download: | K0laIZI |
Full analysis: | https://app.any.run/tasks/5d5e5249-471c-4240-877b-84d0873c4208 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | November 15, 2018, 10:19:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 516F0945009DDC49101D8B60577C529A |
SHA1: | 5B6CCA4EF814BBD604F320A6BB9E5D8286EC5ECB |
SHA256: | C9AAAD2EDD9F727557C3741BBA80832B3B429B7662C146B34F47AE2DDE623423 |
SSDEEP: | 3072:GZNIh5o1F97Ozm4tymWEgGvXObekmjI1cYlWe2VG+eFj+FoY6F9:GZyhq7Ozm4t/WGPOekmjISU+eFSO |
.dll | | | Win32 Dynamic Link Library (generic) (43.5) |
---|---|---|
.exe | | | Win32 Executable (generic) (29.8) |
.exe | | | Generic Win/DOS Executable (13.2) |
.exe | | | DOS Executable Generic (13.2) |
ProductName: | - |
---|---|
LegalTrademarks: | QQQQQqA, Netscape |
InternalName: | esscli |
ProductVersion: | 6.1.7600. |
FileVersion: | 6.1.7600 |
CompanyName: | Mic |
LegalCopyright: | © |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.4.0.0 |
FileVersionNumber: | 1.4.20030.62408 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xb7e6 |
UninitializedDataSize: | - |
InitializedDataSize: | 102400 |
CodeSize: | 249856 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2002:04:01 22:32:30+02:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3392 | "C:\Users\admin\Desktop\K0laIZI.exe" | C:\Users\admin\Desktop\K0laIZI.exe | — | explorer.exe |
User: admin Company: Mic Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600 | ||||
2428 | "C:\Users\admin\Desktop\K0laIZI.exe" | C:\Users\admin\Desktop\K0laIZI.exe | K0laIZI.exe | |
User: admin Company: Mic Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600 | ||||
2528 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | K0laIZI.exe | |
User: admin Company: Mic Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600 | ||||
3220 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Mic Integrity Level: MEDIUM Version: 6.1.7600 |
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3220) lpiograd.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\lpiograd_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2428 | K0laIZI.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:516F0945009DDC49101D8B60577C529A | SHA256:C9AAAD2EDD9F727557C3741BBA80832B3B429B7662C146B34F47AE2DDE623423 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3220 | lpiograd.exe | GET | — | 173.19.73.104:443 | http://173.19.73.104:443/ | US | — | — | malicious |
3220 | lpiograd.exe | GET | — | 189.134.18.141:443 | http://189.134.18.141:443/ | MX | — | — | malicious |
3220 | lpiograd.exe | GET | 404 | 50.78.167.65:7080 | http://50.78.167.65:7080/ | US | xml | 345 b | malicious |
3220 | lpiograd.exe | GET | 404 | 173.11.47.169:8080 | http://173.11.47.169:8080/ | US | xml | 345 b | malicious |
3220 | lpiograd.exe | GET | 404 | 37.120.175.15:80 | http://37.120.175.15/ | DE | xml | 345 b | malicious |
3220 | lpiograd.exe | GET | 404 | 173.160.205.161:990 | http://173.160.205.161:990/ | US | xml | 345 b | suspicious |
3220 | lpiograd.exe | GET | — | 49.212.135.76:443 | http://49.212.135.76:443/ | JP | — | — | malicious |
3220 | lpiograd.exe | GET | 404 | 210.2.86.72:8080 | http://210.2.86.72:8080/ | VN | xml | 345 b | malicious |
3220 | lpiograd.exe | GET | 404 | 76.65.158.121:50000 | http://76.65.158.121:50000/ | CA | xml | 345 b | malicious |
3220 | lpiograd.exe | GET | 404 | 186.18.236.83:8080 | http://186.18.236.83:8080/ | AR | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3220 | lpiograd.exe | 50.78.167.65:7080 | — | Comcast Cable Communications, LLC | US | malicious |
3220 | lpiograd.exe | 160.36.66.221:990 | — | University of Tennessee, Knoxville | US | suspicious |
3220 | lpiograd.exe | 189.244.86.184:990 | — | Uninet S.A. de C.V. | MX | suspicious |
3220 | lpiograd.exe | 173.160.205.161:990 | — | Comcast Cable Communications, LLC | US | suspicious |
3220 | lpiograd.exe | 186.18.236.83:8080 | — | Telecentro S.A. | AR | malicious |
3220 | lpiograd.exe | 71.163.171.106:80 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | malicious |
3220 | lpiograd.exe | 200.127.55.5:80 | — | Prima S.A. | AR | malicious |
3220 | lpiograd.exe | 210.2.86.72:8080 | — | Quang Trung Software City Development Company | VN | malicious |
3220 | lpiograd.exe | 5.9.128.163:8080 | — | Hetzner Online GmbH | DE | malicious |
3220 | lpiograd.exe | 189.134.18.141:443 | — | Uninet S.A. de C.V. | MX | malicious |
PID | Process | Class | Message |
---|---|---|---|
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
3220 | lpiograd.exe | A Network Trojan was detected | SC BAD_UNKNOWN Malicious behaviour by Trojan-Banker.Win32.Emotet |