new_order.doc.docx

General

Target: new_order.doc.docx
Filesize: 10KB
Completed: 21-04-2021 18:06
Score: 10/10
MD5: eb9b4decb03b5c81b5f4c0cc9dd5758f
SHA1: 22ee73cf80deaf3122cc4e9fd45b062f71b4e2f4
SHA256: ce47c3f3359a2f2dd2de306544df0e10cf5cefebfccf8d556432918622487f25

Malware Config

Extracted

Family: lokibot
C2:
  http://amrp.tw/kayo/gate.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

Signatures 17

  • Lokibot

    Description

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Blocklisted process makes network request
    EQNEDT32.EXE

    Reported IOCs

    flow | pid | process
    13 | 456 | EQNEDT32.EXE
  • Downloads MZ/PE file
  • Executes dropped EXE
    vbc.exe, vbc.exe

    Reported IOCs

    pid | process
    916 | vbc.exe
    1956 | vbc.exe
  • Abuses OpenXML format to download file from external location
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Key opened | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQyhA | WINWORD.EXE
  • Loads dropped DLL
    EQNEDT32.EXE

    Reported IOCs

    pid | process
    456 | EQNEDT32.EXE (4 identical entries)
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    vbc.exe

    Reported IOCs

    description | pid | process | target process
    PID 916 set thread context of 1956 | 916 | vbc.exe | vbc.exe
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor
    EQNEDT32.EXE

    Description

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    TTPs

    Exploitation for Client Execution

    Reported IOCs

    pid | process
    456 | EQNEDT32.EXE
  • Modifies Internet Explorer settings
    WINWORD.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    1748 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    vbc.exe

    Reported IOCs

    pid | process
    916 | vbc.exe (2 identical entries)
  • Suspicious use of AdjustPrivilegeToken
    WINWORD.EXE, vbc.exe, vbc.exe

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege | 1748 | WINWORD.EXE
    Token: SeDebugPrivilege | 916 | vbc.exe
    Token: SeDebugPrivilege | 1956 | vbc.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    1748 | WINWORD.EXE (2 identical entries)
  • Suspicious use of WriteProcessMemory
    EQNEDT32.EXE, WINWORD.EXE, vbc.exe

    Reported IOCs

    description | pid | process | target process
    PID 456 wrote to memory of 916 | 456 | EQNEDT32.EXE | vbc.exe (4 identical entries)
    PID 1748 wrote to memory of 1636 | 1748 | WINWORD.EXE | splwow64.exe (4 identical entries)
    PID 916 wrote to memory of 1956 | 916 | vbc.exe | vbc.exe (10 identical entries)
Processes 5
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new_order.doc.docx"
    Abuses OpenXML format to download file from external location
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:1636
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Blocklisted process makes network request
    Loads dropped DLL
    Launches Equation Editor
    Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:916
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        PID:1956
Downloads
  • C:\Users\Public\vbc.exe (reported 7 times, as C:\Users\Public\vbc.exe and \Users\Public\vbc.exe, with identical hashes)

    MD5: 71a14ce0723e4de96846bf22eed49d20
    SHA1: 14340d510faa92bd38ef6ec98e74f5845d37a451
    SHA256: 57d6ee60faf10320d9fd37d58aeec59e6735366afece642579ab6d9743c1731b
    SHA512: 4ff0b16cfe84f3c1b57638617f1eb9c332df95a531cd33f84dfde1987dc53d4ef1298dbfec33edac69d87844fefdb7d7f55519ae1c27ead2568551f50b27d728

  • memory/456-62-0x00000000757E1000-0x00000000757E3000-memory.dmp
  • memory/916-78-0x0000000004E20000-0x0000000004E84000-memory.dmp
  • memory/916-67-0x0000000000000000-mapping.dmp
  • memory/916-79-0x00000000007C0000-0x00000000007E0000-memory.dmp
  • memory/916-70-0x0000000001070000-0x0000000001071000-memory.dmp
  • memory/916-75-0x0000000004970000-0x0000000004971000-memory.dmp
  • memory/916-74-0x0000000000750000-0x0000000000759000-memory.dmp
  • memory/916-76-0x000000007EF40000-0x000000007EF41000-memory.dmp
  • memory/1636-73-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp
  • memory/1636-72-0x0000000000000000-mapping.dmp
  • memory/1748-59-0x0000000072251000-0x0000000072254000-memory.dmp
  • memory/1748-77-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1748-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1748-60-0x000000006FCD1000-0x000000006FCD3000-memory.dmp
  • memory/1956-80-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/1956-81-0x00000000004139DE-mapping.dmp
  • memory/1956-84-0x0000000000400000-0x00000000004A2000-memory.dmp