analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

xfMloEkt6

Full analysis: https://app.any.run/tasks/deaefe23-03d6-4a71-839f-aca8dad39c43
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 14, 2018, 14:38:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

94294089902972AF7740A964BDBD2A39

SHA1:

A532F93EE6EDEF5430629C37DF8D70707EBDF184

SHA256:

AFBB5D83F5C9D104A2E478A05D4350F9AD01AA82B66554F452F1336005461346

SSDEEP:

3072:2YPaZIkyVBiglrmJKS01JNOrjewExnrdBuFgHSqktjXB6vZ67tG:2YSZ78BfmD01GrjXExnHuNtj8vsZG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Emotet process was detected

      • lpiograd.exe (PID: 3828)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • xfMloEkt6.exe (PID: 2860)
    • Application launched itself

      • xfMloEkt6.exe (PID: 844)
      • lpiograd.exe (PID: 3828)
    • Starts itself from another location

      • xfMloEkt6.exe (PID: 2860)
    • Connects to unusual port

      • lpiograd.exe (PID: 2596)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

ProductName: -
LegalTrademarks: QQQQQqA, Netscape
InternalName: apisets
ProductVersion: 6.2.9200.1
FileVersion: 6.2.9200.
CompanyName: Micr
LegalCopyright: © Mic
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.4.0.0
FileVersionNumber: 1.4.20030.62408
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0xb1aa
UninitializedDataSize: -
InitializedDataSize: 413696
CodeSize: 49152
LinkerVersion: 12
PEType: PE32
TimeStamp: 2018:11:14 22:23:22+01:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start xfmloekt6.exe no specs xfmloekt6.exe #EMOTET lpiograd.exe no specs lpiograd.exe

Process information

PID
CMD
Path
Indicators
Parent process
844"C:\Users\admin\AppData\Local\Temp\xfMloEkt6.exe" C:\Users\admin\AppData\Local\Temp\xfMloEkt6.exeexplorer.exe
User:
admin
Company:
Micr
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.2.9200.
2860"C:\Users\admin\AppData\Local\Temp\xfMloEkt6.exe"C:\Users\admin\AppData\Local\Temp\xfMloEkt6.exe
xfMloEkt6.exe
User:
admin
Company:
Micr
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.2.9200.
3828"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
xfMloEkt6.exe
User:
admin
Company:
Micr
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.2.9200.
2596"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
lpiograd.exe
User:
admin
Company:
Micr
Integrity Level:
MEDIUM
Version:
6.2.9200.
Total events
71
Read events
57
Write events
14
Delete events
0

Modification events

(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2596) lpiograd.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2860xfMloEkt6.exeC:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exeexecutable
MD5:94294089902972AF7740A964BDBD2A39
SHA256:AFBB5D83F5C9D104A2E478A05D4350F9AD01AA82B66554F452F1336005461346
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2596
lpiograd.exe
GET
177.242.156.119:80
http://177.242.156.119/
MX
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2596
lpiograd.exe
177.242.156.119:80
SERVICIO Y EQUIPO EN TELEFONÍA INTERNET Y TV S.A. DE C.V.
MX
malicious
2596
lpiograd.exe
50.78.167.65:7080
Comcast Cable Communications, LLC
US
malicious

DNS requests

No data

Threats

No threats detected
No debug info