b46fdb3a03d6905d241e009a1a6df6352ae79bc3efe0c636fc07eabbe4dc4718

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486ca2c52e9ef6e7701006e4e45ceb19_JaffaCakes118.rtf
Size

1.8MB
MD5

486ca2c52e9ef6e7701006e4e45ceb19
SHA1

bcd69f245e974b0b81aad616b85444f8bb5fd43e
SHA256

b46fdb3a03d6905d241e009a1a6df6352ae79bc3efe0c636fc07eabbe4dc4718
SHA512

6fa87f7942a5d16b69c0c581586dac7ac86d035373d88a239cac53fc528a86b0dac586de4fc1b1abaee9ec3937bede98e5dc46bac2b7cea0d222278977c30239
SSDEEP

24576:u4rU0hfe+FdiXTu+6Fa53NgvqoqfxAvktJWerB4aEqZpV5:w

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2656	360	cmd.exe	27
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2552	360	cmd.exe	27

Executes dropped EXE 1 IoCs

pid	Process
2452	mondi.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	cmd.exe
2652	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2584	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2672	taskkill.exe

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1040	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
360	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
360	WINWORD.EXE
360	WINWORD.EXE
2452	mondi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 2552	360	WINWORD.EXE	28
PID 360 wrote to memory of 2552	360	WINWORD.EXE	28
PID 360 wrote to memory of 2552	360	WINWORD.EXE	28
PID 360 wrote to memory of 2552	360	WINWORD.EXE	28
PID 2552 wrote to memory of 2648	2552	cmd.exe	30
PID 2552 wrote to memory of 2648	2552	cmd.exe	30
PID 2552 wrote to memory of 2648	2552	cmd.exe	30
PID 2552 wrote to memory of 2648	2552	cmd.exe	30
PID 2648 wrote to memory of 2652	2648	cmd.exe	31
PID 2648 wrote to memory of 2652	2648	cmd.exe	31
PID 2648 wrote to memory of 2652	2648	cmd.exe	31
PID 2648 wrote to memory of 2652	2648	cmd.exe	31
PID 2652 wrote to memory of 2584	2652	cmd.exe	32
PID 2652 wrote to memory of 2584	2652	cmd.exe	32
PID 2652 wrote to memory of 2584	2652	cmd.exe	32
PID 2652 wrote to memory of 2584	2652	cmd.exe	32
PID 360 wrote to memory of 2656	360	WINWORD.EXE	33
PID 360 wrote to memory of 2656	360	WINWORD.EXE	33
PID 360 wrote to memory of 2656	360	WINWORD.EXE	33
PID 360 wrote to memory of 2656	360	WINWORD.EXE	33
PID 2656 wrote to memory of 2448	2656	cmd.exe	35
PID 2656 wrote to memory of 2448	2656	cmd.exe	35
PID 2656 wrote to memory of 2448	2656	cmd.exe	35
PID 2656 wrote to memory of 2448	2656	cmd.exe	35
PID 2652 wrote to memory of 2452	2652	cmd.exe	36
PID 2652 wrote to memory of 2452	2652	cmd.exe	36
PID 2652 wrote to memory of 2452	2652	cmd.exe	36
PID 2652 wrote to memory of 2452	2652	cmd.exe	36
PID 2652 wrote to memory of 2672	2652	cmd.exe	37
PID 2652 wrote to memory of 2672	2652	cmd.exe	37
PID 2652 wrote to memory of 2672	2652	cmd.exe	37
PID 2652 wrote to memory of 2672	2652	cmd.exe	37
PID 2652 wrote to memory of 2412	2652	cmd.exe	40
PID 2652 wrote to memory of 2412	2652	cmd.exe	40
PID 2652 wrote to memory of 2412	2652	cmd.exe	40
PID 2652 wrote to memory of 2412	2652	cmd.exe	40
PID 2652 wrote to memory of 2736	2652	cmd.exe	41
PID 2652 wrote to memory of 2736	2652	cmd.exe	41
PID 2652 wrote to memory of 2736	2652	cmd.exe	41
PID 2652 wrote to memory of 2736	2652	cmd.exe	41
PID 2736 wrote to memory of 2720	2736	cmd.exe	42
PID 2736 wrote to memory of 2720	2736	cmd.exe	42
PID 2736 wrote to memory of 2720	2736	cmd.exe	42
PID 2736 wrote to memory of 2720	2736	cmd.exe	42
PID 2652 wrote to memory of 2748	2652	cmd.exe	43
PID 2652 wrote to memory of 2748	2652	cmd.exe	43
PID 2652 wrote to memory of 2748	2652	cmd.exe	43
PID 2652 wrote to memory of 2748	2652	cmd.exe	43
PID 2652 wrote to memory of 2756	2652	cmd.exe	44
PID 2652 wrote to memory of 2756	2652	cmd.exe	44
PID 2652 wrote to memory of 2756	2652	cmd.exe	44
PID 2652 wrote to memory of 2756	2652	cmd.exe	44
PID 2756 wrote to memory of 2600	2756	cmd.exe	45
PID 2756 wrote to memory of 2600	2756	cmd.exe	45
PID 2756 wrote to memory of 2600	2756	cmd.exe	45
PID 2756 wrote to memory of 2600	2756	cmd.exe	45
PID 2652 wrote to memory of 2876	2652	cmd.exe	46
PID 2652 wrote to memory of 2876	2652	cmd.exe	46
PID 2652 wrote to memory of 2876	2652	cmd.exe	46
PID 2652 wrote to memory of 2876	2652	cmd.exe	46
PID 2652 wrote to memory of 920	2652	cmd.exe	47
PID 2652 wrote to memory of 920	2652	cmd.exe	47
PID 2652 wrote to memory of 920	2652	cmd.exe	47
PID 2652 wrote to memory of 920	2652	cmd.exe	47

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\486ca2c52e9ef6e7701006e4e45ceb19_JaffaCakes118.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\dqfm.cMd"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmd
      4⤵
      Loads dropped DLL
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        Delays execution with timeout.exe
        
        PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\mondi.exe
        
        C:\Users\Admin\AppData\Local\Temp\mondi.eXe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:920
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1860
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:1104
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:844
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        
        PID:2032
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        
        PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\dqfm.cMd"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    PID:2448

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dqfm.cMd

Filesize
187B

MD5
308d8e82e7adc9279e411f982e6498ee

SHA1
48f2c9dc9fa41bad9d1ea6c01da034110aa9d4a0

SHA256
94eb53c44c0b67b261bff82d58e488de542846aa1e2573be375221ac68bbb00c

SHA512
70b343e48d14686b696d07fd8a1a59e0c89434f52e52074b5ddaee6d289363d4f665f85d813624befa16233dd7d228d543382f96c6f959cc355ab43029f80a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mondi.exe

Filesize
536KB

MD5
837a1cb15c54887f081d130f25d58a61

SHA1
b854b99cb06fbba762a6262712d681c121b907e4

SHA256
b697006febf1f45aad2053512692649a0a2f15ed6511612bdff4d2542f1795a9

SHA512
deddef7a0c59d940d14fc0a2d37a588395779afaeadfbf89f977dd2ebdb363f42cfc824502437e0e59745d8bcd06889086a991e601098e1db57017384e6e124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT

Filesize
599B

MD5
aa71a44bf5dfe09062e37ca88607a62f

SHA1
b4a724e009500eb2c7f18a70cedfda7058ebf488

SHA256
e942325b1059a2aa7ee8b739eb138500fbb669233f3332fe7a79c339d626225c

SHA512
18f75ec35f745a2303ed56b3bc8127021e6894b1172a18a67b7e08a457c3a2755fa270c330bddd50f6fe96904e0abb129601b12985eb4811f8e214cb1364a347

Download Submit
memory/360-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/360-2-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/360-43-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download