analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://securehub.top/files/DLK.msi

Full analysis: https://app.any.run/tasks/34532eb7-ddb5-4883-aad6-e8594444b15d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 16:36:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
loader
trojan
lokibot
Indicators:
MD5:

D375C55BB3DF3E35523A26D11D7A0A7F

SHA1:

DB90DA12FA0C9BEFE6C0F695DF4F304BAE1649A5

SHA256:

955F11B7F87DA24C0E743365323A318D7D6C36542090D0C93B18930FBADFF9FC

SSDEEP:

3:N1KNAGCoQr0YMON/usn:CSGCovOFus

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3744)
      • Hyp.exe (PID: 3080)

    • Changes the autorun value in the registry

      • Hyp.exe (PID: 3924)
      • Uha.exe (PID: 2552)

    • Application was dropped or rewritten from another process

      • Hyp.exe (PID: 3924)
      • Hyp.exe (PID: 3080)
      • Kkzec93.exe (PID: 3832)
      • Kkzec93.exe (PID: 616)
      • Uha.exe (PID: 2468)
      • Uha.exe (PID: 2552)

    • Detected artifacts of LokiBot

      • Hyp.exe (PID: 3080)

    • LOKIBOT was detected

      • Hyp.exe (PID: 3080)

    • Connects to CnC server

      • Hyp.exe (PID: 3080)

    • Actions looks like stealing of personal data

      • Hyp.exe (PID: 3080)

  • SUSPICIOUS

    • Drop ExeToMSI Application

      • iexplore.exe (PID: 3744)
      • iexplore.exe (PID: 1296)
      • msiexec.exe (PID: 2788)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3744)
      • iexplore.exe (PID: 1296)
      • MSIFC2F.tmp (PID: 460)
      • msiexec.exe (PID: 2788)
      • Kkzec93.exe (PID: 616)
      • Hyp.exe (PID: 3080)

    • Starts Microsoft Installer

      • iexplore.exe (PID: 1296)

    • Executed as Windows Service

      • vssvc.exe (PID: 1160)

    • Starts itself from another location

      • MSIFC2F.tmp (PID: 460)
      • Kkzec93.exe (PID: 616)

    • Loads DLL from Mozilla Firefox

      • Hyp.exe (PID: 3080)

    • Creates files in the program directory

      • Hyp.exe (PID: 3080)

    • Creates files in the user directory

      • Hyp.exe (PID: 3080)
      • Uha.exe (PID: 2468)

    • Application launched itself

      • Kkzec93.exe (PID: 3832)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 1296)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3744)
      • iexplore.exe (PID: 1296)

    • Application launched itself

      • iexplore.exe (PID: 1296)

    • Starts application with an unusual extension

      • MSIFC2F.tmp (PID: 2280)
      • msiexec.exe (PID: 2788)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1160)

    • Application was dropped or rewritten from another process

      • MSIFC2F.tmp (PID: 2280)
      • MSIFC2F.tmp (PID: 460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
13
Malicious processes
7
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe msiexec.exe no specs msiexec.exe vssvc.exe no specs msifc2f.tmp no specs msifc2f.tmp hyp.exe #LOKIBOT hyp.exe kkzec93.exe no specs kkzec93.exe uha.exe uha.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Program Files\Internet Explorer\iexplore.exe" "http://securehub.top/files/DLK.msi"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3744"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1296 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2184"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msi" C:\Windows\System32\msiexec.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2788C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1160C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2280"C:\Windows\Installer\MSIFC2F.tmp"C:\Windows\Installer\MSIFC2F.tmpmsiexec.exe
User:
admin
Company:
Bitcore
Integrity Level:
MEDIUM
Description:
BES
Exit code:
0
Version:
1.00
460"C:\Windows\Installer\MSIFC2F.tmp"C:\Windows\Installer\MSIFC2F.tmp
MSIFC2F.tmp
User:
SYSTEM
Company:
Bitcore
Integrity Level:
SYSTEM
Description:
BES
Exit code:
0
Version:
1.00
3924"C:\Users\admin\eph\Hyp.exe" C:\Users\admin\eph\Hyp.exe
MSIFC2F.tmp
User:
SYSTEM
Company:
Bitcore
Integrity Level:
SYSTEM
Description:
BES
Exit code:
0
Version:
1.00
3080"C:\Users\admin\eph\Hyp.exe" C:\Users\admin\eph\Hyp.exe
Hyp.exe
User:
SYSTEM
Company:
Bitcore
Integrity Level:
SYSTEM
Description:
BES
Version:
1.00
3832"C:\Users\admin\AppData\Roaming\Kkzec93.exe"C:\Users\admin\AppData\Roaming\Kkzec93.exeHyp.exe
User:
SYSTEM
Company:
alcATEL
Integrity Level:
SYSTEM
Description:
FAC
Exit code:
0
Version:
1.00
Total events
1 286
Read events
1 038
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
14
Text files
18
Unknown types
6

