Analysis
- max time kernel: 138s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-12-2020 17:43

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Pago Fecha 2021.xls
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: Pago Fecha 2021.xls
  Resource: win10v20201028
General
- Target: Pago Fecha 2021.xls
- Size: 126KB
- MD5: 35c9dbe44c092a5ebb101e1600736228
- SHA1: 21083aa36e32aea90469131690c3d93f0f7f6c85
- SHA256: c66970bdd757e643f76b613a6302a14c6ea6eb6032aebc6b4cfc84fc265c485f
- SHA512: ed78404ea84ac4023e8c9459cef3178e8c5bea8fcddecef49d31a4fc01699f6203f9af11ffe13f66d4ca060e5a1412465b8411cb2df86d858788651ca2958103
Malware Config
Extracted family: lokibot
C2 URLs:
- http://45.81.7.81/filopkm/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Executes dropped EXE (2 IoCs)
  Processes: RNUZQQ.exe (PID 3448), RNUZQQ.exe (PID 3660)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RNUZQQ.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\jxfU = "C:\\Users\\Admin\\AppData\\Local\\jxfU.url"
- Suspicious use of SetThreadContext (1 IoC)
  PID 3448 (RNUZQQ.exe) set thread context of PID 3660 (RNUZQQ.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: EXCEL.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: EXCEL.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: EXCEL.EXE (PID 1048)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RNUZQQ.exe (PID 3660), Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Process: EXCEL.EXE (PID 1048), 12 occurrences
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1048 (EXCEL.EXE) wrote to memory of PID 3448 (RNUZQQ.exe), 3 occurrences
  PID 3448 (RNUZQQ.exe) wrote to memory of PID 3660 (RNUZQQ.exe), 5 occurrences
Processes
- [1] "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pago Fecha 2021.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1048-2-0x00007FFEA4270000-0x00007FFEA48A7000-memory.dmp (6.2MB)
- memory/3448-6-0x00000000743C0000-0x0000000074453000-memory.dmp (588KB)
- memory/3448-3-0x0000000000000000-mapping.dmp
- memory/3660-11-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3660-12-0x00000000004139DE-mapping.dmp
- memory/3660-14-0x00000000743C0000-0x0000000074453000-memory.dmp (588KB)
- memory/3660-15-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)