Analysis
- max time kernel: 102s
- max time network: 105s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 11-01-2021 11:22
- Static task: static1
- Behavioral task: behavioral1; Sample: swift 0182021.xls; Resource: win7v20201028
- Behavioral task: behavioral2; Sample: swift 0182021.xls; Resource: win10v20201028
General
- Target: swift 0182021.xls
- Size: 215KB
- MD5: d5185ca33c490e907fc4fa6b22558890
- SHA1: 151f729d65c4241ccde8e7055b57d1176d29198d
- SHA256: eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78
- SHA512: b214da4e9284615faebdd60fd45f8f161aabc06428ac40f0cd8ec83a870dd225dfbe9795a6d8e1e192734f748a92b5d7da6f436325e8de60ed4e46fcd41dcbbf
Malware Config
- Extracted family: lokibot
- URLs:
  - http://worldpackmx.com/fretyuil/Panel/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader First Stage (8 IoCs)
Resource / YARA rule:
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe: modiloader_stage1 (5 matches)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe: modiloader_stage1 (3 matches)
Executes dropped EXE (2 IoCs)
- PID 1480: CLIDSXX.exe
- PID 1604: CLIDSXX.exe

Loads dropped DLL (5 IoCs)
- PID 1204: EXCEL.EXE (5 matches)
Suspicious use of SetThreadContext (1 IoC)
- PID 1480 (CLIDSXX.exe) set thread context of PID 1604 (CLIDSXX.exe)

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Modifies Internet Explorer settings (9 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
- Flow 20: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
- Flow 19: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1204: EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1604 (CLIDSXX.exe)

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1204: EXCEL.EXE (3 matches)

Suspicious use of WriteProcessMemory (14 IoCs)
- PID 1204 (EXCEL.EXE) wrote to memory of PID 1480 (CLIDSXX.exe) (4 matches)
- PID 1480 (CLIDSXX.exe) wrote to memory of PID 1604 (CLIDSXX.exe) (10 matches)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\swift 0182021.xls"
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe (child of EXCEL.EXE)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe (child of CLIDSXX.exe)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
  MD5: 360fbabd1b026cecf94e2727287b802a
  SHA1: 0f4e121a315d0fe1ff85b8252d3d863a4d828f49
  SHA256: da6164e0668bfc439fb6f2f94070fed5f8cf8fe278cff65902f3a560c9b7efe2
  SHA512: 2de4e4c0147c74e59b39fc6bcc4c036e59946cbb4214f23af49846f036cd323f8ca176532e4e6d21470923e9133783195743965fe7aae14abf5649b1edee6431
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
  MD5: 8d992c425fa55e2fcec09bb8199a895f
  SHA1: 5a1ac03435e38dfa00d3380c54565066a1da5b35
  SHA256: f00fc8f94be3c245c1b9894124bac03d19699591b9962dbdf2a869ac61e8203d
  SHA512: 3b19a18b6ee00d494ee79ab78f7f5703005852604127360fad3f7d400f149e6a7e38012b00cc8c8acdcaabf429fa7eaa12d64ca3f3351c2ec5440ac626072e2f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 4ac33d00da36f9c1961591e9d7a750ec
  SHA1: d4300a15203814f6786978ba689e8e2e3971c4a7
  SHA256: 4e3a6ab30a9a7eddd33c6493df6fe2022c96061030d2f94001a1e746667651b0
  SHA512: be971edf3f7a39a1c0f476bee6588f3448c69eeb269520ee6df4224b417cdb068c4300897bb3a29c054cc3865b4f45d85cdf38f8c6dc8fa14067e9deecbc8781
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe (listed 3 times, identical hashes)
  MD5: d684fa1626b63d9a17c8818a63a23975
  SHA1: 58b118874ca88dc269d7345fa84fb33e3e42aab7
  SHA256: 02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737
  SHA512: 5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe (listed 5 times, identical hashes)
  MD5: d684fa1626b63d9a17c8818a63a23975
  SHA1: 58b118874ca88dc269d7345fa84fb33e3e42aab7
  SHA256: 02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737
  SHA512: 5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b
- memory/1204-23-0x0000000001F70000-0x0000000001F71000-memory.dmp (Filesize: 4KB)
- memory/1480-8-0x0000000000000000-mapping.dmp
- memory/1604-14-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-15-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-16-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-18-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-19-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-20-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1604-21-0x00000000004139DE-mapping.dmp
- memory/1956-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp (Filesize: 2.5MB)