Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
28-07-2021 00:53
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Quotation.xlsx
Resource
win10v20210410
General
-
Target
Quotation.xlsx
-
Size
1.2MB
-
MD5
7d4d448a7d403b6d949868b89edc010d
-
SHA1
99c431853b504296c448035ba44d38426572063a
-
SHA256
e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082
-
SHA512
56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9
Malware Config
Extracted
lokibot
http://manvim.co/fd14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
Processes:
resource yara_rule behavioral1/memory/760-77-0x0000000000540000-0x000000000054B000-memory.dmp CustAttr -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 6 1996 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 760 vbc.exe 1008 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1996 EQNEDT32.EXE 1996 EQNEDT32.EXE 1996 EQNEDT32.EXE 1996 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 760 set thread context of 1008 760 vbc.exe vbc.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 784 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1008 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
EQNEDT32.EXEvbc.exedescription pid process target process PID 1996 wrote to memory of 760 1996 EQNEDT32.EXE vbc.exe PID 1996 wrote to memory of 760 1996 EQNEDT32.EXE vbc.exe PID 1996 wrote to memory of 760 1996 EQNEDT32.EXE vbc.exe PID 1996 wrote to memory of 760 1996 EQNEDT32.EXE vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe PID 760 wrote to memory of 1008 760 vbc.exe vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xlsx1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
C:\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
C:\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
\Users\Public\vbc.exeMD5
f5ee0c1e0e3dce98edc75024d9dc0d8a
SHA188a12fc23d3563d7b3077111da551fc00fbb464a
SHA256bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8
SHA512e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272
-
memory/760-73-0x0000000004340000-0x0000000004341000-memory.dmpFilesize
4KB
-
memory/760-77-0x0000000000540000-0x000000000054B000-memory.dmpFilesize
44KB
-
memory/760-79-0x00000000005B0000-0x00000000005D1000-memory.dmpFilesize
132KB
-
memory/760-78-0x0000000004E20000-0x0000000004E85000-memory.dmpFilesize
404KB
-
memory/760-71-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/760-68-0x0000000000000000-mapping.dmp
-
memory/784-60-0x000000002FCF1000-0x000000002FCF4000-memory.dmpFilesize
12KB
-
memory/784-75-0x00000000060B0000-0x0000000006CFA000-memory.dmpFilesize
12.3MB
-
memory/784-76-0x00000000060B0000-0x0000000006CFA000-memory.dmpFilesize
12.3MB
-
memory/784-74-0x00000000060B0000-0x0000000006CFA000-memory.dmpFilesize
12.3MB
-
memory/784-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/784-61-0x0000000071091000-0x0000000071093000-memory.dmpFilesize
8KB
-
memory/784-85-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1008-81-0x00000000004139DE-mapping.dmp
-
memory/1008-80-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1008-84-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1996-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmpFilesize
8KB