app.twinwave.io
2600:9000:21c7:600:f:6228:3e80:93a1
Public Scan
URL:
https://app.twinwave.io/shared/d831574e-fe4a-4d33-a20f-2730b8264a1c/ec9613af0e2434ccda1c87805a2cfd0fa4cc9d992ce324826fcd...
Submission: On March 09 via manual from US — Scanned from DE
Form analysis: 0 forms found in the DOM

Text Content
Attack Analyzer

W-9 DT 03.07.2023 CAPITALPREMIUM.ZIP
Score: 100
Verdict: Malware
Malware Family: Emotet
Submitted: 3/8/2023, 12:50:00 AM
SHA256: da79a750dbe6537e41a1662c5ae5ab340e65f6fce2df450da7f75677d58861ee
MD5: 703891f37d4d63546684abcef4e07197
File Type: Zip archive data, at least v?[0x314] to extract
File Size: 693 KB

Resources Analyzed
* W-9 Dt 03.07.2023 Capitalpremium.zip
* trimmed_1678236635_W-9 Dt 03.07.2023.doc

Summary
* Consolidated: Completed, score 100
* W-9 Dt 03.07.2023 Capitalpremium.zip
  * Archive Extraction: Completed, score 0
  * Static File Analysis: Completed, score 0
  * VirusTotal: Completed, score 0
  * ClamAV: Completed, score 0
  * YARA: Completed, score 0
* trimmed_1678236635_W-9 Dt 03.07.2023.doc
  * Static File Analysis: Completed, score 0
  * VirusTotal: Completed, score 0
  * ClamAV: Completed, score 0
  * YARA: Completed, score 100
  * Static Doc Analysis: Completed, score 100
  * TwinWave Sandbox (win7), Microsoft Word Document: Completed, score 100
  * TwinWave Sandbox (win10): Completed, score 0

Initial Submission: W-9 Dt 03.07.2023 Capitalpremium.zip
Job Duration: 19 minutes
Resources Analyzed: 0 URLs, 2 files
Verdict: Malware
Malware Family: Emotet

Processing Exceptions (2)
Engine | Resource | Exception
Archive Extraction | W-9 Dt 03.07.2023 Capitalpremium.zip -> trimmed_1678236635_W-9 Dt 03.07.2023.doc | File was carved/modified from input to aid downstream analysis
Archive Extraction | W-9 Dt 03.07.2023 Capitalpremium.zip -> W-9 Dt 03.07.2023.doc | File exceeded internal size limit

Detections (47)
Engine | Signature / Alert | Score | Tags
Static Doc Analysis | Process Detonator and Enable Content OCR | 100 |
Static Doc Analysis | Process Detonator and Enable Editing OCR | 100 |
Static Doc Analysis | Protected Document Lure OCR And Macro with External Process Detonator | 100 |
TwinWave Sandbox (win7) | Installs itself for autorun at Windows startup | 90 |
Static Doc Analysis | Common Lure Artifact Office Cube Logo Object Detected And Secondary Indicator | 80 |
Static Doc Analysis | Common Lure Artifact microsoft-square Object Detected And Secondary Indicator | 80 |
Static Doc Analysis | Document has been or is encrypted/secured/protected and secondary indicator | 80 |
Static Doc Analysis | Emotet Lure Text Ripped And Used By A few Other Actors | 80 |
Static Doc Analysis | Emotet Lure Text and Secondary Indicator | 80 | Malware Family: Emotet
TwinWave Sandbox (win7) | Establishes encrypted HTTPS connection Emotet C2 Format | 80 | Malware Family: Emotet
Static Doc Analysis | Macros and Char encoded HTTP found | 80 |
TwinWave Sandbox (win7) | Martian Subprocess Started By Office Process | 80 |
TwinWave Sandbox (win7) | Martian Subprocess Started By Office Process Alternative Detection Method | 80 |
Static Doc Analysis | Self Referenced Assingment of CreateObject From Argument Passed to Function | 80 |
TwinWave Sandbox (win7) | Sigma Alerts | 80 |
TwinWave Sandbox (win7) | Suspicious CLSID Loads | 80 |
Static Doc Analysis | Enable This/Then Content Lure Text and Detonators | 70 |
Static Doc Analysis | Macro Likely CallByName Obfuscation Attempt | 70 |
TwinWave Sandbox (win7) | Created network traffic indicative of malicious activity | 64 |
TwinWave Sandbox (win7) | CAPE detected the Emotet malware family | 60 |
Static Doc Analysis | Screenshot Match - Potential document detected: Emotet Red Lure | 50 | Malware Family: Emotet
YARA | YARA rule match: Office_Binary_PutWrite | 15 |
YARA | YARA rule match: Office_Macro_AutoBehavior_Image | 15 |
YARA | YARA rule match: Office_MaxStonksNotStonks | 15 |
YARA | YARA rule match: Office_stdole_CallByName_ActiveDocument | 15 |
YARA | YARA rule match: PEPE_Silvia_v2_Extreme_Edition | 15 |
YARA | YARA rule match: Ultimate_PEPE_Silvia | 15 |
YARA | YARA rule match: ursnif_maldoc_dropper_128byte | 15 |
Static Doc Analysis | Enable Content OCR | 10 |
Static Doc Analysis | Enable Editing OCR | 10 |
TwinWave Sandbox (win7) | Enumerates running processes | 10 |
TwinWave Sandbox (win7) | Establishes an encrypted HTTPS connection | 10 |
TwinWave Sandbox (win7) | Expresses interest in specific running processes | 10 |
TwinWave Sandbox (win7) | Office loads VB DLLs, indicative of Office Macros | 10 |
TwinWave Sandbox (win7) | The office file contains a macro | 10 |
TwinWave Sandbox (win7) | The office file contains a macro with auto execution | 10 |
TwinWave Sandbox (win7) | The office file contains a macro with suspicious strings | 10 |
TwinWave Sandbox (win7) | Performs some HTTP requests | 5 |
TwinWave Sandbox (win7) | Yara rule detections observed from a process memory dump/dropped files/CAPE | 5 |
TwinWave Sandbox (win7) | Dynamic (imported) function loading detected | 0 |

Screenshots (5)
* Static Doc Analysis (1): trimmed_1678236635_W-9 Dt 03.07.2023.doc
  * Labels: microsoft-square, office-cube
  * Hashes: 818181ffffffffff | 070f030000000000 | af2f7e7ad0d09081
* TwinWave Sandbox (win7) (4): trimmed_1678236635_W.doc, trimmed_1678236635_W.doc, trimmed_1678236635_W.doc, trimmed_1678236635_W.doc

Extracted Images (1)
* Static Doc Analysis (1): trimmed_1678236635_W-9 Dt 03.07.2023.doc
  * Labels: microsoft-square, office-cube
  * Hashes: 00ffffffc7ffffff | 238ccc960f618080 | a0751d3d2d6d3722