Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 09-06-2021 02:05
Static task: static1
Behavioral task: behavioral1
  Sample: MV Hyundai Integral.docx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: MV Hyundai Integral.docx
  Resource: win10v20210408
General
- Target: MV Hyundai Integral.docx
- Size: 10KB
- MD5: 07daa63f677e63f69bca0379aa80cdf9
- SHA1: cec0f5a6461e96c1d6b8e87adb15152847558de7
- SHA256: ef210d65849b76de9d35bbf15a49388f90cc36223fdb50c96d9a5c4d224bcb02
- SHA512: 832e6c834d3bfe6563b0684e3f072f67d7a612a8a54388a110e717d61d4814c67b1af38bf71d95bf63f0fe84df90d97fad206f17158cb7a75ec1b264923bc838
Malware Config
Extracted: lokibot
URLs:
- http://amrp.tw/chud/gate.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    8 / 1512 / EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1580 / vbc.exe
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\http://103.133.106.72/.----------------_-------_-------------_----------------/--------------------.....................------------------.wbk / WINWORD.EXE
    Key created / \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar / WINWORD.EXE
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
    1512 / EQNEDT32.EXE (4 entries)
- Uses the VBS compiler for execution (1 TTP)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification / C:\Windows\Debug\WIA\wiatrace.log / WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description / ioc / process), where [IE] = \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer:
    Key created / [IE]\MenuExt / WINWORD.EXE
    Set value (int) / [IE]\MenuExt\Se&nd to OneNote\Contexts = "55" / WINWORD.EXE
    Set value (int) / [IE]\MenuExt\E&xport to Microsoft Excel\Contexts = "1" / WINWORD.EXE
    Set value (str) / [IE]\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" / WINWORD.EXE
    Key created / [IE]\Toolbar / WINWORD.EXE
    Set value (str) / [IE]\Toolbar\ShowDiscussionButton = "Yes" / WINWORD.EXE
    Key created / [IE]\MenuExt\Se&nd to OneNote / WINWORD.EXE
    Set value (str) / [IE]\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" / WINWORD.EXE
    Key created / [IE]\MenuExt\E&xport to Microsoft Excel / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid / process):
    1848 / WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1580 / vbc.exe
    Token: SeShutdownPrivilege / 1848 / WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    1848 / WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 1512 wrote to memory of 1580 / 1512 / EQNEDT32.EXE / vbc.exe (4 entries)
    PID 1848 wrote to memory of 1984 / 1848 / WINWORD.EXE / splwow64.exe (4 entries)
Processes (nested by parent/child depth)
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MV Hyundai Integral.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: 02c0f2b13cac6f3bb29da00bb65c1412
  SHA1: 865ab7a325f9e2bfe3598eeec89a8f5e7a525a62
  SHA256: 5f346572ec0e67b4162e8be108dde0bb567d64bf1e6afb7225e2b5c2618828f6
  SHA512: c7b748452425e6a2054aeec1a3b2b49f3cf14c2c838fbe49917d04c73dfa6457658d43433a957c4cf820e266e213668b03d76658f8981ce25b31186bc4f21602
Memory dumps (file / size):
- memory/1512-62-0x00000000757C1000-0x00000000757C3000-memory.dmp / 8KB
- memory/1580-67-0x0000000000000000-mapping.dmp
- memory/1580-72-0x0000000000220000-0x000000000023B000-memory.dmp / 108KB
- memory/1580-73-0x0000000000400000-0x00000000004A2000-memory.dmp / 648KB
- memory/1848-59-0x0000000072AB1000-0x0000000072AB4000-memory.dmp / 12KB
- memory/1848-61-0x000000005FFF0000-0x0000000060000000-memory.dmp / 64KB
- memory/1848-60-0x0000000070531000-0x0000000070533000-memory.dmp / 8KB
- memory/1848-75-0x000000005FFF0000-0x0000000060000000-memory.dmp / 64KB
- memory/1984-69-0x0000000000000000-mapping.dmp
- memory/1984-70-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp / 8KB