File name: New Order.docx

Full analysis: https://app.any.run/tasks/a07e796d-577e-4124-a760-684bc3e99799
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 24, 2019, 04:06:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: loader, exploit, CVE-2017-11882, trojan, lokibot
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: BF720039AF8EAE108BFE0486459F59A1
SHA1: D2B1F5E19B8343785C3D7BA1501FB75BF2934FDB
SHA256: 13F1929A1B3FBC77AA6BC5AEA9C48A37740E93F2DE62C9920789194C9511C1A8
SSDEEP: 192:V1/NFN6yhzyMtWNe+0mqQTnhr5OkQT1QLP55OLbFTB8GoA6aYkWROmbj:V1/NeyhzyMtiewLOkQT1QLDOVd8/Ombj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Sample.exe (PID: 1168)
      • Sample.exe (PID: 1128)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 788)
    • Downloads executable files from the Internet
      • EQNEDT32.EXE (PID: 788)
    • Detected artifacts of LokiBot
      • Sample.exe (PID: 1128)
    • LOKIBOT was detected
      • Sample.exe (PID: 1128)
    • Connects to CnC server
      • Sample.exe (PID: 1128)
    • Actions look like stealing of personal data
      • Sample.exe (PID: 1128)
  • SUSPICIOUS
    • Application launched itself
      • Sample.exe (PID: 1168)
    • Reads Internet Cache Settings
      • WINWORD.EXE (PID: 2696)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 788)
      • Sample.exe (PID: 1128)
    • Creates files in the user directory
      • Sample.exe (PID: 1128)
      • EQNEDT32.EXE (PID: 788)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2696)
    • Reads the machine GUID from the registry
      • WINWORD.EXE (PID: 2696)
    • Reads settings of System Certificates
      • WINWORD.EXE (PID: 2696)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Creator: Microsoft

XML

ModifyDate: 2017:09:24 17:27:00Z
CreateDate: 2017:09:24 17:26:00Z
RevisionNumber: 1
LastModifiedBy: Microsoft
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 7
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs:
  • Название
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 7
Words: 1
Pages: 1
TotalEditTime: 1 minute
Template: dotm.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1422
ZipCompressedSize: 358
ZipCRC: 0x82872409
ZipModifyDate: 2019:04:18 09:06:18
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: winword.exe → eqnedt32.exe → sample.exe → sample.exe (#LOKIBOT), with edges labelled "start" and "drop and start". Per-process details are in the full report.

Process information

PID 2696: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\New Order.docx"
  • Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Microsoft Word
  • Version: 14.0.5123.5000

PID 788: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  • Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  • Parent process: svchost.exe
  • User: admin
  • Company: Design Science, Inc.
  • Integrity Level: MEDIUM
  • Description: Microsoft Equation Editor
  • Exit code: 0
  • Version: 00110900

PID 1168: "C:\Users\admin\AppData\Roaming\Sample.exe"
  • Path: C:\Users\admin\AppData\Roaming\Sample.exe
  • Parent process: EQNEDT32.EXE
  • User: admin
  • Company: Sollows
  • Integrity Level: MEDIUM
  • Description: God-sent
  • Exit code: 0
  • Version: 7.7.5.0

PID 1128: "C:\Users\admin\AppData\Roaming\Sample.exe"
  • Path: C:\Users\admin\AppData\Roaming\Sample.exe
  • Parent process: Sample.exe
  • User: admin
  • Company: Sollows
  • Integrity Level: MEDIUM
  • Description: God-sent
  • Version: 7.7.5.0
Total events: 1 382
Read events: 966
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 23
Text files: 11
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4C76.tmp.cvr | - | - | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFB1453D-16F6-4DDC-8025-F9413021745D} | - | - | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D2D9C248-1618-4EFD-A95D-05F0C10A9EFB} | - | - | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | 6F94F73D39796D837F0A11A321DB5BC4 | AFA9089B063407A5E4F071FF6165042C451C3B9CDB83549D643559D22787BCDC
1128 | Sample.exe | C:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck | - | - | -
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 23EA07C29BE6B6CA47738D1525A1EFDE | 55BC1BC424EA3AD2EAF2C1980CF2686383E42638FDAB91BCDEC5D825FFEA9C21
2696 | WINWORD.EXE | C:\Users\admin\Desktop\~$w Order.docx | pgc | A2255ECC36EF9BB22EBAB5A61C3DCAA1 | 9876CFD86781DD1520B44C2F8362AD7BAF6855ECD41433BACC182929A690E59D
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 0F31A3BFD8EAD903112456915659C549 | 1EBED79059258D830429ABC41F634CD631F4528B25297B29992825EC38C4EECB
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{82C6C1F1-4015-4141-A620-9235B8E2E618}.FSD | binary | AD23F251277711472688915BAD39CBED | 25E70B69AEF52F4658773D600CFB51F2676F848FE9065722B3A7209335CF4226
2696 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2183533B.doc | text | C2B01566D1C109BB80EE4A9BA84B522A | 8C40E8CE30BD7C25BD02E5DB3A7B32FFA5BAA029E88E038C21DEB04CAA767FB6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 12
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | OPTIONS | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/ | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | GET | 304 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
2696 | WINWORD.EXE | GET | 304 | 66.206.84.222:443 | https://subwaybookreview.com/VL1/Sample.doc | US | - | - | malicious
788 | EQNEDT32.EXE | GET | 200 | 66.206.84.222:443 | https://subwaybookreview.com/VL/Sample.exe | US | executable | 476 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2696 | WINWORD.EXE | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious
788 | EQNEDT32.EXE | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious
1128 | Sample.exe | 208.79.237.170:80 | richiechris.cf | Liquid Web, L.L.C | US | malicious
832 | svchost.exe | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious

DNS requests

Domain | IP | Reputation
subwaybookreview.com | 66.206.84.222 | malicious
richiechris.cf | 208.79.237.170 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1128 | Sample.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1128 | Sample.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno)
1128 | Sample.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin
1128 | Sample.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain
5 ETPRO signatures available at the full report
Process | Message
Sample.exe | User32.dll (this same entry is logged 10 times)