xloader | a5710d566d75764e63a8669e72f21b5542c234af87a4217cf0415799cbe9c5e1

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-04-2022 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BL.xlsx
Size

289KB
MD5

b8e9f95d4fa7c45a88a676e7bb3fc9ae
SHA1

acc6e22cbca2be6226fbddd46ce1ae8304f4f996
SHA256

a5710d566d75764e63a8669e72f21b5542c234af87a4217cf0415799cbe9c5e1
SHA512

27ce1fc0a872ec06fd8cc5ca9d8da3dda05988a887e29b14066648fb855b8977169dca0e0c585c7516359ce10321787de57a682da39eed347f1cdbd922da254e

Score

10^/10

xloader bs8f loader rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

bs8f

Decoy

atmospheraglobal.com

dontshootima.com

bestofferusde.club

yourdigitalboss.com

breskizci.com

myarrovacoastwebsite.com

reasclerk.com

efrovida.com

wsmz.net

upneett.com

loefflerforgov.com

noida.info

trndystore.com

arhaldar.online

vivibanca.tech

mykrema.com

vseserialy.online

ridgewayinsua.com

heauxland.com

bestcollegecourses.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1492-75-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1492-76-0x000000000041D440-mapping.dmp	xloader
behavioral1/memory/1032-86-0x0000000000110000-0x0000000000139000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 2032 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exejnifxyk.exejnifxyk.exe

pid process

1448 vbc.exe
2008 jnifxyk.exe
1492 jnifxyk.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEvbc.exejnifxyk.exe

pid process

2032 EQNEDT32.EXE
2032 EQNEDT32.EXE
2032 EQNEDT32.EXE
1448 vbc.exe
2008 jnifxyk.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	2032	EQNEDT32.EXE

pid	process
1448	vbc.exe
2008	jnifxyk.exe
1492	jnifxyk.exe

pid	process
2032	EQNEDT32.EXE
2032	EQNEDT32.EXE
2032	EQNEDT32.EXE
1448	vbc.exe
2008	jnifxyk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jnifxyk.exejnifxyk.exemsiexec.exe

description	pid	process	target process
PID 2008 set thread context of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 1492 set thread context of 1320	1492	jnifxyk.exe	Explorer.EXE
PID 1032 set thread context of 1320	1032	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2032 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2032	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE

pid	process
1932	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

jnifxyk.exemsiexec.exe

pid	process
1492	jnifxyk.exe
1492	jnifxyk.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

jnifxyk.exemsiexec.exe

pid process

1492 jnifxyk.exe
1492 jnifxyk.exe
1492 jnifxyk.exe
1032 msiexec.exe
1032 msiexec.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

jnifxyk.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1492	jnifxyk.exe
Token: SeDebugPrivilege	1032	msiexec.exe
Token: SeShutdownPrivilege	1320	Explorer.EXE
Token: SeShutdownPrivilege	1320	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1320 Explorer.EXE
1320 Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1932 EXCEL.EXE
1932 EXCEL.EXE
1932 EXCEL.EXE

pid	process
1320	Explorer.EXE
1320	Explorer.EXE

pid	process
1320	Explorer.EXE
1320	Explorer.EXE

pid	process
1932	EXCEL.EXE
1932	EXCEL.EXE
1932	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

EQNEDT32.EXEvbc.exejnifxyk.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 2032 wrote to memory of 1448	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 1448	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 1448	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 1448	2032	EQNEDT32.EXE	vbc.exe
PID 1448 wrote to memory of 2008	1448	vbc.exe	jnifxyk.exe
PID 1448 wrote to memory of 2008	1448	vbc.exe	jnifxyk.exe
PID 1448 wrote to memory of 2008	1448	vbc.exe	jnifxyk.exe
PID 1448 wrote to memory of 2008	1448	vbc.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 2008 wrote to memory of 1492	2008	jnifxyk.exe	jnifxyk.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1320 wrote to memory of 1032	1320	Explorer.EXE	msiexec.exe
PID 1032 wrote to memory of 1420	1032	msiexec.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	msiexec.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	msiexec.exe	cmd.exe
PID 1032 wrote to memory of 1420	1032	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\BL.xlsx
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe"
3⤵
PID:1420

