analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

121805efe00f871c992e69cd5120197d6648715d

Full analysis: https://app.any.run/tasks/ad140a09-d0d7-4188-864f-e3f99259c168
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 09:15:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
trojan
opendir
lokibot
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal, Last Saved By: User, Revision Number: 16, Name of Creating Application: Microsoft Office Word, Total Editing Time: 18:00, Create Time/Date: Tue Oct 17 02:08:00 2017, Last Saved Time/Date: Tue Mar 31 00:16:00 2020, Number of Pages: 1, Number of Words: 19, Number of Characters: 113, Security: 0
MD5:

A6C1203BED1CEEB336E6A2FCE5973F5E

SHA1:

121805EFE00F871C992E69CD5120197D6648715D

SHA256:

DF64617A5C44092E1DC09CD1C5E6FCA91A3EADB71C4DD7075EEB96FCDFFAAD2D

SSDEEP:

1536:zDai+WMRgf5D4J8OaTEz07ye4n+6Clty2ra:zf+FRg14J8lT0e4+6R2ra

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3832)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3832)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 3832)

    • Changes the autorun value in the registry

      • JNIYVVVXQ.exe (PID: 2464)
      • Elevte.exe (PID: 880)

    • Application was dropped or rewritten from another process

      • JNIYVVVXQ.exe (PID: 2464)
      • JNIYVVVXQ.exe (PID: 2700)
      • Elevte.exe (PID: 880)
      • Elevte.exe (PID: 536)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 3832)

    • LOKIBOT was detected

      • Elevte.exe (PID: 536)

    • Connects to CnC server

      • Elevte.exe (PID: 536)

    • Actions looks like stealing of personal data

      • Elevte.exe (PID: 536)

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3832)

    • Executable content was dropped or overwritten

      • JNIYVVVXQ.exe (PID: 2700)
      • Elevte.exe (PID: 536)

    • Starts itself from another location

      • JNIYVVVXQ.exe (PID: 2700)

    • Reads Internet Cache Settings

      • Elevte.exe (PID: 536)

    • Loads DLL from Mozilla Firefox

      • Elevte.exe (PID: 536)

    • Creates files in the user directory

      • Elevte.exe (PID: 536)

  • INFO

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3832)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3832)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: admin
Keywords: -
Template: Normal
LastModifiedBy: User
RevisionNumber: 16
Software: Microsoft Office Word
TotalEditTime: 18.0 minutes
CreateDate: 2017:10:17 01:08:00
ModifyDate: 2020:03:30 23:16:00
Pages: 1
Words: 19
Characters: 113
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 131
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start winword.exe jniyvvvxq.exe jniyvvvxq.exe elevte.exe #LOKIBOT elevte.exe

Process information

PID
CMD
Path
Indicators
Parent process
3832"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\121805efe00f871c992e69cd5120197d6648715d.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2464C:\Users\admin\AppData\Roaming\JNIYVVVXQ.exeC:\Users\admin\AppData\Roaming\JNIYVVVXQ.exe
WINWORD.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00.0009
2700C:\Users\admin\AppData\Roaming\JNIYVVVXQ.exeC:\Users\admin\AppData\Roaming\JNIYVVVXQ.exe
JNIYVVVXQ.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00.0009
880"C:\Users\admin\BATT\Elevte.exe" C:\Users\admin\BATT\Elevte.exe
JNIYVVVXQ.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00.0009
536"C:\Users\admin\BATT\Elevte.exe" C:\Users\admin\BATT\Elevte.exe
Elevte.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Version:
1.00.0009
Total events
1 827
Read events
1 126
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
2
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
3832WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6AE7.tmp.cvr
MD5:
SHA256:
536Elevte.exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
2464JNIYVVVXQ.exeC:\Users\admin\AppData\Local\Temp\~DF0D087D5C132830AF.TMPbinary
MD5:FFFCFD45DF64861B19B7B4AC305FBA4F
SHA256:9FEEFBE267982883127137E7FB3BE3C4B58FBDC4CB3EB155B8099490AEB1F5B5
2700JNIYVVVXQ.exeC:\Users\admin\BATT\Elevte.vbstext
MD5:9087E9864E1238D384D1D2C8E3515DD7
SHA256:5740193FB608C8AAE7035911E3E88B2EC2CBC263402D063E1AEB2443F6FD6DEA
3832WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\121805efe00f871c992e69cd5120197d6648715d.doc.LNKlnk
MD5:D4E2630978BAC2318E5ECD1DEC1B4B37
SHA256:C796181A34B5F821E39B0DD237490C3A976D0AE0DE5EE22C33154CD6B43F00C2
3832WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\salles[1].exeexecutable
MD5:53A789EB057876B0F25F9ACE6578018B
SHA256:0DCE71CE0E840022044127BEDC710369F032A61E6CB7B237F2129C6AE08BE26B
3832WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6A382A764866773FAE15CB7423D809FC
SHA256:2F90B3679A8C28DED16E1F2AB606DC38841C8E16BEE6E3636327BC97C5832C3D
2700JNIYVVVXQ.exeC:\Users\admin\BATT\Elevte.exeexecutable
MD5:53A789EB057876B0F25F9ACE6578018B
SHA256:0DCE71CE0E840022044127BEDC710369F032A61E6CB7B237F2129C6AE08BE26B
3832WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:B0C6387014FF3EC03347A94B1816F66F
SHA256:DDE0C8E82CBF20E1292E2DB7667BA3C90E166673257BAD0864036ED93260DB0F
3832WINWORD.EXEC:\Users\admin\Desktop\~$1805efe00f871c992e69cd5120197d6648715d.docpgc
MD5:C9F7C127DF4160109D5E027C9EB8FDF9
SHA256:5EDCBF63742B3C76171B708C746F6F55C01D2076CAEB7CEF6FB465CB15A5262F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
536
Elevte.exe
POST
192.3.202.210:80
http://speedfolks.com.ng/lol/panel/five/fre.php
US
malicious
536
Elevte.exe
POST
192.3.202.210:80
http://speedfolks.com.ng/lol/panel/five/fre.php
US
malicious
3832
WINWORD.EXE
GET
200
46.183.220.117:80
http://46.183.220.117/salles.exe
LV
executable
100 Kb
malicious
536
Elevte.exe
GET
200
46.183.220.117:80
http://46.183.220.117/buildna.bin
LV
binary
104 Kb
malicious
536
Elevte.exe
POST
192.3.202.210:80
http://speedfolks.com.ng/lol/panel/five/fre.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
536
Elevte.exe
46.183.220.117:80
DataClub S.A.
LV
malicious
536
Elevte.exe
192.3.202.210:80
speedfolks.com.ng
ColoCrossing
US
malicious
3832
WINWORD.EXE
46.183.220.117:80
DataClub S.A.
LV
malicious

DNS requests

Domain
IP
Reputation
speedfolks.com.ng
  • 192.3.202.210
malicious

Threats

PID
Process
Class
Message
3832
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
536
Elevte.exe
A Network Trojan was detected
ET TROJAN Generic .bin download from Dotted Quad
536
Elevte.exe
A Network Trojan was detected
MALWARE [PTsecurity] EJNT_Loader
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
536
Elevte.exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
536
Elevte.exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
121805efe00f871c992e69cd5120197d6648715d