Analysis

max time kernel: 152s
max time network: 14s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 07:16
Static task: static1

Behavioral task: behavioral1
  Sample: Swift_INV0880021152020.doc
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Swift_INV0880021152020.doc
  Resource: win10v20201028
General

Target: Swift_INV0880021152020.doc
Size: 6KB
MD5: d7df8a029d7851e26d5ee9115af4b40e
SHA1: 549f56becc1a13209dc0f240e822794ab6b7592f
SHA256: f52b020e86065767d221b34d5aa8c0d794222336cd2c221ec13685e37a50de07
SHA512: bd354c9b7f04df8f49a4ab772ca027dfd4c8e77b17cb339a5791b14c53a37d2dcc1b4b286bb68ea92b5d63580366a16c3fd52b3d8ea4877126e4cb3f0f75548e
Malware Config

Extracted: lokibot
URLs:
  http://okpana.com/chief/boss/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow 7, pid 1996, process EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
Processes:
  pid 548, process vbc.exe
  pid 1336, process vbc.exe

Loads dropped DLL (4 IoCs)
Processes:
  pid 1996, process EQNEDT32.EXE (listed 4 times)

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 548 set thread context of 1336: pid 548 vbc.exe, target process 1336 vbc.exe

Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (signature listed for WINWORD.EXE in the process tree; the registry IoCs below belong to it)
Processes:
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 1668, process WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, pid 1336, process vbc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 1668, process WINWORD.EXE (listed 2 times)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 1996 wrote to memory of 548: pid 1996 EQNEDT32.EXE, target process 548 vbc.exe (listed 4 times)
  PID 548 wrote to memory of 1336: pid 548 vbc.exe, target process 1336 vbc.exe (listed 10 times)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 1668)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift_INV0880021152020.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1, PID 1996)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (depth 2, PID 548)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (depth 3, PID 1336)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Public\vbc.exe
  MD5: c6091ddf2745b7edcfa535d727ea7b7a
  SHA1: 769608c06ff9bd184be238b6c92769533eaef750
  SHA256: 1c92e75853c17bb45af6a066b89e395f3e0d1cb07f2f0b1bc61d2e069bba29ae
  SHA512: 9c49f8df4e609552f88f3af71a96ed8829f067b556b02f207165bbe1226350883d690d09af18356eba37973d4a195a98f9741479b90958b971af819351061d75
\Users\Public\vbc.exe
  MD5: c6091ddf2745b7edcfa535d727ea7b7a
  SHA1: 769608c06ff9bd184be238b6c92769533eaef750
  SHA256: 1c92e75853c17bb45af6a066b89e395f3e0d1cb07f2f0b1bc61d2e069bba29ae
  SHA512: 9c49f8df4e609552f88f3af71a96ed8829f067b556b02f207165bbe1226350883d690d09af18356eba37973d4a195a98f9741479b90958b971af819351061d75
Memory dumps

memory/548-15-0x0000000001100000-0x0000000001101000-memory.dmp  Filesize: 4KB
memory/548-17-0x0000000000F90000-0x0000000000F91000-memory.dmp  Filesize: 4KB
memory/548-11-0x0000000000000000-mapping.dmp
memory/548-19-0x0000000004940000-0x00000000049DA000-memory.dmp  Filesize: 616KB
memory/548-14-0x000000006AE70000-0x000000006B55E000-memory.dmp  Filesize: 6.9MB
memory/548-18-0x00000000004C0000-0x00000000004D3000-memory.dmp  Filesize: 76KB
memory/788-6-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp  Filesize: 2.5MB
memory/1336-20-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1336-21-0x00000000004139DE-mapping.dmp
memory/1336-24-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1668-2-0x0000000072301000-0x0000000072304000-memory.dmp  Filesize: 12KB
memory/1668-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/1668-3-0x000000006FD81000-0x000000006FD83000-memory.dmp  Filesize: 8KB
memory/1996-5-0x0000000074B31000-0x0000000074B33000-memory.dmp  Filesize: 8KB