URL: | http://subwaybookreview.com/nso2/nso.doc |
Full analysis: | https://app.any.run/tasks/c0ea3022-2925-414d-a4f6-0a3d63df9dff |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | April 25, 2019, 07:55:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | F310285E58F816E9A421D4001A87BE6D |
SHA1: | 3B25FADAF9EFC75CB30B091719BEBBF7F3A303AE |
SHA256: | 9CFC75B7B783CE44394E4027438E6FB30BCFA36FC843B6C87D3AAFB8EEEF7709 |
SSDEEP: | 3:N1KNQHSEcqVX2wJWjn:CCy1IX2zn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2580 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3000 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3616 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2604 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
1672 | "C:\Users\admin\AppData\Roaming\nso.exe" | C:\Users\admin\AppData\Roaming\nso.exe | EQNEDT32.EXE | |
User: admin Company: Actium Integrity Level: MEDIUM Description: DILOG Exit code: 0 Version: 7.6.6.0 | ||||
3672 | "C:\Users\admin\AppData\Roaming\nso.exe" | C:\Users\admin\AppData\Roaming\nso.exe | nso.exe | |
User: admin Company: Actium Integrity Level: MEDIUM Description: DILOG Version: 7.6.6.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2580 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2580 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR731E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{F9E7ADCF-E1CC-4097-A65A-71463D69A6BB} | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{E045CEB5-C185-4BD2-B66A-FB491BE6B53A} | — | |
MD5:— | SHA256:— | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:EB2B1E7BB587EA7EAB4ECCA35E5E0081 | SHA256:4F3198D6579DFC4F38BA8E856FDB8175D4814FF90B1DD425D9959F1E321EB1A2 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:D922790926B1183AD260EEFB805DE02A | SHA256:A074AE8FF1D511509DB90E0634F95F79DFC7E99C63385FF2F9E6334C57DA9A47 | |||
3616 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:3A528B888A26C0DC4FC142A9F5A6926F | SHA256:417D2506ECABE98A1956E4BFC5AACC45AD8FD6096657B1F16B7B6DE912111C7E | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZJPRIDD8\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:1DBCDF6B3A4BAC8C0DB719918B98167F | SHA256:31B15E0E49D7841710C9C8ACC871903E55FEA73C7B69412086A01FB2904F2AF9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3616 | WINWORD.EXE | OPTIONS | 200 | 66.206.84.222:80 | http://subwaybookreview.com/nso2/ | US | — | — | malicious |
3616 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:80 | http://subwaybookreview.com/nso2/nso.doc | US | — | — | malicious |
980 | svchost.exe | OPTIONS | 403 | 66.206.84.222:80 | http://subwaybookreview.com/nso2 | US | html | 332 b | malicious |
980 | svchost.exe | OPTIONS | 403 | 66.206.84.222:80 | http://subwaybookreview.com/nso2 | US | html | 332 b | malicious |
3616 | WINWORD.EXE | HEAD | 200 | 66.206.84.222:80 | http://subwaybookreview.com/nso2/nso.doc | US | — | — | malicious |
3000 | iexplore.exe | GET | 200 | 66.206.84.222:80 | http://subwaybookreview.com/nso2/nso.doc | US | text | 8.34 Kb | malicious |
2580 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
980 | svchost.exe | OPTIONS | 403 | 66.206.84.222:80 | http://subwaybookreview.com/nso2 | US | html | 332 b | malicious |
980 | svchost.exe | OPTIONS | 403 | 66.206.84.222:80 | http://subwaybookreview.com/nso2 | US | html | 332 b | malicious |
3616 | WINWORD.EXE | GET | 200 | 66.206.84.222:80 | http://subwaybookreview.com/nso2/nso.doc | US | text | 8.34 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | EQNEDT32.EXE | 66.206.84.222:443 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious |
3616 | WINWORD.EXE | 66.206.84.222:80 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious |
3000 | iexplore.exe | 66.206.84.222:80 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious |
2580 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
980 | svchost.exe | 66.206.84.222:80 | subwaybookreview.com | Silver Star Telecom, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
subwaybookreview.com |
| malicious |
www.bing.com |
| whitelisted |
richiechris.cf |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
Process | Message |
---|---|
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |
nso.exe | User32.dll |