Analysis

- max time kernel: 102s
- max time network: 94s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-07-2021 11:32
Static task: static1

Behavioral task: behavioral1
- Sample: AMOUNT RECIEPT.doc.xlsx
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: AMOUNT RECIEPT.doc.xlsx
- Resource: win10v20210408

The signatures, process tree and memory dumps below are from behavioral1 (win7v20210408), as the platform field and the behavioral1/ resource paths indicate.
General

- Target: AMOUNT RECIEPT.doc.xlsx (double extension; the file is an Excel document and was opened by EXCEL.EXE, see Processes)
- Size: 1.2MB
- MD5: a746a19a87ba1b76b2e453c0ac7131e9
- SHA1: 893dba0bd9b59d313207c3e91711988271306a8d
- SHA256: a60f5da18b43cee8b11581668df2284a37361f16f1994f21e2c9dab8e48f8298
- SHA512: f2ce5fa31859d2d4b9ba25cc29333eace054e58b5fae466fe3561137b6081a82c61dbce00e1cb0561b6e66f5934cbf517442a572563b0bf72c160c5e1b9dccec
Malware Config

Extracted
- Family: lokibot
- C2 URLs:
  http://185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
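To make the extracted configuration actionable, here is an added example (not part of the Triage report) that turns the C2 URLs above, together with the User-Agent string the "ET MALWARE LokiBot User-Agent (Charon/Inferno)" rule under Signatures is named after, into a matcher and runs it over proxy log lines. The log format, client IPs and timestamps are constructed for the example; matching is on host plus path so that case, port and query-string variations of a C2 URL still hit.

```python
"""Match proxy/web log lines against the LokiBot C2 URLs extracted above.

Added example for this report, not Triage output. The log format below is a
constructed one (timestamp, client IP, method, URL, quoted User-Agent); adapt
parse_line() to whatever your proxy actually emits.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's config (Malware Config above).
LOKIBOT_C2_URLS = [
    "http://185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# User-Agent that the "ET MALWARE LokiBot User-Agent (Charon/Inferno)" rule
# is named after; LokiBot check-ins send it verbatim.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed log line layout: <ts> <client> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def build_iocs(urls):
    """Reduce each C2 URL to (host, path); scheme, port and query are dropped
    so http://ALPHASTAND.WIN:8080/alien/fre.php?x=1 still matches."""
    iocs = set()
    for url in urls:
        parts = urlsplit(url)
        iocs.add((parts.hostname.lower(), parts.path))  # hostname is already lower-cased
    return iocs


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def match_log(lines, iocs, ua=LOKIBOT_UA):
    """Return (client, url, reasons) for each line touching a C2 indicator.
    'c2-url' is an exact host+path hit, 'c2-host' any other request to a C2
    host, 'lokibot-ua' the family's User-Agent regardless of destination."""
    c2_hosts = {host for host, _ in iocs}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped, not treated as clean
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        reasons = []
        if (host, parts.path) in iocs:
            reasons.append("c2-url")
        elif host in c2_hosts:
            reasons.append("c2-host")
        if rec["ua"] == ua:
            reasons.append("lokibot-ua")
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


# Constructed sample lines, not captured traffic. Two emulate the infected host
# checking in, one is a bare hit on a C2 domain, one is benign, and the last
# varies case, port and query string to show the normalisation.
SAMPLE_LOG = [
    '2021-07-28T11:33:01Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    '2021-07-28T11:33:02Z 10.0.0.5 POST http://185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz "Mozilla/4.08 (Charon; Inferno)"',
    '2021-07-28T11:35:10Z 10.0.0.7 GET http://alphastand.top/ "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '2021-07-28T11:36:00Z 10.0.0.9 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"',
    '2021-07-28T11:37:45Z 10.0.0.11 GET http://ALPHASTAND.WIN:8080/alien/fre.php?x=1 "curl/7.68.0"',
]

if __name__ == "__main__":
    for client, url, reasons in match_log(SAMPLE_LOG, build_iocs(LOKIBOT_C2_URLS)):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The first two lines trip both the URL and User-Agent checks, the alphastand.top request is flagged on host alone, example.com is left alone, and the upper-cased, non-default-port request still matches on host plus path.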
Signatures

- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  resource: behavioral1/memory/1648-78-0x00000000001D0000-0x00000000001DB000-memory.dmp, yara_rule: CustAttr
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 804, process EQNEDT32.EXE
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 1648 vbc.exe; pid 2024 vbc.exe
- Loads dropped DLL (4 IoCs)
  pid 804 EQNEDT32.EXE (4 events)
- Uses the VBS compiler for execution (1 TTP)
  Note that the vbc.exe in this run is the dropped file C:\Users\Public\vbc.exe, named after the Visual Basic compiler that ships in the .NET Framework directory; the path, not the file name, is what distinguishes it.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1648 (vbc.exe) set thread context of PID 2024 (vbc.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  All entries are written by EXCEL.EXE (PID 2008) and point at Office's own components (ONBttnIE.dll and EXCEL.EXE under Office14), i.e. normal Office housekeeping rather than payload activity.
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2008 EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2024 vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2008 EXCEL.EXE (3 events)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 804 (EQNEDT32.EXE) wrote to memory of PID 1648 (vbc.exe): 4 events
  PID 1648 (vbc.exe) wrote to memory of PID 2024 (vbc.exe): 10 events
Processes

- EXCEL.EXE (PID 2008), depth 1
  Path: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AMOUNT RECIEPT.doc.xlsx"
  Signatures: Enumerates system info in registry; Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

- EQNEDT32.EXE (PID 804), depth 1
  Path: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures: Blocklisted process makes network request; Loads dropped DLL; Launches Equation Editor; Suspicious use of WriteProcessMemory
  The -Embedding flag marks a COM activation: Equation Editor sits at the same depth as EXCEL.EXE rather than under it, so parent/child rules keyed on Office spawning a process do not see this chain.

  - vbc.exe (PID 1648), depth 2, child of EQNEDT32.EXE
    Path: C:\Users\Public\vbc.exe
    Command: "C:\Users\Public\vbc.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

    - vbc.exe (PID 2024), depth 3, child of vbc.exe (PID 1648)
      Path: C:\Users\Public\vbc.exe
      Command: "C:\Users\Public\vbc.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
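The process tree above is the part of this report that translates most directly into endpoint detection: Equation Editor must never spawn a process, nothing should execute from C:\Users\Public, and a binary launching a second copy of itself before writing into it and calling SetThreadContext is the hollowing pattern that PIDs 1648 and 2024 show. The following added example (not Triage output) encodes those rules over Sysmon-style process-creation events. The events are constructed: the PIDs, images and command lines of EXCEL.EXE, EQNEDT32.EXE and both vbc.exe instances follow the report, while the parents of EXCEL.EXE (explorer.exe) and EQNEDT32.EXE (svchost.exe, DcomLaunch) and the benign MSBuild/vbc.exe pair are assumptions added for contrast.

```python
"""Detection logic over Sysmon-style process-creation events, modelled on the
process tree in this report. Added example, not Triage output.

Events are constructed: PIDs and images of EXCEL.EXE, EQNEDT32.EXE and the
two vbc.exe instances follow the report; the parents of EXCEL.EXE and
EQNEDT32.EXE and the benign MSBuild/vbc.exe pair are assumptions.
"""
import ntpath

EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2008, "ppid": 1200,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 620, "ppid": 500, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 804, "ppid": 620,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 1648, "ppid": 804, "image": r"C:\Users\Public\vbc.exe"},
    {"pid": 2024, "ppid": 1648, "image": r"C:\Users\Public\vbc.exe"},
    # Benign contrast (assumed): the real VB compiler run by MSBuild.
    {"pid": 3000, "ppid": 1200,
     "image": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"},
    {"pid": 3100, "ppid": 3000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"},
]

# Lower-cased path prefixes. USER_WRITABLE is a starting point, not exhaustive.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_name(ev):
    """File name of the event's image, lower-cased (ntpath handles '\\' on any OS)."""
    return ntpath.basename(ev["image"]).lower()


def ancestors(ev, by_pid):
    """Walk the parent chain; stops on a missing parent or a PID cycle."""
    seen = {ev["pid"]}
    parent = by_pid.get(ev["ppid"])
    while parent is not None and parent["pid"] not in seen:
        yield parent
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])


def evaluate(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        img = ev["image"].lower()
        name = image_name(ev)
        parent = by_pid.get(ev["ppid"])
        reasons = []
        # Equation Editor should not be running at all on a patched estate.
        if name == "eqnedt32.exe":
            reasons.append("equation-editor-launched")
        # ...and must never spawn anything; check the direct parent, then the
        # ancestry, so the hollowed grandchild (PID 2024) is still tied to it.
        if parent is not None and image_name(parent) == "eqnedt32.exe":
            reasons.append("spawned-by-equation-editor")
        elif any(image_name(a) == "eqnedt32.exe" for a in ancestors(ev, by_pid)):
            reasons.append("descends-from-equation-editor")
        if img.startswith(USER_WRITABLE):
            reasons.append("exec-from-user-writable-dir")
        # Name masquerade: vbc.exe outside the .NET Framework tree.
        if name == "vbc.exe" and "\\microsoft.net\\framework" not in img:
            reasons.append("vbc.exe-outside-dotnet-dir")
        # A process launching its own image from an untrusted path is the
        # set-up for SetThreadContext-based hollowing (PID 1648 -> 2024).
        if parent is not None and parent["image"].lower() == img and not img.startswith(TRUSTED):
            reasons.append("self-spawn-untrusted-path")
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(evaluate(EVENTS).items()):
        print(pid, ", ".join(reasons))
```

Run as is, it flags PID 804 for the Equation Editor launch, PID 1648 on three rules and PID 2024 on four (including the ancestry and self-spawn rules), while the legitimate vbc.exe under MSBuild stays clean. The ancestry walk is what matters operationally: a rule that only inspects the immediate parent would attribute PID 2024 to a harmless-looking vbc.exe parent and lose the link to EQNEDT32.EXE.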
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Public\vbc.exe (dropped executable; the report records it seven times, three as C:\Users\Public\vbc.exe and four as \Users\Public\vbc.exe, all with identical hashes)
  MD5: e9f578801e3b556fd931a599d38c58db
  SHA1: 44219833ea565412d607cdbc0317ee2331333f9b
  SHA256: 0e4f0d2e0d90b452f22fc886ba7a35ffe11f2645360161a19230562689d43dba
  SHA512: 9f50028cfa79bf04592a900b77f04c9ce2899481fefc7aeebb7b17700025f6909b7ca50162937fd54f3428f16048bf451cebd11a9e9965f42b652bc0f4a9b3a3
- memory/804-63-0x00000000760B1000-0x00000000760B3000-memory.dmp: 8KB
- memory/1648-73-0x0000000000490000-0x0000000000491000-memory.dmp: 4KB
- memory/1648-78-0x00000000001D0000-0x00000000001DB000-memory.dmp: 44KB
- memory/1648-80-0x00000000004E0000-0x0000000000501000-memory.dmp: 132KB
- memory/1648-71-0x00000000012A0000-0x00000000012A1000-memory.dmp: 4KB
- memory/1648-79-0x0000000004EF0000-0x0000000004F51000-memory.dmp: 388KB
- memory/1648-68-0x0000000000000000-mapping.dmp
- memory/2008-74-0x00000000058D0000-0x00000000058D3000-memory.dmp: 12KB
- memory/2008-77-0x00000000058D7000-0x00000000058DA000-memory.dmp: 12KB
- memory/2008-76-0x00000000058D5000-0x00000000058D7000-memory.dmp: 8KB
- memory/2008-75-0x00000000058D3000-0x00000000058D5000-memory.dmp: 8KB
- memory/2008-60-0x000000002FE31000-0x000000002FE34000-memory.dmp: 12KB
- memory/2008-62-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/2008-61-0x0000000071141000-0x0000000071143000-memory.dmp: 8KB
- memory/2008-86-0x000000005FFF0000-0x0000000060000000-memory.dmp: 64KB
- memory/2024-82-0x00000000004139DE-mapping.dmp
- memory/2024-81-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB
- memory/2024-85-0x0000000000400000-0x00000000004A2000-memory.dmp: 648KB