lokibot | 22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sales Contract.rtf
Size

32KB
MD5

06eaf94652a2911e162a9f2539068fde
SHA1

0b5d67194a23ca8e383adea70805475b493e00b4
SHA256

22688ff9e157c182349eb229dd249290461fa14697355057774dfd45d6aa2eda
SHA512

367d58564b4428e431a7aaa3ae65dd8686ee9660b09256817cd03471b64949970dc5937d2f5e94eb3a78c79467e5aa91536b89cfc9c558a8971ee40f39075a2d
SSDEEP

768:gFx0XaIsnPRIa4fwJMi8kXCxQJnoncHdJBRLZ3Jt4xc:gf0Xvx3EMi8aDAiLt4K

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1496 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

kellyllerpru658.exexyehut.exexyehut.exe

pid process

1052 kellyllerpru658.exe
1720 xyehut.exe
1636 xyehut.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEkellyllerpru658.exexyehut.exe

pid process

1496 EQNEDT32.EXE
1052 kellyllerpru658.exe
1052 kellyllerpru658.exe
1720 xyehut.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
3	1496	EQNEDT32.EXE

pid	process
1052	kellyllerpru658.exe
1720	xyehut.exe
1636	xyehut.exe

pid	process
1496	EQNEDT32.EXE
1052	kellyllerpru658.exe
1052	kellyllerpru658.exe
1720	xyehut.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

xyehut.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xyehut.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	xyehut.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xyehut.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xyehut.exe

description pid process target process

PID 1720 set thread context of 1636 1720 xyehut.exe xyehut.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1496 EQNEDT32.EXE

description	pid	process	target process
PID 1720 set thread context of 1636	1720	xyehut.exe	xyehut.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1496	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1736 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

xyehut.exe

pid process

1720 xyehut.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xyehut.exe

description pid process

Token: SeDebugPrivilege 1636 xyehut.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

1736 WINWORD.EXE
1736 WINWORD.EXE
1736 WINWORD.EXE

pid	process
1736	WINWORD.EXE

pid	process
1720	xyehut.exe

description	pid	process
Token: SeDebugPrivilege	1636	xyehut.exe

pid	process
1736	WINWORD.EXE
1736	WINWORD.EXE
1736	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEkellyllerpru658.exexyehut.exeWINWORD.EXE

description	pid	process	target process
PID 1496 wrote to memory of 1052	1496	EQNEDT32.EXE	kellyllerpru658.exe
PID 1496 wrote to memory of 1052	1496	EQNEDT32.EXE	kellyllerpru658.exe
PID 1496 wrote to memory of 1052	1496	EQNEDT32.EXE	kellyllerpru658.exe
PID 1496 wrote to memory of 1052	1496	EQNEDT32.EXE	kellyllerpru658.exe
PID 1052 wrote to memory of 1720	1052	kellyllerpru658.exe	xyehut.exe
PID 1052 wrote to memory of 1720	1052	kellyllerpru658.exe	xyehut.exe
PID 1052 wrote to memory of 1720	1052	kellyllerpru658.exe	xyehut.exe
PID 1052 wrote to memory of 1720	1052	kellyllerpru658.exe	xyehut.exe
PID 1720 wrote to memory of 1636	1720	xyehut.exe	xyehut.exe
PID 1720 wrote to memory of 1636	1720	xyehut.exe	xyehut.exe
PID 1720 wrote to memory of 1636	1720	xyehut.exe	xyehut.exe
PID 1720 wrote to memory of 1636	1720	xyehut.exe	xyehut.exe
PID 1720 wrote to memory of 1636	1720	xyehut.exe	xyehut.exe
PID 1736 wrote to memory of 2020	1736	WINWORD.EXE	splwow64.exe
PID 1736 wrote to memory of 2020	1736	WINWORD.EXE	splwow64.exe
PID 1736 wrote to memory of 2020	1736	WINWORD.EXE	splwow64.exe
PID 1736 wrote to memory of 2020	1736	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

xyehut.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xyehut.exe

outlook_win_path 1 IoCs

Processes:

xyehut.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xyehut.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sales Contract.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe
"C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\xyehut.exe
"C:\Users\Admin\AppData\Local\Temp\xyehut.exe" C:\Users\Admin\AppData\Local\Temp\ryuqv.c
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\xyehut.exe
"C:\Users\Admin\AppData\Local\Temp\xyehut.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mchwbuxishg.rxx

