Analysis
max time kernel: 129s
max time network: 128s
platform: windows7_x64
resource: win7v20201028
submitted: 22-01-2021 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: HSBC Payment copy.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: HSBC Payment copy.xlsx
  Resource: win10v20201028
General
Target: HSBC Payment copy.xlsx
Size: 2.1MB
MD5: 4202a6f44d40ec7811ac7fa371360f62
SHA1: 53b5dc8875711fc8782a5e688125489a0596ab4f
SHA256: c1846570bb0f165cbf376b88cf51fd8bc54dd055facdd992e8c7e0c28cbc238a
SHA512: a1d8865d45f9217d7015705b9ce7d41b3f4d342b9f573c4468f469591bea1d02675e958b3cd27fb31126ebfddb5bee0f7fdb170c8333249ae02743e17b4ace3f
Malware Config
Extracted family: lokibot
C2 URLs:
  http://zunlen.com/chief/jojo/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow 6, pid 1972, process EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
Processes:
  pid 1540, process vbc.exe
  pid 1776, process vbc.exe

Loads dropped DLL (4 IoCs)
Processes:
  pid 1972, process EQNEDT32.EXE (4 occurrences)

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1540 set thread context of 1776; pid 1540, process vbc.exe, target process vbc.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 1336, process EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege; pid 1776, process vbc.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid 1336, process EXCEL.EXE (3 occurrences)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 1972 wrote to memory of 1540; pid 1972, process EQNEDT32.EXE, target process vbc.exe (4 occurrences)
  PID 1540 wrote to memory of 1776; pid 1540, process vbc.exe, target process vbc.exe (10 occurrences)
Processes

Level 1: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\HSBC Payment copy.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
  MD5: 209a9397bb6c68626ff785164388a65d
  SHA1: a3d1b6a707b971638ff56f7470daecdf7b93a346
  SHA256: fa27c16596dc5c39fafe2a14e459db8ae0bae2be3d5222d6df7331215c04efaf
  SHA512: 2186aa67a1eb8a295622b8aaa00938bba387304f8662dd91a1c0d6c2b738fb6533b4613d461b1e0bab2b63375c7739dc8439338339c6f89c7ff07a1667b87aa6
\Users\Public\vbc.exe
  MD5: 209a9397bb6c68626ff785164388a65d
  SHA1: a3d1b6a707b971638ff56f7470daecdf7b93a346
  SHA256: fa27c16596dc5c39fafe2a14e459db8ae0bae2be3d5222d6df7331215c04efaf
  SHA512: 2186aa67a1eb8a295622b8aaa00938bba387304f8662dd91a1c0d6c2b738fb6533b4613d461b1e0bab2b63375c7739dc8439338339c6f89c7ff07a1667b87aa6
Memory dumps:
  memory/1336-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  memory/1336-3-0x0000000070ED1000-0x0000000070ED3000-memory.dmp (Filesize 8KB)
  memory/1336-2-0x000000002F581000-0x000000002F584000-memory.dmp (Filesize 12KB)
  memory/1540-15-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize 4KB)
  memory/1540-14-0x000000006B7D0000-0x000000006BEBE000-memory.dmp (Filesize 6.9MB)
  memory/1540-11-0x0000000000000000-mapping.dmp
  memory/1540-17-0x00000000004B0000-0x00000000004D3000-memory.dmp (Filesize 140KB)
  memory/1540-18-0x0000000004DC0000-0x0000000004DC1000-memory.dmp (Filesize 4KB)
  memory/1540-19-0x0000000004D30000-0x0000000004D89000-memory.dmp (Filesize 356KB)
  memory/1772-6-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (Filesize 2.5MB)
  memory/1776-20-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
  memory/1776-21-0x00000000004139DE-mapping.dmp
  memory/1776-24-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
  memory/1972-5-0x0000000075DE1000-0x0000000075DE3000-memory.dmp (Filesize 8KB)