Analysis

Max time kernel: 146s
Max time network: 174s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 24-06-2021 08:48
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 83caf8c3bb6dad10656c6452d070a17e71a030cb.docx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 83caf8c3bb6dad10656c6452d070a17e71a030cb.docx
  Resource: win10v20210408
General

Target: 83caf8c3bb6dad10656c6452d070a17e71a030cb.docx
Size: 10KB
MD5: 9e7b6d8be08b8b2557cb87a90cd931b9
SHA1: 83caf8c3bb6dad10656c6452d070a17e71a030cb
SHA256: e003fb7de75319cb0d30397adbf89bef53d8ccd44af2e9813c219b2571bad2d2
SHA512: 31d563862adc199c0bcba52325264502e357a6e786835d3865ad916adb3ecb5cf3271b63d4e45a6becfe2521fc6abfa637f02cc76729ac9e2c28dc04c5ac3fdf
Malware Config

Extracted family: lokibot
C2 URLs:
  http://manvim.co/fd6/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Blocklisted process makes network request (1 IoC)
  Process: EQNEDT32.EXE (PID 684), network flow 13

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  Process: vbc.exe (PID 920)

Abuses OpenXML format to download file from external location (2 IoCs)
  Process: WINWORD.EXE
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key opened: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Office\Common\Offline\Files\https://itsssl.com/rzuDW

Loads dropped DLL (4 IoCs)
  Process: EQNEDT32.EXE (PID 684), 4 events

Uses the VBS compiler for execution (1 TTP)

Drops file in Windows directory (1 IoC)
  Process: WINWORD.EXE
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Process: WINWORD.EXE
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
    Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
    Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Process: WINWORD.EXE (PID 1632)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: vbc.exe (PID 920), Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: WINWORD.EXE (PID 1632), 2 events

Suspicious use of WriteProcessMemory (8 IoCs)
  EQNEDT32.EXE (PID 684) wrote to memory of vbc.exe (PID 920), 4 events
  WINWORD.EXE (PID 1632) wrote to memory of splwow64.exe (PID 296), 4 events
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\83caf8c3bb6dad10656c6452d070a17e71a030cb.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Public\vbc.exe
  MD5: 9962660f061cfa2cc47527ab5a7e87f0
  SHA1: ccc0ecaeb700427d8f2435457598b4fab27f029d
  SHA256: e1797184663ac087b1641a5f2313f1d7dc2d9d0a0f5d0099a478dd52531bf13b
  SHA512: 419a71717d33a956367c64210fcfa2a638bf3803532306417cb527215e9ec620f8798f47dccad18ee313d1b1aace22dd0e2f7aab1dc22e1390c3021eaccddc58
Memory dumps

memory/296-70-0x0000000000000000-mapping.dmp
memory/296-71-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp (8KB)
memory/684-63-0x0000000075411000-0x0000000075413000-memory.dmp (8KB)
memory/920-68-0x0000000000000000-mapping.dmp
memory/920-73-0x0000000000220000-0x000000000023B000-memory.dmp (108KB)
memory/920-74-0x0000000000400000-0x00000000008F8000-memory.dmp (5.0MB)
memory/1632-60-0x0000000072661000-0x0000000072664000-memory.dmp (12KB)
memory/1632-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1632-61-0x00000000700E1000-0x00000000700E3000-memory.dmp (8KB)