Filesize
124KB

MD5
5ce226ee80999807d36a689fddd23c18

SHA1
3e07db379afe660bdaf6d0019ab426d2f614f146

SHA256
83ecc3467fda59b66f6afcaae807ca59ee7417a6231c10142af985b331b74b4d

SHA512
a8f89278d8e4a8d58301d7699dcc40e2a88d2de559adaa4190083917998f6f23edf70705b2dd6a8a83d855587b30e25a218a379ca01bfc583807c13002d1e396

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryuqv.c

Filesize
5KB

MD5
54c82dda4b3234657943a6903f109457

SHA1
326f769fa37fb1d8c6f2945d13e589f38d0bbdb9

SHA256
d70cd11f2045fb28c78406af45cd22afdc700df825be66aa52c1d78ec2c2b8d9

SHA512
7e7b5063904ad3068908cd5b5766179536b2b218a4c30390b2376697afd2503460c297b1a248222e0a92f1dcc47fab9b166a40a447ccf5fa43571c027895c3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe

Filesize
365KB

MD5
25dd292aa9580bbbd9592cb6b665dbfc

SHA1
121da4ae670a29924f2e9606ba0b59cef8891a43

SHA256
61fbde7746915c8226cae278e4194426b1b7211cb1c6755667d86f02a05594de

SHA512
ee38d84efe3389f6db199f0fbb3d0c7a1c582822d0c8bee6dce2bd13b23ce7490fc95ea1055cd0f4a429d72279604e9ecb4708ed061458dc2ca85f2916ad8231

Download Submit
C:\Users\Admin\AppData\Roaming\kellyllerpru658.exe

Filesize
365KB

MD5
25dd292aa9580bbbd9592cb6b665dbfc

SHA1
121da4ae670a29924f2e9606ba0b59cef8891a43

SHA256
61fbde7746915c8226cae278e4194426b1b7211cb1c6755667d86f02a05594de

SHA512
ee38d84efe3389f6db199f0fbb3d0c7a1c582822d0c8bee6dce2bd13b23ce7490fc95ea1055cd0f4a429d72279604e9ecb4708ed061458dc2ca85f2916ad8231

Download Submit
\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
\Users\Admin\AppData\Local\Temp\xyehut.exe

Filesize
50KB

MD5
9ffac85cea4f6e3d704ca8daf251a048

SHA1
028ce840052541c88d9353a909a6c59167d4aef7

SHA256
f461452702d985cfaa61c4fa4f93eb017fc19c6c6f6d0b93512204c4fabf0067

SHA512
52880a9d76e13e718d0c7711fb1cb51d4b5ed4efbfd1f1b1d918f1c4242b9b2d8aac3b89a497331ecace6fcb0dacb754cf1decde898ed6ba1b9520235179684b

Download Submit
\Users\Admin\AppData\Roaming\kellyllerpru658.exe

Filesize
365KB

MD5
25dd292aa9580bbbd9592cb6b665dbfc

SHA1
121da4ae670a29924f2e9606ba0b59cef8891a43

SHA256
61fbde7746915c8226cae278e4194426b1b7211cb1c6755667d86f02a05594de

SHA512
ee38d84efe3389f6db199f0fbb3d0c7a1c582822d0c8bee6dce2bd13b23ce7490fc95ea1055cd0f4a429d72279604e9ecb4708ed061458dc2ca85f2916ad8231

Download Submit
memory/1052-61-0x0000000000000000-mapping.dmp

Download
memory/1636-74-0x00000000004139DE-mapping.dmp

Download
memory/1636-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1636-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1720-67-0x0000000000000000-mapping.dmp

Download
memory/1736-54-0x0000000072931000-0x0000000072934000-memory.dmp

Filesize
12KB

Download
memory/1736-55-0x00000000703B1000-0x00000000703B3000-memory.dmp

Filesize
8KB

Download
memory/1736-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1736-57-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1736-78-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1736-58-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1736-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1736-83-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/2020-80-0x0000000000000000-mapping.dmp

Download
memory/2020-81-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download