lokibot | 15479d24a288ccce5ac421de34259518026761dde5f452bc1756fb557b09cfee

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseXOrderXNo.4036041334.docx
Size

16KB
MD5

e1d91cae0bc5e4510f6a07c38ed9db1f
SHA1

0d1288b1c6ca2e30910712c5e0d881a8b54caaa2
SHA256

15479d24a288ccce5ac421de34259518026761dde5f452bc1756fb557b09cfee
SHA512

37a8b983183ba1acba1254b3c323d8a1becace5a0d305ed977fa2f85df93184b5a24c57b861a8952a808b1932ce75353133b5a30fff218d382caf23227215d8b
SSDEEP

384:tyXLyi0WVs8PL8wi4OEwH8TIbE91r2fRXJYsvi1x3egCy:tcLm65P3DOqnYJ5Zvcx3eg7

Score

10^/10

lokibot collection execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2352	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe
844	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 3 IoCs

pid	Process
2328	alpha87654.scr
968	alpha87654.scr
892	alpha87654.scr

Loads dropped DLL 1 IoCs

pid	Process
2352	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	alpha87654.scr
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	alpha87654.scr
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	alpha87654.scr

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 892	2328	alpha87654.scr	42

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2352	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1356	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2128	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2328	alpha87654.scr
2328	alpha87654.scr
2328	alpha87654.scr
2328	alpha87654.scr
2496	powershell.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	alpha87654.scr
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	892	alpha87654.scr
Token: SeShutdownPrivilege	2128	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2128	WINWORD.EXE
2128	WINWORD.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2328	2352	EQNEDT32.EXE	30
PID 2352 wrote to memory of 2328	2352	EQNEDT32.EXE	30
PID 2352 wrote to memory of 2328	2352	EQNEDT32.EXE	30
PID 2352 wrote to memory of 2328	2352	EQNEDT32.EXE	30
PID 2128 wrote to memory of 1868	2128	WINWORD.EXE	34
PID 2128 wrote to memory of 1868	2128	WINWORD.EXE	34
PID 2128 wrote to memory of 1868	2128	WINWORD.EXE	34
PID 2128 wrote to memory of 1868	2128	WINWORD.EXE	34
PID 2328 wrote to memory of 2496	2328	alpha87654.scr	35
PID 2328 wrote to memory of 2496	2328	alpha87654.scr	35
PID 2328 wrote to memory of 2496	2328	alpha87654.scr	35
PID 2328 wrote to memory of 2496	2328	alpha87654.scr	35
PID 2328 wrote to memory of 844	2328	alpha87654.scr	37
PID 2328 wrote to memory of 844	2328	alpha87654.scr	37
PID 2328 wrote to memory of 844	2328	alpha87654.scr	37
PID 2328 wrote to memory of 844	2328	alpha87654.scr	37
PID 2328 wrote to memory of 1356	2328	alpha87654.scr	38
PID 2328 wrote to memory of 1356	2328	alpha87654.scr	38
PID 2328 wrote to memory of 1356	2328	alpha87654.scr	38
PID 2328 wrote to memory of 1356	2328	alpha87654.scr	38
PID 2328 wrote to memory of 968	2328	alpha87654.scr	41
PID 2328 wrote to memory of 968	2328	alpha87654.scr	41
PID 2328 wrote to memory of 968	2328	alpha87654.scr	41
PID 2328 wrote to memory of 968	2328	alpha87654.scr	41
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42
PID 2328 wrote to memory of 892	2328	alpha87654.scr	42

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	alpha87654.scr

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	alpha87654.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PurchaseXOrderXNo.4036041334.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1868

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\alpha87654.scr
  "C:\Users\Admin\AppData\Roaming\alpha87654.scr"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\alpha87654.scr"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JngWsweB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JngWsweB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C43.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1356
- - C:\Users\Admin\AppData\Roaming\alpha87654.scr
    "C:\Users\Admin\AppData\Roaming\alpha87654.scr"
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Users\Admin\AppData\Roaming\alpha87654.scr
    "C:\Users\Admin\AppData\Roaming\alpha87654.scr"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c295ff9474d8d4c59ea69a634ad76f9d

SHA1
4924175e331b7958b051709c18d42589236d5ea7

SHA256
7edb5d566fb6cc7b6204b5015e1f70723c05f6fcbaa9808116eacd463e515ad0

SHA512
f9841bb6a75cf33a9fdc82f90e5e141682310b37fde79e51370369008955fad71c018df965882649253b9faa95e100b84c16b4cae6923ba938378dd590e2775f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6de31b12ce3b142fc30dcd9bd45a78a

SHA1
962b8e1ef7c9e993c4fbfbcbbc8fe9022e02d192

SHA256
5ac9c1c0aced9767b989ca38a2fa7dedad092563fc622e1e82186bafd00f8060

SHA512
243aa84520c17bcdfd042fdcb248dab5900589b6a2c9e64249051f91d8ce02e25ad3b2f96d4c5ff82af6d5d5aacfcca25d76fcf5313066def7fa7dc7be9d33b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
054a438217a547101b6c81e6453c52c6

SHA1
74922875fd4efde34aa8e0b88d2d0b0be05847d6

SHA256
530157c13400a1b3025a6d9aaff6671178a623d7bdb4a80040b594f24b98e207

SHA512
e49ff11879408a024fb5a98330866a5b54110ed32caad2635a07e8d1cf4429f12593aebb7cfd67d2b5ffb341c97f03b1c5c548dc8f6691cbcf621378c3e8a255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0C509573-85C5-4C45-B4ED-2D9AAA2B0100}.FSD

Filesize
128KB

MD5
8ec19a95dc6ed9adecf87e5ea7548eb2

SHA1
7a8b4389334572329e48d1af977f811df1d304d9

SHA256
c50470ac5ed802a69070817064a4cd44b4a968a151d175f6e3955bb50c1fd66f

SHA512
dde30a1a292338c540b1f0d01a03591ca2c4c6d1d4441e55919dc6409445845a62c5cbdbece55b184e38f36e16cdf3c67e87b1fb756a1bd01ca51d522963593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
63f648be0ae96349fa475c9179af4cd6

SHA1
116df1bdb658bbdfb1659a28e6373a3eafb75132

SHA256
7eb39b9337003b9c0273a452eed8cc46aafcaa4611ea08d140579dbc4bc6b95f

SHA512
6e2334b5e750c30c85c4076bb61245e1c021800c66b7c1b847fc3cc8a843d45ea7bba1cb99b37e6eea8c400e1b48ea9450c3d656d427c84610cc1d879da92168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
bf9db29fcc0d88a3fed4e546dbc1b6f2

SHA1
5730a74ebbbf0b3ea2054c523fc482e8d5a8b210

SHA256
73c48784556d1357334d5411de2ba618c160cb344960b2c3e6c93346909111e4

SHA512
a0c518fcee6db028908ad1b965e65816200535b4949d6f320557176c884f6598426376a92c3b1a6dddbfd0d7b5b643f440e3085c1102969f408334824e7e090d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BEB7A6CA-7886-450A-BE49-AE4B9EED420F}.FSD

Filesize
128KB

MD5
2073e15fdbe332efd6cf4b5c1cf4b5a2

SHA1
1517e7360111717d16d03d692ab795b51b4be725

SHA256
6e846b87c2ed17a1d071e05304107fa454f0015e914a20717df6a5b041eded5b

SHA512
18c2bd75e7ffbcc3a6e28f64d5ec69473cff69a96fbfd79f3b01c04f06a602682df94f8ffbdf28312ce90c516ff7f79134355cf427e3a51f5a035a6f1df1bddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\alphaa[1].doc

Filesize
385KB

MD5
b0443b806419dfe7d868eb614bb4ffd7

SHA1
db99ccfc2004bac4ea84df1e6a1340ea6630e925

SHA256
b5e8ed2845884a89d023f7eac745aab4cfe0ce933ccd97fd5773918292d65e27

SHA512
262436ffe9f0e1035877b80e922dddadc248bb6a215153abf28fd4b6a2a11c404f0aba4bce09de4553421cfaa0b06b254f52791900f7fbf9ad4ffad8c2564405

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2EDD.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C43.tmp

Filesize
1KB

MD5
5ebf8efb6b97864823304f90fc7e199f

SHA1
b754d44f0a1355ec438186b1665bf84e2f21f255

SHA256
4eec332664627147df2ac18f3e2ec724f3c66b64f56b8faea3624df08276f7cc

SHA512
5bb44c3182725e39451fc4073566ab3069614687d9923fa39b1455d91fab75085359d4e42adf47ee37080959e43137db4eca98b60e48931100f44d8b85c9f524

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5C1EEF1C-B555-4B03-927E-F01564A23AAC}

Filesize
128KB

MD5
8ec88d252aa83a64b93509e4f5649e11

SHA1
49026d99592901d27154df419ef7572c6b45a4f0

SHA256
c5dd1fe334912a29c031214bdb9b24ac13472258fbdf7ce8989aba525f5c2805

SHA512
b53d9208b03b21597268c177d6baa75bed1432a2f935861c7c9b8cd0bc58f4dd1dafa240e9c00195ecd453eda828c08072f2f7f42c4b93a9473fbe7d1be76815

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3691908287-3775019229-3534252667-1000\0f5007522459c86e95ffcc62f32308f1_a42634aa-f501-41cf-bed1-b8158857da02

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
61B

MD5
2b2ae70d9fcf7d01d81bdf12d543bbe9

SHA1
7c3416aef6a093b19bf771ce223c9e77d76776a6

SHA256
59760808cf517aaff8cf54229d2d5d7f51977f7cf2d844b5a8f26214e2a777c0

SHA512
607d67099f186cf63070e27ae0e4f7235b5201f4088b0810be883c1331385acd106c63b61a4dd99e13805e3f31fe27fcaa22f3e2e2beb8b5fce140f995c13f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
67e5b7c7ebbceb6c1cc6e55b58e42143

SHA1
750a40a42f44312c4c99de8c821372461f0abd1e

SHA256
c4fac354f13385d2261c12b861d84c71f2ebe6d848b355054f3d24a89cabc95a

SHA512
98236f38d7949ed8e066de12dd8a6354eb66cdaec2a0a27c22caf7b63b45e9ec74d66f50f3fd719efb7eb8c81cf9d8a531038635fe0700e0201b96880fd2aaaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5f5753b883f2376acd538fd2c641495c

SHA1
e8c8bfd568c6aa6f7cb623ce395c50b477d48667

SHA256
61f2930007614c640006f6eabfc03982a1b44307425f283f16a00ce8666946b9

SHA512
03d36e3bcc168d5199756e285bd5b1e02f772503ad19aef624fb0dcbbb161ae1312f0c6fa41eb9b1351a3916f8a1f27fc0e9c01fbca11d598cfacaab4b50e2cd

Download Submit
\Users\Admin\AppData\Roaming\alpha87654.scr

Filesize
542KB

MD5
2bd4f77791b796e6545d64eff9eae819

SHA1
92d1a30075154c4b42dbb9b97b875528e5d0d70c

SHA256
7cf8d155f123798b10846b4c8b4d029a38db08df32342687acd47dc6867e36b6

SHA512
756d96ac0cee6b41a3923dd45a6dfc3b40f5f333b403f473cabf7a35b2eeac387e9f323740231f9c8a5ead8bf5169ec1ddcc7ecbf23557809f168f45bd5d8b59

Download Submit
memory/892-188-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/892-160-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-162-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-198-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-156-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-169-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-167-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-158-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-164-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-223-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2128-224-0x000000007194D000-0x0000000071958000-memory.dmp

Filesize
44KB

Download
memory/2128-0-0x000000002F4C1000-0x000000002F4C2000-memory.dmp

Filesize
4KB

Download
memory/2128-190-0x000000007194D000-0x0000000071958000-memory.dmp

Filesize
44KB

Download
memory/2128-2-0x000000007194D000-0x0000000071958000-memory.dmp

Filesize
44KB

Download
memory/2328-141-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2328-128-0x0000000004E10000-0x0000000004E86000-memory.dmp

Filesize
472KB

Download
memory/2328-129-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2328-140-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2328-123-0x0000000000E40000-0x0000000000ECA000-memory.dmp

Filesize
552KB

Download
memory/2328-142-0x0000000004E90000-0x0000000004EF2000-memory.dmp

Filesize
392KB

Download