Analysis
max time kernel: 148s
max time network: 195s
platform: windows7_x64
resource: win7v20210408
submitted: 15-09-2021 06:13

Static task: static1
Behavioral task: behavioral1
  Sample: New Order List 16092021.xlsx
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: New Order List 16092021.xlsx
  Resource: win10-en
General
Target: New Order List 16092021.xlsx
Size: 590KB
MD5: 4a1d13469a6c817242e8b567bf34ab9a
SHA1: a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256: 65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
SHA512: a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8
Malware Config
Extracted family: lokibot
C2 URLs:
http://136.243.159.53/~element/page.php?id=475
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Note: the four kbfvzoboss.bid / alphastand.* URLs are the decoy addresses hard-coded into cracked LokiBot builds and turn up in nearly every sample; only the first URL (the operator's page.php endpoint) is this campaign's real check-in address and the one worth blocking or hunting on.
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Blocklisted process makes network request 1 IoCs
Processes:
  flow 6 | pid 320 | EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes:
  pid 284 | vbc.exe
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization. Both vbc.exe instances perform the check.
Processes:
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | vbc.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | vbc.exe
Loads dropped DLL 3 IoCs
Processes:
  pid 320 | EQNEDT32.EXE
  pid 320 | EQNEDT32.EXE
  pid 944 | vbc.exe
Uses the VBS compiler for execution 1 TTPs
Note: this signature fires on the file name alone. The dropped C:\Users\Public\vbc.exe (MD5 451e4cd68c69c2c8b8fc93ad02e8754a, see Downloads) is the downloaded payload that the Guloader/Cloudeye signature matches, named after the Visual Basic compiler; the genuine vbc.exe lives under the .NET Framework directory and is not what runs here.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
  pid 284 | vbc.exe
  pid 944 | vbc.exe
  pid 944 | vbc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 284 set thread context of 944 | vbc.exe -> vbc.exe
Taken together with the WriteProcessMemory events from 284 into 944, the MapViewOfSection activity in 284 and the fact that 944 is a second instance of the same image, this is the process-hollowing pattern: the first vbc.exe starts a suspended copy of itself, writes the decoded payload into it and redirects execution with SetThreadContext (the 944 dump taken at 0x004017AC is consistent with the redirected entry point). The final payload runs inside PID 944, not from the file on disk, so file-based scanning of vbc.exe alone does not see it.
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes:
  pid 320 | EQNEDT32.EXE (started with -Embedding; see the process tree)
Note: EQNEDT32.EXE is started through DCOM (the -Embedding switch), so it appears as a sibling of EXCEL.EXE rather than its child. Detections that key on EXCEL.EXE as the parent of EQNEDT32.EXE miss this chain; key on EQNEDT32.EXE spawning any child process or making network connections instead.

Modifies Internet Explorer settings 9 IoCs
Processes:
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Note: these MenuExt and Toolbar entries ("Send to OneNote", "Export to Microsoft Excel") are Office's own first-run browser-integration registration, written by EXCEL.EXE itself; they are benign noise on a fresh image, not attacker activity.
Modifies system certificate store 4 IoCs
Processes:
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | vbc.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | vbc.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | vbc.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … | vbc.exe
Note: the key name is the SHA1 thumbprint, and the DER certificate carried in the Blob (property 0x20) has subject C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA, serial 04:00:00:00:00:01:15:4b:5a:c3:94, valid 1998-09-01 to 2028-01-28; thumbprint B1BC968BD4F49D622AA89A81F2150152A41D829C is the public GlobalSign Root CA. AuthRoot is the store that Windows' automatic root-certificate update fills on demand the first time a chain is built to a root that is not yet cached, so on a fresh sandbox image this is the expected side effect of the payload's first HTTPS connection or signature check rather than the installation of an attacker-controlled root. Confirm the thumbprint against a trusted copy before dismissing it, and treat any AuthRoot or Root write whose thumbprint is not a known public CA as a real finding.
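To turn a registry write like the ones above into an answer ("which certificate, and does the value agree with the key name?"), the Blob has to be decoded. The following is an added example written for this page, not code from the sandbox vendor: it parses the Blob layout Windows uses (a sequence of records, each a little-endian DWORD property id, a reserved DWORD that is always 1, a DWORD length and the data, with property ids from wincrypt.h). The first input is an excerpt copied from this report's first Blob write (signature-hash, friendly-name and SHA1 records; the 889-byte certificate record is left out for length). The second input is a constructed blob with a stand-in certificate so that the DER-versus-thumbprint check can be exercised offline; the property names and the "Example Root" name are assumptions used only for the demonstration.

```python
r"""Decode the Blob value Windows stores under
HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>.

Added example, not from the original report. Record layout (DWORD propid,
DWORD reserved=1, DWORD length, data; little-endian) and the property
numbers are from wincrypt.h.
"""
from __future__ import annotations

import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # 20-byte thumbprint
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 0x20          # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob into {propid: data}. Raises ValueError on a malformed
    record instead of silently returning a partial result."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off - 8}")
        if off + cb > len(blob):
            raise ValueError(f"record {propid:#x} claims {cb} bytes, only {len(blob) - off} left")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def summarize(key_name: str, blob: bytes) -> dict:
    """What a responder wants from one registry write: which certificate it
    is, and whether the thumbprint property, the key name and the DER agree."""
    props = parse_blob(blob)
    out: dict = {"properties": sorted(props)}
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID)
    if name is not None:
        out["friendly_name"] = name.decode("utf-16-le").rstrip("\x00")
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID)
    out["sha1_property"] = sha1_prop.hex() if sha1_prop else None
    out["sha1_matches_key"] = sha1_prop is not None and sha1_prop.hex() == key_name.lower()
    der = props.get(CERT_CERT_PROP_ID)
    if der is not None:
        out["cert_sha1"] = hashlib.sha1(der).hexdigest()
        out["cert_matches_property"] = out["cert_sha1"] == out["sha1_property"]
    return out


def build_blob(records: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_blob; used here only to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Excerpt of the report's first Blob write (three records copied verbatim).
REPORT_KEY = "B1BC968BD4F49D622AA89A81F2150152A41D829C"
REPORT_EXCERPT = bytes.fromhex(
    "0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d"
    "0b000000010000001600000047006c006f00620061006c005300690067006e000000"
    "030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c"
)


def report_excerpt_summary() -> dict:
    return summarize(REPORT_KEY, REPORT_EXCERPT)


# Constructed blob with a stand-in "certificate" (not real DER) so the
# DER-vs-thumbprint check can run offline.
FAKE_DER = b"\x30\x82\x00\x10constructed-cert"
FAKE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()
FAKE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])


def constructed_summary(key_name: str = FAKE_KEY) -> dict:
    return summarize(key_name, FAKE_BLOB)


if __name__ == "__main__":
    print(report_excerpt_summary())
    print(constructed_summary())
    # sha1_matches_key == False means the value was not written through
    # CryptoAPI (e.g. a raw registry write), which is worth a closer look.
    print(constructed_summary("0" * 40)["sha1_matches_key"])
```

On the report's excerpt this yields friendly name "GlobalSign" and a thumbprint property equal to the key name; a value whose SHA1 property, key name and embedded DER disagree, or whose friendly name is not a CA you recognise, is the case that deserves escalation.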
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 1092 | EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid 284 | vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege | pid 944 | vbc.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid 1092 | EXCEL.EXE (5 events)
  pid 284 | vbc.exe (1 event)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 320 wrote to memory of 284 | EQNEDT32.EXE -> vbc.exe (4 events)
  PID 284 wrote to memory of 944 | vbc.exe -> vbc.exe (5 events)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (pid 1092, depth 1)
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Order List 16092021.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (pid 320, depth 1)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (pid 284, depth 2)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe (pid 944, depth 3)
      "C:\Users\Public\vbc.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
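The chain above (Excel, a DCOM-launched Equation Editor, a payload dropped to C:\Users\Public, and a second copy of that payload hollowed out by the first) is what a detection should key on, and the process tree plus the WriteProcessMemory and SetThreadContext tables give everything needed to express it. The following is an added example, not code from the sandbox or from this report: it encodes three rules over process-creation records and API-call records shaped like the tables on this page. The records are constructed to mirror this report's PIDs (1092, 320, 284, 944); the parent processes assumed for EXCEL.EXE (explorer.exe) and EQNEDT32.EXE (the DcomLaunch svchost) are not in the report and are assumptions. The hollowing rule deliberately requires SetThreadContext as well as WriteProcessMemory, because a parent writing into a child it has just created (as EQNEDT32.EXE does to PID 284) is what CreateProcess normally looks like.

```python
"""Triage the process activity a sandbox reports for an Office lure.

Added example, not part of the original report. Events are constructed from
this report's process tree and API tables; parent PIDs for EXCEL.EXE and
EQNEDT32.EXE are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    parent_pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    actor_pid: int   # process making the call
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    target_pid: int  # process the call is aimed at


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].upper()


def triage(procs: list[Proc], events: list[ApiEvent]) -> set[tuple[str, int]]:
    """Return (rule, pid) findings."""
    by_pid = {p.pid: p for p in procs}
    findings: set[tuple[str, int]] = set()

    for p in procs:
        parent = by_pid.get(p.parent_pid)
        # Rule 1: Equation Editor never spawns children in normal use. Keying on
        # EQNEDT32.EXE as the parent works even though EQNEDT32.EXE itself is
        # started by DCOM (-Embedding) and is not a child of Excel.
        if parent and image_name(parent.image) == "EQNEDT32.EXE":
            findings.add(("equation_editor_child", p.pid))
        # Rule 2: executables launched from C:\Users\Public, a world-writable
        # directory that Office-exploit droppers favour.
        if p.image.lower().startswith("c:\\users\\public\\"):
            findings.add(("public_dir_exec", p.pid))

    # Rule 3: process hollowing. Writing into a freshly created child is normal
    # CreateProcess behaviour, so also require SetThreadContext on the same
    # target and the target being a new instance of the actor's own image.
    wrote = {(e.actor_pid, e.target_pid) for e in events if e.api == "WriteProcessMemory"}
    ctx = {(e.actor_pid, e.target_pid) for e in events if e.api == "SetThreadContext"}
    for actor, target in wrote & ctx:
        a, t = by_pid.get(actor), by_pid.get(target)
        if a and t and t.parent_pid == a.pid and image_name(a.image) == image_name(t.image):
            findings.add(("process_hollowing", target))
    return findings


# Constructed from the report's process tree and API tables.
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
PROCS = [
    Proc(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),                       # assumed
    Proc(600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),  # assumed
    Proc(1092, 1000, OFFICE, f'"{OFFICE}" /dde "C:\\Users\\Admin\\AppData\\Local\\Temp\\New Order List 16092021.xlsx"'),
    Proc(320, 600, EQNEDT, f'"{EQNEDT}" -Embedding'),
    Proc(284, 320, VBC, f'"{VBC}"'),
    Proc(944, 284, VBC, f'"{VBC}"'),
]
EVENTS = [
    ApiEvent(320, "WriteProcessMemory", 284),  # ordinary child creation, not hollowing
    ApiEvent(284, "WriteProcessMemory", 944),
    ApiEvent(284, "SetThreadContext", 944),
]


def report_findings() -> set[tuple[str, int]]:
    return triage(PROCS, EVENTS)


if __name__ == "__main__":
    for rule, pid in sorted(report_findings()):
        print(f"{rule:24s} pid {pid}")
```

Run against the constructed records this flags PID 284 (child of Equation Editor, running from C:\Users\Public), PID 944 (running from C:\Users\Public, hollowed by 284) and nothing for the EQNEDT32.EXE-to-284 write on its own. Rule 1 is the one to deploy first: it needs only process-creation telemetry and does not depend on the Excel-to-Equation-Editor relationship that DCOM hides.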
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe; the report lists this one file five times with identical hashes)
MD5: 451e4cd68c69c2c8b8fc93ad02e8754a
SHA1: b87d041383fa59a21bff9666756efa2784282199
SHA256: e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b
SHA512: fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911
Memory dumps (file | size):
memory/284-73-0x0000000000380000-0x000000000038F000-memory.dmp | 60KB
memory/284-82-0x0000000077200000-0x00000000772D6000-memory.dmp | 856KB
memory/284-81-0x00000000771F0000-0x0000000077370000-memory.dmp | 1.5MB
memory/284-66-0x0000000000000000-mapping.dmp | (mapping)
memory/284-80-0x0000000077010000-0x00000000771B9000-memory.dmp | 1.7MB
memory/320-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp | 8KB
memory/944-79-0x0000000000400000-0x0000000000553000-memory.dmp | 1.3MB
memory/944-77-0x00000000004017AC-mapping.dmp | (mapping)
memory/944-83-0x00000000001B0000-0x00000000002B0000-memory.dmp | 1024KB
memory/944-87-0x0000000077010000-0x00000000771B9000-memory.dmp | 1.7MB
memory/944-88-0x0000000000401000-0x00000000004FD000-memory.dmp | 1008KB
memory/1092-72-0x0000000005D60000-0x00000000069AA000-memory.dmp | 12.3MB
memory/1092-71-0x0000000005D60000-0x00000000069AA000-memory.dmp | 12.3MB
memory/1092-60-0x000000002F7E1000-0x000000002F7E4000-memory.dmp | 12KB
memory/1092-70-0x0000000005D60000-0x00000000069AA000-memory.dmp | 12.3MB
memory/1092-62-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
memory/1092-61-0x0000000071091000-0x0000000071093000-memory.dmp | 8KB
memory/1092-84-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB