File name: LOIC-1.0.8-binary.zip
Full analysis: https://app.any.run/tasks/8324a472-fc6d-48a7-83f9-fed28fbbb1df
Verdict: Malicious activity
Analysis date: January 24, 2022, 21:05:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: C615DA1584CF050CF81A08D40309D735
SHA1: FF00F68B03F7BBC785284ABD95A54D5B98F7DB9B
SHA256: B6D6E0D1DCE867836A684A0AF278E46ED4A50BE49A784AB7BFCB3ED59841C9D0
SSDEEP: 3072:n1sQ9BKWms487f1j/XjSGrJmjJ7cAs1QRls:nuQ9Tmd41jfD0lgXQRG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • LOIC.exe (PID: 4064)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2984)
      • LOIC.exe (PID: 4064)
    • Checks supported languages

      • WinRAR.exe (PID: 2984)
      • LOIC.exe (PID: 4064)
    • Reads CPU info

      • LOIC.exe (PID: 4064)
    • Reads internet explorer settings

      • LOIC.exe (PID: 4064)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2984)
    • Reads Microsoft Outlook installation path

      • LOIC.exe (PID: 4064)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2984)
    • Creates files in the user directory

      • LOIC.exe (PID: 4064)
  • INFO

    • Reads settings of System Certificates

      • LOIC.exe (PID: 4064)
    • Manual execution by user

      • LOIC.exe (PID: 4064)
    • Checks Windows Trust Settings

      • LOIC.exe (PID: 4064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2014:12:12 21:09:00
ZipCRC: 0x3aef8268
ZipCompressedSize: 103047
ZipUncompressedSize: 136192
ZipFileName: LOIC.exe

No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winrar.exe, loic.exe

Process information

PID: 2984
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\LOIC-1.0.8-binary.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 4064
CMD: "C:\Users\admin\Desktop\LOIC.exe"
Path: C:\Users\admin\Desktop\LOIC.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Low Orbit Ion Cannon
Version: 1.0.8.0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\desktop\loic.exe
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 6 380
Read events: 6 315
Write events: 65
Delete events: 0

Modification events

  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\LOIC-1.0.8-binary.zip
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
  • (PID) Process: (2984) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 1
Suspicious files: 9
Text files: 9
Unknown types: 7

Dropped files

PID | Process | Filename | Type

  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_0E3E47DCB79A5C90729CD0F4FD50E1CF | der
    MD5: A046980829EA2D1D76263E972EBA0BD5
    SHA256: F7B5584CF8C5BEBF833E9C002E0F7AB06272B3652D75EE88AADF320CECE7669A
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
    MD5: 49246AAFADB8BD2030BAC9668A15FC0F
    SHA256: 2A4CC46040049DE8959C58B6EFB90A019C5029B594327F8CF75D909FD2FF1EE5
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
    MD5: BA82804ED61F77B3C9D306838674B0FD
    SHA256: 51A619D1F52C1F3182F1B93810FA938296034BECA0F9D1931E21BB0029A8D1E6
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_6B24471AF7D42D8A96573B48B6B5FC54 | binary
    MD5: 20503E05A10E285CE656E8533AA46220
    SHA256: B4B9741C17BE82BCB298263A6C37827DDDDA867863D985FBA09B2BFD575855C1
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | binary
    MD5: CFA1F5B345CB066C02C07DF1B9866BDA
    SHA256: 5D948714951B55987A9ABEAD72902387E242986E8B394404170BDA6415F25532
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der
    MD5: 64E9B8BB98E2303717538CE259BEC57D
    SHA256: 76BD459EC8E467EFC3E3FB94CB21B9C77A2AA73C9D4C0F3FAF823677BE756331
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der
    MD5: A5076A60FF4D331B4609DE91B658E675
    SHA256: B1F5B421AD5B4A133ED6F8BDCA9767B9D7A11FC97EED75C9945AF28F5DE030BA
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_0E3E47DCB79A5C90729CD0F4FD50E1CF | binary
    MD5: C0E83D4AC39CDA9806C9BD7990E45463
    SHA256: 66F7CF6A86F1465A61D030099FEBF0070AD2457C95FD788D542DF9230B2FC6DF
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der
    MD5: 0213524244EAF6A7E638BB1910432065
    SHA256: 2CCB09AE116851A6DFF4849062A18092D522A05897CECB74DFCA383AA2DEA296
  • 4064 | LOIC.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der
    MD5: D94C08EB9C2992C5D8CFE12C5E185A6B
    SHA256: 56B861E5117B8E08800AFD24DB0133D298E11E478ADB1D17DFE7654DBA08D5A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22 405
TCP/UDP connections: 24 132
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4064 | LOIC.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
4064 | LOIC.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAJzDa4XzkALssaw0g2b64k%3D | US | der | 471 b | whitelisted
4064 | LOIC.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
4064 | LOIC.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
4064 | LOIC.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
4064 | LOIC.exe | GET | (none) | 104.143.9.210:80 | http://104.143.9.210:80/ | US | (none) | (none) | malicious
4064 | LOIC.exe | GET | (none) | 104.143.9.210:80 | http://104.143.9.210:80/ | US | (none) | (none) | malicious
4064 | LOIC.exe | GET | (none) | 104.143.9.210:80 | http://104.143.9.210:80/ | US | (none) | (none) | malicious
4064 | LOIC.exe | GET | (none) | 104.143.9.210:80 | http://104.143.9.210:80/ | US | (none) | (none) | malicious
4064 | LOIC.exe | GET | (none) | 104.143.9.210:80 | http://104.143.9.210:80/ | US | (none) | (none) | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4064 | LOIC.exe | 142.250.186.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
4064 | LOIC.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4064 | LOIC.exe | 67.199.248.16:443 | j.mp | Bitly Inc | US | shared
4064 | LOIC.exe | 216.58.212.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted
4064 | LOIC.exe | 104.143.9.210:80 | noctu.com | VegasNAP, LLC | US | malicious
4064 | LOIC.exe | 152.199.21.175:443 | az416426.vo.msecnd.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4064 | LOIC.exe | 52.179.188.206:443 | loicweb.azurewebsites.net | Microsoft Corporation | US | unknown
4064 | LOIC.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
(none) | (none) | 104.143.9.210:80 | noctu.com | VegasNAP, LLC | US | malicious

DNS requests

Domain | IP | Reputation
j.mp | 67.199.248.16, 67.199.248.17 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
loicweb.azurewebsites.net | 52.179.188.206 | whitelisted
az416426.vo.msecnd.net | 152.199.21.175 | whitelisted
www.google-analytics.com | 216.58.212.174 | whitelisted
ocsp.pki.goog | 142.250.186.67 | whitelisted
noctu.com | 104.143.9.210 | unknown

Threats

No threats detected
No debug info