Analysis
-
max time kernel
150s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-03-2023 09:04
General
-
Target
NEW ORDER IMP.xls
-
Size
1.3MB
-
MD5
beff0a43acfbdadee4b778952a27cc28
-
SHA1
a4598522d27ec5027c3e9b29690c8e6392e5fe1a
-
SHA256
dc54de15c8615d5523ba7ef2debf9a93ff76661f5c2f6e6d9f5cb594e753ee3e
-
SHA512
8d376e2ae51ea9652ed27ed9b88486949a909dd23f96ecaa28b4c54e1a664cd648629afc326b4c8e18b6195311ddc1e5b832216de9be6504a1c53f9cb45bd9e6
-
SSDEEP
24576:5LKKWQmmav30xl+MXUl3bVt3bVE+MXUu9O3bVf+MXUu9t3bVr1FYVCnSGmV:5LKvQmmQ30b+MXe3bVt3bVE+MXV9O3bc
Malware Config
Extracted
lokibot
http://185.246.220.60/chang/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\NEW ORDER IMP.xls"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5fdebfd1c0d731bf56a398abeb7f221a5
SHA17864f45ca62bc727a332ded751442b99265e065f
SHA25619b8c1d2bffb4feac1bdeb2fb14d79ac6d50b4ceb566c1f3c8e233a088c30eb2
SHA5125747fd24d92139f6cfec2ee7832ab44af1daee3b1eedb98fec07e521e69a769ab1eebcc91feb94fe0292835bd32c034eca545b7422e75fb67d3c3653ae76d83e
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
654KB
MD5506b8329e83dc58c82c251756ca342b7
SHA15c1b8d5f41eb2ec5c5d77b2578fe1b88e7e4fff7
SHA256c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097
SHA5125857966d299434292ea1cb305a11abc1aa1e0706f0433a5cd2aa51e3c04302224bc3f9419c3a96d59943580dee4b1ba8cc3aa5db0d99701323cd9228029cde15
-
Filesize
136KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
48KB
-
Filesize
608KB
-
Filesize
80KB
-
Filesize
680KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
4KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB