File name:

URGENT_PURCHASE_ORDER.iso

Full analysis: https://app.any.run/tasks/b8cffbde-4f3b-474e-8d34-168663ab0dc2
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 11:36:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
lokibot
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'URGENT_PURCHASE_ORDER'
MD5:

509021604D8C9648046ACBDF6D55F4F6

SHA1:

7B1CF38DCEA541A805A08CC585F7FE93A126662F

SHA256:

B81BF76207DABD51F4C70158B606B6853986C4BF6D47E75F11F3D4D2C43B7B52

SSDEEP:

6144:gIZmbSIK23Yqw9cA1cGj92z3LgKL4xRjSSYIinroX9oB5wp+lgg6/31Z:gBbHbYqw67Gpy3LghxJ+IwGM5wpMKH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • URGENT_PURCHASE_ORDER.exe (PID: 2840)
      • URGENT_PURCHASE_ORDER.exe (PID: 2792)
      • objectAfgrsninger4.exe (PID: 2572)
      • objectAfgrsninger4.exe (PID: 1436)
      • objectAfgrsninger4.exe (PID: 3000)

    • LOKIBOT was detected

      • objectAfgrsninger4.exe (PID: 3000)

    • Changes the autorun value in the registry

      • objectAfgrsninger4.exe (PID: 1436)

    • LokiBot was detected

      • objectAfgrsninger4.exe (PID: 3000)

    • Connects to CnC server

      • objectAfgrsninger4.exe (PID: 3000)

    • Actions looks like stealing of personal data

      • objectAfgrsninger4.exe (PID: 3000)

  • SUSPICIOUS

    • Application launched itself

      • URGENT_PURCHASE_ORDER.exe (PID: 2840)
      • objectAfgrsninger4.exe (PID: 1436)
      • objectAfgrsninger4.exe (PID: 2572)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2856)
      • URGENT_PURCHASE_ORDER.exe (PID: 2792)
      • objectAfgrsninger4.exe (PID: 3000)

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2856)

    • Creates files in the user directory

      • objectAfgrsninger4.exe (PID: 3000)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO

System: Win32
VolumeName: URGENT_PURCHASE_ORDER
VolumeBlockCount: 320
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2019:04:15 10:17:20+01:00
Software: PowerISO
VolumeCreateDate: 2019:04:15 10:17:20.00+01:00
VolumeModifyDate: 2019:04:15 10:17:20.00+01:00

Composite

VolumeSize: 640 kB
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe urgent_purchase_order.exe no specs urgent_purchase_order.exe objectafgrsninger4.exe objectafgrsninger4.exe no specs #LOKIBOT objectafgrsninger4.exe

Process information

PID
CMD
Path
Indicators
Parent process
1436"C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
URGENT_PURCHASE_ORDER.exe
User:
admin
Company:
alcATEl
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\objectafgrsninger4.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2572"C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exeobjectAfgrsninger4.exe
User:
admin
Company:
alcATEl
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\objectafgrsninger4.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2792"C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe" C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe
URGENT_PURCHASE_ORDER.exe
User:
admin
Company:
alcATEl
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\urgent_purchase_order.exe
c:\systemroot\syswow64\ntdll.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2840"C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exe" C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.exeexplorer.exe
User:
admin
Company:
alcATEl
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\urgent_purchase_order.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2856"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.iso"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3000"C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe" C:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exe
objectAfgrsninger4.exe
User:
admin
Company:
alcATEl
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\objectafgrsninger4.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
459
Read events
427
Write events
32
Delete events
0

Modification events

(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2856) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\URGENT_PURCHASE_ORDER.iso
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
3
Suspicious files
4
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
3000objectAfgrsninger4.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.lck
MD5:
SHA256:
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2856.21000\URGENT_PURCHASE_ORDER.exeexecutable
MD5:
SHA256:
2792URGENT_PURCHASE_ORDER.exeC:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.exeexecutable
MD5:
SHA256:
2792URGENT_PURCHASE_ORDER.exeC:\Users\admin\AppData\Local\Temp\objectAfgrsninger4.vbstext
MD5:
SHA256:
2840URGENT_PURCHASE_ORDER.exeC:\Users\admin\AppData\Local\Temp\~DF34628A174ABAA20A.TMPbinary
MD5:
SHA256:
2572objectAfgrsninger4.exeC:\Users\admin\AppData\Local\Temp\~DF984F7CA2BE5DC59C.TMPbinary
MD5:
SHA256:
1436objectAfgrsninger4.exeC:\Users\admin\AppData\Local\Temp\~DF748C214B97A61B8B.TMPbinary
MD5:
SHA256:
2792URGENT_PURCHASE_ORDER.exeC:\Users\admin\AppData\Local\Temp\~DFFD4299A0482DB5C4.TMPbinary
MD5:
SHA256:
3000objectAfgrsninger4.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.exeexecutable
MD5:
SHA256:
3000objectAfgrsninger4.exeC:\Users\admin\AppData\Roaming\03B51E\EE03AE.hdbtext
MD5:220587F98330ADC8265A38DEF5AE6698
SHA256:06EADF590BA1AC74617FA0D4F21733155826DD72D0F0EFFD068F308182B78E8F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
8
DNS requests
2
Threats
58

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.14.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
3000
objectAfgrsninger4.exe
POST
104.28.15.65:80
http://tiwasavage.tk/anyi/fre.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3000
objectAfgrsninger4.exe
104.28.14.65:80
tiwasavage.tk
Cloudflare Inc
US
shared
104.28.15.65:80
tiwasavage.tk
Cloudflare Inc
US
shared
3000
objectAfgrsninger4.exe
104.28.15.65:80
tiwasavage.tk
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
tiwasavage.tk
  • 104.28.15.65
  • 104.28.14.65
malicious

Threats

PID
Process
Class
Message
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3000
objectAfgrsninger4.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3000
objectAfgrsninger4.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3000
objectAfgrsninger4.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
3000
objectAfgrsninger4.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
URGENT_PURCHASE_ORDER.iso