xloader | 17f71f787c12cec37909e4355791ab91c28710248769c1b39a1ac819c04c3d8a

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-02-2022 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice.xlsx
Size

187KB
MD5

dc01121346f71cb161d7f643235effd1
SHA1

4d0e5c5a56a86d049e815e1c8939066aea4fc592
SHA256

17f71f787c12cec37909e4355791ab91c28710248769c1b39a1ac819c04c3d8a
SHA512

fdcdfa5c44cfb776b2ffa11d200c14fccc3b8d25611bc93e40e87583ce953f3e156fbfcb2dcdb0447e64a3d43a1573023199b65af5eb82d48bc0998115b30b4b

Score

10^/10

xloader o6tg loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

o6tg

Decoy

turkscaicosonline.com

novelfoodtech.com

zgrmfww.com

gestionalcliente24hrs.store

postrojka.com

tapissier-uzes.com

tobytram.one

preamblegames.com

clicklinkzs.com

franksenen.com

beautygateway.net

foils-online.com

aout.us

promarkoperations.com

alignatura.com

changemylifefast.info

minbex.icu

internethustlersociety.com

chinacqn.com

fibsh.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1608-72-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1608-80-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1240-85-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 552 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exexbtzqwy.exexbtzqwy.exe

pid process

1036 vbc.exe
1504 xbtzqwy.exe
1608 xbtzqwy.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvbc.exexbtzqwy.exe

pid process

552 EQNEDT32.EXE
552 EQNEDT32.EXE
552 EQNEDT32.EXE
1036 vbc.exe
1036 vbc.exe
1504 xbtzqwy.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	552	EQNEDT32.EXE

pid	process
1036	vbc.exe
1504	xbtzqwy.exe
1608	xbtzqwy.exe

pid	process
552	EQNEDT32.EXE
552	EQNEDT32.EXE
552	EQNEDT32.EXE
1036	vbc.exe
1036	vbc.exe
1504	xbtzqwy.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

xbtzqwy.exexbtzqwy.execmd.exe

description	pid	process	target process
PID 1504 set thread context of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1608 set thread context of 1412	1608	xbtzqwy.exe	Explorer.EXE
PID 1608 set thread context of 1412	1608	xbtzqwy.exe	Explorer.EXE
PID 1240 set thread context of 1412	1240	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

552 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
552	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE

pid	process
1636	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

xbtzqwy.execmd.exe

pid	process
1608	xbtzqwy.exe
1608	xbtzqwy.exe
1608	xbtzqwy.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe
1240	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

xbtzqwy.execmd.exe

pid process

1608 xbtzqwy.exe
1608 xbtzqwy.exe
1608 xbtzqwy.exe
1608 xbtzqwy.exe
1240 cmd.exe
1240 cmd.exe

pid	process
1412	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

xbtzqwy.exeExplorer.EXEcmd.exe

description	pid	process
Token: SeDebugPrivilege	1608	xbtzqwy.exe
Token: SeShutdownPrivilege	1412	Explorer.EXE
Token: SeShutdownPrivilege	1412	Explorer.EXE
Token: SeDebugPrivilege	1240	cmd.exe
Token: SeShutdownPrivilege	1412	Explorer.EXE
Token: SeShutdownPrivilege	1412	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE
1636 EXCEL.EXE
1636 EXCEL.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1636	EXCEL.EXE
1636	EXCEL.EXE
1636	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exexbtzqwy.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 552 wrote to memory of 1036	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 1036	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 1036	552	EQNEDT32.EXE	vbc.exe
PID 552 wrote to memory of 1036	552	EQNEDT32.EXE	vbc.exe
PID 1036 wrote to memory of 1504	1036	vbc.exe	xbtzqwy.exe
PID 1036 wrote to memory of 1504	1036	vbc.exe	xbtzqwy.exe
PID 1036 wrote to memory of 1504	1036	vbc.exe	xbtzqwy.exe
PID 1036 wrote to memory of 1504	1036	vbc.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1504 wrote to memory of 1608	1504	xbtzqwy.exe	xbtzqwy.exe
PID 1412 wrote to memory of 1240	1412	Explorer.EXE	cmd.exe
PID 1412 wrote to memory of 1240	1412	Explorer.EXE	cmd.exe
PID 1412 wrote to memory of 1240	1412	Explorer.EXE	cmd.exe
PID 1412 wrote to memory of 1240	1412	Explorer.EXE	cmd.exe
PID 1240 wrote to memory of 1912	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe"
3⤵
PID:1912

