Analysis
-
max time kernel
131s -
max time network
179s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
04-06-2021 18:28
Static task
static1
Behavioral task
behavioral1
Sample
uwa.docx
Resource
win7v20210410
Behavioral task
behavioral2
Sample
uwa.docx
Resource
win10v20210408
General
-
Target
uwa.docx
-
Size
10KB
-
MD5
3eb620f82132d7715cde30887fa24ed5
-
SHA1
cf9fe04fa0e778e800e2e9bd681e831a95af1e09
-
SHA256
07ffbabb575117c731872d2d6cda388f2343fdee55d700f8357263a48c0edabc
-
SHA512
32d48ec3545c0384e35fcf168342e15ace224c45032548ae3375a379baa18a2b090380f17ca2a5326b62f592c3de3dc6d6f48cd3c70ca1293dd72f80a7d522c6
Malware Config
Extracted
lokibot
http://173.208.204.37/k.php/mvM4bZPtu0I2s
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 14 288 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1348 vbc.exe 768 vbc.exe -
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQXx8 WINWORD.EXE -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 288 EQNEDT32.EXE 288 EQNEDT32.EXE 288 EQNEDT32.EXE 288 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 1348 set thread context of 768 1348 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1212 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
WINWORD.EXEvbc.exedescription pid process Token: SeShutdownPrivilege 1212 WINWORD.EXE Token: SeDebugPrivilege 768 vbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1212 WINWORD.EXE 1212 WINWORD.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 288 wrote to memory of 1348 288 EQNEDT32.EXE vbc.exe PID 288 wrote to memory of 1348 288 EQNEDT32.EXE vbc.exe PID 288 wrote to memory of 1348 288 EQNEDT32.EXE vbc.exe PID 288 wrote to memory of 1348 288 EQNEDT32.EXE vbc.exe PID 1212 wrote to memory of 1424 1212 WINWORD.EXE splwow64.exe PID 1212 wrote to memory of 1424 1212 WINWORD.EXE splwow64.exe PID 1212 wrote to memory of 1424 1212 WINWORD.EXE splwow64.exe PID 1212 wrote to memory of 1424 1212 WINWORD.EXE splwow64.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe PID 1348 wrote to memory of 768 1348 vbc.exe vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\uwa.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
C:\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
C:\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
\Users\Public\vbc.exeMD5
fe29a7011c5da172c6686eb9efcd4532
SHA120401afd0e49a0bf1abc98f2109c28f171470118
SHA256efe7e1f65f546efe84e8e1e89261211c204718006bc954620e80b3ea44e155fc
SHA512cc50e827cd9c6b9e70d574894d6fc908c51b890941535d33fdfbfd43ec9affcffea2fe5b3d53e4a8bf6ef1376a7a37f5ce95d90ed571f7ddec445696f9fbbe17
-
memory/288-62-0x0000000076661000-0x0000000076663000-memory.dmpFilesize
8KB
-
memory/768-83-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/768-80-0x00000000004139DE-mapping.dmp
-
memory/768-79-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1212-76-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1212-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1212-60-0x00000000703F1000-0x00000000703F3000-memory.dmpFilesize
8KB
-
memory/1212-59-0x0000000072971000-0x0000000072974000-memory.dmpFilesize
12KB
-
memory/1348-77-0x0000000004FC0000-0x0000000005026000-memory.dmpFilesize
408KB
-
memory/1348-75-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/1348-74-0x00000000003D0000-0x00000000003E4000-memory.dmpFilesize
80KB
-
memory/1348-78-0x00000000007C0000-0x00000000007E3000-memory.dmpFilesize
140KB
-
memory/1348-70-0x0000000000E40000-0x0000000000E41000-memory.dmpFilesize
4KB
-
memory/1348-67-0x0000000000000000-mapping.dmp
-
memory/1424-73-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB
-
memory/1424-72-0x0000000000000000-mapping.dmp