xloader | 125234cd945b324a4a334d19481f830c02b90927c5a827ab3fd42a9182f1b6dd

Analysis

max time kernel
153s
max time network
161s
platform
windows7_x64
resource
win7-en-20211208
submitted
14-02-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SNO150222.xlsx
Size

187KB
MD5

58e1b7d879a23956e6612da611834ee3
SHA1

2e25c3957c349cf7a3998cce4cb691940f7edc9f
SHA256

125234cd945b324a4a334d19481f830c02b90927c5a827ab3fd42a9182f1b6dd
SHA512

35963f364e1dda2b9c38ed5c609c60e5f8b8f6f268f94aa5164aa5685bef6f1c038c12a4265b24f17bc2e7285ff6fa7e020792e3544638232aee01517735970a

Score

10^/10

xloader ahc8 loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1844-71-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1844-78-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1768-84-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 736 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exeriyrimii.exeriyrimii.exe

pid process

1488 vbc.exe
1184 riyrimii.exe
1844 riyrimii.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEvbc.exeriyrimii.exe

pid process

736 EQNEDT32.EXE
736 EQNEDT32.EXE
736 EQNEDT32.EXE
1488 vbc.exe
1184 riyrimii.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
4	736	EQNEDT32.EXE

pid	process
1488	vbc.exe
1184	riyrimii.exe
1844	riyrimii.exe

pid	process
736	EQNEDT32.EXE
736	EQNEDT32.EXE
736	EQNEDT32.EXE
1488	vbc.exe
1184	riyrimii.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

riyrimii.exeriyrimii.exemsdt.exe

description	pid	process	target process
PID 1184 set thread context of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1844 set thread context of 1404	1844	riyrimii.exe	Explorer.EXE
PID 1844 set thread context of 1404	1844	riyrimii.exe	Explorer.EXE
PID 1768 set thread context of 1404	1768	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
\Users\Public\vbc.exe	nsis_installer_1
\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2
C:\Users\Public\vbc.exe	nsis_installer_1
C:\Users\Public\vbc.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

736 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
736	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1396 EXCEL.EXE

pid	process
1396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

riyrimii.exemsdt.exe

pid	process
1844	riyrimii.exe
1844	riyrimii.exe
1844	riyrimii.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe
1768	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

riyrimii.exemsdt.exe

pid process

1844 riyrimii.exe
1844 riyrimii.exe
1844 riyrimii.exe
1844 riyrimii.exe
1768 msdt.exe
1768 msdt.exe

pid	process
1404	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

riyrimii.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	1844	riyrimii.exe
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeDebugPrivilege	1768	msdt.exe
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1396 EXCEL.EXE
1396 EXCEL.EXE
1396 EXCEL.EXE
1396 EXCEL.EXE
1396 EXCEL.EXE

pid	process
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exeriyrimii.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 736 wrote to memory of 1488	736	EQNEDT32.EXE	vbc.exe
PID 736 wrote to memory of 1488	736	EQNEDT32.EXE	vbc.exe
PID 736 wrote to memory of 1488	736	EQNEDT32.EXE	vbc.exe
PID 736 wrote to memory of 1488	736	EQNEDT32.EXE	vbc.exe
PID 1488 wrote to memory of 1184	1488	vbc.exe	riyrimii.exe
PID 1488 wrote to memory of 1184	1488	vbc.exe	riyrimii.exe
PID 1488 wrote to memory of 1184	1488	vbc.exe	riyrimii.exe
PID 1488 wrote to memory of 1184	1488	vbc.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1184 wrote to memory of 1844	1184	riyrimii.exe	riyrimii.exe
PID 1404 wrote to memory of 1768	1404	Explorer.EXE	msdt.exe
PID 1404 wrote to memory of 1768	1404	Explorer.EXE	msdt.exe
PID 1404 wrote to memory of 1768	1404	Explorer.EXE	msdt.exe
PID 1404 wrote to memory of 1768	1404	Explorer.EXE	msdt.exe
PID 1768 wrote to memory of 388	1768	msdt.exe	cmd.exe
PID 1768 wrote to memory of 388	1768	msdt.exe	cmd.exe
PID 1768 wrote to memory of 388	1768	msdt.exe	cmd.exe
PID 1768 wrote to memory of 388	1768	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SNO150222.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\riyrimii.exe"
3⤵
PID:388

