analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ # 3151.xlsx

Full analysis: https://app.any.run/tasks/21824b5e-652c-48f7-960d-3d1961084c17
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 18, 2018, 09:15:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
trojan
lokibot
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

33C36850EE8DE211C0B8AD5A26FBAAEB

SHA1:

B8D4C963254B295463BB6452C6995CA4CEDE1B4E

SHA256:

A2E224F5AC8BEB51427445010D2EB42CB318C2FB76F30B9D1E8F0BCCC4AC7ED4

SSDEEP:

768:hf6JVxqmjXAPQODPxsvWITTKosiG5F6Xuw8duqeAUNQ:hIeZPQODPxsvWIaosdsR8dzwK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3984)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3984)

    • Application was dropped or rewritten from another process

      • kenys.exe (PID: 3312)
      • project392812.exe (PID: 3696)
      • kenys.exe (PID: 924)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3984)

    • LOKIBOT was detected

      • kenys.exe (PID: 924)

    • Detected artifacts of LokiBot

      • kenys.exe (PID: 924)

    • Connects to CnC server

      • kenys.exe (PID: 924)

    • Actions looks like stealing of personal data

      • kenys.exe (PID: 924)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3984)
      • project392812.exe (PID: 3696)
      • kenys.exe (PID: 924)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3984)
      • project392812.exe (PID: 3696)
      • kenys.exe (PID: 924)

    • Starts itself from another location

      • project392812.exe (PID: 3696)

    • Application launched itself

      • kenys.exe (PID: 3312)

    • Loads DLL from Mozilla Firefox

      • kenys.exe (PID: 924)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2844)
      • WINWORD.EXE (PID: 2248)
      • WINWORD.EXE (PID: 4052)
      • WINWORD.EXE (PID: 2148)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2844)
      • WINWORD.EXE (PID: 2248)
      • WINWORD.EXE (PID: 2148)
      • WINWORD.EXE (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2018:12:17 00:36:12
ZipCRC: 0x6096dbee
ZipCompressedSize: 405
ZipUncompressedSize: 1811
ZipFileName: [Content_Types].xml

XMP

Creator: Modey

XML

LastModifiedBy: Modey
CreateDate: 2018:11:29 09:50:53Z
ModifyDate: 2018:11:29 09:53:26Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe project392812.exe kenys.exe no specs #LOKIBOT kenys.exe winword.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2844"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3984"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3696"C:\Users\admin\AppData\Roaming\project392812.exe"C:\Users\admin\AppData\Roaming\project392812.exe
EQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3312"C:\Users\admin\AppData\Roaming\knloe\kenys.exe"C:\Users\admin\AppData\Roaming\knloe\kenys.exeproject392812.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
924"C:\Users\admin\AppData\Roaming\knloe\kenys.exe"C:\Users\admin\AppData\Roaming\knloe\kenys.exe
kenys.exe
User:
admin
Integrity Level:
MEDIUM
4052"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\televisionholidays.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2148"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\alwaysclass.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2248"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\visitpercent.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
2 806
Read events
2 050
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
9
Unknown types
13

Dropped files

PID
Process
Filename
Type
2844EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR89A8.tmp.cvr
MD5:
SHA256:
3696project392812.exeC:\Users\admin\AppData\Roaming\knloe\kenys.exe:ZoneIdentifier
MD5:
SHA256:
2844EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\171C5EEC.png
MD5:
SHA256:
2844EXCEL.EXEC:\Users\admin\Desktop\~$RFQ # 3151.xlsx
MD5:
SHA256:
2248WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR95B4.tmp.cvr
MD5:
SHA256:
4052WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR95B5.tmp.cvr
MD5:
SHA256:
2148WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR95B4.tmp.cvr
MD5:
SHA256:
924kenys.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2844EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\RFQ # 3151.xlsx.LNKlnk
MD5:3BB60AB42FFCB6EA9722093FA83C05FD
SHA256:41EF2C63928513CE0AFE740735FEF8732A7284D210BBDC350F313B1D0B48A8A2
2844EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:2EE34A0BE9C8CF1248616AA5ED7E70FE
SHA256:352904FB526E802C0DE7457A22206C21FBFC9D3B807C06D32AC6F46C7E3D64D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
924
kenys.exe
POST
185.126.200.141:80
http://jage.us/kendrick/five/fre.php
IR
malicious
3984
EQNEDT32.EXE
GET
200
23.94.188.246:80
http://mcjm.me/kendrick/kendrick.exe
US
executable
638 Kb
malicious
924
kenys.exe
POST
185.126.200.141:80
http://jage.us/kendrick/five/fre.php
IR
malicious
924
kenys.exe
POST
185.126.200.141:80
http://jage.us/kendrick/five/fre.php
IR
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
924
kenys.exe
185.126.200.141:80
jage.us
Tebyan-e-Noor Cultural-Artistic Institute
IR
malicious
3984
EQNEDT32.EXE
23.94.188.246:80
mcjm.me
ColoCrossing
US
suspicious

DNS requests

Domain
IP
Reputation
mcjm.me
  • 23.94.188.246
malicious
jage.us
  • 185.126.200.141
malicious

Threats

PID
Process
Class
Message
3984
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
924
kenys.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
924
kenys.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RFQ # 3151.xlsx