analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Quotation Order.doc

Full analysis: https://app.any.run/tasks/754fc5e4-7cae-407e-85de-487bfd294883
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 18, 2019, 06:04:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
loader
opendir
trojan
lokibot
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

D9D90A514547B9F9E1FB7019CAAF6641

SHA1:

D81C2FC6B99BCF446ABB86AD0D56394C02FAE23C

SHA256:

A94B14E16CAC619550A71E6A6C89C81380E71DF3DE695EECAD7D0ED09F75A109

SSDEEP:

96:mcB6vkrOYEi//cLpkaDm8r1NCeBkLVfEarB/IElkNePT416:X6kr5IlDhrXqxfEadQQPk16

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Quotation Order.exe (PID: 2900)
      • Quotation Order.exe (PID: 2172)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3196)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3196)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3196)

    • Detected artifacts of LokiBot

      • Quotation Order.exe (PID: 2172)

    • Actions looks like stealing of personal data

      • Quotation Order.exe (PID: 2172)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3196)
      • Quotation Order.exe (PID: 2172)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3196)
      • Quotation Order.exe (PID: 2172)

    • Application launched itself

      • Quotation Order.exe (PID: 2900)

    • Loads DLL from Mozilla Firefox

      • Quotation Order.exe (PID: 2172)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2972)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe quotation order.exe #LOKIBOT quotation order.exe

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\Quotation Order.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3196"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2900"C:\Users\admin\AppData\Roaming\Quotation Order.exe"C:\Users\admin\AppData\Roaming\Quotation Order.exe
EQNEDT32.EXE
User:
admin
Company:
syphilophobic
Integrity Level:
MEDIUM
Description:
blennorrhoea
Exit code:
1
Version:
8.7.7.1
2172"C:\Users\admin\AppData\Roaming\Quotation Order.exe"C:\Users\admin\AppData\Roaming\Quotation Order.exe
Quotation Order.exe
User:
admin
Company:
syphilophobic
Integrity Level:
MEDIUM
Description:
blennorrhoea
Version:
8.7.7.1
Total events
967
Read events
889
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
2
Unknown types
6

Dropped files

PID
Process
Filename
Type
2972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE7C4.tmp.cvr
MD5:
SHA256:
2172Quotation Order.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C0B1440-D46D-47B6-877C-7F40D0ADDC95}.tmp
MD5:
SHA256:
2972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0392520D-58D2-48D6-A7A2-53DA8C6EE22B}.tmp
MD5:
SHA256:
2972WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Quotation Order.doc.rtf.LNKlnk
MD5:1C65853E45782D7F85EF01DF4769882F
SHA256:69C032026B639FB2E42D20E14B29BBD09F22C26393509A7B73282EE2D26E32B0
2972WINWORD.EXEC:\Users\admin\AppData\Roaming\~$otation Order.doc.rtfpgc
MD5:542D63C8533F7DE3DAA5046832800D2D
SHA256:318F084E176D39854DE962DBA773048EFB08821E730BB923AF83DDF1F4D1FA4F
2972WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:2F778CCCCEFC881595E02404ED7E04FB
SHA256:2DC8F82D637DF1C2EB793718FFEDAAA61D9DD48F1AA2E8E25C5F5D6D2C812042
2172Quotation Order.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.exeexecutable
MD5:192119D6A2C5D209D48EDACF25289CBE
SHA256:149481BDEDE500F019000D6C36A7C80888F72C199A1046B14ECA3D3CDD8D7109
3196EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\Quotation%20Order[1].exeexecutable
MD5:192119D6A2C5D209D48EDACF25289CBE
SHA256:149481BDEDE500F019000D6C36A7C80888F72C199A1046B14ECA3D3CDD8D7109
3196EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Quotation Order.exeexecutable
MD5:192119D6A2C5D209D48EDACF25289CBE
SHA256:149481BDEDE500F019000D6C36A7C80888F72C199A1046B14ECA3D3CDD8D7109
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3196
EQNEDT32.EXE
GET
200
103.112.244.113:80
http://deluvis.net/key/Quotation%20Order.exe
unknown
executable
192 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3196
EQNEDT32.EXE
103.112.244.113:80
deluvis.net
malicious

DNS requests

Domain
IP
Reputation
deluvis.net
  • 103.112.244.113
malicious
alfacollege.website
malicious

Threats

PID
Process
Class
Message
3196
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
3196
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Quotation Order.exe
User32.dll
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Quotation Order.doc