lokibot | 82f786b26b47b6e60bed7d7aacf0dc221c6ad426554fec30fab21d59549e949c

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-02-2023 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA #00776122.docx
Size

11KB
MD5

92c58afe23acd76e5f0ab0c8f0f0394e
SHA1

319c1720352e2924c6630428b691ef8706731530
SHA256

82f786b26b47b6e60bed7d7aacf0dc221c6ad426554fec30fab21d59549e949c
SHA512

0b329608717007c410df29cf83d8b56f382e419499e8304ae5a91f5fc465a8399d932562f5e2d98fb863e78a3b20b4dda74e51665944823add61c5f2bcb8fb27
SSDEEP

192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBC0nVj:aNxUyn0i13LROEiOLkX6Ujnw+35Vj

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://208.67.105.148/sung/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1732 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1732	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Common\Offline\Files\http://3235029245/O__O.DOC	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vb.exexcxdwxkm.exexcxdwxkm.exe

pid process

1872 vb.exe
1080 xcxdwxkm.exe
1948 xcxdwxkm.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEvb.exexcxdwxkm.exe

pid process

1732 EQNEDT32.EXE
1732 EQNEDT32.EXE
1732 EQNEDT32.EXE
1732 EQNEDT32.EXE
1872 vb.exe
1080 xcxdwxkm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1872	vb.exe
1080	xcxdwxkm.exe
1948	xcxdwxkm.exe

pid	process
1732	EQNEDT32.EXE
1732	EQNEDT32.EXE
1732	EQNEDT32.EXE
1732	EQNEDT32.EXE
1872	vb.exe
1080	xcxdwxkm.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

xcxdwxkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xcxdwxkm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	xcxdwxkm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xcxdwxkm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xcxdwxkm.exe

description pid process target process

PID 1080 set thread context of 1948 1080 xcxdwxkm.exe xcxdwxkm.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1732 EQNEDT32.EXE

description	pid	process	target process
PID 1080 set thread context of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1732	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1900 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

xcxdwxkm.exe

pid process

1080 xcxdwxkm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xcxdwxkm.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1948 xcxdwxkm.exe
Token: SeShutdownPrivilege 1900 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1900 WINWORD.EXE
1900 WINWORD.EXE

pid	process
1900	WINWORD.EXE

pid	process
1080	xcxdwxkm.exe

description	pid	process
Token: SeDebugPrivilege	1948	xcxdwxkm.exe
Token: SeShutdownPrivilege	1900	WINWORD.EXE

pid	process
1900	WINWORD.EXE
1900	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvb.exexcxdwxkm.exeWINWORD.EXE

description	pid	process	target process
PID 1732 wrote to memory of 1872	1732	EQNEDT32.EXE	vb.exe
PID 1732 wrote to memory of 1872	1732	EQNEDT32.EXE	vb.exe
PID 1732 wrote to memory of 1872	1732	EQNEDT32.EXE	vb.exe
PID 1732 wrote to memory of 1872	1732	EQNEDT32.EXE	vb.exe
PID 1872 wrote to memory of 1080	1872	vb.exe	xcxdwxkm.exe
PID 1872 wrote to memory of 1080	1872	vb.exe	xcxdwxkm.exe
PID 1872 wrote to memory of 1080	1872	vb.exe	xcxdwxkm.exe
PID 1872 wrote to memory of 1080	1872	vb.exe	xcxdwxkm.exe
PID 1080 wrote to memory of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe
PID 1080 wrote to memory of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe
PID 1080 wrote to memory of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe
PID 1080 wrote to memory of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe
PID 1080 wrote to memory of 1948	1080	xcxdwxkm.exe	xcxdwxkm.exe
PID 1900 wrote to memory of 2044	1900	WINWORD.EXE	splwow64.exe
PID 1900 wrote to memory of 2044	1900	WINWORD.EXE	splwow64.exe
PID 1900 wrote to memory of 2044	1900	WINWORD.EXE	splwow64.exe
PID 1900 wrote to memory of 2044	1900	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

xcxdwxkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xcxdwxkm.exe

outlook_win_path 1 IoCs

Processes:

xcxdwxkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xcxdwxkm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA #00776122.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2044

