Analysis
- max time kernel: 126s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 09-06-2021 11:55
Static task: static1
Behavioral task: behavioral1
  Sample: Productlist014560-RFQ1111100010001.jar.docx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Productlist014560-RFQ1111100010001.jar.docx
  Resource: win10v20210410
General
- Target: Productlist014560-RFQ1111100010001.jar.docx
- Size: 10KB
- MD5: ffde61c7250f2ad83febb03b28321b4c
- SHA1: f37ff229c3e22cb00966eeb76d185a826b134fc1
- SHA256: 540b8aee7a87730cd824187ea04de1d6cafc7070ff9009d3aa60a8275cd4cdef
- SHA512: c7f398a12fe7e27914cfdf45aaf16086dbabb91870ce0249c5122f95eaef432f3b8ea407e342bec8c1476ba6c299b3c630f219955088ee9a4a3091362ea68618
Malware Config
- Extracted: lokibot
- URLs:
  http://manvim.co/bo/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid  | process
  13   | 1340 | EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  112  | vbc.exe
  1524 | vbc.exe
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key opened  | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://bit.do/fQZTV | WINWORD.EXE
- Loads dropped DLL (4 IoCs)
  Processes:
  pid  | process
  1340 | EQNEDT32.EXE
  1340 | EQNEDT32.EXE
  1340 | EQNEDT32.EXE
  1340 | EQNEDT32.EXE
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                        | pid | process | target process
  PID 112 set thread context of 1524 | 112 | vbc.exe | vbc.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description                  | ioc                               | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid  | process
  1060 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description                | pid  | process
  Token: SeShutdownPrivilege | 1060 | WINWORD.EXE
  Token: SeDebugPrivilege    | 1524 | vbc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid  | process
  1060 | WINWORD.EXE
  1060 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (identical rows collapsed, count in the last column):
  description                     | pid  | process      | target process | occurrences
  PID 1340 wrote to memory of 112 | 1340 | EQNEDT32.EXE | vbc.exe        | 4
  PID 1060 wrote to memory of 2028 | 1060 | WINWORD.EXE | splwow64.exe   | 4
  PID 112 wrote to memory of 1524 | 112  | vbc.exe      | vbc.exe        | 10
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 1060)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Productlist014560-RFQ1111100010001.jar.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (depth 2, PID 2028)
    command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1, PID 1340)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (depth 2, PID 112)
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe (depth 3, PID 1524)
      command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: 6e32cd4a3fac5e6b0b5f1c5659182f9e
  SHA1: 936778dec492c66f9249c5be27b13b79abcd7a04
  SHA256: 1dfce723a17d9979985d027a8b4bf09a943153bb9ff23d082b21825c41104f96
  SHA512: 067e97197524bab713b1c6bd1ac5a91086b2a04e781ae2f8efe77fb8a0e40752c8011055298e3a58eebcab67a16ad78bc7653b76250b16a85fcd07c8b79d1fe1
- \Users\Public\vbc.exe (same hashes as the entry above)
  MD5: 6e32cd4a3fac5e6b0b5f1c5659182f9e
  SHA1: 936778dec492c66f9249c5be27b13b79abcd7a04
  SHA256: 1dfce723a17d9979985d027a8b4bf09a943153bb9ff23d082b21825c41104f96
  SHA512: 067e97197524bab713b1c6bd1ac5a91086b2a04e781ae2f8efe77fb8a0e40752c8011055298e3a58eebcab67a16ad78bc7653b76250b16a85fcd07c8b79d1fe1
Memory dumps
- memory/112-78-0x0000000005AF0000-0x0000000005B58000-memory.dmp (Filesize: 416KB)
- memory/112-68-0x0000000000000000-mapping.dmp
- memory/112-71-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
- memory/112-79-0x0000000000A50000-0x0000000000A74000-memory.dmp (Filesize: 144KB)
- memory/112-75-0x0000000004BF0000-0x0000000004BF1000-memory.dmp (Filesize: 4KB)
- memory/112-76-0x00000000004E0000-0x00000000004FE000-memory.dmp (Filesize: 120KB)
- memory/1060-60-0x0000000072201000-0x0000000072204000-memory.dmp (Filesize: 12KB)
- memory/1060-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1060-61-0x000000006FC81000-0x000000006FC83000-memory.dmp (Filesize: 8KB)
- memory/1060-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1340-63-0x00000000750C1000-0x00000000750C3000-memory.dmp (Filesize: 8KB)
- memory/1524-80-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1524-81-0x00000000004139DE-mapping.dmp
- memory/1524-84-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2028-74-0x000007FEFB701000-0x000007FEFB703000-memory.dmp (Filesize: 8KB)
- memory/2028-73-0x0000000000000000-mapping.dmp