Analysis
max time kernel: 101s
max time network: 97s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 14:44

Static task: static1
Behavioral task: behavioral1 (sample: Invoice PG 008946.xlsx, resource: win7v20210408)
Behavioral task: behavioral2 (sample: Invoice PG 008946.xlsx, resource: win10v20210408)
General
Target: Invoice PG 008946.xlsx
Size: 1.2MB
MD5: 84ea29c7d6a9ed32225d28bb8f54aa9c
SHA1: c75c6394dfa978671c5ed147ce93a2beec1f097d
SHA256: 66896b1e0185fe478676b2efc089442230577e7b7b3d62eed4604adbe829f8d9
SHA512: 9bf2f046d7dc821df3342b072ace1ebf5321af72807a4e0100df4fd698e4d2e9459690a987437779493544c9c4dff1332b2332958a36022ab4c54a0cd3946432
Malware Config
Extracted family: lokibot
C2 URLs:
- http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- CustAttr .NET packer (1 IoC): detects the CustAttr .NET packer in memory.
  resource: behavioral1/memory/1076-75-0x0000000000210000-0x000000000021B000-memory.dmp, yara_rule: CustAttr
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 812, process EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 1076 vbc.exe; pid 2028 vbc.exe
- Loads dropped DLL (4 IoCs)
  pid 812 EQNEDT32.EXE (4 entries)
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1076 (vbc.exe) set thread context of 2028 (vbc.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, process EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings (process EXCEL.EXE; registry IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1908 EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2028 vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 1908 EXCEL.EXE (3 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 812 (EQNEDT32.EXE) wrote to memory of 1076 (vbc.exe): 4 entries
  PID 1076 (vbc.exe) wrote to memory of 2028 (vbc.exe): 10 entries
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1908)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Invoice PG 008946.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 812)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 1076, child of EQNEDT32.EXE)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe (PID 2028, child of vbc.exe 1076)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe (dropped executable, run as PID 1076 and PID 2028)
  MD5: 66da45ed268a07990768ee03d70e4502
  SHA1: 3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
  SHA256: b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
  SHA512: ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9
- Memory dumps (behavioral1):
  memory/812-63-0x0000000075B31000-0x0000000075B33000-memory.dmp: 8KB
  memory/1076-75-0x0000000000210000-0x000000000021B000-memory.dmp: 44KB
  memory/1076-77-0x00000000003D0000-0x00000000003F1000-memory.dmp: 132KB
  memory/1076-68-0x0000000000000000-mapping.dmp
  memory/1076-71-0x0000000001390000-0x0000000001391000-memory.dmp: 4KB
  memory/1076-73-0x00000000004A0000-0x00000000004A1000-memory.dmp: 4KB
  memory/1076-76-0x0000000004EA0000-0x0000000004F06000-memory.dmp: 408KB
  memory/1908-62-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
  memory/1908-74-0x0000000005C50000-0x0000000005DAC000-memory.dmp: 1.4MB
  memory/1908-60-0x000000002FA71000-0x000000002FA74000-memory.dmp: 12KB
  memory/1908-61-0x0000000071AE1000-0x0000000071AE3000-memory.dmp: 8KB
  memory/1908-83-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
  memory/2028-79-0x00000000004139DE-mapping.dmp
  memory/2028-78-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
  memory/2028-82-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB