Overview

overview

10

Static

static

1

DOC PO155362A.xls

windows7-x64

10

DOC PO155362A.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    28/06/2023, 12:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC PO155362A.xls

  • Size

    2.1MB

  • MD5

    cc405078446d5ea6ce484877138cb735

  • SHA1

    aff96898f713888fc18d843729e3350f697ef8e0

  • SHA256

    5c6cc2867e0257627d62b4af6e6dd845321e31b383b26796fe82db3a8636ce91

  • SHA512

    c1999a61469e18500570e6a0e249e7f081d0c9db929bdc9bd71556da746386fe7e6831df7eeeb684be69829277603b729c1cdc9f155bb01c86dca3f9784cc113

  • SSDEEP

    49152:djH+MXV9Qp/in668MXxN757J+MXV9qp/in668MXxN757edNYKf:IEvyi5HhN79EEvEi5HhN79ez

Score
10/10
guloaderlokibotcollectiondiscoverydownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DOC PO155362A.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:836
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
      "C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
        "C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1640

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\267BF647.emf
          Filesize

          147KB

          MD5

          ec9b9448137d8577dab5b72374ee6847

          SHA1

          a7cf561c315645a8a42e1deb9de3ab83f0a06009

          SHA256

          60759889d8ee26a6f79aee664cfad13e61389b0488a31f4a0804eec8810de69e

          SHA512

          07945499b6af6dc3d5b96c1de779cf4a689170788311ae9adf3249daa4486502d3467daf4566f9dbbc7f156288299564754b709f76fb282f4ae426b069a8659e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34F87EED.emf
          Filesize

          1.4MB

          MD5

          6133d46413b5030ef0cc491bd686580c

          SHA1

          aacc826c0dc3084947f553029b2a5bee8f022f94

          SHA256

          31775e2b4c5e077b7cc2367813e2cbe804eaeed9c332ce918af8d77c645e6c52

          SHA512

          760a2eefd8beb43aea842f290e6c096d36e8ba9c0f38cd17fed82d0e7662384b569ab01fef8580fa7538c70aae9927165ecd33784d5b56d0659dd9f065139a7d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3950455397-3229124517-1686476975-1000\0f5007522459c86e95ffcc62f32308f1_367959e9-746e-4f36-9532-24b01d1269f0
          Filesize

          46B

          MD5

          d898504a722bff1524134c6ab6a5eaa5

          SHA1

          e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

          SHA256

          878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

          SHA512

          26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3950455397-3229124517-1686476975-1000\0f5007522459c86e95ffcc62f32308f1_367959e9-746e-4f36-9532-24b01d1269f0
          Filesize

          46B

          MD5

          c07225d4e7d01d31042965f048728a0a

          SHA1

          69d70b340fd9f44c89adb9a2278df84faa9906b7

          SHA256

          8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

          SHA512

          23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Ibs_pps.exe
          Filesize

          505KB

          MD5

          899eacd4bbe1ad8d2503a9aba92c685a

          SHA1

          e59e6641603f684c14f0d6bdb5475468586ade7f

          SHA256

          82c928bd012d1188bc38674fa48134723ff61a198a47a69b47e00c51efdaee0a

          SHA512

          a47d69ffc779e09e71adf3f672f6c7680aa051ee84484fe4712b8fde6de8558c604c2cbcb119a6a2ea401fde13e5f77057c3f36d4c937c51a32a1fa9ab8e916a

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nso98A9.tmp\System.dll
          Filesize

          11KB

          MD5

          a4dd044bcd94e9b3370ccf095b31f896

          SHA1

          17c78201323ab2095bc53184aa8267c9187d5173

          SHA256

          2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

          SHA512

          87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

          Download Submit

        • memory/684-81-0x0000000002F40000-0x0000000004B61000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/684-86-0x0000000002F40000-0x0000000004B61000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/836-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/836-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1640-85-0x0000000001470000-0x0000000003091000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/1640-104-0x0000000001470000-0x0000000003091000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/1640-103-0x0000000001470000-0x0000000003091000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/1640-102-0x0000000001470000-0x0000000003091000-memory.dmp

          Filesize

          28.1MB

          Download

        • memory/1640-87-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download

        • memory/1640-84-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

          Download