Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2984
Target ID:	2
Parent PID:	596
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	10:21:38
Date:	10/02/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Sigma detected: Execution from Suspicious Folder	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Use IE Registry for Persistence	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

"C:\Users\Public\vbc.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1712
Target ID:	4
Parent PID:	2984
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	"C:\Users\Public\vbc.exe"
Size:	295124
MD5:	7DF1896047D9647D818080DD17563D92
Time:	10:21:40
Date:	10/02/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	184320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Drops PE files to the user root directory	Boot Survival	Masquerading
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Execution from Suspicious Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\xmtxpy.exe

C:\Users\user\AppData\Local\Temp\xmtxpy.exe C:\Users\user\AppData\Local\Temp\npotbzd

Details

Is windows:	false
Is dropped:	true
PID:	2260
Target ID:	5
Parent PID:	1712
Name:	xmtxpy.exe
Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Commandline:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe C:\Users\user\AppData\Local\Temp\npotbzd
Size:	125440
MD5:	1EACD504E4461F9EE286715997D8A9EE
Time:	10:21:41
Date:	10/02/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8a0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Lokibot	Stealing of Sensitive Information
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\xmtxpy.exe

C:\Users\user\AppData\Local\Temp\xmtxpy.exe C:\Users\user\AppData\Local\Temp\npotbzd

Details

Is windows:	false
Is dropped:	true
PID:	2556
Target ID:	6
Parent PID:	2260
Name:	xmtxpy.exe
Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Commandline:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe C:\Users\user\AppData\Local\Temp\npotbzd
Size:	125440
MD5:	1EACD504E4461F9EE286715997D8A9EE
Time:	10:21:41
Date:	10/02/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8a0000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Lokibot	Stealing of Sensitive Information
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2580
Target ID:	0
Parent PID:	596
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	10:21:15
Date:	10/02/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f770000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://198.46.132.195/windowSSH/.win32.exe

198.46.132.195

Details

Name:	http://198.46.132.195/windowSSH/.win32.exe
IP:	198.46.132.195
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://asiaoil.bar//bobby/five/fre.php

172.67.197.66

Details

Name:	http://asiaoil.bar//bobby/five/fre.php
IP:	172.67.197.66
TargetID:	6
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://nsis.sf.net/NSIS_Error

unknown

Details

Name:	http://nsis.sf.net/NSIS_Error
TargetID:	-1
From Memory:	true
Source:	vbc.exe, vbc.exe, 00000004.00000002.465324475.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.452029619.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, .win32[1].exe.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://nsis.sf.net/NSIS_ErrorError

unknown

Details

Name:	http://nsis.sf.net/NSIS_ErrorError
TargetID:	-1
From Memory:	true
Source:	vbc.exe, 00000004.00000002.465324475.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.452029619.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, .win32[1].exe.2.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.ibsensoftware.com/

unknown

Domains

Name

Malicious

asiaoil.bar

172.67.197.66

Details

Name:	asiaoil.bar
IP:	172.67.197.66
TargetID:	6
Current Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

198.46.132.195

unknown

United States

Details

IP:	198.46.132.195
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

104.21.49.244

unknown

United States

Details

IP:	104.21.49.244
TargetID:	6
Current Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

172.67.197.66

asiaoil.bar

United States

Details

IP:	172.67.197.66
TargetID:	6
Current Path:	C:\Users\user\AppData\Local\Temp\xmtxpy.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	asiaoil.bar

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

3"-

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2DAF4

2DAF4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

**-

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\326B3

326B3

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\3365C

3365C

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Item 1