lokibot | ee87371ff74c24235fb99de41971f23185587ee25030fe4abf0a6142101cfb6e

Analysis

max time kernel
100s
max time network
103s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0011INV-PBS-BPPXI22.xls
Size

1.2MB
MD5

33a75ae52baa059c946ce63343977318
SHA1

3f9a8c9b845e25c823236f55e803261611b7ada1
SHA256

ee87371ff74c24235fb99de41971f23185587ee25030fe4abf0a6142101cfb6e
SHA512

3dfff19d8d8eb90400773272e7e40095b299b8040e9f3b324a26e176f01929a934ce049c48544a268fa1418a8878f0863e888e69e0e9e3c8c5f7d43e2fe21c33
SSDEEP

24576:YZyg5mMZyu1m35QsTYh2TDXXXXXXXXXXXXUXXXXXXXXXX7XXXXXCK8VIvsSXOJv6:KbQDTXK8xSeJvb

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://sempersim.su/ha3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 2032 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exedvgxyu.exedvgxyu.exe

pid process

524 vbc.exe
1756 dvgxyu.exe
1572 dvgxyu.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exedvgxyu.exe

pid process

2032 EQNEDT32.EXE
524 vbc.exe
524 vbc.exe
1756 dvgxyu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	2032	EQNEDT32.EXE

pid	process
524	vbc.exe
1756	dvgxyu.exe
1572	dvgxyu.exe

pid	process
2032	EQNEDT32.EXE
524	vbc.exe
524	vbc.exe
1756	dvgxyu.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dvgxyu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dvgxyu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dvgxyu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dvgxyu.exe

description pid process target process

PID 1756 set thread context of 1572 1756 dvgxyu.exe dvgxyu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2032 EQNEDT32.EXE

description	pid	process	target process
PID 1756 set thread context of 1572	1756	dvgxyu.exe	dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2032	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1952 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dvgxyu.exe

pid process

1756 dvgxyu.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dvgxyu.exe

description pid process

Token: SeDebugPrivilege 1572 dvgxyu.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1952 EXCEL.EXE
1952 EXCEL.EXE
1952 EXCEL.EXE

pid	process
1952	EXCEL.EXE

pid	process
1756	dvgxyu.exe

description	pid	process
Token: SeDebugPrivilege	1572	dvgxyu.exe

pid	process
1952	EXCEL.EXE
1952	EXCEL.EXE
1952	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exedvgxyu.exe

description	pid	process	target process
PID 2032 wrote to memory of 524	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 524	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 524	2032	EQNEDT32.EXE	vbc.exe
PID 2032 wrote to memory of 524	2032	EQNEDT32.EXE	vbc.exe
PID 524 wrote to memory of 1756	524	vbc.exe	dvgxyu.exe
PID 524 wrote to memory of 1756	524	vbc.exe	dvgxyu.exe
PID 524 wrote to memory of 1756	524	vbc.exe	dvgxyu.exe
PID 524 wrote to memory of 1756	524	vbc.exe	dvgxyu.exe
PID 1756 wrote to memory of 1572	1756	dvgxyu.exe	dvgxyu.exe
PID 1756 wrote to memory of 1572	1756	dvgxyu.exe	dvgxyu.exe
PID 1756 wrote to memory of 1572	1756	dvgxyu.exe	dvgxyu.exe
PID 1756 wrote to memory of 1572	1756	dvgxyu.exe	dvgxyu.exe
PID 1756 wrote to memory of 1572	1756	dvgxyu.exe	dvgxyu.exe

outlook_office_path 1 IoCs

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dvgxyu.exe

outlook_win_path 1 IoCs

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dvgxyu.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0011INV-PBS-BPPXI22.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
"C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe" C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
"C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htumj.tgq

Filesize
124KB

MD5
efc554754a187541e8796eb668035bb3

SHA1
97f32f178cb14870ca365a0087e695058ace851d

SHA256
9ad33fcd12dc3d5ea791eea89a43690923204d3f264cf90821427b60cc5a526e

SHA512
47efd06e5c00786513ad92fc05e97cd41bcb68bc42b2c6ee72dd0fc600da22d3edef00a95784b1d0952893e841578a775375dba569e1c30c9288769986268e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv

Filesize
5KB

MD5
ecb37cd6ee8b9db9885ba717d4adb214

SHA1
c851738f41f381fb68ff02d4407c66a40674ac55

SHA256
5fc04ff9019f6cba12e94c9961b6c94487ad0173ad097c66b868f6cbdc5696ac

SHA512
11d1832f232790ceb0faea2f373654e3a91c2d028431692908d6de4c50bfe0664ae9ee4cc55ee5b106f68eb94c9f3547ae15b1a2e1e38fdded1a4c6a3fd7ab8d

Download Submit
C:\Users\Public\vbc.exe

Filesize
339KB

MD5
21f218355048519cbfe30b197a9ed5bb

SHA1
ccb176d3bbea60567dc52439ffc0c127fa6eacc4

SHA256
de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9

SHA512
33e88f9b1f374c0c0ac4230876c661a2b4cf05de5b2d1dea46e5f55e4a6644532a95442b74d1e854e9036f9acd2f3c8c1825defcd450cf72fa468529e1feafdf

Download Submit
C:\Users\Public\vbc.exe

Filesize
339KB

MD5
21f218355048519cbfe30b197a9ed5bb

SHA1
ccb176d3bbea60567dc52439ffc0c127fa6eacc4

SHA256
de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9

SHA512
33e88f9b1f374c0c0ac4230876c661a2b4cf05de5b2d1dea46e5f55e4a6644532a95442b74d1e854e9036f9acd2f3c8c1825defcd450cf72fa468529e1feafdf

Download Submit
\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
\Users\Public\vbc.exe

Filesize
339KB

MD5
21f218355048519cbfe30b197a9ed5bb

SHA1
ccb176d3bbea60567dc52439ffc0c127fa6eacc4

SHA256
de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9

SHA512
33e88f9b1f374c0c0ac4230876c661a2b4cf05de5b2d1dea46e5f55e4a6644532a95442b74d1e854e9036f9acd2f3c8c1825defcd450cf72fa468529e1feafdf

Download Submit
memory/524-61-0x0000000000000000-mapping.dmp

Download
memory/1572-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1572-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1572-74-0x00000000004139DE-mapping.dmp

Download
memory/1756-67-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x0000000071001000-0x0000000071003000-memory.dmp

Filesize
8KB

Download
memory/1952-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1952-57-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1952-58-0x0000000071FED000-0x0000000071FF8000-memory.dmp

Filesize
44KB

Download
memory/1952-78-0x0000000071FED000-0x0000000071FF8000-memory.dmp

Filesize
44KB

Download
memory/1952-54-0x000000002F671000-0x000000002F674000-memory.dmp

Filesize
12KB

Download
memory/1952-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1952-81-0x0000000071FED000-0x0000000071FF8000-memory.dmp

Filesize
44KB

Download