Analysis
- max time kernel: 1760s
- max time network: 1759s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 20:53
- Static task: static1

General
- Target: Swift_INV0880021152020.xlsx
- Size: 2.3MB
- MD5: 4b4cee24aa613f71e4c48f872fcde74e
- SHA1: 5e720a0637ef8395ab5ef2656a5c9732828ee731
- SHA256: 619a1fe68a1abdabd1b77f4bf3be91d5b5df789d9d941f3fe69ac201935cc1e6
- SHA512: 1403b862fa5da81373443ac1510455ebaa61102f7c3a5fee694adcfc77993adfc67861a393a5ee15ef9e7a0a266936979700bf7d441c953a18c6519af9ed14c2
Malware Config
- Extracted family: lokibot
- C2 URLs (from the extracted configuration):
  http://lmpulsefashion.net/chief/boss/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request (1 IoC)
Processes: flow 7, PID 1936, EQNEDT32.EXE
-
Executes dropped EXE (2 IoCs)
Processes: PID 428 vbc.exe; PID 1780 vbc.exe
-
Loads dropped DLL (4 IoCs)
Processes: PID 1936 EQNEDT32.EXE (4 events)
Uses the VBS compiler for execution (1 TTP)
This signature fires on the file name alone. The vbc.exe in this run is a dropped executable in C:\Users\Public (see "Executes dropped EXE" and the Downloads section), not the Visual Basic compiler that ships with the .NET Framework under %WINDIR%\Microsoft.NET\Framework\; the name is borrowed to look legitimate in process listings.
Suspicious use of SetThreadContext (1 IoC)
Processes: PID 428 vbc.exe set thread context of PID 1780 vbc.exe
-
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: EXCEL.EXE opened key \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor (EQNEDT32.EXE) is a legacy Office component that is a frequent target of exploits such as CVE-2017-11882, a stack buffer overflow in its equation-parsing code that Microsoft patched in November 2017. The report does not identify which Equation Editor flaw this workbook triggers. What it does show is the chain that matters for triage: EQNEDT32.EXE is activated through OLE (the -Embedding switch) while Excel has the workbook open, makes a network request, and then starts C:\Users\Public\vbc.exe, a dropped executable. A legitimate Equation Editor has no reason to create child processes, so that parent/child pair is the tell regardless of which vulnerability was used.
-
Modifies Internet Explorer settings (9 IoCs)
Processes: EXCEL.EXE, all under \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer
  Set value (str) Toolbar\ShowDiscussionButton = "Yes"
  Key created MenuExt\Se&nd to OneNote
  Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created MenuExt\E&xport to Microsoft Excel
  Key created Toolbar
  Key created MenuExt
  Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
These are the standard Internet Explorer integration entries (Send to OneNote, Export to Microsoft Excel) that Office 2010 writes on first launch in a fresh profile; they are sandbox noise from Excel itself, not malicious configuration.
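A triage check that goes with the signature above, written for this report as an added example (it is not part of the sandbox output): it opens an Office Open XML file and flags embedded OLE objects that look like Equation Editor (Equation.3) objects. The heuristics are assumptions about how such objects normally look (objects live under xl/embeddings/, word/embeddings/ or ppt/embeddings/, are OLE compound files, carry a stream named "Equation Native" and the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}); the sample workbook built by build_sample() is constructed here for the demonstration and its OLE payload is a stub carrying only those markers.

```python
"""Triage check: does an .xlsx/.docx/.pptx embed an Equation Editor object?
Added example, not part of the sandbox report.  Heuristic only: a hit means
"detonate or block this file", not "this is CVE-2017-11882".
"""
import io
import re
import sys
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE compound file header
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")   # CFB stream name of Equation.3 data
# {0002CE02-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout
EQUATION3_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
EMBEDDINGS = re.compile(r"^(xl|word|ppt)/embeddings/", re.IGNORECASE)


def find_equation_objects(ooxml_bytes):
    """Return [(zip member, [reasons])] for every embedded object that matches
    at least one heuristic.  Raises zipfile.BadZipFile for non-OOXML input
    (a legacy .xls/.doc is itself a CFB file and needs a different parser)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if not EMBEDDINGS.match(name):
                continue
            data = z.read(name)
            reasons = []
            if data.startswith(CFB_MAGIC):
                reasons.append("ole-cfb")
            if EQUATION_NATIVE in data:
                reasons.append("Equation Native stream")
            if EQUATION3_CLSID in data:
                reasons.append("Equation.3 CLSID")
            if reasons:
                hits.append((name, reasons))
    return hits


def build_sample(with_equation):
    """Constructed minimal workbook for the demo.  The embedded object is a
    stub that only carries the markers the heuristics look for; it is not a
    valid CFB file and does not contain any exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation:
            stub = CFB_MAGIC + b"\0" * 504 + EQUATION_NATIVE + b"\0" * 32 + EQUATION3_CLSID
            z.writestr("xl/embeddings/oleObject1.bin", stub)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_eqn.py Swift_INV0880021152020.xlsx  (no argument: run on the stub)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for member, why in find_equation_objects(data):
        print(f"{member}: {', '.join(why)}")
```

The check is a positive-signal filter, not proof of safety: an attacker can strip the stream name and CLSID from the CFB directory or reference the object under a different member name, so a clean result on a suspicious invoice still warrants detonation. A hit on any of the three markers is enough to quarantine the document in a mail gateway, since Equation Editor objects have no business in invoices.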
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: PID 1844 EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PID 1780 vbc.exe, Token: SeDebugPrivilege; PID 1844 EXCEL.EXE, Token: SeShutdownPrivilege
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: PID 1844 EXCEL.EXE (3 events)
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 1936 EQNEDT32.EXE wrote to memory of PID 428 vbc.exe (4 events)
  PID 428 vbc.exe wrote to memory of PID 1780 vbc.exe (10 events)
Taken together with the SetThreadContext call above, the 428 -> 1780 writes are the process-hollowing pattern (ATT&CK T1055.012): the first vbc.exe starts a second copy of itself, overwrites its image, and resets the main thread's context so the unpacked payload runs under the original file name. The 1780 process is the one that later enables SeDebugPrivilege, so it is the process to dump for the LokiBot payload.
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1844, level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Swift_INV0880021152020.xlsx
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1936, level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
  C:\Users\Public\vbc.exe (PID 428, level 2, child of EQNEDT32.EXE)
  Command line: "C:\Users\Public\vbc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Public\vbc.exe (PID 1780, level 3, child of PID 428)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe (the report lists this file seven times, three as C:\Users\Public\vbc.exe and four as \Users\Public\vbc.exe; all seven entries carry identical hashes)
MD5: c08c591f773ecee016ad60496e99ac49
SHA1: 6326dac07e8db5d9c4b328e81e806cd9449eca9a
SHA256: eb2734125424d8e94e2d58e988c7edd9aee7e35bea03c884a0336d93e5ac29de
SHA512: 834ef514a5e7e1a06cb38fbadc04b62caf80f0a31feb06ad9534799e99ba90a92c6d04bba31c878df84ee9d5f1af35562a533ded54c37d003f9a16009f07d6e8
-
memory/268-2: 0x000007FEF7900000-0x000007FEF7B7A000 (memory.dmp, 2.5MB)
-
memory/428-10: 0x000000006BEB0000-0x000000006C59E000 (memory.dmp, 6.9MB)
-
memory/428-11: 0x0000000000FD0000-0x0000000000FD1000 (memory.dmp, 4KB)
-
memory/428-13: 0x00000000002D0000-0x00000000002E2000 (memory.dmp, 72KB)
-
memory/428-14: 0x0000000000C60000-0x0000000000CB2000 (memory.dmp, 328KB)
-
memory/428-7: 0x0000000000000000 (mapping.dmp)
-
memory/1780-15: 0x0000000000400000-0x00000000004A2000 (memory.dmp, 648KB)
-
memory/1780-16: 0x00000000004139DE (mapping.dmp)
-
memory/1780-18: 0x0000000000400000-0x00000000004A2000 (memory.dmp, 648KB)
The two 648KB dumps of 0x400000-0x4A2000 in PID 1780 cover the image region that PID 428 wrote into before calling SetThreadContext, so they are the first place to look for the unpacked LokiBot payload; the mapping entry at 0x4139DE is likely the thread start address set for the hollowed process, but the report does not state that.