analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218

Full analysis: https://app.any.run/tasks/56d49dc0-6e97-4cbb-b67d-d7266dd51c35
Verdict: Malicious activity
Threats:

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Malware Trends Tracker     >>>
Analysis date: January 11, 2019, 04:24:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
trojan
lokibot
opendir
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

A5D0B8DCFDAB608227EBC26A4C572341

SHA1:

076038F9E6F401C04AB29AC9B2A8EDAA45E0FC8E

SHA256:

DCCDF0E0A479D7ABD0C87F717D993CB833CFB9FC8F96C49D7DCC65AE3704D218

SSDEEP:

12288:bh6jIdvQByarOdnMl6YfoytsBHhoubsJex6oEMePKzIXz1L+9uPQabF:dfdvUyaidnMVoytkZbsAEMoRDwMI0F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2924)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2924)

    • Runs app for hidden code execution

      • cmd.exe (PID: 2704)
      • cmd.exe (PID: 3300)

    • Application was dropped or rewritten from another process

      • saver.scr (PID: 3096)

    • Detected artifacts of LokiBot

      • saver.scr (PID: 3096)

    • LOKIBOT was detected

      • saver.scr (PID: 3096)

    • Connects to CnC server

      • saver.scr (PID: 3096)

    • Actions looks like stealing of personal data

      • saver.scr (PID: 3096)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2704)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 3300)
      • cmd.exe (PID: 3440)

    • Executes scripts

      • cmd.exe (PID: 3440)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3440)
      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2460)
      • cmd.exe (PID: 3376)
      • cmd.exe (PID: 2400)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3440)

    • Executable content was dropped or overwritten

      • cscript.exe (PID: 2572)
      • saver.scr (PID: 3096)

    • Application launched itself

      • cmd.exe (PID: 3440)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3440)

    • Starts Microsoft Office Application

      • cmd.exe (PID: 3440)

    • Creates files in the user directory

      • saver.scr (PID: 3096)

    • Loads DLL from Mozilla Firefox

      • saver.scr (PID: 3096)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2924)
      • WINWORD.EXE (PID: 3108)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2924)
      • WINWORD.EXE (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
70
Monitored processes
36
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cscript.exe taskkill.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs #LOKIBOT saver.scr winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
2704"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3168CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3440C:\Windows\system32\cmd.exe /K itnqknf5.CMDC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3944TIMEOUT /T 1C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2348TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2840TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3300"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3592TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1820TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 068
Read events
1 697
Write events
355
Delete events
16

Modification events

(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:3'%
Value:
332725006C0B0000010000000000000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1311440926
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1311441040
(PID) Process:(2924) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1311441041
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
6C0B0000E862629065A9D40100000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:d)%
Value:
642925006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:d)%
Value:
642925006C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2924) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
3
Text files
16
Unknown types
9

Dropped files

PID
Process
Filename
Type
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9783.tmp.cvr
MD5:
SHA256:
3108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB694.tmp.cvr
MD5:
SHA256:
3096saver.scrC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\1.zipcompressed
MD5:57CF8A52B77598C678B8C32513650D38
SHA256:EC201FC53A20B835245B5F7FF3BEBF0C0BA8592127078DD5224790F3F995CC92
2924WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:E0AE52144CAE690F63DA1DC5BCB5A24B
SHA256:B480D21E02F004D38A1D9ACDBA9931638555C619AF76F3C553598AEAC16CFDEE
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\a.ScTxml
MD5:E380FA41BB7B771C908FEA18CF6BDE18
SHA256:1DD5AE0DB7D94DEC0E58041B7D2F253E19F8DA13F9B6C25BB2921057E6C65370
2924WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uffm.cmdtext
MD5:0A329C340B71DBC60D29F2419ABCB9F9
SHA256:42F9DE6445D938BF8797420D9D2649926F23F2583DEC9C022F4E121AAE566519
2924WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtf.LNKlnk
MD5:74A1A2A0FBFDD71746076C64ACC8A761
SHA256:4AA40A92668E7B9F3EDAFA36CFBA028E4295196E858AA343939B48D9B2842245
2924WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{998421A0-92D3-4CFD-9161-D9B9C7F94A59}.tmpbinary
MD5:7CBE96A9E5F29F56F3DA3E53D3C01224
SHA256:64943047BAC0327DB84E4704BC3B310185212EF1569F642AC49891C6F5DC2D0F
2924WINWORD.EXEC:\Users\admin\Desktop\~$cdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218.rtfpgc
MD5:783D7E027579F68C1607A7016F3BFE27
SHA256:5B4D3F4AD9A2177D50F7452DDBD12AD91FA5F1795901E9282AA13C99827793DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3096
saver.scr
POST
200.63.40.2:80
http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php
PA
malicious
3096
saver.scr
POST
200.63.40.2:80
http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php
PA
malicious
3096
saver.scr
POST
200.63.40.2:80
http://umbra-diego.com/wp-content/file/log/Panel/five/fre.php
PA
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3096
saver.scr
200.63.40.2:80
umbra-diego.com
Panamaserver.com
PA
malicious

DNS requests

Domain
IP
Reputation
umbra-diego.com
  • 200.63.40.2
malicious

Threats

PID
Process
Class
Message
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3096
saver.scr
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3096
saver.scr
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3096
saver.scr
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
dccdf0e0a479d7abd0c87f717d993cb833cfb9fc8f96c49d7dcc65ae3704d218