Analysis
- max time kernel: 121s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 13:23

Static task: static1
Behavioral task: behavioral1
- Sample: Invoice_PG_008946.xlsx
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Invoice_PG_008946.xlsx
- Resource: win10v20210410
General
- Target: Invoice_PG_008946.xlsx
- Size: 1.1MB
- MD5: 1dffded46a39053ed2e4c5d178cb1a87
- SHA1: 51fb859291867bdba9dea197f4788f8ffcb76f8d
- SHA256: 3964f3eb14c348d5578e1b758c9cb25d792aa287c24b57f8371729996dc118fc
- SHA512: cc004416d43fae81ece3b09a0f41f29d022f0a0b7cb64d1363eaf5ad6a798213ef740108a9b56660fd853a6bfcbfe56fbe842cd7ce6ae4e54bf7ee63d8230804
Malware Config
Extracted family: lokibot
C2 URLs:
- http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
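Matching web-proxy telemetry against the indicators extracted above, as an added example that is not part of the sandbox report. The C2 URLs are the ones listed in the config; the User-Agent substring `(Charon; Inferno)` is an assumption about what the `ET MALWARE LokiBot User-Agent (Charon/Inferno)` Suricata signature keys on, and the proxy records at the bottom are constructed for the example:

```python
"""Match web-proxy records against the Lokibot indicators extracted above.

Added example, not part of the sandbox report. The C2 URLs are the ones the
report extracted. The User-Agent marker is an assumption about what the
"ET MALWARE LokiBot User-Agent (Charon/Inferno)" signature keys on; the proxy
records at the bottom are constructed for this example.
"""
from urllib.parse import urlparse

# C2 URLs from the report's "Malware Config" section.
LOKIBOT_C2_URLS = [
    "http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption: substring of the Lokibot User-Agent the Suricata rule name refers to.
LOKIBOT_UA_MARKER = "(Charon; Inferno)"


def c2_indicators(urls):
    """Return (hosts, endpoints): hosts is a set of lowercase netlocs,
    endpoints a set of (netloc, path) pairs, for host-level and exact matching."""
    hosts, endpoints = set(), set()
    for url in urls:
        p = urlparse(url)
        hosts.add(p.netloc.lower())
        endpoints.add((p.netloc.lower(), p.path))
    return hosts, endpoints


def defang(url):
    """Defang the scheme and host so the indicator cannot be clicked when shared."""
    p = urlparse(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{p.netloc.replace('.', '[.]')}{p.path}{query}"


def classify_request(record, hosts, endpoints):
    """Return the reasons a proxy record looks like Lokibot traffic; [] means no match.
    An exact endpoint hit outranks a bare host hit so the list stays unambiguous."""
    reasons = []
    host = record["host"].lower()
    if (host, record["path"]) in endpoints:
        reasons.append("request to extracted C2 endpoint")
    elif host in hosts:
        reasons.append("request to extracted C2 host")
    if LOKIBOT_UA_MARKER in record.get("user_agent", ""):
        reasons.append("Lokibot User-Agent marker")
    return reasons


def scan_log(records, urls=LOKIBOT_C2_URLS):
    """Run every record through classify_request; return [(index, reasons)] for hits only."""
    hosts, endpoints = c2_indicators(urls)
    hits = []
    for i, rec in enumerate(records):
        reasons = classify_request(rec, hosts, endpoints)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed proxy records (not from the report): a check-in to an extracted
# C2, a GET to a C2 host that does not touch the known path, a beacon to an
# unknown host that still carries the UA marker, and ordinary browsing.
SAMPLE_PROXY_LOG = [
    {"host": "kbfvzoboss.bid", "path": "/alien/fre.php",
     "user_agent": "Mozilla/4.08 (Charon; Inferno)"},
    {"host": "alphastand.top", "path": "/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"},
    {"host": "cdn.example.net", "path": "/upload",
     "user_agent": "Mozilla/4.08 (Charon; Inferno)"},
    {"host": "www.example.com", "path": "/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for url in LOKIBOT_C2_URLS:
        print("indicator:", defang(url))
    for index, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(f"record {index}: {', '.join(reasons)}")
```

The host-level match is deliberately separate from the endpoint match: the `alphastand.*` domains are dedicated C2 infrastructure, so any contact with them is worth a look, whereas the IP-based URL shares its host with whatever else sits on 185.227.139.18 and the path is the stronger signal there.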
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  Resource / YARA rule:
    behavioral1/memory/1768-73-0x00000000004A0000-0x00000000004AB000-memory.dmp  CustAttr
- Blocklisted process makes network request (1 IoC)
  Flow / PID / Process:
    6  648  EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  PID / Process:
    1768  vbc.exe
    344   vbc.exe
- Loads dropped DLL (4 IoCs)
  PID / Process:
    648  EQNEDT32.EXE  (4 loads)
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Description / PID / Process / Target process:
    PID 1768 set thread context of 344  1768  vbc.exe  vbc.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Description / IoC / Process:
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings (9 IoCs)
  Description / IoC / Process:
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID / Process:
    1652  EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description / PID / Process:
    Token: SeDebugPrivilege  344  vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID / Process:
    1652  EXCEL.EXE  (3 hooks)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Description / PID / Process / Target process:
    PID 648 wrote to memory of 1768   648   EQNEDT32.EXE  vbc.exe  (4 writes)
    PID 1768 wrote to memory of 344   1768  vbc.exe       vbc.exe  (10 writes)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (PID 1652)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice_PG_008946.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 648)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe  (PID 1768)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe  (PID 344)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
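The chain shown in the tree (Excel opens the sheet; EQNEDT32.EXE is started with -Embedding, reaches out to the network, drops and runs C:\Users\Public\vbc.exe; that process writes into a second copy of itself and calls SetThreadContext on it) expressed as endpoint-detection logic, an added example that is not part of the sandbox report. The events are constructed in a simplified Sysmon-like shape with this example's own field names, reusing the report's PIDs and images; the parent PIDs 1000 and 700 are placeholders. Note that EQNEDT32.EXE sits at the top level of the tree rather than under EXCEL.EXE, because COM activation (the -Embedding flag) starts it from the DCOM launcher, so a rule keyed on "Office spawns a child" would miss this chain; the rules below key on the Equation Editor image itself:

```python
"""Detect the infection chain in the process tree above from endpoint telemetry.

Added example, not part of the sandbox report. The events are constructed in a
simplified Sysmon-like shape (field names are this example's own, not a vendor
schema) and reuse the report's PIDs and images: EXCEL.EXE 1652, EQNEDT32.EXE 648,
vbc.exe 1768 and its hollowed child vbc.exe 344. Parent PIDs 1000 and 700 are
placeholders for explorer.exe and the DCOM launcher; the report only shows that
EQNEDT32.EXE is a top-level process started with "-Embedding".
"""

# Directories any user can write to; execution from here is worth a finding.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")

# Constructed telemetry (not from the report), in the order the chain unfolds.
EVENTS = [
    {"type": "process_create", "pid": 1652, "ppid": 1000,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"},
    {"type": "process_create", "pid": 648, "ppid": 700,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "network_connect", "pid": 648},
    {"type": "process_create", "pid": 1768, "ppid": 648,
     "image": r"C:\Users\Public\vbc.exe"},
    {"type": "process_create", "pid": 344, "ppid": 1768,
     "image": r"C:\Users\Public\vbc.exe"},
    {"type": "thread_context_set", "source_pid": 1768, "target_pid": 344},
]


def image_name(path):
    """Lowercase file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    """Map pid -> process_create event so later events can be resolved to images."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestry(procs, pid):
    """Return the chain of PIDs from the oldest known ancestor down to pid."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def analyze(events):
    """Return (rule, pid) findings for the behaviours the report flags:
    Equation Editor touching the network or spawning a child, execution from a
    world-writable directory, and a process hollowing a fresh copy of itself."""
    procs = process_table(events)
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if parent and image_name(parent["image"]) == "eqnedt32.exe":
                findings.append(("eqnedt32_spawned_child", e["pid"]))
            if e["image"].lower().startswith(PUBLIC_DIRS):
                findings.append(("exec_from_public_dir", e["pid"]))
        elif e["type"] == "network_connect":
            proc = procs.get(e["pid"])
            if proc and image_name(proc["image"]) == "eqnedt32.exe":
                findings.append(("eqnedt32_network", e["pid"]))
        elif e["type"] == "thread_context_set":
            src = procs.get(e["source_pid"])
            dst = procs.get(e["target_pid"])
            # SetThreadContext by the parent on a child running the same image is the
            # hollowing sequence: create suspended, overwrite, redirect entry, resume.
            if (src and dst and dst["ppid"] == e["source_pid"]
                    and image_name(src["image"]) == image_name(dst["image"])):
                findings.append(("self_hollowing", e["target_pid"]))
    return findings


if __name__ == "__main__":
    procs = process_table(EVENTS)
    for rule, pid in analyze(EVENTS):
        path = " -> ".join(f"{image_name(procs[p]['image'])}({p})"
                           for p in ancestry(procs, pid))
        print(f"{rule}: {path}")
```

The hollowing rule is the one that keeps firing once the dropper changes: the EQNEDT32.EXE rules catch this particular delivery, while "parent and child share an image, parent rewrites the child's thread context" describes what the vbc.exe stage does regardless of the exploit that launched it.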
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: 66da45ed268a07990768ee03d70e4502
  SHA1: 3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
  SHA256: b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
  SHA512: ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9
- \Users\Public\vbc.exe
  MD5: 66da45ed268a07990768ee03d70e4502
  SHA1: 3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
  SHA256: b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
  SHA512: ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9
Memory dumps:
- memory/344-83-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize 648KB
- memory/344-79-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize 648KB
- memory/344-80-0x00000000004139DE-mapping.dmp
- memory/648-62-0x0000000076641000-0x0000000076643000-memory.dmp  Filesize 8KB
- memory/1652-84-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
- memory/1652-59-0x000000002FDB1000-0x000000002FDB4000-memory.dmp  Filesize 12KB
- memory/1652-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
- memory/1652-76-0x0000000005E20000-0x0000000006A6A000-memory.dmp  Filesize 12.3MB
- memory/1652-75-0x0000000005E20000-0x0000000006A6A000-memory.dmp  Filesize 12.3MB
- memory/1652-74-0x0000000005E20000-0x0000000006A6A000-memory.dmp  Filesize 12.3MB
- memory/1652-60-0x00000000716D1000-0x00000000716D3000-memory.dmp  Filesize 8KB
- memory/1768-72-0x0000000004CF0000-0x0000000004CF1000-memory.dmp  Filesize 4KB
- memory/1768-78-0x00000000008E0000-0x0000000000901000-memory.dmp  Filesize 132KB
- memory/1768-77-0x0000000004DA0000-0x0000000004E06000-memory.dmp  Filesize 408KB
- memory/1768-73-0x00000000004A0000-0x00000000004AB000-memory.dmp  Filesize 44KB
- memory/1768-70-0x00000000013D0000-0x00000000013D1000-memory.dmp  Filesize 4KB
- memory/1768-67-0x0000000000000000-mapping.dmp