lokibot | 0fc64d847655fe5a6f90a06fbb2ca5f5e4848701c4f18c1d2cda39aca390952e

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RE PO02366.docx
Size

10KB
MD5

352573ea247c865918062df15a57fd90
SHA1

69699e27cfc37916b60c5b63340c550f1750810d
SHA256

0fc64d847655fe5a6f90a06fbb2ca5f5e4848701c4f18c1d2cda39aca390952e
SHA512

8ef10f279da88da64d69d58843d875d4d922438e09eb3896a2392ebc91b1b9dcca27fa3acaba52cc2d0403c365dac139a583378cd4ecdcc41471e7227ad13f8b
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4OUdVuus+1pReDnc37yCdt:SPX+si10ni4OiVMyeDnMuCr

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://208.67.105.148/sung/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 924 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	924	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://3235029245/OO-OO-OO.DOC	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 6 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1756 vbc.exe
1832 vbc.exe
1812 vbc.exe
1828 vbc.exe
1892 vbc.exe
1612 vbc.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXE

pid process

924 EQNEDT32.EXE
924 EQNEDT32.EXE
924 EQNEDT32.EXE
924 EQNEDT32.EXE
924 EQNEDT32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1756	vbc.exe
1832	vbc.exe
1812	vbc.exe
1828	vbc.exe
1892	vbc.exe
1612	vbc.exe

pid	process
924	EQNEDT32.EXE
924	EQNEDT32.EXE
924	EQNEDT32.EXE
924	EQNEDT32.EXE
924	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1756 set thread context of 1612 1756 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

924 EQNEDT32.EXE

description	pid	process	target process
PID 1756 set thread context of 1612	1756	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
924	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2016 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

vbc.exe

pid process

1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
1756 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1756 vbc.exe
Token: SeDebugPrivilege 1612 vbc.exe
Token: SeShutdownPrivilege 2016 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2016 WINWORD.EXE
2016 WINWORD.EXE

pid	process
2016	WINWORD.EXE

pid	process
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe
1756	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1756	vbc.exe
Token: SeDebugPrivilege	1612	vbc.exe
Token: SeShutdownPrivilege	2016	WINWORD.EXE

pid	process
2016	WINWORD.EXE
2016	WINWORD.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 924 wrote to memory of 1756	924	EQNEDT32.EXE	vbc.exe
PID 924 wrote to memory of 1756	924	EQNEDT32.EXE	vbc.exe
PID 924 wrote to memory of 1756	924	EQNEDT32.EXE	vbc.exe
PID 924 wrote to memory of 1756	924	EQNEDT32.EXE	vbc.exe
PID 2016 wrote to memory of 1616	2016	WINWORD.EXE	splwow64.exe
PID 2016 wrote to memory of 1616	2016	WINWORD.EXE	splwow64.exe
PID 2016 wrote to memory of 1616	2016	WINWORD.EXE	splwow64.exe
PID 2016 wrote to memory of 1616	2016	WINWORD.EXE	splwow64.exe
PID 1756 wrote to memory of 1832	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1832	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1832	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1832	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1812	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1812	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1812	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1812	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1828	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1828	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1828	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1828	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1892	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1892	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1892	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1892	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe
PID 1756 wrote to memory of 1612	1756	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RE PO02366.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1616

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1832

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1812

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1828

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1892

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FB18CB5E-E65C-47E2-A617-3285658E63B3}.FSD
Filesize
128KB

MD5
9a70af619a8080c02ce54f610fd1b5bb

SHA1
dcb24cba40ba306fbdb8716ea94c6300f6901d1b

SHA256
fc6721ed809b91b21b5c7013591aa090c99e6dd27901be87d3e0ab4ee181f3d0

SHA512
faca554477336bf0a17528215e0b063ed4e34c79b28425201a5f532462852da98c63b6f73ea59a6913336690cc506665ea27da5aa30c3aac5103e10e66cbc347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
6278d74fd51e9b07f006c296e8cf40a6

SHA1
5be082522a0b01a8369659f04d9f1a6dcbf6d38a

SHA256
90598574e4634262a2b438f7c99aac7188a83f06470088db40f29a98add0601f

SHA512
9f8ff6a0e4a4d88a0743f5da24b0f99d87afafdb38180611f27f278ccba7d5acacd47e1040d007e5128168048e548d822672def64af0f4d5fe801110cd9c02d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\OO-OO-OO[1].doc
Filesize
13KB

MD5
12592e047d6a24925a0f71e84618c828

SHA1
d808fc6c513b301f65ff83ca258ed83d04bc3ce0

SHA256
8952a605589e5137455aa1b31c6d3be650f920dc090e82e090e3951e249d6acc

SHA512
3e598a3f6783c46ae4f71aa3c07a3519a2a71522607063390618faede79235a0c7070b49b2ba9a8de92c0770beb2ece2c769f6d8983b64ccaddca073557d6192

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D26A27C0-A766-44F9-96B0-CC2BF6ADCAC7}
Filesize
128KB

MD5
735e9bc0fa888919616b58475a8a1bf2

SHA1
18eb1fdf65135a246a554f478b1b68cfa4702396

SHA256
58bd2cdc46a54bb79b65df20f9680fe424a6ca5b8a6c3417f29f54dfc950d611

SHA512
2d01abaf2099c7939c96907c514c95ed4225fa5b4ea252aaa307a83634bf362f3a9133dc39c0bd91b7eece89bd6ce1f5db5fbc259e1d7e13d2c358da69ceeb26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
e8e662a0a48ea03170d1fd4e8a9dd848

SHA1
eb8f97e4f1cd06ce07596fc8e5a17f67d42d2dea

SHA256
84d452418b9cd212f2249860faf5b250662820c22f33fb27a5268356a09a7a38

SHA512
a209fd98c67f930b14ca12ea177494a1cbba5bc0ba18778567f43791bb2dee0090c1d3fdb8e88f64810464b59bb1ffcc9d02474914ab39bf0bd0a989d56d3371

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
C:\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
\Users\Public\vbc.exe
Filesize
847KB

MD5
04c980db0dbdf3b2a2b93e02a1797754

SHA1
49046b40bba2937ff84dce8a63d8793279a64c43

SHA256
bf53b54b9edea2783c305fa6d1fd87e298b4d4506c587068dd6e6dd268c80424

SHA512
54cdc011152815d8950a832add0448927d25450d38cd1d079ebf8936d2229a9d4c757b88b4871ccfaa8c23f7708c3fe6f3f7b2ece9eae75c4820786e5af125db

Download Submit
memory/1612-172-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-173-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-184-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-179-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-178-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-175-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-169-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-170-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-171-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1612-174-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1756-155-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1756-156-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/1756-164-0x0000000000720000-0x0000000000742000-memory.dmp

Filesize
136KB

Download
memory/1756-161-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/1756-162-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1756-163-0x00000000077F0000-0x0000000007898000-memory.dmp

Filesize
672KB

Download
memory/1756-153-0x0000000000110000-0x00000000001EA000-memory.dmp

Filesize
872KB

Download
memory/2016-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2016-211-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download