lokibot | 5edd994e9db5ecd49caea2db2d0372ab4b6f5acd01ad876a806f33f9a0f491d7

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-01-2023 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f87271f442528f2631a92b0cf0d1f37e145f5cfc0c6c29bb5a6042657f14878.rtf
Size

32KB
MD5

155e4d6d2481e2e2fa2947bbb0cf1a73
SHA1

cc1e9b7f845116548045c17b455b33bcd36229e9
SHA256

0f87271f442528f2631a92b0cf0d1f37e145f5cfc0c6c29bb5a6042657f14878
SHA512

584c0f4a6d30da70db994aa82cbebadc810f344631d40bde4faaed5ab6ea33240401fd6af25ff6ad1adaef4f51c871b3fa67b61d59915e0e37c8d29a1505f1e4
SSDEEP

768:SFx0XaIsnPRIa4fwJMgotSfNTxAXqh9s53M33J:Sf0Xvx3EMgoUfs53MJ

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 1780 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

kellyncru65.exehtswjzibj.exehtswjzibj.exe

pid process

2032 kellyncru65.exe
1720 htswjzibj.exe
1260 htswjzibj.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEkellyncru65.exehtswjzibj.exe

pid process

1780 EQNEDT32.EXE
2032 kellyncru65.exe
2032 kellyncru65.exe
1720 htswjzibj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
3	1780	EQNEDT32.EXE

pid	process
2032	kellyncru65.exe
1720	htswjzibj.exe
1260	htswjzibj.exe

pid	process
1780	EQNEDT32.EXE
2032	kellyncru65.exe
2032	kellyncru65.exe
1720	htswjzibj.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

htswjzibj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	htswjzibj.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htswjzibj.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htswjzibj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

htswjzibj.exe

description pid process target process

PID 1720 set thread context of 1260 1720 htswjzibj.exe htswjzibj.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1780 EQNEDT32.EXE

description	pid	process	target process
PID 1720 set thread context of 1260	1720	htswjzibj.exe	htswjzibj.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1780	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1268 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

htswjzibj.exe

pid process

1720 htswjzibj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

htswjzibj.exe

description pid process

Token: SeDebugPrivilege 1260 htswjzibj.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1268 WINWORD.EXE
1268 WINWORD.EXE

pid	process
1268	WINWORD.EXE

pid	process
1720	htswjzibj.exe

description	pid	process
Token: SeDebugPrivilege	1260	htswjzibj.exe

pid	process
1268	WINWORD.EXE
1268	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEkellyncru65.exehtswjzibj.exeWINWORD.EXE

description	pid	process	target process
PID 1780 wrote to memory of 2032	1780	EQNEDT32.EXE	kellyncru65.exe
PID 1780 wrote to memory of 2032	1780	EQNEDT32.EXE	kellyncru65.exe
PID 1780 wrote to memory of 2032	1780	EQNEDT32.EXE	kellyncru65.exe
PID 1780 wrote to memory of 2032	1780	EQNEDT32.EXE	kellyncru65.exe
PID 2032 wrote to memory of 1720	2032	kellyncru65.exe	htswjzibj.exe
PID 2032 wrote to memory of 1720	2032	kellyncru65.exe	htswjzibj.exe
PID 2032 wrote to memory of 1720	2032	kellyncru65.exe	htswjzibj.exe
PID 2032 wrote to memory of 1720	2032	kellyncru65.exe	htswjzibj.exe
PID 1720 wrote to memory of 1260	1720	htswjzibj.exe	htswjzibj.exe
PID 1720 wrote to memory of 1260	1720	htswjzibj.exe	htswjzibj.exe
PID 1720 wrote to memory of 1260	1720	htswjzibj.exe	htswjzibj.exe
PID 1720 wrote to memory of 1260	1720	htswjzibj.exe	htswjzibj.exe
PID 1720 wrote to memory of 1260	1720	htswjzibj.exe	htswjzibj.exe
PID 1268 wrote to memory of 1368	1268	WINWORD.EXE	splwow64.exe
PID 1268 wrote to memory of 1368	1268	WINWORD.EXE	splwow64.exe
PID 1268 wrote to memory of 1368	1268	WINWORD.EXE	splwow64.exe
PID 1268 wrote to memory of 1368	1268	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

htswjzibj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htswjzibj.exe

outlook_win_path 1 IoCs

Processes:

htswjzibj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htswjzibj.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0f87271f442528f2631a92b0cf0d1f37e145f5cfc0c6c29bb5a6042657f14878.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1368

