Analysis
-
max time kernel
102s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
20-02-2023 02:30
Static task
static1
Behavioral task
behavioral1
Sample
SOA #00776122.docx
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SOA #00776122.docx
Resource
win10v2004-20220812-en
General
-
Target
SOA #00776122.docx
-
Size
11KB
-
MD5
92c58afe23acd76e5f0ab0c8f0f0394e
-
SHA1
319c1720352e2924c6630428b691ef8706731530
-
SHA256
82f786b26b47b6e60bed7d7aacf0dc221c6ad426554fec30fab21d59549e949c
-
SHA512
0b329608717007c410df29cf83d8b56f382e419499e8304ae5a91f5fc465a8399d932562f5e2d98fb863e78a3b20b4dda74e51665944823add61c5f2bcb8fb27
-
SSDEEP
192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBC0nVj:aNxUyn0i13LROEiOLkX6Ujnw+35Vj
Malware Config
Extracted
lokibot
http://208.67.105.148/sung/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1732 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://3235029245/O__O.DOC WINWORD.EXE -
Executes dropped EXE 3 IoCs
Processes:
vb.exexcxdwxkm.exexcxdwxkm.exepid process 1872 vb.exe 1080 xcxdwxkm.exe 1948 xcxdwxkm.exe -
Loads dropped DLL 6 IoCs
Processes:
EQNEDT32.EXEvb.exexcxdwxkm.exepid process 1732 EQNEDT32.EXE 1732 EQNEDT32.EXE 1732 EQNEDT32.EXE 1732 EQNEDT32.EXE 1872 vb.exe 1080 xcxdwxkm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
xcxdwxkm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook xcxdwxkm.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook xcxdwxkm.exe Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook xcxdwxkm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
xcxdwxkm.exedescription pid process target process PID 1080 set thread context of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1900 WINWORD.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
xcxdwxkm.exepid process 1080 xcxdwxkm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
xcxdwxkm.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1948 xcxdwxkm.exe Token: SeShutdownPrivilege 1900 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1900 WINWORD.EXE 1900 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEvb.exexcxdwxkm.exeWINWORD.EXEdescription pid process target process PID 1732 wrote to memory of 1872 1732 EQNEDT32.EXE vb.exe PID 1732 wrote to memory of 1872 1732 EQNEDT32.EXE vb.exe PID 1732 wrote to memory of 1872 1732 EQNEDT32.EXE vb.exe PID 1732 wrote to memory of 1872 1732 EQNEDT32.EXE vb.exe PID 1872 wrote to memory of 1080 1872 vb.exe xcxdwxkm.exe PID 1872 wrote to memory of 1080 1872 vb.exe xcxdwxkm.exe PID 1872 wrote to memory of 1080 1872 vb.exe xcxdwxkm.exe PID 1872 wrote to memory of 1080 1872 vb.exe xcxdwxkm.exe PID 1080 wrote to memory of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe PID 1080 wrote to memory of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe PID 1080 wrote to memory of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe PID 1080 wrote to memory of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe PID 1080 wrote to memory of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe PID 1900 wrote to memory of 2044 1900 WINWORD.EXE splwow64.exe PID 1900 wrote to memory of 2044 1900 WINWORD.EXE splwow64.exe PID 1900 wrote to memory of 2044 1900 WINWORD.EXE splwow64.exe PID 1900 wrote to memory of 2044 1900 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
xcxdwxkm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook xcxdwxkm.exe -
outlook_win_path 1 IoCs
Processes:
xcxdwxkm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook xcxdwxkm.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA #00776122.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vb.exe"C:\Users\Public\vb.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe"C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe" C:\Users\Admin\AppData\Local\Temp\oftjgpiwbws.fkh3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe"C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oftjgpiwbws.fkhFilesize
5KB
MD57071418811056a8b9316df83d09bd45b
SHA1bec9934a85d60e4b63337174eeda42325e64b357
SHA256e66259a954b1a5da824edceff70fe92ab696a9b02235bd71fa7b03eefdc4510e
SHA512c7e90b8d66daf8addace6961e38d796355339f9bf66379addea395f4766f1a534bcfeb018cf1af606eafc582095198a6062fa53b3acec7bd303bddb96039b7eb
-
C:\Users\Admin\AppData\Local\Temp\tupdbh.tFilesize
124KB
MD5386b4b27835117f5adfe8aa7fc64b8b8
SHA17abc537bd604a454749643f26d4b8bb9ccb60f09
SHA256a1dc56a70c5ed09175ed50ed7b5a373bc99f85fa0cb9135f0129f41b81cd05c6
SHA51203da267f65bd0ec66fec1a6ce11786c7fa50d26e15f4f18a4c896b970a8cff8014239d87246d0677322ebf10e0d30e97253853d9cc8c095216005af98c96574e
-
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exeFilesize
297KB
MD53c9d96268b12420a2e022e8827968e85
SHA17c507eaa473ec3b6fe35d6a2236d2efab99c4a7a
SHA2565239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185
SHA51225e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8
-
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exeFilesize
297KB
MD53c9d96268b12420a2e022e8827968e85
SHA17c507eaa473ec3b6fe35d6a2236d2efab99c4a7a
SHA2565239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185
SHA51225e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8
-
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exeFilesize
297KB
MD53c9d96268b12420a2e022e8827968e85
SHA17c507eaa473ec3b6fe35d6a2236d2efab99c4a7a
SHA2565239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185
SHA51225e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8
-
C:\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
C:\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
\Users\Admin\AppData\Local\Temp\xcxdwxkm.exeFilesize
297KB
MD53c9d96268b12420a2e022e8827968e85
SHA17c507eaa473ec3b6fe35d6a2236d2efab99c4a7a
SHA2565239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185
SHA51225e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8
-
\Users\Admin\AppData\Local\Temp\xcxdwxkm.exeFilesize
297KB
MD53c9d96268b12420a2e022e8827968e85
SHA17c507eaa473ec3b6fe35d6a2236d2efab99c4a7a
SHA2565239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185
SHA51225e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8
-
\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
\Users\Public\vb.exeFilesize
266KB
MD5894ebe041d7580e494ed9c158ab59e47
SHA185a829f1ee7e1332887d490629d9e4b8156f1c31
SHA2565ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169
SHA5129ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe
-
memory/1080-69-0x0000000000000000-mapping.dmp
-
memory/1872-64-0x0000000000000000-mapping.dmp
-
memory/1900-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1900-57-0x0000000075A81000-0x0000000075A83000-memory.dmpFilesize
8KB
-
memory/1900-58-0x0000000070F0D000-0x0000000070F18000-memory.dmpFilesize
44KB
-
memory/1900-54-0x00000000724A1000-0x00000000724A4000-memory.dmpFilesize
12KB
-
memory/1900-55-0x000000006FF21000-0x000000006FF23000-memory.dmpFilesize
8KB
-
memory/1900-83-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1900-84-0x0000000070F0D000-0x0000000070F18000-memory.dmpFilesize
44KB
-
memory/1948-76-0x00000000004139DE-mapping.dmp
-
memory/1948-81-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1948-82-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/2044-79-0x0000000000000000-mapping.dmp
-
memory/2044-80-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmpFilesize
8KB