| Field | Value |
|---|---|
| Download | fn52rnc7hgdplcindmcds_trdxjy-539488147329 |
| Full analysis | https://app.any.run/tasks/fd908b56-e9c8-46a7-8a8f-dce2401b0b44 |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
| Analysis date | May 24, 2019, 12:11:54 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | AA9B75A469D37E768D61E006506FB2DD |
| SHA1 | F7A898354C47790B2714A9C0E0D7ECA3EFC18F69 |
| SHA256 | C029C9672644980EBD866E249B9CCAB8514E4AE035461A7196B4659C2AC6994E |
| SSDEEP | 24:9ePTFdS9P5IItOApueMqRaiA2mh8myTetjAF0Zr3ve/Cq1lcIb:9iTFcR5/tOBeMKaiZhbOZUCpK |
| Extension | File type |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP field | Value |
|---|---|
| ZipFileName | Document_4529559288US_May_24_2019.js |
| ZipUncompressedSize | 5860 |
| ZipCompressedSize | 1325 |
| ZipCRC | 0xcb334b68 |
| ZipModifyDate | 2019:05:24 15:10:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0002 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\fn52rnc7hgdplcindmcds_trdxjy-539488147329.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 3276 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Document_4529559288US_May_24_2019.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3728 | "C:\Users\admin\AppData\Local\Temp\5020kbvkj.exe" | C:\Users\admin\AppData\Local\Temp\5020kbvkj.exe | — | WScript.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 408 | --67ecefa9 | C:\Users\admin\AppData\Local\Temp\5020kbvkj.exe | — | 5020kbvkj.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3944 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | 5020kbvkj.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3452 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe | User: admin; Integrity Level: MEDIUM |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3276 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@dnmartin[1].txt | text | 0D34EDD0819E130C937D576A8BE8305B | C65DD87DAC5E6D63C4A2B10FFF38B2F46046ADAE7B838976BD006824F7E908FA |
| 408 | 5020kbvkj.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | DD424B112F023D97C2CF437B75338E21 | 90AD956E082F45F7DE26F3FF5BCEEE1A56BCFF73DD9A489472E9290ECAD0B320 |
| 3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.45723\Document_4529559288US_May_24_2019.js | text | C9D5DE7473863F848564594AD13C8143 | E42BB3EA7886FD0AA806848672EE171D78627C3230B7A6DD997A170E9161C370 |
| 3276 | WScript.exe | C:\Users\admin\AppData\Local\Temp\5020kbvkj.exe | executable | DD424B112F023D97C2CF437B75338E21 | 90AD956E082F45F7DE26F3FF5BCEEE1A56BCFF73DD9A489472E9290ECAD0B320 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3452 | soundser.exe | POST | — | 5.67.205.99:80 | http://5.67.205.99/symbols/ringin/ringin/ | GB | — | — | malicious |
3452 | soundser.exe | POST | — | 76.86.20.103:80 | http://76.86.20.103/guids/img/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3452 | soundser.exe | 5.67.205.99:80 | — | Sky UK Limited | GB | malicious |
3276 | WScript.exe | 51.38.185.91:443 | dnmartin.net | — | GB | unknown |
3452 | soundser.exe | 76.86.20.103:80 | — | Time Warner Cable Internet LLC | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| dnmartin.net | — | unknown |