| Field | Value |
|---|---|
| File name | 2IrAyU7Em9kB.bin.zip |
| Full analysis | https://app.any.run/tasks/0c168a3e-9fee-41f6-9cb9-af51d1d99bb8 |
| Verdict | Malicious activity |
| Threats | Emotet is a banking trojan that was repeatedly upgraded into a modular loader delivering other malware families. It mainly targets corporate victims, but private users are also infected through its mass spam email campaigns. |
| Analysis date | November 15, 2018, 16:04:07 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 072633C5002FE80530C72B7D51CADCCF |
| SHA1 | 63A8A375B6DD5696BED2B11E8A70BF3BFFAA2AB7 |
| SHA256 | C8B02DA81D75C8FDB7201E49660381A6663BCAAD7FF475660586F5EA4E0AFA62 |
| SSDEEP | 3072:ImTks4RQSQIzQjxkUmoAtmG2AydQ2SW0otDne27N2+:ImCzQDmoA43dQ26oJne2x2+ |
| ZIP field | Value |
|---|---|
| Container | .zip, ZIP compressed archive (100) |
| ZipRequiredVersion | 788 |
| ZipBitFlag | 0x0001 (bit 0 set: the entry is encrypted, i.e. password-protected) |
| ZipCompression | Deflated |
| ZipModifyDate | 2018:11:15 15:40:21 |
| ZipCRC | 0x7a94a06d |
| ZipCompressedSize | 122713 |
| ZipUncompressedSize | 454656 |
| ZipFileName | 2IrAyU7Em9kB.bin |
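The ZIP metadata above is worth reading off the raw local file header rather than trusting a tool's label: the general-purpose bit flag 0x0001 has bit 0 set (encrypted entry, the usual way malware samples are shipped), ZipRequiredVersion 788 is 0x0314 whose low byte 0x14 = 20 decodes to "2.0" (matching "at least v2.0 to extract"), and the DOS timestamp only has 2-second resolution. The parser below is an added example, not any.run's or ExifTool's code; `SAMPLE_HEADER` is a constructed header carrying the values from this table (no compressed data follows it), and the parser reads any local header at a given offset, so it can be pointed at a real archive too.

```python
"""Decode a ZIP local file header by hand (added example; header bytes are constructed)."""
import struct
from datetime import datetime

# Local file header: signature, version needed, flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, filename length, extra length.
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
METHODS = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA", 99: "AES"}


def dos_datetime(dos_date, dos_time):
    """Decode the MS-DOS packed date/time used in ZIP headers (seconds are stored /2)."""
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def parse_local_header(buf, offset=0):
    """Parse the local file header at `offset` in `buf` and return the decoded fields."""
    (sig, ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = LOCAL_HDR.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset:#x}")
    start = offset + LOCAL_HDR.size
    name = bytes(buf[start:start + nlen])
    # Only the low byte of "version needed" carries the version (20 -> 2.0).
    return {
        "version_needed": f"{(ver & 0xFF) // 10}.{(ver & 0xFF) % 10}",
        "encrypted": bool(flags & 0x0001),        # bit 0: traditional PKWARE encryption
        "data_descriptor": bool(flags & 0x0008),  # bit 3: sizes/crc follow the data
        "utf8_name": bool(flags & 0x0800),        # bit 11: filename is UTF-8
        "method": METHODS.get(method, f"unknown({method})"),
        "modified": dos_datetime(mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "filename": name.decode("utf-8" if flags & 0x0800 else "cp437"),
        "data_offset": start + nlen + xlen,       # where the entry's data begins
    }


def build_local_header(filename, flags, method, crc, csize, usize, when, version_needed=20):
    """Pack a local file header (used here only to construct the sample input)."""
    dos_time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    dos_date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    name = filename.encode("cp437")
    return LOCAL_HDR.pack(LOCAL_SIG, version_needed, flags, method, dos_time, dos_date,
                          crc, csize, usize, len(name), 0) + name


# Constructed header with the values reported for 2IrAyU7Em9kB.bin (assumption: the
# reported ZipRequiredVersion 788 is the raw 16-bit field value).
SAMPLE_HEADER = build_local_header(
    "2IrAyU7Em9kB.bin", flags=0x0001, method=8, crc=0x7A94A06D,
    csize=122713, usize=454656, when=datetime(2018, 11, 15, 15, 40, 21), version_needed=788,
)

if __name__ == "__main__":
    for key, value in parse_local_header(SAMPLE_HEADER).items():
        print(f"{key:>18}: {value}")
```

Running it prints `encrypted: True`, `method: Deflated` and a modification time of 15:40:20, one second earlier than the table because of the DOS timestamp granularity.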
| PID | Command line | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2IrAyU7Em9kB.bin.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0; Exit code: 0 |
| 3488 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe | — | WinRAR.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3944 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe | — | 2IrAyU7Em9kB.bin.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3500 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | 2IrAyU7Em9kB.bin.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 2228 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 1548 | "C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe | — | lpiograd.exe | User: admin; Company: Microsoft Corpora; Integrity level: MEDIUM; Description: Microsoft SQL; Version: 3.00.; Exit code: 0 |
| 2764 | "C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe | — | o6Vq9Z1.exe | User: admin; Company: Microsoft Corpora; Integrity level: MEDIUM; Description: Microsoft SQL; Version: 3.00.; Exit code: 0 |
| 3976 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | o6Vq9Z1.exe | User: admin; Company: Microsoft Corpora; Integrity level: MEDIUM; Description: Microsoft SQL; Version: 3.00.; Exit code: 0 |
| 2188 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | — | lpiograd.exe | User: admin; Company: Microsoft Corpora; Integrity level: MEDIUM; Description: Microsoft SQL; Version: 3.00.; still running (no exit code) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | |
| 3044 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | write | en-US |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\2IrAyU7Em9kB.bin.zip |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100 |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | write | 120 |
| 3044 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | write | 80 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rzi_3044.37609 | — | — | — |
| 3044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3044.38453\2IrAyU7Em9kB.bin.exe | — | — | — |
| 3944 | 2IrAyU7Em9kB.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | 8847D577D3CA8475E2B53E5A3C5E9AE4 | C40E8A646B27F544ADF46130A314D9079B2F2DAE6A73C64109C669D1BE5A6B36 |
| 3044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe | executable | 8847D577D3CA8475E2B53E5A3C5E9AE4 | C40E8A646B27F544ADF46130A314D9079B2F2DAE6A73C64109C669D1BE5A6B36 |
| 3044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\2IrAyU7Em9kB.bin.zip | compressed | CE47B78F950F96B5A1010F384CB03BC4 | C848511CCE3AF3592C22FA80C38E3A5474B917D91E79BED29323DDB7F4694A47 |
| 2764 | o6Vq9Z1.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | 49C2DE01488106B728698C1E05184FC4 | 141C5F862C723AB68CA3FA253178EA5F49BCC619F20A147260C2135C221845DC |
| 2228 | lpiograd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe | executable | 49C2DE01488106B728698C1E05184FC4 | 141C5F862C723AB68CA3FA253178EA5F49BCC619F20A147260C2135C221845DC |
| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2188 | lpiograd.exe | GET | — | 173.11.47.169:8080 | http://173.11.47.169:8080/ | US | — | — | malicious |
| 2188 | lpiograd.exe | GET | — | 177.242.156.119:80 | http://177.242.156.119/ | MX | — | — | malicious |
| 2228 | lpiograd.exe | GET | 200 | 50.78.167.65:7080 | http://50.78.167.65:7080/ | US | binary | 157 KB | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2228 | lpiograd.exe | 50.78.167.65:7080 | — | Comcast Cable Communications, LLC | US | malicious |
2188 | lpiograd.exe | 177.242.156.119:80 | — | SERVICIO Y EQUIPO EN TELEFONÍA INTERNET Y TV S.A. DE C.V. | MX | malicious |
2188 | lpiograd.exe | 50.78.167.65:7080 | — | Comcast Cable Communications, LLC | US | malicious |
2188 | lpiograd.exe | 189.244.86.184:990 | — | Uninet S.A. de C.V. | MX | suspicious |
2188 | lpiograd.exe | 173.11.47.169:8080 | — | Comcast Cable Communications, LLC | US | malicious |
2188 | lpiograd.exe | 12.222.134.10:7080 | — | AT&T Services, Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| dns.msftncsi.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
2228 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2188 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
2188 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2188 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
2188 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
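Read together, the tables above describe a compact chain: the extracted 2IrAyU7Em9kB.bin.exe runs twice (3488 then 3944), the second instance drops a copy as %LOCALAPPDATA%\Microsoft\Windows\lpiograd.exe (same SHA256 C40E…), which again runs twice (3500, 2228); 2228 fetches a 157 KB binary from 50.78.167.65:7080 and writes it as o6Vq9Z1.exe (SHA256 141C…), which runs twice (1548, 2764) and overwrites lpiograd.exe with that new hash; the updated lpiograd.exe then runs twice (3976, 2188) and beacons to bare IPs on ports 8080, 7080 and 990. All registry activity is WinRAR UI state, so the interesting signals are the process tree, the file writes and the HTTP requests. The script below is an added example, not any.run's own logic: it turns those three signals into detection checks and runs them over event lists transcribed by hand from the tables. The parent PIDs are an assumption (the report names only the parent image, so the chain is reconstructed from launch order), and the scoring thresholds are illustrative.

```python
"""Behavioural triage of the sandbox events above (added example; event lists are
constructed by hand from the report's process, file and HTTP tables)."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

STAGE0 = r"C:\Users\admin\AppData\Local\Temp\Rar$EXb3044.37764\2IrAyU7Em9kB.bin.exe"
LPIOGRAD = r"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"
O6VQ9Z1 = r"C:\Users\admin\AppData\Local\Microsoft\Windows\o6Vq9Z1.exe"
SHA_STAGE0 = "c40e8a646b27f544adf46130a314d9079b2f2dae6a73c64109c669d1be5a6b36"
SHA_UPDATE = "141c5f862c723ab68ca3fa253178ea5f49bcc619f20a147260c2135c221845dc"

# (pid, parent pid, image). Parent PIDs are assumed from the parent image name and
# launch order; the report itself does not list them.
PROCESSES = [
    (3044, None, r"C:\Program Files\WinRAR\WinRAR.exe"),
    (3488, 3044, STAGE0),
    (3944, 3488, STAGE0),
    (3500, 3944, LPIOGRAD),
    (2228, 3500, LPIOGRAD),
    (1548, 2228, O6VQ9Z1),
    (2764, 1548, O6VQ9Z1),
    (3976, 2764, LPIOGRAD),
    (2188, 3976, LPIOGRAD),
]
# (pid, path written, sha256) for the executables in the file-activity table.
FILE_WRITES = [
    (3944, LPIOGRAD, SHA_STAGE0),
    (2228, O6VQ9Z1, SHA_UPDATE),
    (2764, LPIOGRAD, SHA_UPDATE),
]
# (pid, url) from the HTTP-requests table.
HTTP_REQUESTS = [
    (2188, "http://173.11.47.169:8080/"),
    (2188, "http://177.242.156.119/"),
    (2228, "http://50.78.167.65:7080/"),
]

# %LOCALAPPDATA%\Microsoft\Windows\<name>.exe: the drop directory used in this run.
APPDATA_EXE = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def find_appdata_drops(writes):
    """Executables written under %LOCALAPPDATA%\\Microsoft\\Windows."""
    return sorted({path for _, path, _ in writes if APPDATA_EXE.search(path)})


def find_self_relaunch(processes):
    """PIDs whose image is identical to their parent's image (a binary re-executing itself)."""
    image = {pid: img.lower() for pid, _, img in processes}
    return sorted(pid for pid, ppid, img in processes
                  if ppid in image and image[ppid] == img.lower())


def find_replaced_binaries(writes):
    """Paths written more than once with different hashes: an in-place self-update."""
    hashes = defaultdict(list)
    for _, path, sha in writes:
        if sha not in hashes[path]:
            hashes[path].append(sha)
    return {path: h for path, h in hashes.items() if len(h) > 1}


def find_bare_ip_http(requests, standard_ports=(80, 443)):
    """HTTP requests whose host is an IP literal: (pid, host, port, non_standard_port)."""
    found = []
    for pid, url in requests:
        parts = urlsplit(url)
        try:
            ip_address(parts.hostname or "")
        except ValueError:
            continue  # a DNS name; not the pattern this check is after
        port = parts.port or (443 if parts.scheme == "https" else 80)
        found.append((pid, parts.hostname, port, port not in standard_ports))
    return found


def triage(processes, writes, requests):
    """Combine the checks into an illustrative score, verdict and list of findings."""
    findings, score = [], 0
    if drops := find_appdata_drops(writes):
        score += 2
        findings.append(f"executables dropped in LocalAppData\\Microsoft\\Windows: {len(drops)}")
    if relaunch := find_self_relaunch(processes):
        score += 2
        findings.append(f"self-relaunching processes: {relaunch}")
    if replaced := find_replaced_binaries(writes):
        score += 3
        findings.append(f"binary replaced on disk: {', '.join(replaced)}")
    if bare := find_bare_ip_http(requests):
        score += 1 + 2 * any(nonstd for *_, nonstd in bare)  # +2 for non-standard ports
        findings.append(f"HTTP to IP literals: {sorted({host for _, host, _, _ in bare})}")
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "clean"
    return verdict, score, findings


if __name__ == "__main__":
    verdict, score, findings = triage(PROCESSES, FILE_WRITES, HTTP_REQUESTS)
    print(f"{verdict} (score {score})")
    for line in findings:
        print(" -", line)
```

Each check on its own is weak (installers relaunch themselves, updaters rewrite their own binary), which is why they are combined: for this run all four fire, including the overwrite of lpiograd.exe by a process whose ancestor was started from that very file. Feed the same functions real Sysmon or EDR events (image, parent, file-write hash, URL) and the transcription step disappears.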