analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://subwaybookreview.com/nso2/nso.doc

Full analysis: https://app.any.run/tasks/c0ea3022-2925-414d-a4f6-0a3d63df9dff
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 07:55:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
trojan
lokibot
Indicators:
MD5:

F310285E58F816E9A421D4001A87BE6D

SHA1:

3B25FADAF9EFC75CB30B091719BEBBF7F3A303AE

SHA256:

9CFC75B7B783CE44394E4027438E6FB30BCFA36FC843B6C87D3AAFB8EEEF7709

SSDEEP:

3:N1KNQHSEcqVX2wJWjn:CCy1IX2zn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2604)

    • Application was dropped or rewritten from another process

      • nso.exe (PID: 1672)
      • nso.exe (PID: 3672)

    • Detected artifacts of LokiBot

      • nso.exe (PID: 3672)

    • Actions looks like stealing of personal data

      • nso.exe (PID: 3672)

  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 3616)
      • nso.exe (PID: 1672)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3616)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3616)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2604)
      • nso.exe (PID: 3672)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2604)
      • nso.exe (PID: 3672)

    • Loads DLL from Mozilla Firefox

      • nso.exe (PID: 3672)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2580)

    • Changes internet zones settings

      • iexplore.exe (PID: 2580)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 2580)

    • Creates files in the user directory

      • iexplore.exe (PID: 3000)
      • WINWORD.EXE (PID: 3616)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3616)
      • WINWORD.EXE (PID: 1336)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe winword.exe winword.exe no specs eqnedt32.exe nso.exe #LOKIBOT nso.exe

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3000"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3616"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1336"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2604"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1672"C:\Users\admin\AppData\Roaming\nso.exe"C:\Users\admin\AppData\Roaming\nso.exe
EQNEDT32.EXE
User:
admin
Company:
Actium
Integrity Level:
MEDIUM
Description:
DILOG
Exit code:
0
Version:
7.6.6.0
3672"C:\Users\admin\AppData\Roaming\nso.exe"C:\Users\admin\AppData\Roaming\nso.exe
nso.exe
User:
admin
Company:
Actium
Integrity Level:
MEDIUM
Description:
DILOG
Version:
7.6.6.0
Total events
1 897
Read events
1 446
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
26
Text files
20
Unknown types
8

Dropped files

PID
Process
Filename
Type
2580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3616WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR731E.tmp.cvr
MD5:
SHA256:
3616WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{F9E7ADCF-E1CC-4097-A65A-71463D69A6BB}
MD5:
SHA256:
3616WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{E045CEB5-C185-4BD2-B66A-FB491BE6B53A}
MD5:
SHA256:
3616WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:EB2B1E7BB587EA7EAB4ECCA35E5E0081
SHA256:4F3198D6579DFC4F38BA8E856FDB8175D4814FF90B1DD425D9959F1E321EB1A2
3000iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:D922790926B1183AD260EEFB805DE02A
SHA256:A074AE8FF1D511509DB90E0634F95F79DFC7E99C63385FF2F9E6334C57DA9A47
3616WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:3A528B888A26C0DC4FC142A9F5A6926F
SHA256:417D2506ECABE98A1956E4BFC5AACC45AD8FD6096657B1F16B7B6DE912111C7E
3000iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZJPRIDD8\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3000iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:1DBCDF6B3A4BAC8C0DB719918B98167F
SHA256:31B15E0E49D7841710C9C8ACC871903E55FEA73C7B69412086A01FB2904F2AF9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3616
WINWORD.EXE
OPTIONS
200
66.206.84.222:80
http://subwaybookreview.com/nso2/
US
malicious
3616
WINWORD.EXE
HEAD
200
66.206.84.222:80
http://subwaybookreview.com/nso2/nso.doc
US
malicious
980
svchost.exe
OPTIONS
403
66.206.84.222:80
http://subwaybookreview.com/nso2
US
html
332 b
malicious
980
svchost.exe
OPTIONS
403
66.206.84.222:80
http://subwaybookreview.com/nso2
US
html
332 b
malicious
3616
WINWORD.EXE
HEAD
200
66.206.84.222:80
http://subwaybookreview.com/nso2/nso.doc
US
malicious
3000
iexplore.exe
GET
200
66.206.84.222:80
http://subwaybookreview.com/nso2/nso.doc
US
text
8.34 Kb
malicious
2580
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
980
svchost.exe
OPTIONS
403
66.206.84.222:80
http://subwaybookreview.com/nso2
US
html
332 b
malicious
980
svchost.exe
OPTIONS
403
66.206.84.222:80
http://subwaybookreview.com/nso2
US
html
332 b
malicious
3616
WINWORD.EXE
GET
200
66.206.84.222:80
http://subwaybookreview.com/nso2/nso.doc
US
text
8.34 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2604
EQNEDT32.EXE
66.206.84.222:443
subwaybookreview.com
Silver Star Telecom, LLC
US
malicious
3616
WINWORD.EXE
66.206.84.222:80
subwaybookreview.com
Silver Star Telecom, LLC
US
malicious
3000
iexplore.exe
66.206.84.222:80
subwaybookreview.com
Silver Star Telecom, LLC
US
malicious
2580
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
980
svchost.exe
66.206.84.222:80
subwaybookreview.com
Silver Star Telecom, LLC
US
malicious

DNS requests

Domain
IP
Reputation
subwaybookreview.com
  • 66.206.84.222
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
richiechris.cf
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
Process
Message
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
nso.exe
User32.dll
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://subwaybookreview.com/nso2/nso.doc