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\kellyncru65.exe
"C:\Users\Admin\AppData\Roaming\kellyncru65.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe
"C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe" C:\Users\Admin\AppData\Local\Temp\glfgey.x
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe
"C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glfgey.x

Filesize
5KB

MD5
a42b830e7f0b24eb20cf8e3b094d58a0

SHA1
dbe8f24a22eed093dde962d34c885221cbd5f2ff

SHA256
3fc1e155e27025025b0de03e6b87bb3f95a85dcb8dc991bd3d6faef4bc8d0b3b

SHA512
35c6861269c29d357701b2f1af19026b1f394cd1572dc2a130a667767f75dd3b08c98a3e96e726d053a726e7bd78684017c207a0e2c4a3485fc186ab476605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkryvaw.isw

Filesize
124KB

MD5
a40c9a5d877bc7f6d1ad700ee81ed3fa

SHA1
413d79badc76f78e7dfffdacaf2e39beb38f08c4

SHA256
3c8265e96df8d86b117573de349d2bbbc7ecd73000238ddc3a703644eac9b45c

SHA512
3ab6df34ed16808de3d06dc41696bce57c107bb1f8b0fcdcce00e8129b38fba99234a4de4085467d2996b16871f3830df78eff3b222c55d95c3f8ed788a36a8b

Download Submit
C:\Users\Admin\AppData\Roaming\kellyncru65.exe

Filesize
361KB

MD5
e66d99ac51923a4464514e0efd451da8

SHA1
315a824fa28e1a6cf758fa7a7addd2af19b44084

SHA256
9b5f04b58d83c067c57bd8fc882566c2d11e082e7fcfc80bb235d7ad1fb2753c

SHA512
e30dc4d3a0ba98b73f7e8e81c431a3393ec046a1e7e69003cf967d7ff3259f906006e3a02a43dbced3d684096517a60d2df929807f76d07f23086944a2c3fe2c

Download Submit
C:\Users\Admin\AppData\Roaming\kellyncru65.exe

Filesize
361KB

MD5
e66d99ac51923a4464514e0efd451da8

SHA1
315a824fa28e1a6cf758fa7a7addd2af19b44084

SHA256
9b5f04b58d83c067c57bd8fc882566c2d11e082e7fcfc80bb235d7ad1fb2753c

SHA512
e30dc4d3a0ba98b73f7e8e81c431a3393ec046a1e7e69003cf967d7ff3259f906006e3a02a43dbced3d684096517a60d2df929807f76d07f23086944a2c3fe2c

Download Submit
\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
\Users\Admin\AppData\Local\Temp\htswjzibj.exe

Filesize
46KB

MD5
b00cbf42af2854abc61831064c299444

SHA1
009f9841f2dedc76b8290bb2cd2a2ac3cdce9266

SHA256
8953068d800c517c752bf72292f28cc7c839b42cbf3b5b86407bf34fd5f57216

SHA512
294203a78e4b81405b01a88467fc5bef28b7201b5064d5bc35789b5e29918b871b4c0c989c68e6ccd3890cdd7488c12b45ac1d2c22b433ddbd21733cb7777b4b

Download Submit
\Users\Admin\AppData\Roaming\kellyncru65.exe

Filesize
361KB

MD5
e66d99ac51923a4464514e0efd451da8

SHA1
315a824fa28e1a6cf758fa7a7addd2af19b44084

SHA256
9b5f04b58d83c067c57bd8fc882566c2d11e082e7fcfc80bb235d7ad1fb2753c

SHA512
e30dc4d3a0ba98b73f7e8e81c431a3393ec046a1e7e69003cf967d7ff3259f906006e3a02a43dbced3d684096517a60d2df929807f76d07f23086944a2c3fe2c

Download Submit
memory/1260-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1260-74-0x00000000004139DE-mapping.dmp

Download
memory/1260-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1268-58-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1268-57-0x0000000070C6D000-0x0000000070C78000-memory.dmp

Filesize
44KB

Download
memory/1268-54-0x0000000072201000-0x0000000072204000-memory.dmp

Filesize
12KB

Download
memory/1268-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1268-55-0x000000006FC81000-0x000000006FC83000-memory.dmp

Filesize
8KB

Download
memory/1268-78-0x0000000070C6D000-0x0000000070C78000-memory.dmp

Filesize
44KB

Download
memory/1268-83-0x0000000070C6D000-0x0000000070C78000-memory.dmp

Filesize
44KB

Download
memory/1368-80-0x0000000000000000-mapping.dmp

Download
memory/1368-81-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1720-67-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download