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe
C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe C:\Users\Admin\AppData\Local\Temp\lfywgvpfj
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe
C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe C:\Users\Admin\AppData\Local\Temp\lfywgvpfj
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe
Filesize
4KB

MD5
a364b2fc1cd2b3d168d1198a1985f213

SHA1
9a83aacc17e979241ae0f4e78a9155009f348178

SHA256
ab2ef8d0dc932f8ddfad57bab04fddcf09f423092117ee6b52ecffd3342a4ae7

SHA512
666c8e475d92527de0f9046f14c993fdfada209591e125a66b22084e1bf58112af0ab8141b58de152d5fd36a84a38fa0b8fa956f3f6faace50378b688295bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe
Filesize
4KB

MD5
a364b2fc1cd2b3d168d1198a1985f213

SHA1
9a83aacc17e979241ae0f4e78a9155009f348178

SHA256
ab2ef8d0dc932f8ddfad57bab04fddcf09f423092117ee6b52ecffd3342a4ae7

SHA512
666c8e475d92527de0f9046f14c993fdfada209591e125a66b22084e1bf58112af0ab8141b58de152d5fd36a84a38fa0b8fa956f3f6faace50378b688295bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnifxyk.exe
Filesize
4KB

MD5
a364b2fc1cd2b3d168d1198a1985f213

SHA1
9a83aacc17e979241ae0f4e78a9155009f348178

SHA256
ab2ef8d0dc932f8ddfad57bab04fddcf09f423092117ee6b52ecffd3342a4ae7

SHA512
666c8e475d92527de0f9046f14c993fdfada209591e125a66b22084e1bf58112af0ab8141b58de152d5fd36a84a38fa0b8fa956f3f6faace50378b688295bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\larqsggzaxrnoz41ty
Filesize
163KB

MD5
695d807909ace36f4b7dd725aede6f8b

SHA1
a07316902ec19b90303df7f7ffec5c63fb9c281c

SHA256
0f2bbef29dc7cc8619e09fb63813533c2a09288fcee4384bd204f957815cd3c8

SHA512
8c9ee076614273165add9f56c68942e96f7e495a1b47dba9596b878792168496cb3c6decc58b2f853b1c5fd4f194d753766a58a2538d01e385f7aeb040c62359

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfywgvpfj
Filesize
4KB

MD5
000d34eb826ab89038029bbfdfaef96f

SHA1
d49823004b3b93906b3740ba4926c03c6c588ef5

SHA256
86e3ed6fa3b40963466348a4cb4abd9343e86eb911beabe08db69ad60c54d8ec

SHA512
9447375b5f4d8c9a9b7b9f848ba87f4a7cb30b4200baab6e7263d083ef8309cfff4843f54a137c74ff9c19d10b0c3c196b6e93528551765fc8013e35efbdd9a2

Download Submit
C:\Users\Public\vbc.exe
Filesize
192KB

MD5
7db1d253bb7b891648716c3b2478366c

SHA1
672f0803734c499a51e269e08acc2db61b9552fa

SHA256
0238855b3d6350c0b01a9f7d0ec8ec28c735ee33e1c77a35e1b87c5ec76017d7

SHA512
37a5fa049a5012de3b3efefe9149e5cd39ee4d04859ee35f8551dfddc3cb00712622d35587cccb8185b0dcddcfe1aaf8e21442abe8b0c3a9ec3487f05e96154d

Download Submit
C:\Users\Public\vbc.exe
Filesize
192KB

MD5
7db1d253bb7b891648716c3b2478366c

SHA1
672f0803734c499a51e269e08acc2db61b9552fa

SHA256
0238855b3d6350c0b01a9f7d0ec8ec28c735ee33e1c77a35e1b87c5ec76017d7

SHA512
37a5fa049a5012de3b3efefe9149e5cd39ee4d04859ee35f8551dfddc3cb00712622d35587cccb8185b0dcddcfe1aaf8e21442abe8b0c3a9ec3487f05e96154d