Dropped files

PID
Process
Filename
Type
1296iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8124A34CB63CFED1.TMP
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1FAD2BA99275A5FE.TMP
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FFE04711-0245-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
2788msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2788msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFC48E9324BDF9B4D8.TMP
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msiexecutable
MD5:AE5052AD78AC7B8910F9CE603A885693
SHA256:657FC1CA4004E7AB2A01C9E6A1668AEBB3AA43386164121B3272393E628007A0
1296iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FFE04712-0245-11EA-AB41-5254004A04AF}.datbinary
MD5:15FB16FBB1D3FC6A8761FC9799826AB6
SHA256:28A04C296D7E209FF0BB911E62D4B5B4A8C754E89EAC8B6A9DE66673B75893CD
3744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I7JXM3DQ\DLK[1].msiexecutable
MD5:AE5052AD78AC7B8910F9CE603A885693
SHA256:657FC1CA4004E7AB2A01C9E6A1668AEBB3AA43386164121B3272393E628007A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
14
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3744
iexplore.exe
GET
200
162.212.13.240:80
http://securehub.top/files/DLK.msi
GD
executable
936 Kb
malicious
3080
Hyp.exe
POST
404
186.195.126.144:80
http://securehub.top/basex/Panel/fre.php
BR
binary
80 b
malicious
3080
Hyp.exe
GET
200
45.171.122.28:80
http://mpsoren.cc/RTX.exe???????????????
unknown
executable
1.05 Mb
malicious
1296
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3080
Hyp.exe
POST
404
186.195.126.144:80
http://securehub.top/basex/Panel/fre.php
BR
text
15 b
malicious
3080
Hyp.exe
POST
404
186.195.126.144:80
http://securehub.top/basex/Panel/fre.php
BR
text
15 b
malicious
3080
Hyp.exe
POST
404
186.195.126.144:80
http://securehub.top/basex/Panel/fre.php
BR
binary
23 b
malicious
3080
Hyp.exe
POST
404
45.171.122.28:80
http://securehub.top/basex/Panel/fre.php
unknown
binary
23 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3080
Hyp.exe
186.195.126.144:80
securehub.top
Provnet Ltda.
BR
malicious
1296
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3744
iexplore.exe
162.212.13.240:80
securehub.top
Digicel Jamaica
GD
suspicious
3080
Hyp.exe
45.171.122.28:80
securehub.top
malicious
2468
Uha.exe
142.44.161.51:6464
plunder.nsupdate.info
OVH SAS
CA
malicious
2468
Uha.exe
142.44.161.51:7076
plunder.nsupdate.info
OVH SAS
CA
malicious

DNS requests

Domain
IP
Reputation
securehub.top
  • 162.212.13.240
  • 189.3.140.163
  • 93.78.122.243
  • 175.42.159.110
  • 45.171.122.28
  • 152.204.0.133
  • 186.195.126.144
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
mpsoren.cc
  • 45.171.122.28
  • 162.212.13.240
  • 175.42.159.110
  • 93.78.122.243
  • 189.3.140.163
  • 152.204.0.133
  • 186.195.126.144
malicious
plunder.nsupdate.info
  • 142.44.161.51
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3744
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3744
iexplore.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
3744
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3080
Hyp.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080
Hyp.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080
Hyp.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3080
Hyp.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3080
Hyp.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3080
Hyp.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://securehub.top/files/DLK.msi