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\riyrimii.exe
C:\Users\Admin\AppData\Local\Temp\riyrimii.exe C:\Users\Admin\AppData\Local\Temp\ooasejtpjr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\riyrimii.exe
C:\Users\Admin\AppData\Local\Temp\riyrimii.exe C:\Users\Admin\AppData\Local\Temp\ooasejtpjr
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\li5cs4llbc6qq94ol
MD5
798cf65a62b6176c7fc9259538015f30

SHA1
64e1f2cd279f2ec174c8fb6c620ed2215d02abbf

SHA256
4d710c468b65426f510301b6a2be45265f161afe4b02010e2b68367baba70821

SHA512
21d81e8ddfa70a3412670cdf7d70ee5c073a92dd4517e802e25381514c04692924df9ee8ec13baf8fd9b680c847f5346e549b6e1b060df3fbd5d15362fc345dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooasejtpjr
MD5
e54878285ec362664239fec91b3142f3

SHA1
56b1adbbbeaee7ed12e484474111ff35eba50d15

SHA256
e5a32b6398a8edc362ec0e7e6c085e599664c8eba7464e4c2fbf034b517ad146

SHA512
7b13b25e9670a1b3b15483dd4d0d6c44010d0274a639d092edb04aeb6a6e126127f3bdb4f875d1090acdb2c8f4ecfe1d01c3308d68074d4998f1269fb706d2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\riyrimii.exe
MD5
637825ffa7abc4405f139d62e89b4f9c

SHA1
9de110fadb05d381a8078e0d0acccd1862de84e6

SHA256
f71395da4764de9693d61268f46128b292a2d97c07b70766dfc712eeb15175a4

SHA512
2a07c000da00da2454b4f8742ebf30c6a08e09fbae560da3cf1a37ebd341630166fc3dd9b353cd7bdcd39f60dfc38bdb26c78c7338557f3c4c97d61fc35d69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\riyrimii.exe
MD5
637825ffa7abc4405f139d62e89b4f9c

SHA1
9de110fadb05d381a8078e0d0acccd1862de84e6

SHA256
f71395da4764de9693d61268f46128b292a2d97c07b70766dfc712eeb15175a4

SHA512
2a07c000da00da2454b4f8742ebf30c6a08e09fbae560da3cf1a37ebd341630166fc3dd9b353cd7bdcd39f60dfc38bdb26c78c7338557f3c4c97d61fc35d69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\riyrimii.exe
MD5
637825ffa7abc4405f139d62e89b4f9c

SHA1
9de110fadb05d381a8078e0d0acccd1862de84e6

SHA256
f71395da4764de9693d61268f46128b292a2d97c07b70766dfc712eeb15175a4

SHA512
2a07c000da00da2454b4f8742ebf30c6a08e09fbae560da3cf1a37ebd341630166fc3dd9b353cd7bdcd39f60dfc38bdb26c78c7338557f3c4c97d61fc35d69f4

Download Submit
C:\Users\Public\vbc.exe
MD5
7df43be0deafeb4d6b7941bdbcb967e5

SHA1
aab76a8e344e17db2e89579b5af73243cf7ab184

SHA256
e98ed61fce78971c3dc3a8c3c91635c8977ae0cec721c0d87fa94bf13a53c489

SHA512
8e4ff84427c13eba0abd253b55e0c4a91622d6beb229f70ce1c17e855c207eb13ff6080e5af70dd52ff31327af7b58d3badddca2fafef4e36135c96f8ef2c17c

Download Submit
C:\Users\Public\vbc.exe
MD5
7df43be0deafeb4d6b7941bdbcb967e5

SHA1
aab76a8e344e17db2e89579b5af73243cf7ab184

SHA256
e98ed61fce78971c3dc3a8c3c91635c8977ae0cec721c0d87fa94bf13a53c489

SHA512
8e4ff84427c13eba0abd253b55e0c4a91622d6beb229f70ce1c17e855c207eb13ff6080e5af70dd52ff31327af7b58d3badddca2fafef4e36135c96f8ef2c17c