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mxfvylv3nr1jewbbtgj
MD5
dc04ad8e4791cf708485b7f60a473b86

SHA1
22132be7a1ec306b1f64160f8ad60a356fd32a97

SHA256
78f28dfbd256f5e157b5283dc8f69cde31a009921dc71e746dd5214657e792e4

SHA512
0bf9b150a250d7905c0827140a44e6275edbcbdf269e68ca7076b583b3fc7e934c2c547b4466da0dbb2bad359c512c2d3108bb907f98211e96b4ee3b64ed204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qawjd
MD5
ec1e2c88be91e24c2a50a0a09ef4037c

SHA1
05948db24552f61edfc0968e3a0cd8e259c8a8da

SHA256
116f73a63062c31e54f19d2733b223b9e47c4a998806fb2e9266d22d069311d0

SHA512
71a1beaaa8d1afd70b5aa1aa045f1e6c9d2f609ecf96379bdc08c6208ed049d1e62317129893302089120f48a08678dcd87f0030d926361d65e81cdd2082fff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
C:\Users\Public\vbc.exe
MD5
e0f1e3b823d0cddfa31461ab72ea9406

SHA1
d13ac912867e46b4a88abc1ea35516fc95759a96

SHA256
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

SHA512
57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0

Download Submit
C:\Users\Public\vbc.exe
MD5
e0f1e3b823d0cddfa31461ab72ea9406

SHA1
d13ac912867e46b4a88abc1ea35516fc95759a96

SHA256
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

SHA512
57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0

Download Submit
\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
\Users\Admin\AppData\Local\Temp\xbtzqwy.exe
MD5
b5e54ee9c196c5dc3327426f2f883771

SHA1
940df73d290c823bdb8f2d91f034e30ab5efe895

SHA256
ec42e375e505ab31d26a08a1ea510b646c7254c665cd0a01a6aad9c5577ade64

SHA512
b9fac4c21af79f5c9ed2d33fae01577a9a53afe3c6c71b424504f11a8b97e9b7c8ddcf7465ce53dc7fa08d0e421a0a533c1078ca82f659c279fda4874359c405

Download Submit
\Users\Public\vbc.exe
MD5
e0f1e3b823d0cddfa31461ab72ea9406

SHA1
d13ac912867e46b4a88abc1ea35516fc95759a96

SHA256
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

SHA512
57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0

Download Submit
\Users\Public\vbc.exe
MD5
e0f1e3b823d0cddfa31461ab72ea9406

SHA1
d13ac912867e46b4a88abc1ea35516fc95759a96

SHA256
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

SHA512
57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0

Download Submit
\Users\Public\vbc.exe
MD5
e0f1e3b823d0cddfa31461ab72ea9406

SHA1
d13ac912867e46b4a88abc1ea35516fc95759a96

SHA256
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce

SHA512
57b1019dbeade18f07be6ee66662f501e7b210ac74bbd0e2a78ba7e0d0c655c90409dfc6c64b31b32ceab44404279f20f7d1a621b64e651556f1d44dde6c20d0

Download Submit
memory/552-58-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/1240-87-0x0000000001DF0000-0x0000000001E80000-memory.dmp

Filesize
576KB

Download
memory/1240-86-0x0000000001E90000-0x0000000002193000-memory.dmp

Filesize
3.0MB

Download
memory/1240-85-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1240-84-0x000000004A900000-0x000000004A94C000-memory.dmp

Filesize
304KB

Download
memory/1412-88-0x0000000009B10000-0x0000000009C60000-memory.dmp

Filesize
1.3MB

Download
memory/1412-83-0x0000000007670000-0x00000000077A4000-memory.dmp

Filesize
1.2MB

Download
memory/1412-79-0x0000000007200000-0x000000000734A000-memory.dmp

Filesize
1.3MB

Download
memory/1504-74-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1608-78-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/1608-76-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/1608-80-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1608-81-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1608-82-0x0000000000380000-0x0000000000391000-memory.dmp

Filesize
68KB

Download
memory/1608-77-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1608-72-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1636-55-0x0000000071BA1000-0x0000000071BA3000-memory.dmp

Filesize
8KB

Download
memory/1636-54-0x000000002FC51000-0x000000002FC54000-memory.dmp

Filesize
12KB

Download
memory/1636-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-57-0x0000000072B8D000-0x0000000072B98000-memory.dmp

Filesize
44KB

Download
memory/1636-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download