File name: New Order.docx

Full analysis: https://app.any.run/tasks/a07e796d-577e-4124-a760-684bc3e99799
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 24, 2019, 04:06:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
exploit
cve-2017-11882
trojan
lokibot
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: BF720039AF8EAE108BFE0486459F59A1
SHA1: D2B1F5E19B8343785C3D7BA1501FB75BF2934FDB
SHA256: 13F1929A1B3FBC77AA6BC5AEA9C48A37740E93F2DE62C9920789194C9511C1A8
SSDEEP: 192:V1/NFN6yhzyMtWNe+0mqQTnhr5OkQT1QLP55OLbFTB8GoA6aYkWROmbj:V1/NeyhzyMtiewLOkQT1QLDOVd8/Ombj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Sample.exe (PID: 1128)
      • Sample.exe (PID: 1168)
    • Detected artifacts of LokiBot

      • Sample.exe (PID: 1128)
    • LOKIBOT was detected

      • Sample.exe (PID: 1128)
    • Connects to CnC server

      • Sample.exe (PID: 1128)
    • Actions looks like stealing of personal data

      • Sample.exe (PID: 1128)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 788)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 788)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2696)
    • Application launched itself

      • Sample.exe (PID: 1168)
    • Creates files in the user directory

      • Sample.exe (PID: 1128)
      • EQNEDT32.EXE (PID: 788)
    • Executable content was dropped or overwritten

      • Sample.exe (PID: 1128)
      • EQNEDT32.EXE (PID: 788)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2696)
    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2696)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2696)
    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:04:18 09:06:18
ZipCRC: 0x82872409
ZipCompressedSize: 358
ZipUncompressedSize: 1422
ZipFileName: [Content_Types].xml

XML

Template: dotm.dotm
TotalEditTime: 1 minute
Pages: 1
Words: 1
Characters: 7
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Название (Title)
  • 1
TitlesOfParts: -
Company: SPecialiST RePack
LinksUpToDate: No
CharactersWithSpaces: 7
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: Microsoft
RevisionNumber: 1
CreateDate: 2017:09:24 17:26:00Z
ModifyDate: 2017:09:24 17:27:00Z

XMP

Creator: Microsoft
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph image not reproduced. Nodes shown: winword.exe → eqnedt32.exe → sample.exe → sample.exe (#LOKIBOT); edge labels shown: start, drop and start.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 788
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1128
CMD: "C:\Users\admin\AppData\Roaming\Sample.exe"
Path: C:\Users\admin\AppData\Roaming\Sample.exe
Parent process: Sample.exe
User:
admin
Company:
Sollows
Integrity Level:
MEDIUM
Description:
God-sent
Exit code:
0
Version:
7.7.5.0
Modules
Images
c:\users\admin\appdata\roaming\sample.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1168
CMD: "C:\Users\admin\AppData\Roaming\Sample.exe"
Path: C:\Users\admin\AppData\Roaming\Sample.exe
Parent process: EQNEDT32.EXE
User:
admin
Company:
Sollows
Integrity Level:
MEDIUM
Description:
God-sent
Exit code:
0
Version:
7.7.5.0
Modules
Images
c:\users\admin\appdata\roaming\sample.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2696
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\New Order.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 1 382
Read events: 966
Write events: 401
Delete events: 15

Modification events

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: v4=
Value: 76343D00880A0000010000000000000000000000

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

Process: (2696) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1318584362

Process: (2696) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1318584446

Process: (2696) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1318584447

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 880A0000A8ED6B3453FAD40100000000

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: u9=
Value: 75393D00880A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: u9=
Value: 75393D00880A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

Process: (2696) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 3
Suspicious files: 23
Text files: 11
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4C76.tmp.cvr | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFB1453D-16F6-4DDC-8025-F9413021745D} | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D2D9C248-1618-4EFD-A95D-05F0C10A9EFB} | -
1128 | Sample.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | -
2696 | WINWORD.EXE | C:\Users\admin\Desktop\~$w Order.docx | pgc
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\Sample[1].doc | text
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
2696 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Sample.doc.url | text
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{82C6C1F1-4015-4141-A620-9235B8E2E618}.FSD | binary
(MD5 and SHA256 columns are empty in this report)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 12
DNS requests: 2
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | OPTIONS | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/ | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | GET | 304 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
832 | svchost.exe | OPTIONS | 403 | 66.206.84.222:443 | https://subwaybookreview.com/VL1 | US | html | 331 b | malicious
832 | svchost.exe | OPTIONS | 403 | 66.206.84.222:443 | https://subwaybookreview.com/VL1 | US | html | 331 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
832 | svchost.exe | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious
2696 | WINWORD.EXE | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious
788 | EQNEDT32.EXE | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious
1128 | Sample.exe | 208.79.237.170:80 | richiechris.cf | Liquid Web, L.L.C | US | malicious

DNS requests

Domain | IP | Reputation
subwaybookreview.com | 66.206.84.222 | malicious
richiechris.cf | 208.79.237.170 | malicious

Threats

PID | Process | Class | Message
368 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1128 | Sample.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1128 | Sample.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1128 | Sample.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain
5 ETPRO signatures available at the full report
Process | Message
Sample.exe | User32.dll (10 identical entries)