9EB0A86671
SHA256:061149355C02F541F47F9EDAF94167D58FA3FBAD72296FED3CA924DCBB6C7299
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\1.xlsmdocument
MD5:12C9DBBC09DDE8F14C088BC565DD842E
SHA256:B44998299000B6B294573F273F73DA4F12A27F1A0ADC36931EBE547CE80A7E11
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\12.docdocument
MD5:2639CD53CBC6872A924B25D84144D5F1
SHA256:955352B5116D7DE50DC75377889A495446554779FB768260BE4B23C59A5A967E
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\4.xlsmdocument
MD5:7906950D3DD3BFF86D65B514418B2910
SHA256:671015570338F52663157DA906EB6F24E1F5298146F07D25B914AF9795984AD4
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\9.xlsdocument
MD5:BE398CDAA2004EE2A60F37E77C5B24A0
SHA256:8317150244235D7A6CDF2ECA124A369F9310899E372DA624D225967F2091A786
788WinRAR.exeC:\Users\admin\Desktop\-·¦++»+e+-_139\16.docdocument
MD5:B92021CA10AED3046FC3BE5AC1C2A094
SHA256:C378387344E0A552DC065DE6BFA607FD26E0B5C569751C79FBF9C6F2E91C9807
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
10
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2720
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2720
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2340
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2720
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
2720
WScript.exe
POST
192.169.69.25:7000
http://348.duckdns.org:7000/Vre
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2720
WScript.exe
192.169.69.25:7000
348.duckdns.org
Wowrack.com
US
malicious
2340
WScript.exe
192.169.69.25:7000
348.duckdns.org
Wowrack.com
US
malicious

DNS requests

Domain
IP
Reputation
348.duckdns.org
  • 192.169.69.25
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
_______139.zip.zip