File name: | DHL BL SHIP ADVISE.doc |
Full analysis: | https://app.any.run/tasks/686d1bd2-a9bf-44c9-9b2d-377e051def54 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | November 14, 2018, 06:29:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 63E627A0B949996DDA195CCDC7FCCC50 |
SHA1: | 8809FD478BD383FCDF81320DF071ECA5B8B107FC |
SHA256: | 2A39CD8E11C99BF3DA948C9C65261C5FF9891906FF9AF76A06E1995AEA512F0E |
SSDEEP: | 6144:6ZPlziWKSBKvk76w+Raa1ilZmQqpd3/ZUSrZiUgftQIPeKHrG/MgXYXNBDmg/c+v:6ZPl+88MuhZWZI7xXsfth21RIXbito |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3428 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DHL BL SHIP ADVISE.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
2612 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\DqFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3460 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3508 | C:\Windows\system32\cmd.exe /K C:\Users\admin\appdata\local\temp\hondi.cmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3824 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\DqFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3868 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2212 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3948 | TASkKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3196 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3656 | C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | f>b |
Value: 663E6200640D0000010000000000000000000000 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1299054607 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1299054720 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1299054721 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 640D0000709BF677E37BD40100000000 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | o?b |
Value: 6F3F6200640D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | o?b |
Value: 6F3F6200640D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3428) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA246.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3780 | saver.scr | C:\Users\admin\AppData\Local\Temp\nsyB67B.tmp | — | |
MD5:— | SHA256:— | |||
3288 | saver.scr | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\saver.scr | executable | |
MD5:AAFD0EBFE1AFBCAE1834430FEEBD5A31 | SHA256:F3E05B16CB75926122DDE9FD9497BC850F40C26849103DDC3B7ABE9AFEFC6DFC | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{00F081DF-F240-45D7-9D5B-DA6E76F29B1D}.tmp | binary | |
MD5:CD484D87067C0EAE1F01CC1B57FD5DE4 | SHA256:36FCF6FBE35073F3BC11CB56E9B427275D1E4DF2A44A07F00770BF81E0E5250E | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$L BL SHIP ADVISE.doc | pgc | |
MD5:65E7CF6AA57BCC53A624FB88FEE02874 | SHA256:2280D7D10C7C5CECB6A3B8AE820F82011F8DD8801AE37EBF99BCE1CEC6066AA0 | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\dqfm.cmd | text | |
MD5:5740ADF9C82F3E3DD45C1E815225513E | SHA256:59DB1A2F817CE03FA778063E462E4FC55F492EF8249249836A7464AF34ACC199 | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{82619B76-9E00-4F66-B8FA-2DABC42AE26C}.tmp | binary | |
MD5:EB943A7BE09A835B1F3C0699C3958F57 | SHA256:D609C3DF812CBCE5FC3E974965D0AF3133AD9EBB3A299B47366E8B7BE3716295 | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\trbatehtqevyay.ScT | xml | |
MD5:27E6587D23B77DFE6684C2E1BDF6CE94 | SHA256:6F7BBFF3E39A4BB0820498BF0B5AE93750C0A290FB062B9545C1970F28258BEA | |||
3428 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C5E36A02406B827705F68C849903DEB1 | SHA256:7361DAA019FE25BF596A718C6EB45109D46152053A914DD69F760F14120AC20D |
Domain | IP | Reputation |
---|---|---|
monochromestr.site |
| malicious |