lokibot | 2fe07388d4fb59ade682b9553b4fee971d77a18018cbe7af052d880c2211c559

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-01-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statement Of Account .xls
Size

883KB
MD5

7b35fd3ea67e7ab049ba760c0bbf03e7
SHA1

e0e3665311627b00580f3ff72c502e6e3779afd2
SHA256

2fe07388d4fb59ade682b9553b4fee971d77a18018cbe7af052d880c2211c559
SHA512

bdd45fb16e63d5eca8e957a057e272abddcc0be5326f729c6c260617f1a6128d5dd085625e35f59eef6bb681feb1eabb7ad564409c2a55ced7db3ebc455ce0b2
SSDEEP

12288:Us02NM0ry+1wFZBDF4BSFLBJFKBsx02NM0ry+1ZFTBHFxBaFJBiFBBnuoSIAB1WP:KZy6Z9lsZyrX4ILSIAvQv

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 792 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vbc.exenkdvifms.exenkdvifms.exe

pid process

1676 vbc.exe
292 nkdvifms.exe
2012 nkdvifms.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEvbc.exenkdvifms.exe

pid process

792 EQNEDT32.EXE
1676 vbc.exe
1676 vbc.exe
292 nkdvifms.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
3	792	EQNEDT32.EXE

pid	process
1676	vbc.exe
292	nkdvifms.exe
2012	nkdvifms.exe

pid	process
792	EQNEDT32.EXE
1676	vbc.exe
1676	vbc.exe
292	nkdvifms.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nkdvifms.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	nkdvifms.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nkdvifms.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nkdvifms.exe

description pid process target process

PID 292 set thread context of 2012 292 nkdvifms.exe nkdvifms.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

792 EQNEDT32.EXE

description	pid	process	target process
PID 292 set thread context of 2012	292	nkdvifms.exe	nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
792	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1808 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nkdvifms.exe

pid process

292 nkdvifms.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nkdvifms.exe

description pid process

Token: SeDebugPrivilege 2012 nkdvifms.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1808 EXCEL.EXE
1808 EXCEL.EXE
1808 EXCEL.EXE

pid	process
1808	EXCEL.EXE

pid	process
292	nkdvifms.exe

description	pid	process
Token: SeDebugPrivilege	2012	nkdvifms.exe

pid	process
1808	EXCEL.EXE
1808	EXCEL.EXE
1808	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEvbc.exenkdvifms.exe

description	pid	process	target process
PID 792 wrote to memory of 1676	792	EQNEDT32.EXE	vbc.exe
PID 792 wrote to memory of 1676	792	EQNEDT32.EXE	vbc.exe
PID 792 wrote to memory of 1676	792	EQNEDT32.EXE	vbc.exe
PID 792 wrote to memory of 1676	792	EQNEDT32.EXE	vbc.exe
PID 1676 wrote to memory of 292	1676	vbc.exe	nkdvifms.exe
PID 1676 wrote to memory of 292	1676	vbc.exe	nkdvifms.exe
PID 1676 wrote to memory of 292	1676	vbc.exe	nkdvifms.exe
PID 1676 wrote to memory of 292	1676	vbc.exe	nkdvifms.exe
PID 292 wrote to memory of 2012	292	nkdvifms.exe	nkdvifms.exe
PID 292 wrote to memory of 2012	292	nkdvifms.exe	nkdvifms.exe
PID 292 wrote to memory of 2012	292	nkdvifms.exe	nkdvifms.exe
PID 292 wrote to memory of 2012	292	nkdvifms.exe	nkdvifms.exe
PID 292 wrote to memory of 2012	292	nkdvifms.exe	nkdvifms.exe

outlook_office_path 1 IoCs

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nkdvifms.exe

outlook_win_path 1 IoCs

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nkdvifms.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Statement Of Account .xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe
"C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe" C:\Users\Admin\AppData\Local\Temp\hmedw.p
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe
"C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmedw.p

Filesize
6KB

MD5
fd51be72426c39dc00f2b205f6833842

SHA1
57b2789688d6f661560a04ade85b93da51157d27

SHA256
b896a8708e886a084f33b9121ba0c706d8c49fe20ea5ee9a12d3d8607d891506

SHA512
55d20776296db0fdd81df8ea70f601ec249cfc3ec87f69151c51ab2934c426a02b1acc66a2a8f0d9281e074c13a919ee4f9ad89d0070786c6747523d540b3baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxxmjmgo.k

Filesize
124KB

MD5
ace55a7b52c7d502500c8c47650dd135

SHA1
aa370c3828ae5aa80e78fe6ed0bd8cebf22f68f3

SHA256
5ad2b3d31c912c02a656c49b681fe8d6d5b49eb77d19a07858392c88a61bd1bf

SHA512
84ac3071e813cc1acdb27b0e90984e16774f89239c7d1389385a2c1eab4b86531e357fb1b82fe6677a5a82234cec73426f1e94fff619b2bdac2c2255ab8c082d

Download Submit
C:\Users\Public\vbc.exe

Filesize
410KB

MD5
8e3f5686982c6fb28ca05be8afa2945c

SHA1
a07552b36fb3446c1bf933839aac0c5c2ac85413

SHA256
be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7

SHA512
9618d5fba1fe3923d4b9bdc18fd54fd9f2b41db43b9b9b2829eb70f7dee889e33d3844cb9517bcba85d5105571fcf46dfcab1a9872f965cfdedd7250498daaaf

Download Submit
C:\Users\Public\vbc.exe

Filesize
410KB

MD5
8e3f5686982c6fb28ca05be8afa2945c

SHA1
a07552b36fb3446c1bf933839aac0c5c2ac85413

SHA256
be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7

SHA512
9618d5fba1fe3923d4b9bdc18fd54fd9f2b41db43b9b9b2829eb70f7dee889e33d3844cb9517bcba85d5105571fcf46dfcab1a9872f965cfdedd7250498daaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
\Users\Public\vbc.exe

Filesize
410KB

MD5
8e3f5686982c6fb28ca05be8afa2945c

SHA1
a07552b36fb3446c1bf933839aac0c5c2ac85413

SHA256
be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7

SHA512
9618d5fba1fe3923d4b9bdc18fd54fd9f2b41db43b9b9b2829eb70f7dee889e33d3844cb9517bcba85d5105571fcf46dfcab1a9872f965cfdedd7250498daaaf

Download Submit
memory/292-67-0x0000000000000000-mapping.dmp

Download
memory/1676-61-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x000000002F841000-0x000000002F844000-memory.dmp

Filesize
12KB

Download
memory/1808-58-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1808-57-0x0000000072C4D000-0x0000000072C58000-memory.dmp

Filesize
44KB

Download
memory/1808-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1808-55-0x0000000071C61000-0x0000000071C63000-memory.dmp

Filesize
8KB

Download
memory/1808-78-0x0000000072C4D000-0x0000000072C58000-memory.dmp

Filesize
44KB

Download
memory/1808-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1808-81-0x0000000072C4D000-0x0000000072C58000-memory.dmp

Filesize
44KB

Download
memory/2012-74-0x00000000004139DE-mapping.dmp

Download
memory/2012-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2012-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download