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Public\vb.exe
"C:\Users\Public\vb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
"C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe" C:\Users\Admin\AppData\Local\Temp\oftjgpiwbws.fkh
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
"C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oftjgpiwbws.fkh
Filesize
5KB

MD5
7071418811056a8b9316df83d09bd45b

SHA1
bec9934a85d60e4b63337174eeda42325e64b357

SHA256
e66259a954b1a5da824edceff70fe92ab696a9b02235bd71fa7b03eefdc4510e

SHA512
c7e90b8d66daf8addace6961e38d796355339f9bf66379addea395f4766f1a534bcfeb018cf1af606eafc582095198a6062fa53b3acec7bd303bddb96039b7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tupdbh.t
Filesize
124KB

MD5
386b4b27835117f5adfe8aa7fc64b8b8

SHA1
7abc537bd604a454749643f26d4b8bb9ccb60f09

SHA256
a1dc56a70c5ed09175ed50ed7b5a373bc99f85fa0cb9135f0129f41b81cd05c6

SHA512
03da267f65bd0ec66fec1a6ce11786c7fa50d26e15f4f18a4c896b970a8cff8014239d87246d0677322ebf10e0d30e97253853d9cc8c095216005af98c96574e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
Filesize
297KB

MD5
3c9d96268b12420a2e022e8827968e85

SHA1
7c507eaa473ec3b6fe35d6a2236d2efab99c4a7a

SHA256
5239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185

SHA512
25e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
Filesize
297KB

MD5
3c9d96268b12420a2e022e8827968e85

SHA1
7c507eaa473ec3b6fe35d6a2236d2efab99c4a7a

SHA256
5239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185

SHA512
25e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
Filesize
297KB

MD5
3c9d96268b12420a2e022e8827968e85

SHA1
7c507eaa473ec3b6fe35d6a2236d2efab99c4a7a

SHA256
5239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185

SHA512
25e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8

Download Submit
C:\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
C:\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
Filesize
297KB

MD5
3c9d96268b12420a2e022e8827968e85

SHA1
7c507eaa473ec3b6fe35d6a2236d2efab99c4a7a

SHA256
5239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185

SHA512
25e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8

Download Submit
\Users\Admin\AppData\Local\Temp\xcxdwxkm.exe
Filesize
297KB

MD5
3c9d96268b12420a2e022e8827968e85

SHA1
7c507eaa473ec3b6fe35d6a2236d2efab99c4a7a

SHA256
5239fc89c8a2246a3a8972e76366bbb46d72e127b14d3250a0ca654aa272f185

SHA512
25e013bf42ffc836c7c8a3c0b85339c88e12b1c3b668dfa954673e7a9a32aae61152924f0660ff115a135b62c225c208dae49da116e114e2f04b9771deb95fc8

Download Submit
\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
\Users\Public\vb.exe
Filesize
266KB

MD5
894ebe041d7580e494ed9c158ab59e47

SHA1
85a829f1ee7e1332887d490629d9e4b8156f1c31

SHA256
5ebdd970919074345053d4cd4d16f52efd564e9b73515c0688192cb37f325169

SHA512
9ddae11fb29d92ffcd0cad5f950d57b1f83ab8991d8a21d584608f2ad7c01134d50a9da629abe53b9ebbd65dfe4c209cf49e73b1660dcee716a13a89af9d60fe

Download Submit
memory/1080-69-0x0000000000000000-mapping.dmp

Download
memory/1872-64-0x0000000000000000-mapping.dmp

Download
memory/1900-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1900-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1900-58-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/1900-54-0x00000000724A1000-0x00000000724A4000-memory.dmp

Filesize
12KB

Download
memory/1900-55-0x000000006FF21000-0x000000006FF23000-memory.dmp

Filesize
8KB

Download
memory/1900-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1900-84-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/1948-76-0x00000000004139DE-mapping.dmp

Download
memory/1948-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1948-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2044-79-0x0000000000000000-mapping.dmp

Download
memory/2044-80-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download