File name: | PI_11152018.doc |
Full analysis: | https://app.any.run/tasks/9ecbb7e1-0436-4740-8c21-ece87aefd038 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | November 15, 2018, 13:49:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, ANSI |
MD5: | D9A1391FF4A86DBC75880B730D7F89C7 |
SHA1: | 7731ECB08A690F8D7AD2CAB15F6DB0952961A937 |
SHA256: | 744973A916FA338B607524B01860BB6C56C44983ECF197F8279F8CC6430CFE7C |
SSDEEP: | 3072:RZA+9//lhNin/zy8YfRQV7inpKhpZb3Rf/usKNzwePcb6EyLalD:I+9//lhNin/zyhRLKRh6Nu6ExlD |
.rtf | | | Rich Text Format (100) |
---|
Author: | Admin |
---|---|
LastModifiedBy: | Admin |
CreateDate: | 2017:11:23 01:05:00 |
ModifyDate: | 2017:11:23 01:06:00 |
RevisionNumber: | 1 |
TotalEditTime: | 5 minutes |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Company: | |
CharactersWithSpaces: | 1 |
InternalVersionNumber: | 49167 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PI_11152018.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
2840 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Version: 00110900 | ||||
3492 | CmD /c CmD < "%tmP%\aaaaaaaaaa.txt" & exit c | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3952 | CmD | C:\Windows\system32\cmd.exe | — | CmD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2324 | taskkill /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3028 | taskkill /F /IM cmstp.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3860 | "C:\Windows\System32\cmstp.exe" /s /ns "C:\Users\admin\AppData\Local\Temp\qPBakYNiRUQoT.txt" | C:\Windows\System32\cmstp.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Profile Installer Exit code: 0 Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
2220 | "C:\Users\admin\25239.exe" | C:\Users\admin\25239.exe | cmstp.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2356 | C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe | — | 25239.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2596 | "C:\Users\admin\25239.exe" | C:\Users\admin\25239.exe | 25239.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8801.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FEC06FB7.jpg | — | |
MD5:— | SHA256:— | |||
3860 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\2018TR[1].txt | xml | |
MD5:BDA574013A23B043E5A1CE27BB4EBD70 | SHA256:7E8AE57C059F836C108CE4791F6AAA8B5370C8E80C8EB39C12D3D22E2E04F00E | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:724B2BABB97861CFFA7C01F0D529D936 | SHA256:550520424017155BED437C00FF940118A4E6158C01AA4BB925719FBF4FA7D5E3 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\aaaaaaaaaa.txt | text | |
MD5:69A9561DE7D6D92DDACAB9AB3E9DC01A | SHA256:30DED616568BEBD5CFA4E749BE1291C9F01B50DDD0906A92CC0469AADA659465 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{75DDE7BA-3C04-4E2E-B4FA-CCA670AE4252}.tmp | binary | |
MD5:77ABF0EDC395F4058388B05DC0EDAA8E | SHA256:CAF7418F14E34BBB73AE610DF43235A0C0D20A1C3CE44E9383E250F5DDEC3366 | |||
2220 | 25239.exe | C:\Users\admin\AppData\Local\Temp\Subabbot | binary | |
MD5:EF0B087FB036A6C25497C093303F747A | SHA256:C10F47D387688A3F9132BE2E023FC955FC98C2443B254A9D485853976B89D228 | |||
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\ceMfUgnNYcfcDHx.sct | xml | |
MD5:9BCC0424CAF51A5F24E37A97BD704742 | SHA256:0AA19CB1443365FF03F36A397E585A37B2E2B262DB6981EC115221A96B91B8E3 | |||
2220 | 25239.exe | C:\Users\admin\AppData\Local\Temp\twtT08Lt_normal.jpg | image | |
MD5:2A0026EE5B718A6842B3ABAC0826A4FD | SHA256:2E7FBC49380ED5F34FE8390480B076CAFCDABF8FC48632DA9C1CF5DBAAC3F44E | |||
2220 | 25239.exe | C:\Users\admin\AppData\Local\Temp\MM8Ph4qR_bigger.jpg | image | |
MD5:6658C57A435F818314D4FA9A17188754 | SHA256:687687D60DD5FEAAF4AE33CB261C4288767000C3163A9BD399E95330FE630B1B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3860 | cmstp.exe | GET | 200 | 62.108.34.89:80 | http://62.108.34.89/2018/2018TR.txt | DE | xml | 308 Kb | malicious |
2596 | 25239.exe | POST | — | 208.91.199.152:80 | http://solaremc.com/admin/danley/Panel/five/fre.php | US | — | — | malicious |
2596 | 25239.exe | POST | — | 208.91.199.152:80 | http://solaremc.com/admin/danley/Panel/five/fre.php | US | — | — | malicious |
2596 | 25239.exe | POST | — | 208.91.199.152:80 | http://solaremc.com/admin/danley/Panel/five/fre.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3860 | cmstp.exe | 62.108.34.89:80 | — | comtrance GmbH | DE | malicious |
2596 | 25239.exe | 208.91.199.152:80 | solaremc.com | PDR | US | malicious |
Domain | IP | Reputation |
---|---|---|
solaremc.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3860 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2596 | 25239.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
2596 | 25239.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
2596 | 25239.exe | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |