Malware Analysis Report

2024-11-13 17:17

Sample ID 240824-xhydeatena
Target bf335d340e7bbc13feaf408905eb499b_JaffaCakes118
SHA256 3bd473a0d0ceaafda5293fcea396b160d32ef60d7a083b152b78fcb2a124abdd
Tags
lokibot collection credential_access discovery spyware stealer trojan defense_evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3bd473a0d0ceaafda5293fcea396b160d32ef60d7a083b152b78fcb2a124abdd

Threat Level: Known bad

The file bf335d340e7bbc13feaf408905eb499b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

lokibot collection credential_access discovery spyware stealer trojan defense_evasion

Lokibot

Process spawned unexpected child process

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Subvert Trust Controls: Mark-of-the-Web Bypass

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

outlook_office_path

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of SetWindowsHookEx

outlook_win_path

NTFS ADS

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Launches Equation Editor

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 18:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 18:51

Reported

2024-08-24 18:54

Platform

win7-20240704-en

Max time kernel

142s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf"

Signatures

Lokibot

trojan spyware stealer lokibot

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1552 set thread context of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CmD.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1048 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2548 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2700 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2700 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2700 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2556 wrote to memory of 2616 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\CmD.exe
PID 2556 wrote to memory of 2616 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\CmD.exe
PID 2556 wrote to memory of 2616 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\CmD.exe
PID 2556 wrote to memory of 2616 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\CmD.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\exe.exe
PID 2700 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2700 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2700 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2700 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2700 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\exe.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 1

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\CmD.exe

CmD /C %TmP%\TasK.BaT & UUUUUUUU c

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Local\Temp\exe.exe

C:\Users\Admin\AppData\Local\Temp\ExE.ExE

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /F /IM winword.exe

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\ReadGrant.docx"

C:\Users\Admin\AppData\Local\Temp\exe.exe

C:\Users\Admin\AppData\Local\Temp\ExE.ExE

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | test1.ru | udp
US | 8.8.8.8:53 | blaztech.us | udp

Files

memory/1048-0-0x000000002F921000-0x000000002F922000-memory.dmp

memory/1048-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1048-2-0x000000007172D000-0x0000000071738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

MD5 8decdcaeb92d9f628b6bf95de4c0597a
SHA1 19443ad64921ef01a77619350efcc97cd767a36b
SHA256 e4f6b9def338fe9aca9e8796e79c58c5e42168e697c41bfe149946513765036e
SHA512 d67fee80c9f4884331e476f53de7516d21e926cf2f00094bf310ccd6e875164740b31749ec1ea43c1015037590b9bfebe2bde0065d75e42343bfbd0c46bccf59

C:\Users\Admin\AppData\Local\Temp\task.bat

MD5 89896bf3dc684cb01d6c9bd8f2df3694
SHA1 cd34ddbfe29c70d100f506addf4a6f831079dc01
SHA256 429934a64c0d46c46c09c3ccdac2db6801f96e28d072d3dd72ac01c5f023460b
SHA512 0f5371dee4db471524b3d6abf8fa673555b9dc92d596e7f3d73d13f810e899d19741cfebd46b09dfde60b0aee9288e2fac3bb8ec5cba3190dabd3bd87a0a29d1

C:\Users\Admin\AppData\Local\Temp\2nd.bat

MD5 57ff2666bfc47c63e05d5c182b0f89f3
SHA1 c88b20b249b8f4ff963c897e2ba0028e20b316e2
SHA256 74249727c5d760e91b9277be58b45a03fd89a587cc19e0b42503b50db2e00356
SHA512 a7edf48519bbdf46aee1c5f60e419b4e604d04e3066aa3501e5fe3e81396fc443a4cafe35bdd06770a59e2009d0405dd4c97d8c121cd1bc30987270ad119b8b1

\Users\Admin\AppData\Local\Temp\exe.exe

MD5 066040fbb6784efdd2d55947f7d73954
SHA1 dd7ded0c5e87b1307546f5ea6e6abcebae2a21ad
SHA256 5bc0d71b5eb032cefe7fe9e7268411659ccc88d1d42c9baa47fa6986f6c13cfc
SHA512 313c84a72737a4e6058b64e75f19f71927e3708a79ce5c730a213ec24f217cfb7db7cce7109b7273a21e6c8a449d43c35811e3afdcf2838283a1aebee43484a0

memory/1048-41-0x000000007172D000-0x0000000071738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\decoy.doc

MD5 5d65bac473774c66544cc2f4062c9b78
SHA1 b2b606f85dd95ff2ab5bcca43966a9c4cbb372b2
SHA256 7697184623cf1ffe94e69db38ca0821d3ff2df5826af38a9f7e244f3a725b042
SHA512 853ad5701b858fd350bbf2171955d84d551260f883ccc25eb403f4b2606b6694d34c62ade98db0761da8ac3cb3250e98e19e54c3ab7c927782a3a0ed10924cd2

memory/2488-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/404-70-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/404-72-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\0f5007522459c86e95ffcc62f32308f1_35dd7637-4d7c-4a57-bd86-689f7bd65008

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\0f5007522459c86e95ffcc62f32308f1_35dd7637-4d7c-4a57-bd86-689f7bd65008

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/404-96-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/404-115-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 b9df9b4024fe8eb8d8b3c7ad277648aa
SHA1 98201e7c3afc85a0a886cf26fbec560949bb1d1b
SHA256 ae5fc479820358323cc47b48e65ccbad5b481b965c204ad436053f0def383128
SHA512 bc201fa42815f66c0282faab83c5e7b551f65c33e777967ec778b384e6f48646d3d8a0d5d97d996b900bf43c2361cab9ea46530f599ca15badbc9cc42dc64e69

memory/2488-151-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 18:51

Reported

2024-08-24 18:54

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

135s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf" /o ""

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\decoy.doc:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\task.bat:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\exe.exe:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\2nd.bat:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Saudi Aramco Purchase Order Ref090418.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=944 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | test1.ru | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/5636-1-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp

memory/5636-0-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-3-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-5-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-7-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-8-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-11-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-10-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-9-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-4-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-6-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-2-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-12-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp

memory/5636-13-0x00007FF9AA300000-0x00007FF9AA310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{441B14D9-0E02-42C6-99B7-DA86D2AC83CB}\inteldriverupd1.sct:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

memory/5636-37-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-38-0x00007FF9EC6AD000-0x00007FF9EC6AE000-memory.dmp

memory/5636-39-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

memory/5636-40-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 fd7a8b6861b37f475d7461e9f47b9b4b
SHA1 e45cec5351693ec177605cc35b96ae045c38835f
SHA256 e91699fabb14916334927d9f4793026c067ffcb5cb335f7699bda40747c6503c
SHA512 8215256157c16781af92dd3485a29b30462895c65ec63c18d0ea9bf6debbfb9710f68539b6ba18a3ba7d17ba03184f5db18c1ea650130da77d7cd732e7c897a5

memory/5636-78-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-79-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-77-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-80-0x00007FF9AC690000-0x00007FF9AC6A0000-memory.dmp

memory/5636-81-0x00007FF9EC610000-0x00007FF9EC805000-memory.dmp