Field | Value
---|---
File name | 48xxpn1_Malicious_Services_DO_NOT_RUN.zip
Full analysis | https://app.any.run/tasks/c0b6b582-a320-42bb-8261-c0d838e69ebe
Verdict | Malicious activity
Threats | Emotet is one of the most dangerous trojans ever created; over the course of its lifetime it was upgraded repeatedly into highly destructive malware. It targets mostly corporate victims, but private users are also infected through mass spam email campaigns.
Analysis date | November 14, 2018, 20:50:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 86D088D8EC7BD9F93FFEDD1FCF8AF3AA
SHA1 | D36D03836E893DF065F90E866E4852B30509000B
SHA256 | 10DCFC17BF9FE9E66FAA25D722B3451F5ADF2D5AA8F2E0F66C87C68442AA43D6
SSDEEP | 98304:3Pg4l6l3jfl+APE/2zu6YdBYJYYTHCaJYYTHCzJYYTHCQJYYTHCYJYYTHCQJYYTH:3SlNEoCBYRTiaRTizRTiQRTiYRTiQRTH

Extension | Type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | -
ZipCompression | Deflated
ZipModifyDate | 2018:11:13 15:39:06
ZipCRC | 0x36cb4ade
ZipCompressedSize | 103650
ZipUncompressedSize | 151552
ZipFileName | 18082264.exe

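Added example, not part of the ANY.RUN report: a pre-extraction triage that reads the same central-directory fields shown above (required version, compression, modify date, CRC, sizes, entry name) and peeks at the first bytes of each entry to catch a PE payload before anyone double-clicks it. The archive is constructed in memory with a dummy MZ-headed entry that copies the report's layout (one Deflate-compressed 18082264.exe); the EntryReport fields and the extension lists are this example's own.

```python
"""Pre-extraction triage of a ZIP attachment: read the central directory and
peek at each entry's first bytes without writing anything to disk.

Added example, not ANY.RUN's code.  The sample archive is constructed
in memory; its single entry is a dummy MZ-headed blob, not a real PE.
"""
import io
import zipfile
import zlib
from dataclasses import dataclass, field
from typing import List

# Extensions Windows executes directly, and ones that commonly wrap a downloader.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".dll", ".cpl")
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1")

COMPRESSION_NAMES = {
    zipfile.ZIP_STORED: "Stored",
    zipfile.ZIP_DEFLATED: "Deflated",
    zipfile.ZIP_BZIP2: "BZip2",
    zipfile.ZIP_LZMA: "LZMA",
}


@dataclass
class EntryReport:
    name: str
    required_version: int      # "version needed to extract", 20 == v2.0 (Deflate)
    compression: str
    modify_date: tuple         # (Y, M, D, h, m, s) from the DOS timestamp
    crc: int
    compressed_size: int
    uncompressed_size: int
    magic: bytes               # first two bytes of the decompressed entry
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_zip(archive: bytes) -> List[EntryReport]:
    """Inspect every file entry; nothing is extracted to the filesystem."""
    reports: List[EntryReport] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Two bytes are enough to spot a PE; only the first deflate block is inflated.
            with zf.open(info) as fh:
                magic = fh.read(2)
            rep = EntryReport(
                name=info.filename,
                required_version=info.extract_version,
                compression=COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                modify_date=info.date_time,
                crc=info.CRC,
                compressed_size=info.compress_size,
                uncompressed_size=info.file_size,
                magic=magic,
            )
            lower = info.filename.lower()
            if magic == b"MZ":
                rep.reasons.append("PE (MZ) header")
            if lower.endswith(EXEC_EXTENSIONS):
                rep.reasons.append("executable extension")
            elif lower.endswith(SCRIPT_EXTENSIONS):
                rep.reasons.append("script/shortcut extension")
            if magic == b"MZ" and not lower.endswith(EXEC_EXTENSIONS):
                rep.reasons.append("PE payload behind a non-executable extension")
            if "\\" in info.filename or info.filename.startswith("/") or ".." in info.filename.split("/"):
                rep.reasons.append("path traversal in entry name")
            reports.append(rep)
    return reports


def build_sample_zip(entry_name: str, payload: bytes, date_time=(2018, 11, 13, 15, 39, 6)) -> bytes:
    """Constructed sample: one Deflate entry carrying the report's name and mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(entry_name, date_time=date_time)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()


# Dummy "PE": correct MZ magic followed by filler, not a runnable executable.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 64
SAMPLE_CRC = zlib.crc32(SAMPLE_PAYLOAD) & 0xFFFFFFFF
SAMPLE_ZIP = build_sample_zip("18082264.exe", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for r in triage_zip(SAMPLE_ZIP):
        print(f"{r.name}: v{r.required_version} {r.compression} {r.uncompressed_size} B "
              f"crc=0x{r.crc:08x} {'SUSPICIOUS' if r.suspicious else 'ok'} {r.reasons}")
```

The check deliberately reads the entry through the archive API rather than extracting: a mail gateway or triage script gets the verdict without ever creating an .exe on disk, and the magic-byte test also catches a PE renamed to .txt or .pdf.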

PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---|---
2456 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\48xxpn1_Malicious_Services_DO_NOT_RUN.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.60.0 | 
2168 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23978616.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23978616.exe | — | WinRAR.exe | admin | MEDIUM | Micro | Windows M | 6. | 0
3096 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23978616.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23978616.exe | | 23978616.exe | admin | MEDIUM | Micro | Windows M | 6. | 0
996 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | 23978616.exe | admin | MEDIUM | Micro | Windows M | 6. | 0
2620 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | lpiograd.exe | admin | MEDIUM | Micro | Windows M | 6. | 0
2372 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.18494\27126232.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.18494\27126232.exe | — | WinRAR.exe | admin | MEDIUM | AbanSoft / Sun Microsystems, Inc. | Window I Stub | 1, 4, 2, 50 | 0
1380 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.18494\27126232.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.18494\27126232.exe | — | 27126232.exe | admin | MEDIUM | AbanSoft / Sun Microsystems, Inc. | Window I Stub | 1, 4, 2, 50 | 0
1724 | "C:\Users\admin\AppData\Local\Microsoft\Windows\zAzxlPZwwPUeVPzzH.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\zAzxlPZwwPUeVPzzH.exe | — | lpiograd.exe | admin | MEDIUM | Borland Corporation | Borland C++ Multi-thread RTL (WIN/VCL MT) | 8.0.0.0 | 0
2160 | "C:\Users\admin\AppData\Local\Microsoft\Windows\zAzxlPZwwPUeVPzzH.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\zAzxlPZwwPUeVPzzH.exe | | zAzxlPZwwPUeVPzzH.exe | admin | MEDIUM | Borland Corporation | Borland C++ Multi-thread RTL (WIN/VCL MT) | 8.0.0.0 | 0
676 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | | zAzxlPZwwPUeVPzzH.exe | admin | MEDIUM | Borland Corporation | Borland C++ Multi-thread RTL (WIN/VCL MT) | 8.0.0.0 | 0

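Added example, not part of the ANY.RUN report: detection logic for the chain the process table shows, where WinRAR launches an .exe straight from its Rar$EX scratch folder, the dropper re-launches its own image, starts a copy placed under %LOCALAPPDATA%\Microsoft\Windows (a folder that holds no legitimate executables), and that copy re-launches itself again. The events are constructed from the table's rows; parent PIDs are assumptions because the report names only the parent image, and the Sysmon-like field names, rule names and the ARCHIVERS list are this example's own.

```python
"""Process-chain detection for the drop-and-run pattern in the process tree.

Added example, not ANY.RUN's code.  EVENTS is constructed from the
report; ppid links (and explorer.exe's parent) are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the started process
    parent_image: str   # full path of the parent


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    detail: str


# Processes that give the user a "double-click inside the archive" path (assumed list).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe"}
# WinRAR's per-launch scratch folder, as seen in the table: Rar$EXa<pid>.<counter>\
RAR_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+\d+\.\d+\\", re.I)
# An .exe directly under %LOCALAPPDATA%\Microsoft\Windows
LOCAL_MS_WINDOWS_EXE = re.compile(r"\\AppData\\Local\\Microsoft\\Windows\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def evaluate(events: List[ProcEvent]) -> List[Hit]:
    """Apply the four rules to each process-start event; a row may trigger several."""
    hits: List[Hit] = []
    for e in events:
        img, par = e.image, e.parent_image
        if RAR_TEMP.search(img) and basename(par).lower() in ARCHIVERS:
            hits.append(Hit(e.pid, "archive_temp_exec",
                            f"{basename(par)} ran {basename(img)} from the archive scratch folder"))
        if img.lower() == par.lower():
            hits.append(Hit(e.pid, "self_reexec", f"{basename(img)} re-launched its own image"))
        if LOCAL_MS_WINDOWS_EXE.search(img):
            hits.append(Hit(e.pid, "localappdata_mswindows_exe",
                            f"{basename(img)} runs from %LOCALAPPDATA%\\Microsoft\\Windows"))
        if RAR_TEMP.search(par) and LOCAL_MS_WINDOWS_EXE.search(img):
            hits.append(Hit(e.pid, "drop_and_run",
                            f"{basename(par)} (archive scratch) started {basename(img)} (persisted copy)"))
    return hits


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links back to the root; the last recorded parent image ends the chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    names: List[str] = []
    e = by_pid.get(pid)
    while e is not None:
        names.append(basename(e.image))
        parent = by_pid.get(e.ppid)
        if parent is None:
            names.append(basename(e.parent_image))
        e = parent
    names.reverse()
    return names


WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
TEMP1 = "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa2456.16750"
TEMP2 = "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$EXa2456.18494"
MSWIN = "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows"
DROPPER1, DROPPER2 = TEMP1 + "\\23978616.exe", TEMP2 + "\\27126232.exe"
PERSIST, UPDATE = MSWIN + "\\lpiograd.exe", MSWIN + "\\zAzxlPZwwPUeVPzzH.exe"

# Constructed from the process table; the ppid values are assumptions.
EVENTS = [
    ProcEvent(2456, 1000, WINRAR, "C:\\Windows\\explorer.exe"),
    ProcEvent(2168, 2456, DROPPER1, WINRAR),
    ProcEvent(3096, 2168, DROPPER1, DROPPER1),
    ProcEvent(996, 3096, PERSIST, DROPPER1),
    ProcEvent(2620, 996, PERSIST, PERSIST),
    ProcEvent(2372, 2456, DROPPER2, WINRAR),
    ProcEvent(1380, 2372, DROPPER2, DROPPER2),
    ProcEvent(1724, 2620, UPDATE, PERSIST),
    ProcEvent(2160, 1724, UPDATE, UPDATE),
    ProcEvent(676, 2160, PERSIST, UPDATE),
]

if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(f"pid {h.pid:<5} {h.rule:<28} {h.detail}")
    print(" > ".join(lineage(EVENTS, 2620)))
```

The `self_reexec` and `localappdata_mswindows_exe` rules are the ones worth keeping on a production sensor: they do not depend on WinRAR or on the random file names, only on the shape of the chain.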

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\18082264.exe | executable | 6BC11D11B642AD3E6CEB68CE9448401B | F2CBB164DD9DEFB79C2BC94F075DFAA84CD9FD285F44B8EA1D7CA1C81A537C22
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23194072.exe | executable | 6BC11D11B642AD3E6CEB68CE9448401B | F2CBB164DD9DEFB79C2BC94F075DFAA84CD9FD285F44B8EA1D7CA1C81A537C22
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\23914968.exe | executable | 21CB99552041A78363CB62502040823F | 0EA0D10DAA8441022AFE01BC1BDAE16D5A858B77311C3F71A6D1C535E645E623
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\17033688.exe | executable | 331B9300CC432410489A702251D97016 | C7819F07A42E9443EB2FCCD80A8AF0025FE3880A8CDAB5C36C6ACCEBBEEDAD4E
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\21817816.exe | executable | B19CC478A0136F7137A9A4FBF147926C | 7AC3ACEE59D8A016474F32307D64EA20903D6E6A695D87D79B2A5098D6996C15
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\31648064.exe | executable | 236E6AB971A79FB1527539ED362F665D | 8A08D166DE154BB0FC1F8967E5CD532C8E220467E3C500C26E80678C89CE4999
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\26273984.exe | executable | 1B046FA80EE82864C1B2F07758BE925F | 17BE2B8B04F05FC00177B3F239FF7766CF36576C2102067ADADA7BDCB2146E8B
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\40298968.exe | executable | A9737C92B02E1518D57B7E7A375824FD | 683536B72BB8E19E95A70164AD30BC466D229ED08F91B004E2D8C412A76EC969
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\27191504.exe | executable | 1B046FA80EE82864C1B2F07758BE925F | 17BE2B8B04F05FC00177B3F239FF7766CF36576C2102067ADADA7BDCB2146E8B
2456 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2456.16750\21162456.exe | executable | 086E742C411903C6BCCA773AB97B1ABD | C99753DDFCBA80EC89BAB83C59F074322CECDEA193FDD3ADEEBCBD4E21D3D4E6


PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
1388 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious
3464 | lpiograd.exe | GET | — | 73.32.166.189:443 | http://73.32.166.189:443/ | US | — | — | malicious
3464 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious
3320 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious
3464 | lpiograd.exe | GET | 200 | 68.102.169.43:8080 | http://68.102.169.43:8080/ | US | binary | 148 KB | malicious
2620 | lpiograd.exe | GET | 200 | 136.56.103.201:80 | http://136.56.103.201/ | US | binary | 148 KB | malicious

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1388 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
3464 | lpiograd.exe | 69.112.171.184:8443 | — | Cablevision Systems Corp. | US | malicious |
3464 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
3464 | lpiograd.exe | 73.32.166.189:443 | — | Comcast Cable Communications, LLC | US | malicious |
2620 | lpiograd.exe | 136.56.103.201:80 | — | Google Fiber Inc. | US | malicious |
3464 | lpiograd.exe | 68.102.169.43:8080 | — | Cox Communications Inc. | US | malicious |
3320 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
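Added example, not part of the ANY.RUN report: a network-side heuristic that codifies what the HTTP and connection tables above show, namely requests to bare IPv4 literals, plain HTTP to 443, non-standard ports such as 8080, GETs for nothing but the root path, and two binary downloads of about 148 KB. The records are constructed from the HTTP rows plus one benign control (the Windows NCSI probe); the HttpRecord field names, rule names and the score threshold are this example's own.

```python
"""Score proxy/sandbox HTTP records for direct-to-IP C2 traits and emit an
ip:port blocklist.

Added example, not ANY.RUN's code.  RECORDS is constructed from the
report's HTTP table; the threshold of two traits is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRecord:
    pid: int
    process: str
    method: str
    status: Optional[int]        # None when the sandbox logged no response
    url: str
    content_type: Optional[str]  # the sandbox's coarse type, e.g. "binary"
    size_bytes: int


@dataclass
class Verdict:
    endpoint: str                # "ip:port"
    reasons: List[str]
    flagged: bool


TLS_PORTS = {443, 8443}
WEB_PORTS = {80, 443}
FLAG_THRESHOLD = 2  # two independent oddities on one request are enough to block


def assess(rec: HttpRecord) -> Verdict:
    parts = urlsplit(rec.url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons: List[str] = []
    try:
        ipaddress.ip_address(host)
        reasons.append("direct_ip_host")          # no DNS name, no certificate to check
    except ValueError:
        pass
    if parts.scheme == "http" and port in TLS_PORTS:
        reasons.append("plain_http_on_tls_port")  # cleartext on a port that should carry TLS
    if port not in WEB_PORTS:
        reasons.append("nonstandard_port")
    if rec.method == "GET" and parts.path in ("", "/") and not parts.query:
        reasons.append("root_path_get")           # beacon carrying nothing but headers
    if rec.content_type == "binary" and rec.size_bytes > 0:
        reasons.append("binary_download")         # payload or update pulled over the channel
    return Verdict(f"{host}:{port}", reasons, len(reasons) >= FLAG_THRESHOLD)


def iocs(records: List[HttpRecord]) -> List[str]:
    """Unique flagged ip:port endpoints, ordered numerically by address then port."""
    seen = {v.endpoint for v in map(assess, records) if v.flagged}

    def key(ep: str) -> Tuple[int, int]:
        ip, port = ep.rsplit(":", 1)
        return int(ipaddress.ip_address(ip)), int(port)

    return sorted(seen, key=key)


KB = 1024
# Constructed from the HTTP table: "—" status becomes None, "148 KB" becomes 148 * 1024.
RECORDS = [
    HttpRecord(1388, "lpiograd.exe", "GET", None, "http://83.110.100.209:443/", None, 0),
    HttpRecord(3464, "lpiograd.exe", "GET", None, "http://73.32.166.189:443/", None, 0),
    HttpRecord(3464, "lpiograd.exe", "GET", None, "http://83.110.100.209:443/", None, 0),
    HttpRecord(3320, "lpiograd.exe", "GET", None, "http://83.110.100.209:443/", None, 0),
    HttpRecord(3464, "lpiograd.exe", "GET", 200, "http://68.102.169.43:8080/", "binary", 148 * KB),
    HttpRecord(2620, "lpiograd.exe", "GET", 200, "http://136.56.103.201/", "binary", 148 * KB),
    # Benign control (constructed): the Windows 7 connectivity probe, domain-based, text body.
    HttpRecord(1, "svchost.exe", "GET", 200, "http://www.msftncsi.com/ncsi.txt", "text", 14),
]

if __name__ == "__main__":
    for r in RECORDS:
        v = assess(r)
        print(f"{'BLOCK' if v.flagged else 'ok   '} {v.endpoint:<22} {','.join(v.reasons)}")
    print("IOCs:", iocs(RECORDS))
```

The 8443 endpoint in the connection table (69.112.171.184) never produced an HTTP row, so it is absent from the blocklist this heuristic derives; a complete IOC set has to merge the connection table as well.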
PID | Process | Class | Message |
---|---|---|---|
2620 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
1388 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3464 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3464 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3464 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |