Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18-01-2023 11:36

Static task: static1

Behavioral task: behavioral1
Sample: 22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda.rtf
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda.rtf
Resource: win10v2004-20220901-en
General
Target: 22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda.rtf
Size: 32KB
MD5: 06eaf94652a2911e162a9f2539068fde
SHA1: 0b5d67194a23ca8e383adea70805475b493e00b4
SHA256: 22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda
SHA512: 367d58564b4428e431a7aaa3ae65dd8686ee9660b09256817cd03471b64949970dc5937d2f5e94eb3a78c79467e5aa91536b89cfc9c558a8971ee40f39075a2d
SSDEEP: 768:gFx0XaIsnPRIa4fwJMi8kXCxQJnoncHdJBRLZ3Jt4xc:gf0Xvx3EMi8aDAiLt4K
Malware Config
Extracted family: lokibot
C2 URLs:
http://171.22.30.147/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
3     1792  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1548  kellyllerpru658.exe
1068  lpubwzrt.exe
1748  lpubwzrt.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1792  EQNEDT32.EXE
1548  kellyllerpru658.exe
1548  kellyllerpru658.exe
1068  lpubwzrt.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc                                                                                                                                        process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                       lpubwzrt.exe
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   lpubwzrt.exe
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                       lpubwzrt.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                           pid   process       target process
PID 1068 set thread context of 1748   1068  lpubwzrt.exe  lpubwzrt.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description                   ioc                                process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1008  WINWORD.EXE
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
1068  lpubwzrt.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1748  lpubwzrt.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
1008  WINWORD.EXE
1008  WINWORD.EXE
1008  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                        pid   process              target process
PID 1792 wrote to memory of 1548   1792  EQNEDT32.EXE         kellyllerpru658.exe
PID 1792 wrote to memory of 1548   1792  EQNEDT32.EXE         kellyllerpru658.exe
PID 1792 wrote to memory of 1548   1792  EQNEDT32.EXE         kellyllerpru658.exe
PID 1792 wrote to memory of 1548   1792  EQNEDT32.EXE         kellyllerpru658.exe
PID 1548 wrote to memory of 1068   1548  kellyllerpru658.exe  lpubwzrt.exe
PID 1548 wrote to memory of 1068   1548  kellyllerpru658.exe  lpubwzrt.exe
PID 1548 wrote to memory of 1068   1548  kellyllerpru658.exe  lpubwzrt.exe
PID 1548 wrote to memory of 1068   1548  kellyllerpru658.exe  lpubwzrt.exe
PID 1068 wrote to memory of 1748   1068  lpubwzrt.exe         lpubwzrt.exe
PID 1068 wrote to memory of 1748   1068  lpubwzrt.exe         lpubwzrt.exe
PID 1068 wrote to memory of 1748   1068  lpubwzrt.exe         lpubwzrt.exe
PID 1068 wrote to memory of 1748   1068  lpubwzrt.exe         lpubwzrt.exe
PID 1068 wrote to memory of 1748   1068  lpubwzrt.exe         lpubwzrt.exe
PID 1008 wrote to memory of 1228   1008  WINWORD.EXE          splwow64.exe
PID 1008 wrote to memory of 1228   1008  WINWORD.EXE          splwow64.exe
PID 1008 wrote to memory of 1228   1008  WINWORD.EXE          splwow64.exe
PID 1008 wrote to memory of 1228   1008  WINWORD.EXE          splwow64.exe
-
outlook_office_path 1 IoCs
Processes:
description  ioc                                                                                                                   process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  lpubwzrt.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc                                                                                                                                        process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   lpubwzrt.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda.rtf"
  PID: 1008
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1228

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 1792
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe
      Command line: "C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe"
      PID: 1548
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe" C:\Users\Admin\AppData\Local\Temp\dqzmvns.g
          PID: 1068
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe"
              PID: 1748
              - Executes dropped EXE
              - Accesses Microsoft Outlook profiles
              - Suspicious use of AdjustPrivilegeToken
              - outlook_office_path
              - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 124KB
MD5: 61abf3581a3e06a83eea49025d16fc93
SHA1: e12e72a053fc908c218172ede2eb0c8b341661d2
SHA256: f86753be7afbe8b3b89179dd283459b00914367c19bbd89a6fad112117af93c9
SHA512: c90d6220d935a879895d2480c4ed9d2506b2a28c8891e35790523a09e76965481aef7e6d30b634cdf49cb91640cf56257dcac0cb7b5e00f40777c67ff951d6a0
-
Filesize: 5KB
MD5: 1150f13d89e2a0154b11a2f20e9df7e6
SHA1: 5cf36041f5721c64dd8e1fa8ff25fd29c456eb25
SHA256: 496366e6c6d3a2b4e624962b0c97788c6b5a419963f4668a001fd6c1642e1c4c
SHA512: 8889c9b97dbc6b8d9b975c1320977d8c91697069b510f7fa65df97da211d5008f9a646ff98f9bbf21241bd7a76c5af81a742b817007b94f530f840c152382007
-
Filesize: 100KB
MD5: 7e0a3613230aaf331bc7afc9e46ba7c1
SHA1: d364d6b1cad9f4bef2518ed78ab66c55c411bcc4
SHA256: 83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9
SHA512: 06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d
-
Filesize: 418KB
MD5: 64756e8f5c253a58f8fc8e95a708f647
SHA1: 7e28c11a713061bcad93b8faf2e238a552668bee
SHA256: 59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3
SHA512: ae977d3ee77ad647f8ddd28bbf05c88c94afd07c188564065905618d4d74c3696c237e969bda2a0b1b5b1cf05744a914515b6bf7cb9d8ced55913ee7c5f742b0