download: | u |
Full analysis: | https://app.any.run/tasks/623da160-ffa3-4d1d-bd6f-4840deb55040 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 14, 2018, 14:29:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 11F20E9364EF5099187B3445629888D3 |
SHA1: | 6BA5298AE64DCCBD30A17C915428038AB67F1988 |
SHA256: | 412D5F1887C34FE7EE92A3FA9328C6003EDFD345AD9020F1AED42A4A81341E37 |
SSDEEP: | 3072:zt17ybOENdXAMKz+3LxbGp9uRFCv1VvQia23Q80nOgNo:2bOEnXATzoNTrCvnQ+QZOgm |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
ProductName: | - |
---|---|
LegalTrademarks: | QQQQQqA, Netscape |
InternalName: | apisets |
ProductVersion: | 6.2.9200.1 |
FileVersion: | 6.2.9200. |
CompanyName: | Micr |
LegalCopyright: | © Mic |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.4.0.0 |
FileVersionNumber: | 1.4.20030.62408 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xb16f |
UninitializedDataSize: | - |
InitializedDataSize: | 413696 |
CodeSize: | 49152 |
LinkerVersion: | 12 |
PEType: | PE32 |
TimeStamp: | 2018:11:14 23:00:42+01:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
456 | "C:\Users\admin\u.exe" | C:\Users\admin\u.exe | — | explorer.exe |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
3572 | "C:\Users\admin\u.exe" | C:\Users\admin\u.exe | u.exe | |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
2648 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | u.exe | |
User: admin Company: Micr Integrity Level: MEDIUM Exit code: 0 Version: 6.2.9200. | ||||
3684 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Micr Integrity Level: MEDIUM Version: 6.2.9200. |
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3684) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3572 | u.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:11F20E9364EF5099187B3445629888D3 | SHA256:412D5F1887C34FE7EE92A3FA9328C6003EDFD345AD9020F1AED42A4A81341E37 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3684 | lpiograd.exe | GET | — | 104.229.109.97:443 | http://104.229.109.97:443/ | US | — | — | malicious |
3684 | lpiograd.exe | GET | — | 24.166.75.5:443 | http://24.166.75.5:443/ | US | — | — | malicious |
3684 | lpiograd.exe | GET | — | 45.123.3.54:443 | http://45.123.3.54:443/ | IN | — | — | malicious |
3684 | lpiograd.exe | GET | — | 24.76.123.171:443 | http://24.76.123.171:443/ | CA | — | — | malicious |
3684 | lpiograd.exe | GET | — | 67.205.149.117:443 | http://67.205.149.117:443/ | US | — | — | malicious |
3684 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
3684 | lpiograd.exe | GET | — | 217.174.206.181:443 | http://217.174.206.181:443/ | FR | — | — | malicious |
3684 | lpiograd.exe | GET | — | 64.19.32.70:443 | http://64.19.32.70:443/ | US | — | — | malicious |
3684 | lpiograd.exe | GET | 404 | 24.220.80.37:80 | http://24.220.80.37/ | US | xml | 345 b | malicious |
3684 | lpiograd.exe | GET | 404 | 67.254.71.72:8443 | http://67.254.71.72:8443/ | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3684 | lpiograd.exe | 68.102.169.43:8080 | — | Cox Communications Inc. | US | malicious |
3684 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
3684 | lpiograd.exe | 71.71.126.201:8080 | — | Time Warner Cable Internet LLC | US | malicious |
3684 | lpiograd.exe | 24.166.75.5:443 | — | Time Warner Cable Internet LLC | US | malicious |
3684 | lpiograd.exe | 24.220.80.37:80 | — | Midcontinent Communications | US | malicious |
3684 | lpiograd.exe | 75.110.190.86:80 | — | Suddenlink Communications | US | malicious |
3684 | lpiograd.exe | 24.234.221.236:7080 | — | Cox Communications Inc. | US | malicious |
3684 | lpiograd.exe | 24.76.123.171:443 | — | Shaw Communications Inc. | CA | malicious |
3684 | lpiograd.exe | 67.254.71.72:8443 | — | Time Warner Cable Internet LLC | US | malicious |
3684 | lpiograd.exe | 45.123.3.54:443 | — | Blue Lotus Support Services Pvt Ltd | IN | malicious |
PID | Process | Class | Message |
---|---|---|---|
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
3684 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3684 | lpiograd.exe | A Network Trojan was detected | SC TROJAN Malicious behavior by Trojan-Banker.Win32.Emotet |
3684 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |