Field | Value |
---|---|
File name | dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218 |
Full analysis | https://app.any.run/tasks/56d49dc0-6e97-4cbb-b67d-d7266dd51c35 |
Verdict | Malicious activity |
Threats | LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals. |
Analysis date | January 11, 2019, 04:24:10 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | text/rtf |
File info | Rich Text Format data, version 1, unknown character set |
MD5 | A5D0B8DCFDAB608227EBC26A4C572341 |
SHA1 | 076038F9E6F401C04AB29AC9B2A8EDAA45E0FC8E |
SHA256 | DCCDF0E0A479D7ABD0C87F717D993CB833CFB9FC8F96C49D7DCC65AE3704D218 |
SSDEEP | 12288:bh6jIdvQByarOdnMl6YfoytsBHhoubsJex6oEMePKzIXz1L+9uPQabF:dfdvUyaidnMVoytkZbsAEMoRDwMI0F |
Extension | .rtf (Rich Text Format, 100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2924 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 1; Version: 14.0.6024.1000 | | | | |
2704 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3168 | CmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3440 | C:\Windows\system32\cmd.exe /K itnqknf5.CMD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3944 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2348 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2840 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3300 | "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3592 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
1820 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 3'% | 332725006C0B0000010000000000000000000000 |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1311440926 |
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1311441040 |
2924 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1311441041 |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | 6C0B0000E862629065A9D40100000000 |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | d)% | 642925006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | delete value | d)% | 642925006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2924 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9783.tmp.cvr | — | — | — |
3108 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB694.tmp.cvr | — | — | — |
3096 | saver.scr | C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck | — | — | — |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.zip | compressed | 57CF8A52B77598C678B8C32513650D38 | EC201FC53A20B835245B5F7FF3BEBF0C0BA8592127078DD5224790F3F995CC92 |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | E0AE52144CAE690F63DA1DC5BCB5A24B | B480D21E02F004D38A1D9ACDBA9931638555C619AF76F3C553598AEAC16CFDEE |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a.ScT | xml | E380FA41BB7B771C908FEA18CF6BDE18 | 1DD5AE0DB7D94DEC0E58041B7D2F253E19F8DA13F9B6C25BB2921057E6C65370 |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\uffm.cmd | text | 0A329C340B71DBC60D29F2419ABCB9F9 | 42F9DE6445D938BF8797420D9D2649926F23F2583DEC9C022F4E121AAE566519 |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtf.LNK | lnk | 74A1A2A0FBFDD71746076C64ACC8A761 | 4AA40A92668E7B9F3EDAFA36CFBA028E4295196E858AA343939B48D9B2842245 |
2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{998421A0-92D3-4CFD-9161-D9B9C7F94A59}.tmp | binary | 7CBE96A9E5F29F56F3DA3E53D3C01224 | 64943047BAC0327DB84E4704BC3B310185212EF1569F642AC49891C6F5DC2D0F |
2924 | WINWORD.EXE | C:\Users\admin\Desktop\~$cdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtf | pgc | 783D7E027579F68C1607A7016F3BFE27 | 5B4D3F4AD9A2177D50F7452DDBD12AD91FA5F1795901E9282AA13C99827793DD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3096 | saver.scr | POST | — | 200.63.40.2:80 | http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php | PA | — | — | malicious |
3096 | saver.scr | POST | — | 200.63.40.2:80 | http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php | PA | — | — | malicious |
3096 | saver.scr | POST | — | 200.63.40.2:80 | http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php | PA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3096 | saver.scr | 200.63.40.2:80 | umbra-diego.com | Panamaserver.com | PA | malicious |
Domain | IP | Reputation |
---|---|---|
umbra-diego.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3096 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot User-Agent (Charon/Inferno) |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Checkin |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 |
3096 | saver.scr | A Network Trojan was detected | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 |
3096 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] Loki Bot Check-in M2 |