Analysis Overview
SHA256
3bd473a0d0ceaafda5293fcea396b160d32ef60d7a083b152b78fcb2a124abdd
Threat Level: Known bad
The file bf335d340e7bbc13feaf408905eb499b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Process spawned unexpected child process
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Subvert Trust Controls: Mark-of-the-Web Bypass
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
outlook_office_path
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of SetWindowsHookEx
outlook_win_path
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Launches Equation Editor
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-24 18:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-24 18:51
Reported
2024-08-24 18:54
Platform
win7-20240704-en
Max time kernel
142s
Max time network
124s
Command Line
Signatures
Lokibot
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1552 set thread context of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CmD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
C:\Windows\SysWOW64\timeout.exe
TIMEOUT 1
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\CmD.exe
CmD /C %TmP%\TasK.BaT & UUUUUUUUc
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM winword.exe
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\ReadGrant.docx"
C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\ExE.ExE
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | test1.ru | udp |
| US | 8.8.8.8:53 | blaztech.us | udp |
Files
memory/1048-0-0x000000002F921000-0x000000002F922000-memory.dmp
memory/1048-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1048-2-0x000000007172D000-0x0000000071738000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
| MD5 | 8decdcaeb92d9f628b6bf95de4c0597a |
| SHA1 | 19443ad64921ef01a77619350efcc97cd767a36b |
| SHA256 | e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e |
| SHA512 | d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59 |
C:\Users\Admin\AppData\Local\Temp\task.bat
| MD5 | 89896bf3dc684cb01d6c9bd8f2df3694 |
| SHA1 | cd34ddbfe29c70d100f506addf4a6f831079dc01 |
| SHA256 | 429934a64c0d46c46c09c3ccdac2db6801f96e28d072d3dd72ac01c5f023460b |
| SHA512 | 0f5371dee4db471524b3d6abf8fa673555b9dc92d596e7f3d73d13f810e899d19741cfebd46b09dfde60b0aee9288e2fac3bb8ec5cba3190dabd3bd87a0a29d1 |
C:\Users\Admin\AppData\Local\Temp\2nd.bat
| MD5 | 57ff2666bfc47c63e05d5c182b0f89f3 |
| SHA1 | c88b20b249b8f4ff963c897e2ba0028e20b316e2 |
| SHA256 | 74249727c5d760e91b9277be58b45a03fd89a587cc19e0b42503b50db2e00356 |
| SHA512 | a7edf48519bbdf46aee1c5f60e419b4e604d04e3066aa3501e5fe3e81396fc443a4cafe35bdd06770a59e2009d0405dd4c97d8c121cd1bc30987270ad119b8b1 |
\Users\Admin\AppData\Local\Temp\exe.exe
| MD5 | 066040fbb6784efdd2d55947f7d73954 |
| SHA1 | dd7ded0c5e87b1307546f5ea6e6abcebae2a21ad |
| SHA256 | 5bc0d71b5eb032cefe7fe9e7268411659ccc88d1d42c9baa47fa6986f6c13cfc |
| SHA512 | 313c84a72737a4e6058b64e75f19f71927e3708a79ce5c730a213ec24f217cfb7db7cce7109b7273a21e6c8a449d43c35811e3afdcf2838283a1aebee43484a0 |
memory/1048-41-0x000000007172D000-0x0000000071738000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\decoy.doc
| MD5 | 5d65bac473774c66544cc2f4062c9b78 |
| SHA1 | b2b606f85dd95ff2ab5bcca43966a9c4cbb372b2 |
| SHA256 | 7697184623cf1ffe94e69db38ca0821d3ff2df5826af38a9f7e244f3a725b042 |
| SHA512 | 853ad5701b858fd350bbf2171955d84d551260f883ccc25eb403f4b2606b6694d34c62ade98db0761da8ac3cb3250e98e19e54c3ab7c927782a3a0ed10924cd2 |
memory/2488-66-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/404-70-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/404-72-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\0f5007522459c86e95ffcc62f32308f1_35dd7637-4d7c-4a57-bd86-689f7bd65008
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\0f5007522459c86e95ffcc62f32308f1_35dd7637-4d7c-4a57-bd86-689f7bd65008
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/404-96-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/404-115-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | b9df9b4024fe8eb8d8b3c7ad277648aa |
| SHA1 | 98201e7c3afc85a0a886cf26fbec560949bb1d1b |
| SHA256 | ae5fc479820358323cc47b48e65ccbad5b481b965c204ad436053f0def383128 |
| SHA512 | bc201fa42815f66c0282faab83c5e7b551f65c33e777967ec778b384e6f48646d3d8a0d5d97d996b900bf43c2361cab9ea46530f599ca15badbc9cc42dc64e69 |
memory/2488-151-0x000000005FFF0000-0x0000000060000000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-24 18:51
Reported
2024-08-24 18:54
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
135s
Command Line
Signatures
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\decoy.doc:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\task.bat:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\2nd.bat:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf" /o ""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=944 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | test1.ru | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/5636-1-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp
memory/5636-0-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-3-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-5-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-7-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-8-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-11-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-10-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-9-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-4-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-6-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-2-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-12-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp
memory/5636-13-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
memory/5636-37-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-38-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp
memory/5636-39-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
memory/5636-40-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | fd7a8b6861b37f475d7461e9f47b9b4b |
| SHA1 | e45cec5351693ec177605cc35b96ae045c38835f |
| SHA256 | e91699fabb14916334927d9f4793026c067ffcb5cb335f7699bda40747c6503c |
| SHA512 | 8215256157c16781af92dd3485a29b30462895c65ec63c18d0ea9bf6debbfb9710f68539b6ba18a3ba7d17ba03184f5db18c1ea650130da77d7cd732e7c897a5 |
memory/5636-78-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-79-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-77-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-80-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp
memory/5636-81-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp