91e9e889927ed93e95baf92d1d56570824c6c4a00998d43f02d193d04f06b91c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Size

512KB
MD5

6d0ee4af41a8ee2139a4e3bcfe862e27
SHA1

6d6b28a1da461971e9efb095625c7c12d6b99b24
SHA256

91e9e889927ed93e95baf92d1d56570824c6c4a00998d43f02d193d04f06b91c
SHA512

c4ca7f3c8907be0355b0a4c67b6078f9984685d6033a7c87f4307fac64f0b27320f12bae6b5fda8a9290d922703480444c83b07b010923886002568c32c34fa6
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dlsulngkio.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dlsulngkio.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dlsulngkio.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dlsulngkio.exe

Executes dropped EXE 5 IoCs

Processes:

dlsulngkio.exeuzqnukouhrmyntg.exealajmlhv.exeacokjqjemuami.exealajmlhv.exe

pid process

2324 dlsulngkio.exe
2708 uzqnukouhrmyntg.exe
2972 alajmlhv.exe
2820 acokjqjemuami.exe
2540 alajmlhv.exe

pid	process
2324	dlsulngkio.exe
2708	uzqnukouhrmyntg.exe
2972	alajmlhv.exe
2820	acokjqjemuami.exe
2540	alajmlhv.exe

Loads dropped DLL 5 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exe

pid	process
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324	dlsulngkio.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dlsulngkio.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uzqnukouhrmyntg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ohfmiwjd = "uzqnukouhrmyntg.exe"	uzqnukouhrmyntg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "acokjqjemuami.exe"	uzqnukouhrmyntg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcvxmnew = "dlsulngkio.exe"	uzqnukouhrmyntg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

alajmlhv.exedlsulngkio.exealajmlhv.exe

description	ioc	process
File opened (read-only)	\??\t:	alajmlhv.exe
File opened (read-only)	\??\h:	dlsulngkio.exe
File opened (read-only)	\??\z:	alajmlhv.exe
File opened (read-only)	\??\v:	dlsulngkio.exe
File opened (read-only)	\??\u:	alajmlhv.exe
File opened (read-only)	\??\k:	alajmlhv.exe
File opened (read-only)	\??\m:	alajmlhv.exe
File opened (read-only)	\??\y:	alajmlhv.exe
File opened (read-only)	\??\v:	alajmlhv.exe
File opened (read-only)	\??\i:	alajmlhv.exe
File opened (read-only)	\??\w:	dlsulngkio.exe
File opened (read-only)	\??\a:	alajmlhv.exe
File opened (read-only)	\??\b:	alajmlhv.exe
File opened (read-only)	\??\e:	alajmlhv.exe
File opened (read-only)	\??\x:	dlsulngkio.exe
File opened (read-only)	\??\b:	alajmlhv.exe
File opened (read-only)	\??\s:	alajmlhv.exe
File opened (read-only)	\??\j:	alajmlhv.exe
File opened (read-only)	\??\l:	alajmlhv.exe
File opened (read-only)	\??\n:	alajmlhv.exe
File opened (read-only)	\??\u:	alajmlhv.exe
File opened (read-only)	\??\l:	alajmlhv.exe
File opened (read-only)	\??\g:	alajmlhv.exe
File opened (read-only)	\??\h:	alajmlhv.exe
File opened (read-only)	\??\r:	alajmlhv.exe
File opened (read-only)	\??\r:	alajmlhv.exe
File opened (read-only)	\??\y:	dlsulngkio.exe
File opened (read-only)	\??\o:	alajmlhv.exe
File opened (read-only)	\??\h:	alajmlhv.exe
File opened (read-only)	\??\n:	alajmlhv.exe
File opened (read-only)	\??\s:	dlsulngkio.exe
File opened (read-only)	\??\q:	alajmlhv.exe
File opened (read-only)	\??\t:	alajmlhv.exe
File opened (read-only)	\??\x:	alajmlhv.exe
File opened (read-only)	\??\x:	alajmlhv.exe
File opened (read-only)	\??\r:	dlsulngkio.exe
File opened (read-only)	\??\j:	dlsulngkio.exe
File opened (read-only)	\??\o:	dlsulngkio.exe
File opened (read-only)	\??\a:	alajmlhv.exe
File opened (read-only)	\??\g:	alajmlhv.exe
File opened (read-only)	\??\z:	alajmlhv.exe
File opened (read-only)	\??\e:	dlsulngkio.exe
File opened (read-only)	\??\g:	dlsulngkio.exe
File opened (read-only)	\??\o:	alajmlhv.exe
File opened (read-only)	\??\v:	alajmlhv.exe
File opened (read-only)	\??\p:	alajmlhv.exe
File opened (read-only)	\??\y:	alajmlhv.exe
File opened (read-only)	\??\k:	dlsulngkio.exe
File opened (read-only)	\??\l:	dlsulngkio.exe
File opened (read-only)	\??\m:	dlsulngkio.exe
File opened (read-only)	\??\z:	dlsulngkio.exe
File opened (read-only)	\??\j:	alajmlhv.exe
File opened (read-only)	\??\i:	alajmlhv.exe
File opened (read-only)	\??\s:	alajmlhv.exe
File opened (read-only)	\??\q:	alajmlhv.exe
File opened (read-only)	\??\e:	alajmlhv.exe
File opened (read-only)	\??\q:	dlsulngkio.exe
File opened (read-only)	\??\t:	dlsulngkio.exe
File opened (read-only)	\??\w:	alajmlhv.exe
File opened (read-only)	\??\a:	dlsulngkio.exe
File opened (read-only)	\??\i:	dlsulngkio.exe
File opened (read-only)	\??\p:	dlsulngkio.exe
File opened (read-only)	\??\u:	dlsulngkio.exe
File opened (read-only)	\??\m:	alajmlhv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dlsulngkio.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	dlsulngkio.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	dlsulngkio.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\uzqnukouhrmyntg.exe	autoit_exe
\Windows\SysWOW64\dlsulngkio.exe	autoit_exe
\Windows\SysWOW64\alajmlhv.exe	autoit_exe
\Windows\SysWOW64\acokjqjemuami.exe	autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	autoit_exe
C:\Users\Admin\Desktop\EnterWrite.doc.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dlsulngkio.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uzqnukouhrmyntg.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\alajmlhv.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\alajmlhv.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\acokjqjemuami.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	dlsulngkio.exe
File opened for modification	C:\Windows\SysWOW64\dlsulngkio.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uzqnukouhrmyntg.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\acokjqjemuami.exe	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

Processes:

alajmlhv.exealajmlhv.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	alajmlhv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	alajmlhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	alajmlhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	alajmlhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	alajmlhv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	alajmlhv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	alajmlhv.exe

Drops file in Windows directory 5 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFF9BEFE17F19784753B4A86ED3E94B0FE038F4365024BE1BF459D08D4"	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	dlsulngkio.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	dlsulngkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15F47EF39E853BABAA5329DD4B9"	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	dlsulngkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	dlsulngkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FFFF482F851A9132D65F7DE6BD93E144584267466333D79D"	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	dlsulngkio.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2560 WINWORD.EXE

pid	process
2560	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exealajmlhv.exeuzqnukouhrmyntg.exeacokjqjemuami.exealajmlhv.exe

pid	process
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2540	alajmlhv.exe
2540	alajmlhv.exe
2540	alajmlhv.exe
2540	alajmlhv.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2708	uzqnukouhrmyntg.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exealajmlhv.exeuzqnukouhrmyntg.exeacokjqjemuami.exealajmlhv.exe

pid	process
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2540	alajmlhv.exe
2540	alajmlhv.exe
2540	alajmlhv.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exealajmlhv.exeuzqnukouhrmyntg.exeacokjqjemuami.exealajmlhv.exe

pid	process
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2324	dlsulngkio.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2972	alajmlhv.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2708	uzqnukouhrmyntg.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2820	acokjqjemuami.exe
2540	alajmlhv.exe
2540	alajmlhv.exe
2540	alajmlhv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2560 WINWORD.EXE
2560 WINWORD.EXE

pid	process
2560	WINWORD.EXE
2560	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exedlsulngkio.exeWINWORD.EXE

description	pid	process	target process
PID 2244 wrote to memory of 2324	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	dlsulngkio.exe
PID 2244 wrote to memory of 2324	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	dlsulngkio.exe
PID 2244 wrote to memory of 2324	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	dlsulngkio.exe
PID 2244 wrote to memory of 2324	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	dlsulngkio.exe
PID 2244 wrote to memory of 2708	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2708	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	uzqnukouhrmyntg.exe
PID 2244 wrote to memory of 2972	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	alajmlhv.exe
PID 2244 wrote to memory of 2972	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	alajmlhv.exe
PID 2244 wrote to memory of 2972	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	alajmlhv.exe
PID 2244 wrote to memory of 2972	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	alajmlhv.exe
PID 2244 wrote to memory of 2820	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	acokjqjemuami.exe
PID 2244 wrote to memory of 2820	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	acokjqjemuami.exe
PID 2244 wrote to memory of 2820	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	acokjqjemuami.exe
PID 2244 wrote to memory of 2820	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	acokjqjemuami.exe
PID 2324 wrote to memory of 2540	2324	dlsulngkio.exe	alajmlhv.exe
PID 2324 wrote to memory of 2540	2324	dlsulngkio.exe	alajmlhv.exe
PID 2324 wrote to memory of 2540	2324	dlsulngkio.exe	alajmlhv.exe
PID 2324 wrote to memory of 2540	2324	dlsulngkio.exe	alajmlhv.exe
PID 2244 wrote to memory of 2560	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	WINWORD.EXE
PID 2244 wrote to memory of 2560	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	WINWORD.EXE
PID 2244 wrote to memory of 2560	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	WINWORD.EXE
PID 2244 wrote to memory of 2560	2244	6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe	WINWORD.EXE
PID 2560 wrote to memory of 804	2560	WINWORD.EXE	splwow64.exe
PID 2560 wrote to memory of 804	2560	WINWORD.EXE	splwow64.exe
PID 2560 wrote to memory of 804	2560	WINWORD.EXE	splwow64.exe
PID 2560 wrote to memory of 804	2560	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d0ee4af41a8ee2139a4e3bcfe862e27_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\dlsulngkio.exe
dlsulngkio.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\alajmlhv.exe
C:\Windows\system32\alajmlhv.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2540

C:\Windows\SysWOW64\uzqnukouhrmyntg.exe
uzqnukouhrmyntg.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708

C:\Windows\SysWOW64\alajmlhv.exe
alajmlhv.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2972

C:\Windows\SysWOW64\acokjqjemuami.exe
acokjqjemuami.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:804

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
512KB

MD5
95e6e18463957131e11e04a19ce2e889

SHA1
526b76aaef3e1227bdfa14f8b7c2e3d5b9e735d7

SHA256
d16ce4df6c1b24450bf9f90618cb7a486b3b84e9daa2de9c93d18df8bd90861c

SHA512
7d0ae98612d537f18959debc19d8503ace3ca09931c96408b26033ce659a091bbfa74dad1269ef75332b8409c057174ee82803074eba6f81e76b624de1a90baf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
75b19e87614eb881f2d20762df3369b9

SHA1
c11920d713402ffaa61146c0da7318074621c23a

SHA256
e5b87eff5a87a0f7f96c6af2cd76b5f58ec422b3394c9482a90c3d5187b5f53a

SHA512
b84df98195c98f2c244e224f5f4e8b8f70cf0f77b767381e490caa23af2557d8a1f58820f3ae87b47ed0cebd8a03d5fc6781274124337c3ac47772ba271368b9

Download Submit
C:\Users\Admin\Desktop\EnterWrite.doc.exe
Filesize
512KB

MD5
c0f3adf80ecd0055c0ddbf5743676b04

SHA1
8908db0eed7c8c3b226cfdc27c3252c5ea8e48b2

SHA256
2ad99d049fed1ba82caa9f87d93343b4bf17fdc8b5311ea21170a2a542ef0d54

SHA512
2feca2558f3b26faa8fea43dc0cc34b27de6742b337d261c6082c2a4aad09bb7c1b51409d2846973140803ce707e775fdddfbd4177c376463fa68063f4334603

Download Submit
C:\Windows\SysWOW64\uzqnukouhrmyntg.exe
Filesize
512KB

MD5
f331e47c44baabd9fbce6a22d6df4c19

SHA1
5db16023fc5c9bae34bf66cc3dae24eeab6301fd

SHA256
eabf7bd5f7b2623a4a6a81425c0ca5a6cbbd9b1c3c0d3c79208a3f5d3ed6533e

SHA512
3083efa7fb7a1686e202401c6f96860dc5ea7ca53f242f99a2570e2cc3b0a7ead3c669c5aaceb9c64380c1ba3f46e012aaf284345a429fb4a3b7a1fb9a4b3fa6

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\acokjqjemuami.exe
Filesize
512KB

MD5
051aff36be46d3ebed2ae63c7dafd289

SHA1
30cf7afc4ebbc16ea37595ee97a2148aa8a5f168

SHA256
5fd356fb23f5f8124c8f4e876ba502612813d8fdc077bafb1cfc7f630740d37c

SHA512
db956d453d17c2b610cc803495a9329679129fcc50d5504d55b1370ad25d9673698e89bc408722d64c682306ecaefffbfca233b9a674faae02f2f1c68499e67c

Download Submit
\Windows\SysWOW64\alajmlhv.exe
Filesize
512KB

MD5
0ecca09ece0ebe4d9a109e7ad4ff3a4a

SHA1
5c9bf0b4ffb9b64ece3ceb8549ffe5edfa9e4ddf

SHA256
5544b4b4235414cc2cb206cda8c3d1628ceed43f0de983f34f79d4da1d2be6c6

SHA512
1be8e87f3d56c99b8a4f450295ed95d625c844a99c73a73f3305b6d99ef25587b331eddacb4fb359acf88170ebdfc7e6c567ecb272c0ea0dab2fdaecfa50d236

Download Submit
\Windows\SysWOW64\dlsulngkio.exe
Filesize
512KB

MD5
4ecff865a7a0ce40b01448a674f79791

SHA1
7611d39eb3403d3ad1c3d924839ef75eeb4559e9

SHA256
2651fbefe767c3e30c2b7e078d8cc8e5a867c2055654fce72fd4d87020bf295f

SHA512
6d015ad09cbab4ed5896d7e1d0a411c2a75ae2b6dbf6e9d34380d253aae465232dfbb3839b1fdba2be77a610efbb3842524fb3e31aec154f4363e2936ebc39d7

Download Submit
memory/2244-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2560-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2560-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads