Analysis
- Max time kernel: 300s
- Max time network: 257s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 21-01-2021 20:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: USD_Overdue Payment Schedule.xls
- Resource: win10v20201028
General
- Target: USD_Overdue Payment Schedule.xls
- Size: 335KB
- MD5: 1fac3e86ffe8869e8ad09c2402bed823
- SHA1: ff278c78160f967cd7b2e7446ed609f6b2bc69ba
- SHA256: cf92772879795211f5ec41488fc4e7ec6932c047b0941f56eee5208be702040f
- SHA512: d081765012d56a30aa72f233fa7c8b8ccd8eecd6350e7406e82585e710ccaed029f6d06a9481825b7e10bf8b793e69bd5a40b31ad1df6478c49126934e0cd8ae
Malware Config
Extracted family: lokibot
C2 URLs:
- http://104.223.170.100/pgoldie/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (3 IoCs)
  Processes (resource / YARA rule):
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe  modiloader_stage1 (matched 3 times)
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  4508  PFUCSVF.exe
  384   PFUCSVF.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 4508 set thread context of 384  4508 PFUCSVF.exe -> 384 PFUCSVF.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / IoC / process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / IoC / process):
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Network (description / flow / IoC):
  HTTP User-Agent header  flow 25  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
  4768  EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  384  PFUCSVF.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  4768  EXCEL.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid / process):
  4768  EXCEL.EXE (12 occurrences)
  4508  PFUCSVF.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 4768 wrote to memory of 4508  4768 EXCEL.EXE -> 4508 PFUCSVF.exe (3 occurrences)
  PID 4508 wrote to memory of 384   4508 PFUCSVF.exe -> 384 PFUCSVF.exe (5 occurrences)
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\USD_Overdue Payment Schedule.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [2, child of 1] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [3, child of 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PFUCSVF.exe
  MD5: 31afdd6543e96f41f7c600de3735baf1
  SHA1: 5cfc8b7c618640b12e8b9edb205c73892ddc7577
  SHA256: feb2ac44d02663e418da7928c23f5042b1393e0636e3bc3149c09a91dc8c0209
  SHA512: c0b2979597c86ef35e6d010b2ba08943e67a2834102f1a706700d6959af18829464bda588cccf5910c84eeae306283dfdc54663c106783e32b5512424b3be4c6
Memory dumps (file / size):
- memory/384-12-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
- memory/384-13-0x00000000004139DE-mapping.dmp
- memory/384-15-0x0000000000400000-0x00000000004A2000-memory.dmp  648KB
- memory/4508-7-0x0000000000000000-mapping.dmp
- memory/4508-10-0x0000000000680000-0x0000000000681000-memory.dmp  4KB
- memory/4768-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp  64KB
- memory/4768-5-0x00007FFBE3C00000-0x00007FFBE4237000-memory.dmp  6.2MB
- memory/4768-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp  64KB
- memory/4768-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp  64KB
- memory/4768-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp  64KB