Analysis
-
max time kernel
157s -
max time network
172s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10-02-2022 05:51
Static task
static1
Behavioral task
behavioral1
Sample
_2201S_BUSAN_HOCHIMINH_.xlsx
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
_2201S_BUSAN_HOCHIMINH_.xlsx
Resource
win10v2004-en-20220112
General
-
Target
_2201S_BUSAN_HOCHIMINH_.xlsx
-
Size
187KB
-
MD5
cf8b307caa943326ee808bb3cb02deee
-
SHA1
705c25adbdb7b805e47566540b3804eba178e7da
-
SHA256
cbe84e2c523fd51dabb1365df50415ffc51f8159c36798061742f08ba5d31b9b
-
SHA512
cfc3ae790c2e17051a4b03214baefd44eb30e8601bf8afd2d711cd197263854e96c19c2486a8838a1971607e09ad6728f6b9d8d982f6395b1ffc7d9c7eb599aa
Malware Config
Extracted
lokibot
http://asiaoil.bar//bobby/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 1040 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exexmtxpy.exexmtxpy.exepid process 1664 vbc.exe 552 xmtxpy.exe 1996 xmtxpy.exe -
Loads dropped DLL 5 IoCs
Processes:
EQNEDT32.EXEvbc.exexmtxpy.exepid process 1040 EQNEDT32.EXE 1040 EQNEDT32.EXE 1040 EQNEDT32.EXE 1664 vbc.exe 552 xmtxpy.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
xmtxpy.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook xmtxpy.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook xmtxpy.exe Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook xmtxpy.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
xmtxpy.exedescription pid process target process PID 552 set thread context of 1996 552 xmtxpy.exe xmtxpy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 \Users\Public\vbc.exe nsis_installer_1 \Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 C:\Users\Public\vbc.exe nsis_installer_1 C:\Users\Public\vbc.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1632 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
xmtxpy.exedescription pid process Token: SeDebugPrivilege 1996 xmtxpy.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 1632 EXCEL.EXE 1632 EXCEL.EXE 1632 EXCEL.EXE 1632 EXCEL.EXE 1632 EXCEL.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
EQNEDT32.EXEvbc.exexmtxpy.exedescription pid process target process PID 1040 wrote to memory of 1664 1040 EQNEDT32.EXE vbc.exe PID 1040 wrote to memory of 1664 1040 EQNEDT32.EXE vbc.exe PID 1040 wrote to memory of 1664 1040 EQNEDT32.EXE vbc.exe PID 1040 wrote to memory of 1664 1040 EQNEDT32.EXE vbc.exe PID 1664 wrote to memory of 552 1664 vbc.exe xmtxpy.exe PID 1664 wrote to memory of 552 1664 vbc.exe xmtxpy.exe PID 1664 wrote to memory of 552 1664 vbc.exe xmtxpy.exe PID 1664 wrote to memory of 552 1664 vbc.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe PID 552 wrote to memory of 1996 552 xmtxpy.exe xmtxpy.exe -
outlook_office_path 1 IoCs
Processes:
xmtxpy.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook xmtxpy.exe -
outlook_win_path 1 IoCs
Processes:
xmtxpy.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook xmtxpy.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_2201S_BUSAN_HOCHIMINH_.xlsx1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xmtxpy.exeC:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xmtxpy.exeC:\Users\Admin\AppData\Local\Temp\xmtxpy.exe C:\Users\Admin\AppData\Local\Temp\npotbzd4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2v0cucir72xMD5
ac8e973d953305b03019cdb74006099c
SHA17976e0be0fc69e238daf16db2bff833340536c4e
SHA2562f62f941918151fced3ad854b37dcda1e40e91432d772781ebc2118e28987b41
SHA5123719354fa157a48c919ac13d1da71df1142d24448462355b83bd52fc3d3b8f8bf39e052fafa3e9a961b3ed200fbbe8bd5c84716b9782392c75eff34adfff38ab
