lokibot | 1561b33c7efac0edb9b9a023b04853fe5666c1acd6b9531de5673cc337f86049

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/09/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7e15774ecd0de31e719ef09f2884db6_JaffaCakes118.rtf
Size

504KB
MD5

f7e15774ecd0de31e719ef09f2884db6
SHA1

eb71ab78ade27b21646463175f8509d7ed4cb71e
SHA256

1561b33c7efac0edb9b9a023b04853fe5666c1acd6b9531de5673cc337f86049
SHA512

e624c76ffff63e1f9c141193ee469feff7a7c8512ecd6a1c724100a035940b6182579b44b03f6670a0e4d8c722eb3359104288c456b7f0ae77e5d028cdbe5b7e
SSDEEP

12288:NbYqFZw1M4R9YoB2lqsAdOzGBPAAzmOtHzRrtAYG:tPZ74xBPdOz23pXAYG

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://mabident.com/de/vga/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2752	2816	cmd.exe	29
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	3032	2816	cmd.exe	29

Executes dropped EXE 2 IoCs

pid	Process
836	exe.exe
1288	exe.exe

Loads dropped DLL 3 IoCs

pid	Process
2004	cmd.exe
836	exe.exe
836	exe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 1288	836	exe.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016d42-36.dat	nsis_installer_1
behavioral1/files/0x0007000000016d42-36.dat	nsis_installer_2

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2640	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2284	taskkill.exe

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2144	EQNEDT32.EXE
1136	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2816	WINWORD.EXE
1736	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
836	exe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1288	exe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	WINWORD.EXE
2816	WINWORD.EXE
2816	WINWORD.EXE
1736	WINWORD.EXE
1736	WINWORD.EXE
1736	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2752	2816	WINWORD.EXE	30
PID 2816 wrote to memory of 2752	2816	WINWORD.EXE	30
PID 2816 wrote to memory of 2752	2816	WINWORD.EXE	30
PID 2816 wrote to memory of 2752	2816	WINWORD.EXE	30
PID 2752 wrote to memory of 2004	2752	cmd.exe	32
PID 2752 wrote to memory of 2004	2752	cmd.exe	32
PID 2752 wrote to memory of 2004	2752	cmd.exe	32
PID 2752 wrote to memory of 2004	2752	cmd.exe	32
PID 2816 wrote to memory of 3032	2816	WINWORD.EXE	33
PID 2816 wrote to memory of 3032	2816	WINWORD.EXE	33
PID 2816 wrote to memory of 3032	2816	WINWORD.EXE	33
PID 2816 wrote to memory of 3032	2816	WINWORD.EXE	33
PID 2004 wrote to memory of 2640	2004	cmd.exe	34
PID 2004 wrote to memory of 2640	2004	cmd.exe	34
PID 2004 wrote to memory of 2640	2004	cmd.exe	34
PID 2004 wrote to memory of 2640	2004	cmd.exe	34
PID 2144 wrote to memory of 484	2144	EQNEDT32.EXE	37
PID 2144 wrote to memory of 484	2144	EQNEDT32.EXE	37
PID 2144 wrote to memory of 484	2144	EQNEDT32.EXE	37
PID 2144 wrote to memory of 484	2144	EQNEDT32.EXE	37
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 836	2004	cmd.exe	40
PID 2004 wrote to memory of 2284	2004	cmd.exe	41
PID 2004 wrote to memory of 2284	2004	cmd.exe	41
PID 2004 wrote to memory of 2284	2004	cmd.exe	41
PID 2004 wrote to memory of 2284	2004	cmd.exe	41
PID 2004 wrote to memory of 1112	2004	cmd.exe	43
PID 2004 wrote to memory of 1112	2004	cmd.exe	43
PID 2004 wrote to memory of 1112	2004	cmd.exe	43
PID 2004 wrote to memory of 1112	2004	cmd.exe	43
PID 2004 wrote to memory of 1824	2004	cmd.exe	44
PID 2004 wrote to memory of 1824	2004	cmd.exe	44
PID 2004 wrote to memory of 1824	2004	cmd.exe	44
PID 2004 wrote to memory of 1824	2004	cmd.exe	44
PID 2004 wrote to memory of 1244	2004	cmd.exe	45
PID 2004 wrote to memory of 1244	2004	cmd.exe	45
PID 2004 wrote to memory of 1244	2004	cmd.exe	45
PID 2004 wrote to memory of 1244	2004	cmd.exe	45
PID 2004 wrote to memory of 1616	2004	cmd.exe	46
PID 2004 wrote to memory of 1616	2004	cmd.exe	46
PID 2004 wrote to memory of 1616	2004	cmd.exe	46
PID 2004 wrote to memory of 1616	2004	cmd.exe	46
PID 2004 wrote to memory of 1728	2004	cmd.exe	47
PID 2004 wrote to memory of 1728	2004	cmd.exe	47
PID 2004 wrote to memory of 1728	2004	cmd.exe	47
PID 2004 wrote to memory of 1728	2004	cmd.exe	47
PID 2004 wrote to memory of 2656	2004	cmd.exe	48
PID 2004 wrote to memory of 2656	2004	cmd.exe	48
PID 2004 wrote to memory of 2656	2004	cmd.exe	48
PID 2004 wrote to memory of 2656	2004	cmd.exe	48
PID 2004 wrote to memory of 2872	2004	cmd.exe	49
PID 2004 wrote to memory of 2872	2004	cmd.exe	49
PID 2004 wrote to memory of 2872	2004	cmd.exe	49
PID 2004 wrote to memory of 2872	2004	cmd.exe	49
PID 2004 wrote to memory of 2036	2004	cmd.exe	50
PID 2004 wrote to memory of 2036	2004	cmd.exe	50
PID 2004 wrote to memory of 2036	2004	cmd.exe	50
PID 2004 wrote to memory of 2036	2004	cmd.exe	50
PID 2004 wrote to memory of 2884	2004	cmd.exe	51

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exe.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7e15774ecd0de31e719ef09f2884db6_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT 1
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\exe.exe
      C:\Users\Admin\AppData\Local\Temp\ExE.ExE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:836
    - - C:\Users\Admin\AppData\Local\Temp\exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ExE.ExE
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM winword.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1112
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1824
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1244
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1864
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\ResolveInitialize.docx"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:1736
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  PID:3032

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\CmD.exe
  CmD /C %TmP%\TasK.BaT & UUUUUUUUc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:484

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2nd.bat

Filesize
2KB

MD5
e28df677ad5c12ae0805a5705e342d4e

SHA1
293a9c3988d1cc5872732de69f760182578d5bd1

SHA256
a604ea8e1b5650fad661c3b397426351f6e0f1961236e0a79822deadd712a413

SHA512
4ba858d5a4fc259a8222192fa8f8aaec13fc095af87a413e6f30646440abbe1d72fe16adcb43799e632c823f5f346903a34e280dee7035a9baee5999b84e7ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\decoy.doc

Filesize
887B

MD5
0527182a4a0a90cf60edbd78b3258cc5

SHA1
066acf77deb22185ce040bc7ac90cf9022773c50

SHA256
708cf211951f86f8d3a8ef977ebe12ff4442cfd95a831d9ea53859ba48bb4760

SHA512
aadacc6fb9e9e4c08875128706fcfb2eca7facb5c2bf6fa1f9cd5e7f7b59ad3727d16cc0320a8dd6d52e230218c9034a5e95b0f33e921bf9f0665c7a16bc7df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
223KB

MD5
3a881900249888b664d19c563c7a86a8

SHA1
a6a1d67d0c8f417efee9c4068ca0981dbda0655b

SHA256
709ab7796bb303ef7710b63dfef067cbc0649dad372c583ba00605ec024f94ea

SHA512
46b4486be6180bdd7ee58ceecf63ab36a000bd475b66700d20c30e58be7896d4edf613a496a0bd4a988a595d78da167c784433ba0cd4e03528706f5fab5c4e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

Filesize
432B

MD5
8decdcaeb92d9f628b6bf95de4c0597a

SHA1
19443ad64921ef01a77619350efcc97cd767a36b

SHA256
e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e

SHA512
d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat

Filesize
153B

MD5
89896bf3dc684cb01d6c9bd8f2df3694

SHA1
cd34ddbfe29c70d100f506addf4a6f831079dc01

SHA256
429934a64c0d46c46c09c3ccdac2db6801f96e28d072d3dd72ac01c5f023460b

SHA512
0f5371dee4db471524b3d6abf8fa673555b9dc92d596e7f3d73d13f810e899d19741cfebd46b09dfde60b0aee9288e2fac3bb8ec5cba3190dabd3bd87a0a29d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3434294380-2554721341-1919518612-1000\0f5007522459c86e95ffcc62f32308f1_d9071d2c-e5ad-4187-a976-30114bb93bf6

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
e381bee7c32cf4f9ccc8350066410953

SHA1
9458a0a67efb26de9a9f18a24c49a65d02bac1dd

SHA256
598ca15277b17e85be7fc585d3fc31ff8f047ab931b2a12d25c4ff9c66fded8b

SHA512
587e83efc9362e116922b9f01142696f2a6845d22dff93688ea79a3bacb75543dc7644d59ba796bd6956aa5a67ffbd63fbddb09a820244875df7ac11de6c131e

Download Submit
\Users\Admin\AppData\Local\Temp\nso6AD5.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1288-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1288-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1288-95-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1736-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1736-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2816-0-0x000000002FFD1000-0x000000002FFD2000-memory.dmp

Filesize
4KB

Download
memory/2816-43-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download
memory/2816-2-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download
memory/2816-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download