File name: | 197317892741346 |
Full analysis: | https://app.any.run/tasks/5e426874-f4eb-494c-b3aa-5b73cede5e3e |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | June 19, 2019, 07:18:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 947189A64260E7A11F18869AB5A646B8 |
SHA1: | 50D1BE5525B03D2DF080F027DD3BADEF97B69820 |
SHA256: | 98BC0D42361AD3348B60B0B271764C5A9D923FD6A828D8C489961D3DA6D1168F |
SSDEEP: | 24576:P/2bdUSiDsenjQENdVb6wQjJuW4DdhwKhHHhHYhHihHhiiazVYkLiqbU:R |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 57435 |
---|---|
CharactersWithSpaces: | 27 |
Characters: | 24 |
Words: | 4 |
Pages: | 1 |
TotalEditTime: | 1 minute |
RevisionNumber: | 3 |
ModifyDate: | 2019:01:03 16:34:00 |
CreateDate: | 2019:01:03 16:14:00 |
LastModifiedBy: | wuyan |
Author: | wuyan |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3124 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\197317892741346.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1208 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3452 | CmD /c %tMp%\A.R | C:\Windows\system32\CmD.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2980 | C:\Users\admin\AppData\Local\Temp\A.R | C:\Users\admin\AppData\Local\Temp\A.R | CmD.exe | |
User: admin Company: TODO: <Company name> Integrity Level: MEDIUM Description: TODO: <File description> Version: 1.0.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF2D9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2980 | A.R | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | |
MD5:— | SHA256:— | |||
3124 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C111F99CD469831004E4547E39009B06 | SHA256:3479C3CB813B5D1C331B8400A690378D71DF89F98184E62788F05713D903F6AF | |||
3124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3F56DBC.emf | emf | |
MD5:F7961E44FE51CEEE06391905162E18E0 | SHA256:DCD5C765BCCFAC9339A8985357B391A3FAC1AE571AC0E5A971938573742F306D | |||
2980 | A.R | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe | executable | |
MD5:ED6D9F434DB43FA2DD9B057AD6B0374A | SHA256:E69E6A3D54E77AEBB4E9C90CAE383D989DEECBEFF1B6C4A99D3E12F955738BB6 | |||
3124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\A.R | executable | |
MD5:ED6D9F434DB43FA2DD9B057AD6B0374A | SHA256:E69E6A3D54E77AEBB4E9C90CAE383D989DEECBEFF1B6C4A99D3E12F955738BB6 | |||
3124 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$7317892741346.rtf | pgc | |
MD5:D0CF81C58CBA169451508E55D9F76E21 | SHA256:FC2F936620CE94837697862D258436D850DC4600729CAA3B5724F32B720490B2 | |||
2980 | A.R | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:18B8CFC0185C50383AAC0A4F30A9DAC8 | SHA256:913E8CED6A447FE791954D382ABA52D490513C5D2F689B391866C7E561F89A03 |
Domain | IP | Reputation |
---|---|---|
pd2i.pw |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |