analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PI_11152018.doc

Full analysis: https://app.any.run/tasks/9ecbb7e1-0436-4740-8c21-ece87aefd038
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 13:49:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
trojan
lokibot
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

D9A1391FF4A86DBC75880B730D7F89C7

SHA1:

7731ECB08A690F8D7AD2CAB15F6DB0952961A937

SHA256:

744973A916FA338B607524B01860BB6C56C44983ECF197F8279F8CC6430CFE7C

SSDEEP:

3072:RZA+9//lhNin/zy8YfRQV7inpKhpZb3Rf/usKNzwePcb6EyLalD:I+9//lhNin/zyhRLKRh6Nu6ExlD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2840)

    • Runs app for hidden code execution

      • CmD.exe (PID: 3492)

    • Loads dropped or rewritten executable

      • 25239.exe (PID: 2220)

    • Application was dropped or rewritten from another process

      • 25239.exe (PID: 2220)
      • 25239.exe (PID: 2596)

    • Detected artifacts of LokiBot

      • 25239.exe (PID: 2596)

    • LOKIBOT was detected

      • 25239.exe (PID: 2596)

    • Connects to CnC server

      • 25239.exe (PID: 2596)

    • Changes the login/logoff helper path in the registry

      • 25239.exe (PID: 2596)

    • Actions looks like stealing of personal data

      • 25239.exe (PID: 2596)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • CmD.exe (PID: 3492)
      • EQNEDT32.EXE (PID: 2840)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3952)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3952)

    • Creates files in the user directory

      • cmstp.exe (PID: 3860)
      • 25239.exe (PID: 2220)
      • 25239.exe (PID: 2596)

    • Executable content was dropped or overwritten

      • cmstp.exe (PID: 3860)
      • 25239.exe (PID: 2220)
      • 25239.exe (PID: 2596)

    • Application launched itself

      • 25239.exe (PID: 2220)

    • Loads DLL from Mozilla Firefox

      • 25239.exe (PID: 2596)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2932)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2932)

    • Application was crashed

      • EQNEDT32.EXE (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Admin
LastModifiedBy: Admin
CreateDate: 2017:11:23 01:05:00
ModifyDate: 2017:11:23 01:06:00
RevisionNumber: 1
TotalEditTime: 5 minutes
Pages: 1
Words: -
Characters: 1
Company:
CharactersWithSpaces: 1
InternalVersionNumber: 49167
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe no specs eqnedt32.exe cmd.exe no specs cmd.exe no specs taskkill.exe no specs taskkill.exe no specs cmstp.exe 25239.exe msiexec.exe no specs #LOKIBOT 25239.exe

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PI_11152018.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
2840"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Version:
00110900
3492CmD /c CmD < "%tmP%\aaaaaaaaaa.txt" & exit  cC:\Windows\system32\CmD.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3952CmD C:\Windows\system32\cmd.exeCmD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2324taskkill /F /IM winword.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3028taskkill /F /IM cmstp.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3860"C:\Windows\System32\cmstp.exe" /s /ns "C:\Users\admin\AppData\Local\Temp\qPBakYNiRUQoT.txt"C:\Windows\System32\cmstp.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Connection Manager Profile Installer
Exit code:
0
Version:
7.02.7600.16385 (win7_rtm.090713-1255)
2220"C:\Users\admin\25239.exe" C:\Users\admin\25239.exe
cmstp.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2356C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe25239.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2596"C:\Users\admin\25239.exe" C:\Users\admin\25239.exe
25239.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 014
Read events
966
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
2
Text files
16
Unknown types
6

Dropped files

PID
Process
Filename
Type
2932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8801.tmp.cvr
MD5:
SHA256:
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEC06FB7.jpg
MD5:
SHA256:
3860cmstp.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\2018TR[1].txtxml
MD5:BDA574013A23B043E5A1CE27BB4EBD70
SHA256:7E8AE57C059F836C108CE4791F6AAA8B5370C8E80C8EB39C12D3D22E2E04F00E
2932WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:724B2BABB97861CFFA7C01F0D529D936
SHA256:550520424017155BED437C00FF940118A4E6158C01AA4BB925719FBF4FA7D5E3
2932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\aaaaaaaaaa.txttext
MD5:69A9561DE7D6D92DDACAB9AB3E9DC01A
SHA256:30DED616568BEBD5CFA4E749BE1291C9F01B50DDD0906A92CC0469AADA659465
2932WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{75DDE7BA-3C04-4E2E-B4FA-CCA670AE4252}.tmpbinary
MD5:77ABF0EDC395F4058388B05DC0EDAA8E
SHA256:CAF7418F14E34BBB73AE610DF43235A0C0D20A1C3CE44E9383E250F5DDEC3366
222025239.exeC:\Users\admin\AppData\Local\Temp\Subabbotbinary
MD5:EF0B087FB036A6C25497C093303F747A
SHA256:C10F47D387688A3F9132BE2E023FC955FC98C2443B254A9D485853976B89D228
2932WINWORD.EXEC:\Users\admin\AppData\Local\Temp\ceMfUgnNYcfcDHx.sctxml
MD5:9BCC0424CAF51A5F24E37A97BD704742
SHA256:0AA19CB1443365FF03F36A397E585A37B2E2B262DB6981EC115221A96B91B8E3
222025239.exeC:\Users\admin\AppData\Local\Temp\twtT08Lt_normal.jpgimage
MD5:2A0026EE5B718A6842B3ABAC0826A4FD
SHA256:2E7FBC49380ED5F34FE8390480B076CAFCDABF8FC48632DA9C1CF5DBAAC3F44E
222025239.exeC:\Users\admin\AppData\Local\Temp\MM8Ph4qR_bigger.jpgimage
MD5:6658C57A435F818314D4FA9A17188754
SHA256:687687D60DD5FEAAF4AE33CB261C4288767000C3163A9BD399E95330FE630B1B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3860
cmstp.exe
GET
200
62.108.34.89:80
http://62.108.34.89/2018/2018TR.txt
DE
xml
308 Kb
malicious
2596
25239.exe
POST
208.91.199.152:80
http://solaremc.com/admin/danley/Panel/five/fre.php
US
malicious
2596
25239.exe
POST
208.91.199.152:80
http://solaremc.com/admin/danley/Panel/five/fre.php
US
malicious
2596
25239.exe
POST
208.91.199.152:80
http://solaremc.com/admin/danley/Panel/five/fre.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3860
cmstp.exe
62.108.34.89:80
comtrance GmbH
DE
malicious
2596
25239.exe
208.91.199.152:80
solaremc.com
PDR
US
malicious

DNS requests

Domain
IP
Reputation
solaremc.com
  • 208.91.199.152
malicious

Threats

PID
Process
Class
Message
3860
cmstp.exe
A Network Trojan was detected
MALWARE [PTsecurity] Squiblydoo Scriptlet
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2596
25239.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
2596
25239.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
2596
25239.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PI_11152018.doc