download: | w8hVYpn53es |
Full analysis: | https://app.any.run/tasks/2871ae5e-3192-4f68-85f1-edc16da3a7bc |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | April 25, 2019, 10:11:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2D35F55AAAFCC32B501C71DF3E241BD6 |
SHA1: | 41F7A0914B99112BEB34AA4B7B74325FB751FB36 |
SHA256: | B4664BF01A545B92B5FF125B8FDF22E32BF26F85C63AF60B4D02E3EF54C19D3F |
SSDEEP: | 192:JitolUPQ8ZKNLZyJTm9nA2FAekiRE+D4c66xOUEz+LYgOgqBnoibo69XVWlxH7Nt:cTZyIiRF4c6HzM3Y39yHZy3Gb |
.zip | ZIP compressed archive (100) |
---|---|
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0002 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:04:25 12:55:00 |
ZipCRC: | 0xd227da86 |
ZipCompressedSize: | 13734 |
ZipUncompressedSize: | 47164 |
ZipFileName: | FILE_35760556291US_Apr_25_2019.js |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1700 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\w8hVYpn53es.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2688 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9445\FILE_35760556291US_Apr_25_2019.js" | C:\Windows\System32\WScript.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2164 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9826\FILE_35760556291US_Apr_25_2019.js" | C:\Windows\System32\WScript.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2672 | "C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe" | C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe | — | WScript.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1832 | --965284f9 | C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe | — | c6v4pihlc.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
592 | "C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe" | C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe | — | WScript.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2248 | --8f882865 | C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe | — | ui2i260hh.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1344 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | ui2i260hh.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3308 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9826\FILE_35760556291US_Apr_25_2019.js | text | DCA68FFB6BA8C0B6F5F61C865F43DD76 | EE65C61941B260403E66E0B141CD9BA307540F8BDC79375C8F4609148E5F6CEF |
2164 | WScript.exe | C:\Users\admin\AppData\Local\Temp\c6v4pihlc.exe | executable | F0EF0F3A77E75C08855269D092AB5A35 | 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1 |
2248 | ui2i260hh.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | F0EF0F3A77E75C08855269D092AB5A35 | 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1 |
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1700.9445\FILE_35760556291US_Apr_25_2019.js | text | DCA68FFB6BA8C0B6F5F61C865F43DD76 | EE65C61941B260403E66E0B141CD9BA307540F8BDC79375C8F4609148E5F6CEF |
2688 | WScript.exe | C:\Users\admin\AppData\Local\Temp\ui2i260hh.exe | executable | F0EF0F3A77E75C08855269D092AB5A35 | 26D3B33686B7A4440A986D56200D53D680A2D2643ADF30DFCE629F6F5FD24AF1 |
2164 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tcmnow[2].txt | text | A112AAA41C4C0DFF6BADDA8D8EBEBBCF | A7B5C282075C10CE9833301CB35624515E8A18976D43BDA7589FA6C0193AB9C2 |
2688 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tcmnow[1].txt | text | 35C81E7724A88F8501E01AEE0D6E5388 | C5E3DC77993B9A22E7B9E4013A5F585ABDFE24ADCDFE08357AC145931FFCED7E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2688 | WScript.exe | GET | 200 | 69.65.3.176:80 | http://tcmnow.com/cgi-bin/J4_5/ | US | executable | 78.0 Kb | suspicious |
2164 | WScript.exe | GET | 200 | 69.65.3.176:80 | http://tcmnow.com/cgi-bin/J4_5/ | US | executable | 78.0 Kb | suspicious |
3308 | soundser.exe | POST | — | 68.229.130.39:80 | http://68.229.130.39/splash/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2688 | WScript.exe | 69.65.3.176:80 | tcmnow.com | GigeNET | US | malicious |
3308 | soundser.exe | 68.229.130.39:80 | — | Cox Communications Inc. | US | malicious |
2164 | WScript.exe | 69.65.3.176:80 | tcmnow.com | GigeNET | US | malicious |
Domain | IP | Reputation |
---|---|---|
tcmnow.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2688 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2688 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2688 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2688 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2164 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2164 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2164 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |