lokibot | 3fb7fa64211d1a218fc59ad674642205960982542f9796cc792e983c8145b9ef

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/09/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6e617104652143d836afe8d61366a17_JaffaCakes118.rtf
Size

519KB
MD5

e6e617104652143d836afe8d61366a17
SHA1

27afd3fc8aaa43b82a15366c05f8130a573aef78
SHA256

3fb7fa64211d1a218fc59ad674642205960982542f9796cc792e983c8145b9ef
SHA512

3a69f5719dc29f832484a2e413f0b2addd542c579c39b0fe300568fe25ce4e28777672da2d16469f4a0fe007f212056e0f4859b56740bf5b3fe06d313f6d8504
SSDEEP

12288:FDPhnwaTe1Mx/MF3ObXAdnT5vzwDEZpxkS3d:xhnTTeeEqYlvOm

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://185.24.233.117/~zadmin/frb/cache.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2284	3032	cmd.exe	30
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2792	3032	cmd.exe	30

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
2616	exe.exe
2096	exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2660	cmd.exe
2660	cmd.exe
2616	exe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2096	2616	exe.exe	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2876	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2572	taskkill.exe

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2696	EQNEDT32.EXE
2604	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3032	WINWORD.EXE
1532	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2096	exe.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2616	exe.exe
2616	exe.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2616	exe.exe
2616	exe.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3032	WINWORD.EXE
3032	WINWORD.EXE
3032	WINWORD.EXE
2616	exe.exe
1532	WINWORD.EXE
1532	WINWORD.EXE
1532	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2284	3032	WINWORD.EXE	31
PID 3032 wrote to memory of 2284	3032	WINWORD.EXE	31
PID 3032 wrote to memory of 2284	3032	WINWORD.EXE	31
PID 3032 wrote to memory of 2284	3032	WINWORD.EXE	31
PID 2284 wrote to memory of 2660	2284	cmd.exe	33
PID 2284 wrote to memory of 2660	2284	cmd.exe	33
PID 2284 wrote to memory of 2660	2284	cmd.exe	33
PID 2284 wrote to memory of 2660	2284	cmd.exe	33
PID 3032 wrote to memory of 2792	3032	WINWORD.EXE	34
PID 3032 wrote to memory of 2792	3032	WINWORD.EXE	34
PID 3032 wrote to memory of 2792	3032	WINWORD.EXE	34
PID 3032 wrote to memory of 2792	3032	WINWORD.EXE	34
PID 2660 wrote to memory of 2876	2660	cmd.exe	35
PID 2660 wrote to memory of 2876	2660	cmd.exe	35
PID 2660 wrote to memory of 2876	2660	cmd.exe	35
PID 2660 wrote to memory of 2876	2660	cmd.exe	35
PID 2696 wrote to memory of 2684	2696	EQNEDT32.EXE	38
PID 2696 wrote to memory of 2684	2696	EQNEDT32.EXE	38
PID 2696 wrote to memory of 2684	2696	EQNEDT32.EXE	38
PID 2696 wrote to memory of 2684	2696	EQNEDT32.EXE	38
PID 2660 wrote to memory of 2616	2660	cmd.exe	41
PID 2660 wrote to memory of 2616	2660	cmd.exe	41
PID 2660 wrote to memory of 2616	2660	cmd.exe	41
PID 2660 wrote to memory of 2616	2660	cmd.exe	41
PID 2660 wrote to memory of 2572	2660	cmd.exe	42
PID 2660 wrote to memory of 2572	2660	cmd.exe	42
PID 2660 wrote to memory of 2572	2660	cmd.exe	42
PID 2660 wrote to memory of 2572	2660	cmd.exe	42
PID 2660 wrote to memory of 3060	2660	cmd.exe	44
PID 2660 wrote to memory of 3060	2660	cmd.exe	44
PID 2660 wrote to memory of 3060	2660	cmd.exe	44
PID 2660 wrote to memory of 3060	2660	cmd.exe	44
PID 2660 wrote to memory of 2924	2660	cmd.exe	45
PID 2660 wrote to memory of 2924	2660	cmd.exe	45
PID 2660 wrote to memory of 2924	2660	cmd.exe	45
PID 2660 wrote to memory of 2924	2660	cmd.exe	45
PID 2660 wrote to memory of 2960	2660	cmd.exe	46
PID 2660 wrote to memory of 2960	2660	cmd.exe	46
PID 2660 wrote to memory of 2960	2660	cmd.exe	46
PID 2660 wrote to memory of 2960	2660	cmd.exe	46
PID 2660 wrote to memory of 1872	2660	cmd.exe	47
PID 2660 wrote to memory of 1872	2660	cmd.exe	47
PID 2660 wrote to memory of 1872	2660	cmd.exe	47
PID 2660 wrote to memory of 1872	2660	cmd.exe	47
PID 2660 wrote to memory of 1976	2660	cmd.exe	48
PID 2660 wrote to memory of 1976	2660	cmd.exe	48
PID 2660 wrote to memory of 1976	2660	cmd.exe	48
PID 2660 wrote to memory of 1976	2660	cmd.exe	48
PID 2660 wrote to memory of 1912	2660	cmd.exe	49
PID 2660 wrote to memory of 1912	2660	cmd.exe	49
PID 2660 wrote to memory of 1912	2660	cmd.exe	49
PID 2660 wrote to memory of 1912	2660	cmd.exe	49
PID 2660 wrote to memory of 1776	2660	cmd.exe	50
PID 2660 wrote to memory of 1776	2660	cmd.exe	50
PID 2660 wrote to memory of 1776	2660	cmd.exe	50
PID 2660 wrote to memory of 1776	2660	cmd.exe	50
PID 2660 wrote to memory of 1960	2660	cmd.exe	51
PID 2660 wrote to memory of 1960	2660	cmd.exe	51
PID 2660 wrote to memory of 1960	2660	cmd.exe	51
PID 2660 wrote to memory of 1960	2660	cmd.exe	51
PID 2660 wrote to memory of 2816	2660	cmd.exe	52
PID 2660 wrote to memory of 2816	2660	cmd.exe	52
PID 2660 wrote to memory of 2816	2660	cmd.exe	52
PID 2660 wrote to memory of 2816	2660	cmd.exe	52

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exe.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e6e617104652143d836afe8d61366a17_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT 1
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\exe.exe
      C:\Users\Admin\AppData\Local\Temp\exe.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\exe.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im winword.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:624
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\LimitInstall.docx"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1532
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\TaSk.BaT
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:2792

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %tmp%\task.bat & UUUUUUUUc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
07fbf92580a91f32c5c96c156ccb3fa9

SHA1
f70cdd08113e9cd4c2bc3d91dee526e634089c23

SHA256
d1d7d1dfc3980b56620e8fe6af0358e676a4dbd6288a3e3bf0712191d5bf0b69

SHA512
4acb7b4bbe0ca72c6233605bc356c90a501039c32c03d4e4783a840bfd3a97aab06e0dc8b15546e6840cce412ed89b943744e4e9281afafd2de9be03e1ac1abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\decoy.doc

Filesize
9KB

MD5
c463af2be5752a2e345ffe110cd93d31

SHA1
bb5cf6cd2801c58afe29002baa9ace348fcbd14b

SHA256
ab89cb877fdeeebbf3d75559cc3d9bbbf0c4dfcd3295bfcf7269d7d14e716445

SHA512
bc60f4deb50289547c872570eb4ed85aa75c8bc513e7be6153bcaee1c29c84e5d3445925561f2caab48c338b71bb83c7a51c666f55f15e8a15b65eb73131565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
216KB

MD5
f483dea41b06ae8c6b541bf681d919ca

SHA1
e9c15d92d4696d1557f1eddae0c28a3897d41d38

SHA256
67b232f09e84176355b1a828c58e33d8bc21fe2732d59fcee162735575041f79

SHA512
5736fde814c5a25a77cbe39eac70cb55480a91f546f65ce7d41c0f95c75895723bb322b9b3ca45e7fc812b0232443955eb8f87b79dc2720294d4ed0d5fd46a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
423B

MD5
36ad6d953da9665f7ff59e4145d5278a

SHA1
d6b7685ec25b5a40b3d40c945df56b3dee4a580e

SHA256
002394c515bc0df787f99f565b6c032bef239a5e40a33ac710395bf264520df7

SHA512
afdbf8ffb330d2f4b3893adecd7153be7ce2b53c1635ca0f506d7a71354e576d70cfd5ff0787e2d61915525ed26a0dd729696be32c202e4acc2b4854dec4229f

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
150B

MD5
418334ad7eb95ff82969646a7bf5a164

SHA1
4cefdfad3fee1412e1aa5b1ae0057ad0b4126db7

SHA256
731abba49e150da730d1b94879ce42b7f89f2a16c2b3d6f1e8d4c7d31546d35d

SHA512
38eeec94e6495c06161dac7f3bf832ac91a200a8dd958d8849e3191b3dcdc36cdbb3d186ad8fe5ad175dc56d355973741ee027987615a244f587911e09dc0640

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
3cda4d79184f4d08c156532c1600c90f

SHA1
c315b6c2828331eb44d30f5bf5f0a159d8bb0145

SHA256
5000224748e9e9d08e116f7a5d347121bf17154a1df617ec7bb98a418a10b7e5

SHA512
29a6cc3520e5274c762c27c6b9a63d5af85741da867157b354d4ef2ad9b4c723936ac39b01114d4e594180c54065084ea8b92c92b3b16b25a26c0e14345c6bfa

Download Submit
memory/1532-123-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1532-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2096-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-88-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-110-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3032-0-0x000000002FE51000-0x000000002FE52000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3032-41-0x000000007091D000-0x0000000070928000-memory.dmp

Filesize
44KB

Download
memory/3032-2-0x000000007091D000-0x0000000070928000-memory.dmp

Filesize
44KB

Download