Download Submit
\Users\Admin\AppData\Local\Temp\jnifxyk.exe
Filesize
4KB

MD5
a364b2fc1cd2b3d168d1198a1985f213

SHA1
9a83aacc17e979241ae0f4e78a9155009f348178

SHA256
ab2ef8d0dc932f8ddfad57bab04fddcf09f423092117ee6b52ecffd3342a4ae7

SHA512
666c8e475d92527de0f9046f14c993fdfada209591e125a66b22084e1bf58112af0ab8141b58de152d5fd36a84a38fa0b8fa956f3f6faace50378b688295bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\jnifxyk.exe
Filesize
4KB

MD5
a364b2fc1cd2b3d168d1198a1985f213

SHA1
9a83aacc17e979241ae0f4e78a9155009f348178

SHA256
ab2ef8d0dc932f8ddfad57bab04fddcf09f423092117ee6b52ecffd3342a4ae7

SHA512
666c8e475d92527de0f9046f14c993fdfada209591e125a66b22084e1bf58112af0ab8141b58de152d5fd36a84a38fa0b8fa956f3f6faace50378b688295bd4f

Download Submit
\Users\Public\vbc.exe
Filesize
192KB

MD5
7db1d253bb7b891648716c3b2478366c

SHA1
672f0803734c499a51e269e08acc2db61b9552fa

SHA256
0238855b3d6350c0b01a9f7d0ec8ec28c735ee33e1c77a35e1b87c5ec76017d7

SHA512
37a5fa049a5012de3b3efefe9149e5cd39ee4d04859ee35f8551dfddc3cb00712622d35587cccb8185b0dcddcfe1aaf8e21442abe8b0c3a9ec3487f05e96154d

Download Submit
\Users\Public\vbc.exe
Filesize
192KB

MD5
7db1d253bb7b891648716c3b2478366c

SHA1
672f0803734c499a51e269e08acc2db61b9552fa

SHA256
0238855b3d6350c0b01a9f7d0ec8ec28c735ee33e1c77a35e1b87c5ec76017d7

SHA512
37a5fa049a5012de3b3efefe9149e5cd39ee4d04859ee35f8551dfddc3cb00712622d35587cccb8185b0dcddcfe1aaf8e21442abe8b0c3a9ec3487f05e96154d

Download Submit
\Users\Public\vbc.exe
Filesize
192KB

MD5
7db1d253bb7b891648716c3b2478366c

SHA1
672f0803734c499a51e269e08acc2db61b9552fa

SHA256
0238855b3d6350c0b01a9f7d0ec8ec28c735ee33e1c77a35e1b87c5ec76017d7

SHA512
37a5fa049a5012de3b3efefe9149e5cd39ee4d04859ee35f8551dfddc3cb00712622d35587cccb8185b0dcddcfe1aaf8e21442abe8b0c3a9ec3487f05e96154d

Download Submit
memory/1032-87-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/1032-88-0x0000000001F90000-0x0000000002020000-memory.dmp

Filesize
576KB

Download
memory/1032-85-0x0000000000530000-0x0000000000544000-memory.dmp

Filesize
80KB

Download
memory/1032-86-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/1032-82-0x0000000000000000-mapping.dmp

Download
memory/1320-81-0x0000000006490000-0x000000000655C000-memory.dmp

Filesize
816KB

Download
memory/1320-89-0x0000000006F00000-0x0000000006FD2000-memory.dmp

Filesize
840KB

Download
memory/1420-84-0x0000000000000000-mapping.dmp

Download
memory/1448-63-0x0000000000000000-mapping.dmp

Download
memory/1492-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1492-79-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1492-80-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1492-76-0x000000000041D440-mapping.dmp

Download
memory/1932-55-0x0000000070DA1000-0x0000000070DA3000-memory.dmp

Filesize
8KB

Download
memory/1932-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1932-57-0x0000000071D8D000-0x0000000071D98000-memory.dmp

Filesize
44KB

Download
memory/1932-58-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1932-54-0x000000002F5E1000-0x000000002F5E4000-memory.dmp

Filesize
12KB

Download
memory/1932-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-68-0x0000000000000000-mapping.dmp

Download