download: | W61Td2h |
Full analysis: | https://app.any.run/tasks/295212ae-9764-4531-98fe-72626d0f581b |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 14, 2018, 09:24:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 405E905529DCD6817485CF4322C6B4F1 |
SHA1: | 903E3DA98D5C3CDB57A0ED40AE5359C4566C7B2C |
SHA256: | 8F3F1DDAD7C13B3757CA200FA93D2AFD33C52B1C7DC2F27CAA8ECD989291F748 |
SSDEEP: | 3072:oDGkQ1uAdlGPx/aRk1LMtiYpmo38euVDe6xkLSwyYn06SAu1fVFfG:XpGda6d+iWmDeuRHx3wx0DAu19Ff |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:11:14 17:01:15+01:00 |
PEType: | PE32 |
LinkerVersion: | 12 |
CodeSize: | 53248 |
InitializedDataSize: | 417792 |
UninitializedDataSize: | - |
EntryPoint: | 0xba27 |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.4.20030.62408 |
ProductVersionNumber: | 1.4.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Dynamic link library |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
LegalCopyright: | © Micros |
CompanyName: | Micro |
FileVersion: | 6.1.7600.1 |
ProductVersion: | 6.1.7600.16 |
InternalName: | OLESVR32 |
LegalTrademarks: | QQQQQqA, Netscape |
ProductName: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4032 | "C:\Users\admin\W61Td2h.exe" | C:\Users\admin\W61Td2h.exe | — | explorer.exe |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
2668 | "C:\Users\admin\W61Td2h.exe" | C:\Users\admin\W61Td2h.exe | W61Td2h.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
1532 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | W61Td2h.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.1 | ||||
3492 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Micro Integrity Level: MEDIUM Version: 6.1.7600.1 |
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3492) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2668 | W61Td2h.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:405E905529DCD6817485CF4322C6B4F1 | SHA256:8F3F1DDAD7C13B3757CA200FA93D2AFD33C52B1C7DC2F27CAA8ECD989291F748 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3492 | lpiograd.exe | GET | — | 207.255.59.231:443 | http://207.255.59.231:443/ | US | — | — | malicious |
3492 | lpiograd.exe | GET | — | 187.207.72.201:443 | http://187.207.72.201:443/ | MX | — | — | malicious |
3492 | lpiograd.exe | GET | — | 49.212.135.76:443 | http://49.212.135.76:443/ | JP | — | — | malicious |
3492 | lpiograd.exe | GET | — | 159.65.76.245:443 | http://159.65.76.245:443/ | US | — | — | malicious |
3492 | lpiograd.exe | GET | 404 | 210.2.86.72:8080 | http://210.2.86.72:8080/ | VN | xml | 345 b | malicious |
3492 | lpiograd.exe | GET | 404 | 216.176.21.143:80 | http://216.176.21.143/ | US | xml | 345 b | malicious |
3492 | lpiograd.exe | GET | — | 198.199.185.25:443 | http://198.199.185.25:443/ | US | — | — | malicious |
3492 | lpiograd.exe | GET | 404 | 70.60.50.60:8080 | http://70.60.50.60:8080/ | US | xml | 345 b | malicious |
3492 | lpiograd.exe | GET | 404 | 192.155.90.90:7080 | http://192.155.90.90:7080/ | US | xml | 345 b | malicious |
3492 | lpiograd.exe | GET | 404 | 210.2.86.94:8080 | http://210.2.86.94:8080/ | VN | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3492 | lpiograd.exe | 187.163.174.149:8080 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3492 | lpiograd.exe | 70.60.50.60:8080 | — | Time Warner Cable Internet LLC | US | malicious |
3492 | lpiograd.exe | 207.255.59.231:443 | — | Atlantic Broadband Finance, LLC | US | malicious |
3492 | lpiograd.exe | 118.69.186.155:8080 | — | The Corporation for Financing & Promoting Technology | VN | malicious |
3492 | lpiograd.exe | 5.32.65.50:8080 | — | Emirates Integrated Telecommunications Company PJSC (EITC-DU) | AE | malicious |
3492 | lpiograd.exe | 216.176.21.143:80 | — | Great Lakes Comnet, Inc. | US | malicious |
3492 | lpiograd.exe | 50.21.147.8:8090 | — | Otelco Telephone, LLC | US | malicious |
3492 | lpiograd.exe | 187.163.49.123:8090 | — | Axtel, S.A.B. de C.V. | MX | malicious |
3492 | lpiograd.exe | 96.246.206.16:80 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
3492 | lpiograd.exe | 210.2.86.72:8080 | — | Quang Trung Software City Development Company | VN | malicious |
PID | Process | Class | Message |
---|---|---|---|
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |
3492 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3492 | lpiograd.exe | A Network Trojan was detected | SC SPYWARE Trojan-Banker.Win32.Emotet |