-
C:\Users\Admin\AppData\Local\Temp\npotbzdMD5
cb3fbcc52c7b5805acf1f81d65488d89
SHA1ead5b088da9f7466d9e10537a449a2f8c7505e85
SHA25605fb79420aada2c2199cabad68f4d6483127d2d803a5fd4e755008e78a977931
SHA5129cfb8ea161797f5131ac4780cbee9fb8e56fadeeebec7d39bfc96416f1949d5e0247fa0f7b1e71c415bc9a08cce1aaff4003bba9221cfb7f77a629794f8933cd
-
C:\Users\Admin\AppData\Local\Temp\xmtxpy.exeMD5
1eacd504e4461f9ee286715997d8a9ee
SHA164554fe410bb0b335373e99d2f8aa37800f30fdd
SHA256de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de
SHA512a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156
-
C:\Users\Admin\AppData\Local\Temp\xmtxpy.exeMD5
1eacd504e4461f9ee286715997d8a9ee
SHA164554fe410bb0b335373e99d2f8aa37800f30fdd
SHA256de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de
SHA512a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156
-
C:\Users\Admin\AppData\Local\Temp\xmtxpy.exeMD5
1eacd504e4461f9ee286715997d8a9ee
SHA164554fe410bb0b335373e99d2f8aa37800f30fdd
SHA256de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de
SHA512a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156
-
C:\Users\Public\vbc.exeMD5
7df1896047d9647d818080dd17563d92
SHA1a7c2bc04ec70c0f439e2a0863096fa7d391f79c5
SHA2569cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
SHA5121558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d
-
C:\Users\Public\vbc.exeMD5
7df1896047d9647d818080dd17563d92
SHA1a7c2bc04ec70c0f439e2a0863096fa7d391f79c5
SHA2569cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
SHA5121558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d
-
\Users\Admin\AppData\Local\Temp\xmtxpy.exeMD5
1eacd504e4461f9ee286715997d8a9ee
SHA164554fe410bb0b335373e99d2f8aa37800f30fdd
SHA256de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de
SHA512a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156
-
\Users\Admin\AppData\Local\Temp\xmtxpy.exeMD5
1eacd504e4461f9ee286715997d8a9ee
SHA164554fe410bb0b335373e99d2f8aa37800f30fdd
SHA256de398be02d5abe9c8bce84380ac5303ea00fc00820a50cad007220f24538b3de
SHA512a253cec08a167f348d84677f6a992ae306f607c9ad9a10ef6af03288e7d4a158a07056a50a0909e22b1a89b79386ea44c984754018a25817e22ff6167a6a6156
-
\Users\Public\vbc.exeMD5
7df1896047d9647d818080dd17563d92
SHA1a7c2bc04ec70c0f439e2a0863096fa7d391f79c5
SHA2569cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
SHA5121558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d
-
\Users\Public\vbc.exeMD5
7df1896047d9647d818080dd17563d92
SHA1a7c2bc04ec70c0f439e2a0863096fa7d391f79c5
SHA2569cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
SHA5121558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d
-
\Users\Public\vbc.exeMD5
7df1896047d9647d818080dd17563d92
SHA1a7c2bc04ec70c0f439e2a0863096fa7d391f79c5
SHA2569cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
SHA5121558b4573f82b4b6f34e96591a5a4cf4533c30bec9d65c3bc1435feb0119f23eb91e5c7e771d58f502199bb3cde272c3135cd8a8f3944d87e8759d23a340d01d
-
memory/1040-59-0x0000000076141000-0x0000000076143000-memory.dmpFilesize
8KB
-
memory/1632-55-0x000000002F461000-0x000000002F464000-memory.dmpFilesize
12KB
-
memory/1632-58-0x00000000728BD000-0x00000000728C8000-memory.dmpFilesize
44KB
-
memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1632-56-0x00000000718D1000-0x00000000718D3000-memory.dmpFilesize
8KB
-
memory/1632-77-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1996-73-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1996-76-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB