analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Urgent Request for quotation.doc

Full analysis: https://app.any.run/tasks/08bc96b6-88e6-4c8d-a838-41ce2b425dab
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 06, 2018, 08:21:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
loader
lokibot
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, CR line terminators, with escape sequences
MD5:

7D951F0CE77B3489252DBBE9D963BCC9

SHA1:

4A97086E689C970212C279CD0F3CFFC29A496E89

SHA256:

69EB2139B321CC9ED2BEB2F2CDDA6BD1B581079019D817E11B445C598F898E5B

SSDEEP:

768:hNcNWNnNnNINININININININTNcNcNcNnN9NGNjuXK2BaBIsasUsQs2sC:f82NN44444445888N7GjMRsasUsQs2sC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ticki.exe (PID: 2516)
      • 1.exe (PID: 2444)
      • ticki.exe (PID: 2576)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2248)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2248)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2248)

    • Writes to a start menu file

      • ticki.exe (PID: 2516)

    • Detected artifacts of LokiBot

      • ticki.exe (PID: 2576)

    • Connects to CnC server

      • ticki.exe (PID: 2576)

    • Actions looks like stealing of personal data

      • ticki.exe (PID: 2576)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2248)
      • 1.exe (PID: 2444)
      • ticki.exe (PID: 2576)

    • Starts itself from another location

      • 1.exe (PID: 2444)

    • Creates files in the user directory

      • 1.exe (PID: 2444)
      • EQNEDT32.EXE (PID: 2248)
      • ticki.exe (PID: 2516)
      • ticki.exe (PID: 2576)

    • Application launched itself

      • ticki.exe (PID: 2516)

    • Loads DLL from Mozilla Firefox

      • ticki.exe (PID: 2576)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2988)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe 1.exe ticki.exe #LOKIBOT ticki.exe

Process information

PID
CMD
Path
Indicators
Parent process
2988"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Urgent Request for quotation.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2248"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2444C:\Users\admin\AppData\Local\Temp\1.exeC:\Users\admin\AppData\Local\Temp\1.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2516"C:\Users\admin\AppData\Roaming\icig\ticki.exe"C:\Users\admin\AppData\Roaming\icig\ticki.exe
1.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2576"C:\Users\admin\AppData\Roaming\icig\ticki.exe"C:\Users\admin\AppData\Roaming\icig\ticki.exe
ticki.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 119
Read events
748
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1
Text files
5
Unknown types
11

Dropped files

PID
Process
Filename
Type
2988WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6D41.tmp.cvr
MD5:
SHA256:
24441.exeC:\Users\admin\AppData\Roaming\icig\ticki.exe:ZoneIdentifier
MD5:
SHA256:
2576ticki.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BBE3DDF4-644F-4094-AD18-C8A79E0D442F}.tmp
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{688EE19D-D923-43FF-BEE6-3CB0548B3C91}.tmp
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2C415855-6115-4BBC-9A99-AD7F68188061}.tmp
MD5:
SHA256:
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1AAFC9B5D9DD2EEB82651492B5B33C06
SHA256:A2AE73172BC06B9584CE0A917E5FF9FE14D4671F6681A1A5F2C91CC59649FEED
2248EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:0136E635340E7D73F21B9FFF426BE7F6
SHA256:09E50123557BEE96C07A447BC29BBAFB40EA81122733313CFDB57C4B65D21F79
2988WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Urgent Request for quotation.doc.LNKlnk
MD5:2975668A4D4F688BFCF561E6339494C8
SHA256:0972AB3968E220619819660C93668691931007DE53822A5F409572F45A78EDD5
2248EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\1.exeexecutable
MD5:8683A69C4E8256E6725C498B4DC80C4E
SHA256:0B69258836139DA169690A686D16D6C4F55116B9C48A5DFCE9BE14FEDF4E4EF1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2576
ticki.exe
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
2248
EQNEDT32.EXE
GET
200
64.137.232.119:80
http://tixon.mooo.com/1/bu156785091.jpg
CA
executable
705 Kb
malicious
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
2248
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2PmqGsi
US
html
126 b
shared
2576
ticki.exe
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
2576
ticki.exe
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
2576
ticki.exe
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
2576
ticki.exe
POST
45.62.230.95:80
http://tixon.club/33bu1/cat.php
CA
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2248
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
45.62.230.95:80
tixon.club
2267921 ONTARIO LTD
CA
malicious
2576
ticki.exe
45.62.230.95:80
tixon.club
2267921 ONTARIO LTD
CA
malicious
2248
EQNEDT32.EXE
64.137.232.119:80
tixon.mooo.com
2267921 ONTARIO LTD
CA
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
tixon.mooo.com
  • 64.137.232.119
malicious
tixon.club
  • 45.62.230.95
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
2248
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com
2248
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2248
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2248
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Windows Executable Downloaded With Image Content-Type Header
2248
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2576
ticki.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2576
ticki.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2576
ticki.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2576
ticki.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Urgent Request for quotation.doc