lokibot | cde127d66368c03e3e6b564eb4b28ad03314ad956d4f8e4eda1b5d9f35910674

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO19-003219.docx
Size

10KB
MD5

9d29fe2f2a17ed895175dd589f28179c
SHA1

fca9f01cb1f2671731316052c4f681b22a8b458e
SHA256

cde127d66368c03e3e6b564eb4b28ad03314ad956d4f8e4eda1b5d9f35910674
SHA512

2acc073048ce529eca1853c6b9e9602787ac6cc9034c7cd7e2256fd837ee2d0c14d7e7b6840b41a805b26ba35c7a8f4018075a21afb2f80a8c9100112da8d345
SSDEEP

192:ScIMmtP8ar5G/bfIdTOBnT8namWBX8ex6y3vkLN:SPXt4ATOVT8nosM85

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1728 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exegriomhv.exegriomhv.exe

pid process

1852 vbc.exe
316 griomhv.exe
848 griomhv.exe

flow	pid	process
7	1728	EQNEDT32.EXE

pid	process
1852	vbc.exe
316	griomhv.exe
848	griomhv.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://392097655/_--00_o______---0o0_00_0oo_0-o_o0-__________o0o-__________/ozzwerdfdghjfdggsahfhfghf.doc	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exegriomhv.exe

pid process

1728 EQNEDT32.EXE
1852 vbc.exe
1852 vbc.exe
316 griomhv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1728	EQNEDT32.EXE
1852	vbc.exe
1852	vbc.exe
316	griomhv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

griomhv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	griomhv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	griomhv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	griomhv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

griomhv.exe

description pid process target process

PID 316 set thread context of 848 316 griomhv.exe griomhv.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1728 EQNEDT32.EXE

description	pid	process	target process
PID 316 set thread context of 848	316	griomhv.exe	griomhv.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1728	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

griomhv.exe

pid process

316 griomhv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

griomhv.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 848 griomhv.exe
Token: SeShutdownPrivilege 900 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

900 WINWORD.EXE
900 WINWORD.EXE

pid	process
900	WINWORD.EXE

pid	process
316	griomhv.exe

description	pid	process
Token: SeDebugPrivilege	848	griomhv.exe
Token: SeShutdownPrivilege	900	WINWORD.EXE

pid	process
900	WINWORD.EXE
900	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEgriomhv.exe

description	pid	process	target process
PID 1728 wrote to memory of 1852	1728	EQNEDT32.EXE	vbc.exe
PID 1728 wrote to memory of 1852	1728	EQNEDT32.EXE	vbc.exe
PID 1728 wrote to memory of 1852	1728	EQNEDT32.EXE	vbc.exe
PID 1728 wrote to memory of 1852	1728	EQNEDT32.EXE	vbc.exe
PID 1852 wrote to memory of 316	1852	vbc.exe	griomhv.exe
PID 1852 wrote to memory of 316	1852	vbc.exe	griomhv.exe
PID 1852 wrote to memory of 316	1852	vbc.exe	griomhv.exe
PID 1852 wrote to memory of 316	1852	vbc.exe	griomhv.exe
PID 900 wrote to memory of 1612	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1612	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1612	900	WINWORD.EXE	splwow64.exe
PID 900 wrote to memory of 1612	900	WINWORD.EXE	splwow64.exe
PID 316 wrote to memory of 848	316	griomhv.exe	griomhv.exe
PID 316 wrote to memory of 848	316	griomhv.exe	griomhv.exe
PID 316 wrote to memory of 848	316	griomhv.exe	griomhv.exe
PID 316 wrote to memory of 848	316	griomhv.exe	griomhv.exe
PID 316 wrote to memory of 848	316	griomhv.exe	griomhv.exe

outlook_office_path 1 IoCs

Processes:

griomhv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	griomhv.exe

outlook_win_path 1 IoCs

Processes:

griomhv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	griomhv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO19-003219.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1612

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\griomhv.exe
"C:\Users\Admin\AppData\Local\Temp\griomhv.exe" C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\griomhv.exe
"C:\Users\Admin\AppData\Local\Temp\griomhv.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
C:\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
C:\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocezwxbaws.tnb
Filesize
5KB

MD5
736c032772b93b60ae1e2067052cadb1

SHA1
a7e78bc73ce87b809a3d37653f1922720b183114

SHA256
d4ee48c3fafdea592df4f1de273497e2a15e0a86fa45d5608f61f6d764049ccd

SHA512
ba175ed6e56513877d0ba31e38e351927319d5db57ddaeb52b960b55660cf6414af5b1c19cf059eb3048b0e080f3b0bdb8abedd61c96a02552d5980f326d4b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulamxtxdx.dn
Filesize
124KB

MD5
22286bcaafac73cc45e5d1cf19945c42

SHA1
b6b687b63da60b27a08547ab631b98496e00319f

SHA256
6b0abe65ad494fd2a39e1ed8799e60a45e3ebeb72136adca4eeeb575ec897c1e

SHA512
c16ff1af55bbde8bd07c7d252595c7778fe97284d9927ea5b441e4aef4e31df3f23187c501f22d8a294bbe21422a1715363b026eb41fff7a1a5b3d67f0412f7c

Download Submit
C:\Users\Public\vbc.exe
Filesize
354KB

MD5
58dbd12561b26a53ecf30b37a0c4060d

SHA1
3e1c7d108c4d672b2bf226727485a163a8fa70a9

SHA256
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430

SHA512
d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d

Download Submit
C:\Users\Public\vbc.exe
Filesize
354KB

MD5
58dbd12561b26a53ecf30b37a0c4060d

SHA1
3e1c7d108c4d672b2bf226727485a163a8fa70a9

SHA256
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430

SHA512
d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d

Download Submit
\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
\Users\Admin\AppData\Local\Temp\griomhv.exe
Filesize
50KB

MD5
1e615c9c0c88c482c37312c4d4dd21ad

SHA1
d39ff54b50c39a65aab93ba6c2f0973352acc17c

SHA256
f95916898fe7344320b8b8e48ed7a02ec4b4093772be338da5dd3d4ba4326397

SHA512
c179195f66f889fd9467deffb10d4cc32e12c3d121079a173d991549bb43cce096892c13892cf25be4e0c0c1545c1d0f3d2eabdaeb38ed5bec9664b363236496

Download Submit
\Users\Public\vbc.exe
Filesize
354KB

MD5
58dbd12561b26a53ecf30b37a0c4060d

SHA1
3e1c7d108c4d672b2bf226727485a163a8fa70a9

SHA256
adc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430

SHA512
d83112639e95ea70a98dadb4d6875536380c45baec9d6b4dd00dd0b7d9dee8a1e68611fdd43820d5f0cca9591a47a2e5fa7d0f56e5b4d80d286f37e0d311d92d

Download Submit
memory/316-68-0x0000000000000000-mapping.dmp

Download
memory/848-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/848-80-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/848-77-0x00000000004139DE-mapping.dmp

Download
memory/900-54-0x0000000072A71000-0x0000000072A74000-memory.dmp

Filesize
12KB

Download
memory/900-58-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/900-57-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/900-55-0x00000000704F1000-0x00000000704F3000-memory.dmp

Filesize
8KB

Download
memory/900-59-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/900-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/900-83-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/1612-72-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/1612-71-0x0000000000000000-mapping.dmp

Download
memory/1852-62-0x0000000000000000-mapping.dmp

Download