Download Submit
\Users\Admin\AppData\Local\Temp\riyrimii.exe
MD5
637825ffa7abc4405f139d62e89b4f9c

SHA1
9de110fadb05d381a8078e0d0acccd1862de84e6

SHA256
f71395da4764de9693d61268f46128b292a2d97c07b70766dfc712eeb15175a4

SHA512
2a07c000da00da2454b4f8742ebf30c6a08e09fbae560da3cf1a37ebd341630166fc3dd9b353cd7bdcd39f60dfc38bdb26c78c7338557f3c4c97d61fc35d69f4

Download Submit
\Users\Admin\AppData\Local\Temp\riyrimii.exe
MD5
637825ffa7abc4405f139d62e89b4f9c

SHA1
9de110fadb05d381a8078e0d0acccd1862de84e6

SHA256
f71395da4764de9693d61268f46128b292a2d97c07b70766dfc712eeb15175a4

SHA512
2a07c000da00da2454b4f8742ebf30c6a08e09fbae560da3cf1a37ebd341630166fc3dd9b353cd7bdcd39f60dfc38bdb26c78c7338557f3c4c97d61fc35d69f4

Download Submit
\Users\Public\vbc.exe
MD5
7df43be0deafeb4d6b7941bdbcb967e5

SHA1
aab76a8e344e17db2e89579b5af73243cf7ab184

SHA256
e98ed61fce78971c3dc3a8c3c91635c8977ae0cec721c0d87fa94bf13a53c489

SHA512
8e4ff84427c13eba0abd253b55e0c4a91622d6beb229f70ce1c17e855c207eb13ff6080e5af70dd52ff31327af7b58d3badddca2fafef4e36135c96f8ef2c17c

Download Submit
\Users\Public\vbc.exe
MD5
7df43be0deafeb4d6b7941bdbcb967e5

SHA1
aab76a8e344e17db2e89579b5af73243cf7ab184

SHA256
e98ed61fce78971c3dc3a8c3c91635c8977ae0cec721c0d87fa94bf13a53c489

SHA512
8e4ff84427c13eba0abd253b55e0c4a91622d6beb229f70ce1c17e855c207eb13ff6080e5af70dd52ff31327af7b58d3badddca2fafef4e36135c96f8ef2c17c

Download Submit
\Users\Public\vbc.exe
MD5
7df43be0deafeb4d6b7941bdbcb967e5

SHA1
aab76a8e344e17db2e89579b5af73243cf7ab184

SHA256
e98ed61fce78971c3dc3a8c3c91635c8977ae0cec721c0d87fa94bf13a53c489

SHA512
8e4ff84427c13eba0abd253b55e0c4a91622d6beb229f70ce1c17e855c207eb13ff6080e5af70dd52ff31327af7b58d3badddca2fafef4e36135c96f8ef2c17c

Download Submit
memory/736-58-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1396-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1396-57-0x000000007285D000-0x0000000072868000-memory.dmp

Filesize
44KB

Download
memory/1396-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1396-54-0x000000002F3A1000-0x000000002F3A4000-memory.dmp

Filesize
12KB

Download
memory/1396-55-0x0000000071871000-0x0000000071873000-memory.dmp

Filesize
8KB

Download
memory/1404-81-0x0000000006DB0000-0x0000000006EFB000-memory.dmp

Filesize
1.3MB

Download
memory/1404-87-0x0000000004A20000-0x0000000004ADC000-memory.dmp

Filesize
752KB

Download
memory/1404-77-0x0000000006CF0000-0x0000000006DA3000-memory.dmp

Filesize
716KB

Download
memory/1768-86-0x0000000001F10000-0x0000000001FA0000-memory.dmp

Filesize
576KB

Download
memory/1768-85-0x0000000002340000-0x0000000002643000-memory.dmp

Filesize
3.0MB

Download
memory/1768-83-0x00000000001D0000-0x00000000002C4000-memory.dmp

Filesize
976KB

Download
memory/1768-84-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1844-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1844-80-0x0000000000580000-0x0000000000591000-memory.dmp

Filesize
68KB

Download
memory/1844-79-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1844-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1844-76-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/1844-74-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/1844-75-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download