Analysis
-
max time kernel
127s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-01-2021 15:27
Static task
static1
Behavioral task
behavioral1
Sample
TT Copy.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
TT Copy.doc
Resource
win10v20201028
General
-
Target
TT Copy.doc
-
Size
957KB
-
MD5
0d1f1658ad83475a2a3ba248f22b511d
-
SHA1
47f8a624486c5b3e689de2613ff2f25fedba8060
-
SHA256
9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
-
SHA512
f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20
Malware Config
Extracted
lokibot
http://51.195.53.221/p.php/cfOoZYb0LXPms
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
NetWire RAT payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1648-28-0x0000000000400000-0x0000000000447000-memory.dmp netwire behavioral1/memory/1648-29-0x0000000000401190-mapping.dmp netwire behavioral1/memory/1648-31-0x0000000000400000-0x0000000000447000-memory.dmp netwire \Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe netwire C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe netwire \Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe netwire -
Blocklisted process makes network request 2 IoCs
Processes:
EQNEDT32.EXEflow pid process 6 1776 EQNEDT32.EXE 7 1776 EQNEDT32.EXE -
Executes dropped EXE 5 IoCs
Processes:
69577.exefileu.exeAddInProcess32.exeFB_83B1.tmp.exeFB_847C.tmp.exepid process 1324 69577.exe 592 fileu.exe 1648 AddInProcess32.exe 1780 FB_83B1.tmp.exe 316 FB_847C.tmp.exe -
Loads dropped DLL 7 IoCs
Processes:
EQNEDT32.EXE69577.exefileu.exeAddInProcess32.exepid process 1776 EQNEDT32.EXE 1324 69577.exe 592 fileu.exe 1648 AddInProcess32.exe 1648 AddInProcess32.exe 1648 AddInProcess32.exe 1648 AddInProcess32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fine = "C:\\Users\\Admin\\fileu.exe" reg.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
fileu.exedescription pid process target process PID 592 set thread context of 1648 592 fileu.exe AddInProcess32.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 848 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
69577.exefileu.exepid process 1324 69577.exe 1324 69577.exe 1324 69577.exe 1324 69577.exe 1324 69577.exe 592 fileu.exe 592 fileu.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
69577.exefileu.exeFB_83B1.tmp.exedescription pid process Token: SeDebugPrivilege 1324 69577.exe Token: SeDebugPrivilege 592 fileu.exe Token: SeDebugPrivilege 1780 FB_83B1.tmp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 848 WINWORD.EXE 848 WINWORD.EXE -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
WINWORD.EXEEQNEDT32.EXE69577.execmd.exefileu.exeAddInProcess32.exedescription pid process target process PID 848 wrote to memory of 1972 848 WINWORD.EXE splwow64.exe PID 848 wrote to memory of 1972 848 WINWORD.EXE splwow64.exe PID 848 wrote to memory of 1972 848 WINWORD.EXE splwow64.exe PID 848 wrote to memory of 1972 848 WINWORD.EXE splwow64.exe PID 1776 wrote to memory of 1324 1776 EQNEDT32.EXE 69577.exe PID 1776 wrote to memory of 1324 1776 EQNEDT32.EXE 69577.exe PID 1776 wrote to memory of 1324 1776 EQNEDT32.EXE 69577.exe PID 1776 wrote to memory of 1324 1776 EQNEDT32.EXE 69577.exe PID 1324 wrote to memory of 1232 1324 69577.exe cmd.exe PID 1324 wrote to memory of 1232 1324 69577.exe cmd.exe PID 1324 wrote to memory of 1232 1324 69577.exe cmd.exe PID 1324 wrote to memory of 1232 1324 69577.exe cmd.exe PID 1232 wrote to memory of 1772 1232 cmd.exe reg.exe PID 1232 wrote to memory of 1772 1232 cmd.exe reg.exe PID 1232 wrote to memory of 1772 1232 cmd.exe reg.exe PID 1232 wrote to memory of 1772 1232 cmd.exe reg.exe PID 1324 wrote to memory of 592 1324 69577.exe fileu.exe PID 1324 wrote to memory of 592 1324 69577.exe fileu.exe PID 1324 wrote to memory of 592 1324 69577.exe fileu.exe PID 1324 wrote to memory of 592 1324 69577.exe fileu.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 592 wrote to memory of 1648 592 fileu.exe AddInProcess32.exe PID 1648 wrote to memory of 1780 1648 AddInProcess32.exe FB_83B1.tmp.exe PID 1648 wrote to memory of 1780 1648 AddInProcess32.exe FB_83B1.tmp.exe PID 1648 wrote to memory of 1780 1648 AddInProcess32.exe FB_83B1.tmp.exe PID 1648 wrote to memory of 1780 1648 AddInProcess32.exe FB_83B1.tmp.exe PID 1648 wrote to memory of 316 1648 AddInProcess32.exe FB_847C.tmp.exe PID 1648 wrote to memory of 316 1648 AddInProcess32.exe FB_847C.tmp.exe PID 1648 wrote to memory of 316 1648 AddInProcess32.exe FB_847C.tmp.exe PID 1648 wrote to memory of 316 1648 AddInProcess32.exe FB_847C.tmp.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TT Copy.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\69577.exe"C:\Users\Public\69577.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fine" /t REG_SZ /d "C:\Users\Admin\fileu.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fine" /t REG_SZ /d "C:\Users\Admin\fileu.exe"4⤵
