fb60e255e3a52d014d7c5bb989c8da72a41df683661d0c6850ec330ed4b63957

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
Size

512KB
MD5

1672ec10129465f6ef5ad40ec05a365c
SHA1

68b9af713ea930b5f2a4f1295d8af4435fd5efcb
SHA256

fb60e255e3a52d014d7c5bb989c8da72a41df683661d0c6850ec330ed4b63957
SHA512

9a46c62e87a5d7ec34bf9abd3d4c962ee5c8a8716e306e9cbdbf4a645e8b6f682acfd52d52b9a55631a86c4231b717df6b33d3e15fb95cf6d5f26558b3b6c983
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5M

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tdxxtbnlqx.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tdxxtbnlqx.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tdxxtbnlqx.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tdxxtbnlqx.exe

Executes dropped EXE 6 IoCs

pid	Process
2536	tdxxtbnlqx.exe
2608	uphhbkwcjtujigw.exe
2552	cwopwddf.exe
2184	qnblwypcrjvpw.exe
2656	cwopwddf.exe
2460	qnblwypcrjvpw.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
2536	tdxxtbnlqx.exe
2568	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tdxxtbnlqx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxcxrgvm = "uphhbkwcjtujigw.exe"	uphhbkwcjtujigw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qnblwypcrjvpw.exe"	uphhbkwcjtujigw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\senfjzgc = "tdxxtbnlqx.exe"	uphhbkwcjtujigw.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	tdxxtbnlqx.exe
File opened (read-only)	\??\o:	cwopwddf.exe
File opened (read-only)	\??\u:	cwopwddf.exe
File opened (read-only)	\??\p:	tdxxtbnlqx.exe
File opened (read-only)	\??\o:	cwopwddf.exe
File opened (read-only)	\??\o:	tdxxtbnlqx.exe
File opened (read-only)	\??\q:	cwopwddf.exe
File opened (read-only)	\??\a:	cwopwddf.exe
File opened (read-only)	\??\g:	cwopwddf.exe
File opened (read-only)	\??\t:	cwopwddf.exe
File opened (read-only)	\??\a:	tdxxtbnlqx.exe
File opened (read-only)	\??\u:	tdxxtbnlqx.exe
File opened (read-only)	\??\g:	cwopwddf.exe
File opened (read-only)	\??\j:	cwopwddf.exe
File opened (read-only)	\??\n:	cwopwddf.exe
File opened (read-only)	\??\t:	cwopwddf.exe
File opened (read-only)	\??\i:	cwopwddf.exe
File opened (read-only)	\??\p:	cwopwddf.exe
File opened (read-only)	\??\s:	cwopwddf.exe
File opened (read-only)	\??\b:	tdxxtbnlqx.exe
File opened (read-only)	\??\e:	tdxxtbnlqx.exe
File opened (read-only)	\??\x:	tdxxtbnlqx.exe
File opened (read-only)	\??\k:	cwopwddf.exe
File opened (read-only)	\??\j:	cwopwddf.exe
File opened (read-only)	\??\l:	tdxxtbnlqx.exe
File opened (read-only)	\??\t:	tdxxtbnlqx.exe
File opened (read-only)	\??\e:	cwopwddf.exe
File opened (read-only)	\??\x:	cwopwddf.exe
File opened (read-only)	\??\y:	cwopwddf.exe
File opened (read-only)	\??\m:	tdxxtbnlqx.exe
File opened (read-only)	\??\n:	tdxxtbnlqx.exe
File opened (read-only)	\??\h:	cwopwddf.exe
File opened (read-only)	\??\n:	cwopwddf.exe
File opened (read-only)	\??\z:	cwopwddf.exe
File opened (read-only)	\??\i:	tdxxtbnlqx.exe
File opened (read-only)	\??\s:	tdxxtbnlqx.exe
File opened (read-only)	\??\v:	tdxxtbnlqx.exe
File opened (read-only)	\??\l:	cwopwddf.exe
File opened (read-only)	\??\w:	cwopwddf.exe
File opened (read-only)	\??\z:	tdxxtbnlqx.exe
File opened (read-only)	\??\u:	cwopwddf.exe
File opened (read-only)	\??\y:	cwopwddf.exe
File opened (read-only)	\??\v:	cwopwddf.exe
File opened (read-only)	\??\b:	cwopwddf.exe
File opened (read-only)	\??\y:	tdxxtbnlqx.exe
File opened (read-only)	\??\s:	cwopwddf.exe
File opened (read-only)	\??\v:	cwopwddf.exe
File opened (read-only)	\??\w:	cwopwddf.exe
File opened (read-only)	\??\w:	tdxxtbnlqx.exe
File opened (read-only)	\??\m:	cwopwddf.exe
File opened (read-only)	\??\k:	cwopwddf.exe
File opened (read-only)	\??\e:	cwopwddf.exe
File opened (read-only)	\??\q:	cwopwddf.exe
File opened (read-only)	\??\g:	tdxxtbnlqx.exe
File opened (read-only)	\??\j:	tdxxtbnlqx.exe
File opened (read-only)	\??\h:	cwopwddf.exe
File opened (read-only)	\??\z:	cwopwddf.exe
File opened (read-only)	\??\p:	cwopwddf.exe
File opened (read-only)	\??\r:	cwopwddf.exe
File opened (read-only)	\??\k:	tdxxtbnlqx.exe
File opened (read-only)	\??\r:	tdxxtbnlqx.exe
File opened (read-only)	\??\a:	cwopwddf.exe
File opened (read-only)	\??\b:	cwopwddf.exe
File opened (read-only)	\??\r:	cwopwddf.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	tdxxtbnlqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	tdxxtbnlqx.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0030000000014eb9-5.dat	autoit_exe
behavioral1/files/0x000c00000001480e-17.dat	autoit_exe
behavioral1/files/0x000700000001540d-28.dat	autoit_exe
behavioral1/files/0x00070000000155f6-35.dat	autoit_exe
behavioral1/files/0x0006000000016a6f-66.dat	autoit_exe
behavioral1/files/0x0006000000016c1d-75.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cwopwddf.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cwopwddf.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qnblwypcrjvpw.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	tdxxtbnlqx.exe
File created	C:\Windows\SysWOW64\tdxxtbnlqx.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uphhbkwcjtujigw.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uphhbkwcjtujigw.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tdxxtbnlqx.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qnblwypcrjvpw.exe	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	cwopwddf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cwopwddf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cwopwddf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	cwopwddf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cwopwddf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	cwopwddf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cwopwddf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	tdxxtbnlqx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	tdxxtbnlqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B02D47E138E252C9BAD632EAD7B9"	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	tdxxtbnlqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	tdxxtbnlqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2868	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2608	uphhbkwcjtujigw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2608	uphhbkwcjtujigw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2608	uphhbkwcjtujigw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2608	uphhbkwcjtujigw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2608	uphhbkwcjtujigw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2608	uphhbkwcjtujigw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2536	tdxxtbnlqx.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2608	uphhbkwcjtujigw.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2552	cwopwddf.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2184	qnblwypcrjvpw.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2656	cwopwddf.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe
2460	qnblwypcrjvpw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	WINWORD.EXE
2868	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2536	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2536	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2536	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2536	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2608	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2608	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2608	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2608	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2552	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2552	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2552	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2552	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2184	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2184	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2184	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2184	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2656	2536	tdxxtbnlqx.exe	32
PID 2536 wrote to memory of 2656	2536	tdxxtbnlqx.exe	32
PID 2536 wrote to memory of 2656	2536	tdxxtbnlqx.exe	32
PID 2536 wrote to memory of 2656	2536	tdxxtbnlqx.exe	32
PID 2608 wrote to memory of 2568	2608	uphhbkwcjtujigw.exe	33
PID 2608 wrote to memory of 2568	2608	uphhbkwcjtujigw.exe	33
PID 2608 wrote to memory of 2568	2608	uphhbkwcjtujigw.exe	33
PID 2608 wrote to memory of 2568	2608	uphhbkwcjtujigw.exe	33
PID 2568 wrote to memory of 2460	2568	cmd.exe	35
PID 2568 wrote to memory of 2460	2568	cmd.exe	35
PID 2568 wrote to memory of 2460	2568	cmd.exe	35
PID 2568 wrote to memory of 2460	2568	cmd.exe	35
PID 1728 wrote to memory of 2868	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	36
PID 1728 wrote to memory of 2868	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	36
PID 1728 wrote to memory of 2868	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	36
PID 1728 wrote to memory of 2868	1728	1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe	36
PID 2868 wrote to memory of 2040	2868	WINWORD.EXE	39
PID 2868 wrote to memory of 2040	2868	WINWORD.EXE	39
PID 2868 wrote to memory of 2040	2868	WINWORD.EXE	39
PID 2868 wrote to memory of 2040	2868	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1672ec10129465f6ef5ad40ec05a365c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\tdxxtbnlqx.exe
  tdxxtbnlqx.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cwopwddf.exe
    C:\Windows\system32\cwopwddf.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2656
- C:\Windows\SysWOW64\uphhbkwcjtujigw.exe
  uphhbkwcjtujigw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c qnblwypcrjvpw.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\qnblwypcrjvpw.exe
      qnblwypcrjvpw.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2460
- C:\Windows\SysWOW64\cwopwddf.exe
  cwopwddf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2552
- C:\Windows\SysWOW64\qnblwypcrjvpw.exe
  qnblwypcrjvpw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2184
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
9371035cdb1d286ab0f9fc6e198f3dec

