lokibot | 0d9a51628cb6ef7cfa6074d8c6e89f61e2321bfbb39b7ce9a2e2d1972e0e163e

Analysis

max time kernel
111s
max time network
103s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-20-02-2023.docx
Size

11KB
MD5

c94062b9a586d15cd884246aefb0a75b
SHA1

22a13b5db65f00a9e91e8c37e496df25b5276e77
SHA256

0d9a51628cb6ef7cfa6074d8c6e89f61e2321bfbb39b7ce9a2e2d1972e0e163e
SHA512

18c9d7f96317d483093b5966cadb82e45a2310eea351b54f928554bef8c439cfd454a5a9ba0e1fe3ea1322d798e4d3c5cb9ed7496c545af3e5d822ecdba36fdb
SSDEEP

192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCusiWVd:aNxUyn0i13LROEiOLkX6Ujnw+3VyVd

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://208.67.105.148/okuma/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1244 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1244	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625038/O--OO.DOC	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1544 vbc.exe
1624 vbc.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXE

pid process

1244 EQNEDT32.EXE
1244 EQNEDT32.EXE
1244 EQNEDT32.EXE
1244 EQNEDT32.EXE
1244 EQNEDT32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1544	vbc.exe
1624	vbc.exe

pid	process
1244	EQNEDT32.EXE
1244	EQNEDT32.EXE
1244	EQNEDT32.EXE
1244	EQNEDT32.EXE
1244	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1544 set thread context of 1624 1544 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1244 EQNEDT32.EXE

description	pid	process	target process
PID 1544 set thread context of 1624	1544	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1244	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

752 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1624 vbc.exe
Token: SeShutdownPrivilege 752 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

752 WINWORD.EXE
752 WINWORD.EXE

pid	process
752	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1624	vbc.exe
Token: SeShutdownPrivilege	752	WINWORD.EXE

pid	process
752	WINWORD.EXE
752	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1244 wrote to memory of 1544	1244	EQNEDT32.EXE	vbc.exe
PID 1244 wrote to memory of 1544	1244	EQNEDT32.EXE	vbc.exe
PID 1244 wrote to memory of 1544	1244	EQNEDT32.EXE	vbc.exe
PID 1244 wrote to memory of 1544	1244	EQNEDT32.EXE	vbc.exe
PID 752 wrote to memory of 320	752	WINWORD.EXE	splwow64.exe
PID 752 wrote to memory of 320	752	WINWORD.EXE	splwow64.exe
PID 752 wrote to memory of 320	752	WINWORD.EXE	splwow64.exe
PID 752 wrote to memory of 320	752	WINWORD.EXE	splwow64.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe
PID 1544 wrote to memory of 1624	1544	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-20-02-2023.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:320

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{16B091FB-3DF6-42A3-8A9D-A6A4D207775F}.FSD
Filesize
128KB

MD5
23939c07d655672a77bc761c27a8c181

SHA1
73ae2205a1861d5a64adfa5ac502cb0ddc4a3229

SHA256
1cb8073b9f8db73edfd8b4b39baea0ea585d6b18a6ebf563bd4798bc45f0ed80

SHA512
f70149c554c1208385994c76de6b5b7c30f6431c0060e6e4dd0165c89b6068639a988f2dd308630243e360958fd023352d17f96910af224231198422557f1cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
104005c01170d309813a409ff66b31d5

SHA1
f535215fd450483a4a52a8396a074920c869ecc8

SHA256
f06240d218058df30c4b05d6fa90bf70255ca139f463c0dd9a769998dfcc56bd

SHA512
617bbb7a6c27eebd0730de758bab473b37e4d133868cb69dbb5598287b7c6b313844bf225e7546fd136a325670617ed327c740213e99d4e48422cb6cbe663658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
fadc138eb9875d337b28ed39a0fb0b7f

SHA1
0586b6483fa3c49a3d4a21589e9961e6a75945b7

SHA256
dd941ae7d626c1d969bd0862ae60c7662da08a8e8ebc2193e03986f17ac380ac

SHA512
0b3250f2aecb865c78efa9cfcc73a60a51aff26bbad776c436a018c6d013c9c23a88fdaa095e95ae3c1944af8aa2d4a4d63577aad1a27848f3fa6b7263223bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{14D1A1FD-6852-4AEC-BF10-19CD9B5C8F80}.FSD
Filesize
128KB

MD5
02498d807165d40e7bb7b4596305d221

SHA1
76a0199cda0e5a57fa8ace80d88cbb41f9bfadee

SHA256
3e0ee6704db134098cc0528037179a747ae00023e3320961d097a502876b6597

SHA512
db758a344729743d149ec23cd8c472047742c206f9bc7f0167a56c89357a361c5f1a52254a027b15c9748edfa4e9d875e26099e951b547aa447559f65a47c488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB6YKGN8\O--OO[1].doc
Filesize
15KB

MD5
b889ba28933af645637ca6036ad1ccc2

SHA1
8d06387e577ef13546aab1c4888c3d9109e7da64

SHA256
f9f5920a5e9235d1ee4ed4a225f95654689cfd7fa34150672055a499ab13a25d

SHA512
923be81c2ec40d003b25b6d4087414a968676720122201d7aa372168f8680e5917f49870853a934670510c90ff78878e577e048070b9125bb520864f35ba5543

Download Submit
C:\Users\Admin\AppData\Local\Temp\{19A15DB8-E675-4A1E-AC79-E1F3062D85A3}
Filesize
128KB

MD5
e40184fbe55f748259be4d3d6484f88f

SHA1
f93fd61f6c41a9669c8ce946c889c73157b46c5e

SHA256
f590ac485401a6e80899edf6c24aa2280a165752b25cbe375ac84c1ade723378

SHA512
d53b9f4359bd6b34ed12e06ebcec17171848d9e40a1d63b5b0b50a18cf62538b4098654d1e39ac61acf26c27614cae669cc6c0a67e051273fb77334fe9c66fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
76e02470bd581ff47e75b958200c3cdf

SHA1
2975b5f64b634c635e581218c1f17a602d14da33

SHA256
21f50cfc73a0d4167f2896ab9d81d325b056fa92f7681c996f5702192eb98bc7

SHA512
4759eaa01cd1741a0ca0a7f491f8020f35f234a50d4f489ae45fcaf773b47fa81902632a61381cce0d25affbe22384070db37ba26574ebd45eea534b22883448

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
C:\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
C:\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
C:\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
\Users\Public\vbc.exe
Filesize
951KB

MD5
1bf9b73c459e8a0703e006716dd8222d

SHA1
33a7fee50dd8fb25b7fc21e5a4c49a3df201f7da

SHA256
8c76ca8a535aed705742cbf7619e7c5acff6e21c427d50bb4733d604536f909b

SHA512
d33f6ee0f40412852a015b7699fc8bab583c7b8ad71e207a6853304a9f09140632f8b9b65d21316b13c01830989bf4d1817a2b226fa2dc49e24016141c163da3

Download Submit
memory/752-216-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/752-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1544-153-0x0000000000830000-0x0000000000924000-memory.dmp

Filesize
976KB

Download
memory/1544-155-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1544-160-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/1544-170-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1544-171-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1544-172-0x0000000008030000-0x00000000080D8000-memory.dmp

Filesize
672KB

Download
memory/1544-173-0x00000000005E0000-0x0000000000604000-memory.dmp

Filesize
144KB

Download
memory/1624-175-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-178-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-179-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-180-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-177-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-183-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-184-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-188-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-176-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-174-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download