- Adds Run key to start application
-
C:\Users\Admin\fileu.exe"C:\Users\Admin\fileu.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exe"5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exeMD5
0144accd439cb4d05d547bc226306a90
SHA1be9ccb630380f6a45b07a85bdc28700e01f9a599
SHA2561bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed
SHA5129edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97
-
C:\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exeMD5
669c3ae5b4730a47e198541a91d6d0ac
SHA1b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768
SHA256239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640
SHA51227ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc
-
C:\Users\Admin\AppData\Local\Temp\fb_83b1.tmp.exeMD5
0144accd439cb4d05d547bc226306a90
SHA1be9ccb630380f6a45b07a85bdc28700e01f9a599
SHA2561bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed
SHA5129edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97
-
C:\Users\Admin\fileu.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
C:\Users\Admin\fileu.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
C:\Users\Public\69577.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
C:\Users\Public\69577.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exeMD5
0144accd439cb4d05d547bc226306a90
SHA1be9ccb630380f6a45b07a85bdc28700e01f9a599
SHA2561bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed
SHA5129edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97
-
\Users\Admin\AppData\Local\Temp\FB_83B1.tmp.exeMD5
0144accd439cb4d05d547bc226306a90
SHA1be9ccb630380f6a45b07a85bdc28700e01f9a599
SHA2561bf2641e0004d676d699746eaf1b488a3573e06abcd4cd7fa81c67a2154ca7ed
SHA5129edb13afab8300e771067bc93141dcb08a52268d7f408e712e5be84de7913174510d2f2b81e1db2dad4ccb7acd876e242c9969653824e46fa07fa942bd9bef97
-
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exeMD5
669c3ae5b4730a47e198541a91d6d0ac
SHA1b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768
SHA256239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640
SHA51227ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc
-
\Users\Admin\AppData\Local\Temp\FB_847C.tmp.exeMD5
669c3ae5b4730a47e198541a91d6d0ac
SHA1b682abe4a0bc4f6d0869e4f14cf36bff6a6c1768
SHA256239f0d532fcd06fea5ca5c838fde41a30971c8ca3e0f5db0c2cd935860b8b640
SHA51227ad5521a16eed565afd98df752ddf9b74bf6439b6fed7f23e236f1dd63b0333c2bad6d268f736f88da03399184860ce7e5571a6c7f17c002f0869065fa13fdc
-
\Users\Admin\fileu.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
\Users\Public\69577.exeMD5
f8938b5c44ddb8c25bf1c976a6d2b627
SHA1d356067d79d709e25b7b5aefcc8fd5e8b9c5f342
SHA256e2ca1d708de42fa96bf9f6b4ae7059af755ad2b694bc91f59b4e696ddf6a81fb
SHA51200898e944b2dfc1c61c2bfd066107364ecff4e03fae613fd4b1e8771e229659b4282cac1f88a26c16d57ee49472688f28c7fb16ce2458b56f9d9b36c11c53bd7
-
memory/316-38-0x0000000000000000-mapping.dmp
-
memory/592-19-0x000000006B4C0000-0x000000006BBAE000-memory.dmpFilesize
6.9MB
-
memory/592-20-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/592-24-0x0000000001F70000-0x0000000001F7B000-memory.dmpFilesize
44KB
-
memory/592-25-0x00000000040C0000-0x00000000040C1000-memory.dmpFilesize
4KB
-
memory/592-16-0x0000000000000000-mapping.dmp
-
memory/1232-13-0x0000000000000000-mapping.dmp
-
memory/1324-11-0x00000000004B0000-0x00000000004CE000-memory.dmpFilesize
120KB
-
memory/1324-12-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/1324-9-0x0000000000F30000-0x0000000000F31000-memory.dmpFilesize
4KB
-
memory/1324-8-0x000000006B4C0000-0x000000006BBAE000-memory.dmpFilesize
6.9MB
-
memory/1324-5-0x0000000000000000-mapping.dmp
-
memory/1648-29-0x0000000000401190-mapping.dmp
-
memory/1648-31-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1648-28-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/1688-3-0x000007FEF6580000-0x000007FEF67FA000-memory.dmpFilesize
2.5MB
-
memory/1772-14-0x0000000000000000-mapping.dmp
-
memory/1780-34-0x0000000000000000-mapping.dmp
-
memory/1972-2-0x0000000000000000-mapping.dmp