SHA1
ef4f20b5d30b8e8406dce4cdc914285d9ebea153

SHA256
9beec4f05954f412d45e1d1f009e3cc3a88338c76a1dd7c3e3e9e9c109277b04

SHA512
94d015555189f67559752c379fc107995c8382a3d388f97c361fa2f916b8613b296413d091b48103bda8f33eb8851e501ef8e249805f5d433cc2bcb672b12b0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
32473aaea0fc6e3d599af12c57b3c8ea

SHA1
35fd7b46f7983d6c9feda39612edd747308f9bfe

SHA256
ea0a2cb8e066a5fe62f98a5004fe7eec1abb776e24f2115d115527d569c7662a

SHA512
4bef489fb083d2a70e3e5631eba3f7c51508c6caec3e297bff82b1615d663271617aee6ac3c2775a6e728135185e1628e355f818962c7a5f1e0e46088409dfb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
46d98607c35c114ab1e61101e421dfcb

SHA1
14422ad8dc58e5e53b226206dc29fd555f8a870b

SHA256
746ebf0ef76670b2afa6f03e2f732bac60a5274fcb3688d3a6b22d572467800c

SHA512
20b77072311995a005390140623b7d7b61753859a290bd47f5b8900076c563f862e03f654c7c86c222f1a386f7c6230c024ad1a7437e0f373568b31704340de8

Download Submit
C:\Windows\SysWOW64\uphhbkwcjtujigw.exe

Filesize
512KB

MD5
e4f3c8aeaed1820e37b75ea57cb76d37

SHA1
ab8aafbfbb2e0aba27305942be468a71af87e2d3

SHA256
70b4a758968e5c2d333554f9ab48d6ff812ec0512a78077dff5e9e2c27749af0

SHA512
a3c73995653f63fcc023a70648c4f201f8c18daf38ed6adad128220fd59fab5f3a659472fdf76115c6802a57be00b973d2e29ea74f7bb5fc851cc4994657a88e

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\cwopwddf.exe

Filesize
512KB

MD5
1e2745c8585e21a807bff4e2998b2041

SHA1
a55d3c80e0b968237b3006c05bd6264c714f9e3e

SHA256
3a33877fecf1e121a36d6297fd31b4930fe97e7bdf637653b54fc4c1881a5834

SHA512
8c8ca54089c1cfdcc6a9993eee129d44a6d3caf49d84fcf21376c920f7c252d3071f11dff3fa4ee02238d5bc83793c1b857e0349e512def342474e7883264840

Download Submit
\Windows\SysWOW64\qnblwypcrjvpw.exe

Filesize
512KB

MD5
a18475b23798067b98799150347480e9

SHA1
11f66f061d094212df8e3f42d0d9f7632142aec7

SHA256
944221ab43aec85a430a62a7413264e0e9801af4cdbd894d10fd38d1ea09a986

SHA512
97edc66a5ad95411688e03968d7f3f809d92156ef95400268ccc729aa8f2d168bfa4078a793b30a48d1e42e15611505e06610e9c029ef3c7c8a5bec6989e04b9

Download Submit
\Windows\SysWOW64\tdxxtbnlqx.exe

Filesize
512KB

MD5
2eee965cbf096cf0efc3bc98551d1c38

SHA1
5e7cc7d74179472f65c03aa7bd4709cab11a7f15

SHA256
c6a71aa719dc5f6e1b855f13d51042d87efed992de0e02a7f55b7fc8fcad228f

SHA512
4e5b679bb4921a523a152320b0cccf16ff3801920c80ff134fcc06ae1cd709d3393202d911e0323a1076284d14158ac021358a2f9a594fc7b0f4521a13182fe3

Download Submit
memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2868-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2868-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download