File name:	14074102.doc
Full analysis:	https://app.any.run/tasks/5b6a307f-dfda-4523-9a51-d24c1ff9c6af
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. LokiBot wurde im Jahr 2015 entwickelt, um Informationen aus einer Vielzahl von Anwendungen zu stehlen. Trotz ihres Alters ist diese Malware bei Cyberkriminellen immer noch recht beliebt. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 19, 2019, 07:46:47
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ole-embedded generated-doc trojan exploit cve-2017-11882 loader lokibot
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, unknown version
MD5:	E7263DD6CA07DD6E6EB7DE6555CE6E05
SHA1:	6F8A1033AD6D1A20731ED648D9E05AD42D3D2EEB
SHA256:	A516F106B25393F2097E26593A2C63D491FA22C0F461FBE9719C0E151E47977E
SSDEEP:	1536:aBsG2OiYC8XnxdHoP13Gm+xaA2KUm4MSRh2radcn4a:alhiYC8T5

Author:	Windows User
LastModifiedBy:	Windows User
CreateDate:	2019:01:20 14:19:00
ModifyDate:	2019:01:20 14:19:00
RevisionNumber:	2
TotalEditTime:	-
Pages:	1
Words:	-
Characters:	4
CharactersWithSpaces:	4
InternalVersionNumber:	85


(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	n.,
Value: 6E2E2C00340B0000010000000000000000000000
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1314062359
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1314062480
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1314062481
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 340B00009840AD4A27C8D40100000000
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	x/,
Value: 782F2C00340B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	x/,
Value: 782F2C00340B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2868) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

PID	Process	Filename		Type
2868	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRD65F.tmp.cvr		—
		MD5:—	SHA256:—
3460	3.exe	C:\Users\admin\AppData\Roaming\sthe\yysg.exe:ZoneIdentifier		—
		MD5:—	SHA256:—
2868	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AB74A03E-9C9D-4D97-B0D7-9B44865742E8}.tmp		—
		MD5:—	SHA256:—
2868	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{822D647E-E416-4006-992F-C560E9589ABF}.tmp		—
		MD5:—	SHA256:—
2868	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ABB9A413-25EB-4C71-B647-76942E713A55}.tmp		—
		MD5:—	SHA256:—
3240	yysg.exe	C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck		—
		MD5:—	SHA256:—
2868	WINWORD.EXE	C:\Users\admin\Desktop\~$074102.doc		pgc
		MD5:—	SHA256:—
2868	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:—	SHA256:—
3796	EQNEDT32.EXE	C:\Users\Public\3.exe		executable
		MD5:—	SHA256:—
3796	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt		text
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3796	EQNEDT32.EXE	GET	301	67.199.248.10:80	http://bit.ly/2V3j8hn	US	html	132 b	shared
3796	EQNEDT32.EXE	GET	200	107.180.27.166:80	http://mincoindia.com/wp-content/14074102.jpg	US	executable	632 Kb	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious
3240	yysg.exe	POST	—	185.195.236.149:80	http://etruht.ml/LL0/200g-xz/cat.php	AT	—	—	malicious

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
mincoindia.com	107.180.27.166	malicious
etruht.ml	185.195.236.149	malicious

PID	Process	Class	Message
3796	EQNEDT32.EXE	Misc activity	SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3796	EQNEDT32.EXE	A Network Trojan was detected	ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3796	EQNEDT32.EXE	A Network Trojan was detected	ET TROJAN Windows Executable Downloaded With Image Content-Type Header
3796	EQNEDT32.EXE	Misc activity	SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1052	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .ml Domain
3240	yysg.exe	A Network Trojan was detected	ET TROJAN LokiBot User-Agent (Charon/Inferno)
3240	yysg.exe	A Network Trojan was detected	ET TROJAN LokiBot Checkin
3240	yysg.exe	Potentially Bad Traffic	ET INFO HTTP POST Request to Suspicious *.ml Domain
3240	yysg.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3240	yysg.exe	A Network Trojan was detected	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2

General Info

14074102.doc

E7263DD6CA07DD6E6EB7DE6555CE6E05

6F8A1033AD6D1A20731ED648D9E05AD42D3D2EEB

A516F106B25393F2097E26593A2C63D491FA22C0F461FBE9719C0E151E47977E

1536:aBsG2OiYC8XnxdHoP13Gm+xaA2KUm4MSRh2radcn4a:alhiYC8T5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Suspicious connection from the Equation Editor

Writes to a start menu file

LOKIBOT was detected

Connects to CnC server

LokiBot was detected

Actions looks like stealing of personal data

Downloads executable files from the Internet

Equation Editor starts application (CVE-2017-11882)

SUSPICIOUS

Starts itself from another location

Application launched itself

Creates files in the user directory

Executable content was dropped or overwritten

Loads DLL from Mozilla Firefox

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

RTF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings