fba955bfc7b53fa25c90e9dbcac244330ce899ac7a81bffd1f842d0f3f61f4bf

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9211a9c880aa525e9063514445413024_JaffaCakes118.exe
Size

512KB
MD5

9211a9c880aa525e9063514445413024
SHA1

581a343695aa68366ce73adf0b9729bd4ee52f74
SHA256

fba955bfc7b53fa25c90e9dbcac244330ce899ac7a81bffd1f842d0f3f61f4bf
SHA512

3dd0d647cf835367db06a339530b5d6754ba5a3cc3987ca77323de7fa9ae8c3aad7055ed4f9df74b36b29c5956913b8f5229da989770ff64aee3d996626b2f10
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mhrjvtpsuk.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mhrjvtpsuk.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mhrjvtpsuk.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mhrjvtpsuk.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
1156	mhrjvtpsuk.exe
2644	dxfssrpkxomkjqd.exe
2748	wigffenq.exe
2668	fjedkbvckmqst.exe
2560	wigffenq.exe

Loads dropped DLL 5 IoCs

pid	Process
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
1156	mhrjvtpsuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	mhrjvtpsuk.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tgzrkcxb = "dxfssrpkxomkjqd.exe"	dxfssrpkxomkjqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fjedkbvckmqst.exe"	dxfssrpkxomkjqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jllolcza = "mhrjvtpsuk.exe"	dxfssrpkxomkjqd.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	wigffenq.exe
File opened (read-only)	\??\a:	mhrjvtpsuk.exe
File opened (read-only)	\??\i:	mhrjvtpsuk.exe
File opened (read-only)	\??\j:	mhrjvtpsuk.exe
File opened (read-only)	\??\k:	mhrjvtpsuk.exe
File opened (read-only)	\??\v:	mhrjvtpsuk.exe
File opened (read-only)	\??\k:	wigffenq.exe
File opened (read-only)	\??\w:	wigffenq.exe
File opened (read-only)	\??\z:	wigffenq.exe
File opened (read-only)	\??\u:	wigffenq.exe
File opened (read-only)	\??\x:	wigffenq.exe
File opened (read-only)	\??\h:	mhrjvtpsuk.exe
File opened (read-only)	\??\e:	wigffenq.exe
File opened (read-only)	\??\h:	wigffenq.exe
File opened (read-only)	\??\u:	wigffenq.exe
File opened (read-only)	\??\s:	wigffenq.exe
File opened (read-only)	\??\w:	wigffenq.exe
File opened (read-only)	\??\l:	wigffenq.exe
File opened (read-only)	\??\k:	wigffenq.exe
File opened (read-only)	\??\m:	wigffenq.exe
File opened (read-only)	\??\o:	wigffenq.exe
File opened (read-only)	\??\z:	mhrjvtpsuk.exe
File opened (read-only)	\??\e:	mhrjvtpsuk.exe
File opened (read-only)	\??\s:	mhrjvtpsuk.exe
File opened (read-only)	\??\i:	wigffenq.exe
File opened (read-only)	\??\s:	wigffenq.exe
File opened (read-only)	\??\y:	wigffenq.exe
File opened (read-only)	\??\n:	mhrjvtpsuk.exe
File opened (read-only)	\??\b:	wigffenq.exe
File opened (read-only)	\??\j:	wigffenq.exe
File opened (read-only)	\??\x:	wigffenq.exe
File opened (read-only)	\??\g:	wigffenq.exe
File opened (read-only)	\??\i:	wigffenq.exe
File opened (read-only)	\??\n:	wigffenq.exe
File opened (read-only)	\??\a:	wigffenq.exe
File opened (read-only)	\??\l:	wigffenq.exe
File opened (read-only)	\??\n:	wigffenq.exe
File opened (read-only)	\??\t:	wigffenq.exe
File opened (read-only)	\??\l:	mhrjvtpsuk.exe
File opened (read-only)	\??\v:	wigffenq.exe
File opened (read-only)	\??\e:	wigffenq.exe
File opened (read-only)	\??\r:	wigffenq.exe
File opened (read-only)	\??\z:	wigffenq.exe
File opened (read-only)	\??\p:	mhrjvtpsuk.exe
File opened (read-only)	\??\t:	mhrjvtpsuk.exe
File opened (read-only)	\??\w:	mhrjvtpsuk.exe
File opened (read-only)	\??\o:	wigffenq.exe
File opened (read-only)	\??\h:	wigffenq.exe
File opened (read-only)	\??\y:	mhrjvtpsuk.exe
File opened (read-only)	\??\b:	wigffenq.exe
File opened (read-only)	\??\q:	mhrjvtpsuk.exe
File opened (read-only)	\??\a:	wigffenq.exe
File opened (read-only)	\??\y:	wigffenq.exe
File opened (read-only)	\??\g:	mhrjvtpsuk.exe
File opened (read-only)	\??\m:	mhrjvtpsuk.exe
File opened (read-only)	\??\r:	mhrjvtpsuk.exe
File opened (read-only)	\??\x:	mhrjvtpsuk.exe
File opened (read-only)	\??\g:	wigffenq.exe
File opened (read-only)	\??\r:	wigffenq.exe
File opened (read-only)	\??\p:	wigffenq.exe
File opened (read-only)	\??\q:	wigffenq.exe
File opened (read-only)	\??\v:	wigffenq.exe
File opened (read-only)	\??\q:	wigffenq.exe
File opened (read-only)	\??\b:	mhrjvtpsuk.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	mhrjvtpsuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	mhrjvtpsuk.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2964-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0036000000015c7f-5.dat	autoit_exe
behavioral1/files/0x000e00000001226b-17.dat	autoit_exe
behavioral1/files/0x0008000000015cc7-28.dat	autoit_exe
behavioral1/files/0x0007000000015ce3-39.dat	autoit_exe
behavioral1/files/0x0006000000016ce7-71.dat	autoit_exe
behavioral1/files/0x0006000000016d1b-73.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wigffenq.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fjedkbvckmqst.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	mhrjvtpsuk.exe
File created	C:\Windows\SysWOW64\mhrjvtpsuk.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mhrjvtpsuk.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxfssrpkxomkjqd.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dxfssrpkxomkjqd.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wigffenq.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fjedkbvckmqst.exe	9211a9c880aa525e9063514445413024_JaffaCakes118.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wigffenq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wigffenq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wigffenq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wigffenq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wigffenq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wigffenq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wigffenq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B1584790399D53C8BAD7329BD4BC"	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB9FE6821AED27CD0D48B08916B"	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	mhrjvtpsuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	mhrjvtpsuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	mhrjvtpsuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8D485C856E9133D75A7E93BDEEE146594A66466246D690"	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	mhrjvtpsuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2700	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2748	wigffenq.exe
2748	wigffenq.exe
2748	wigffenq.exe
2748	wigffenq.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2560	wigffenq.exe
2560	wigffenq.exe
2560	wigffenq.exe
2560	wigffenq.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2644	dxfssrpkxomkjqd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe
Token: SeShutdownPrivilege	1036	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2748	wigffenq.exe
2748	wigffenq.exe
2748	wigffenq.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2560	wigffenq.exe
2560	wigffenq.exe
2560	wigffenq.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
1156	mhrjvtpsuk.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2644	dxfssrpkxomkjqd.exe
2748	wigffenq.exe
2748	wigffenq.exe
2748	wigffenq.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
2668	fjedkbvckmqst.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe
1036	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	WINWORD.EXE
2700	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1156	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	28
PID 2964 wrote to memory of 1156	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	28
PID 2964 wrote to memory of 1156	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	28
PID 2964 wrote to memory of 1156	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2644	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2644	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2644	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2644	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	29
PID 2964 wrote to memory of 2748	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2748	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2748	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2748	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2668	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2668	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2668	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2668	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	31
PID 1156 wrote to memory of 2560	1156	mhrjvtpsuk.exe	32
PID 1156 wrote to memory of 2560	1156	mhrjvtpsuk.exe	32
PID 1156 wrote to memory of 2560	1156	mhrjvtpsuk.exe	32
PID 1156 wrote to memory of 2560	1156	mhrjvtpsuk.exe	32
PID 2964 wrote to memory of 2700	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2700	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2700	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2700	2964	9211a9c880aa525e9063514445413024_JaffaCakes118.exe	33
PID 2700 wrote to memory of 2088	2700	WINWORD.EXE	38
PID 2700 wrote to memory of 2088	2700	WINWORD.EXE	38
PID 2700 wrote to memory of 2088	2700	WINWORD.EXE	38
PID 2700 wrote to memory of 2088	2700	WINWORD.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9211a9c880aa525e9063514445413024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9211a9c880aa525e9063514445413024_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\mhrjvtpsuk.exe
  mhrjvtpsuk.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\wigffenq.exe
    C:\Windows\system32\wigffenq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2560
- C:\Windows\SysWOW64\dxfssrpkxomkjqd.exe
  dxfssrpkxomkjqd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2644
- C:\Windows\SysWOW64\wigffenq.exe
  wigffenq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2748
- C:\Windows\SysWOW64\fjedkbvckmqst.exe
  fjedkbvckmqst.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2668
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
124130c3cc1d6caa884363db91f91869

SHA1
15f8f177fdfea13b411fceb1414805bc64f0826d

SHA256
6bcd841811dfddebd9d57c3aec9a44b7a88f13aeeda2939eac3b00240ffd6bd7

SHA512
40a223913d36e943c240c350fc3c38c70faa633982e24840356a7a79e2a2fb778b2e0462f0c905cfd2a3e4cae6642f53797a33ce4bd3380b4613e7a6742ac401

Download Submit
C:\Users\Admin\AppData\Roaming\CompressFind.doc.exe

Filesize
512KB

MD5
ad5abb8a468b66529def6f53e4f3387f

SHA1
8c702c524dabfefbffa5061075bed1eb16049b70

SHA256
86ab8d29e92d1592be5045de077b1525980ee9f61d16b2f4da70cffef14dd474

SHA512
9dbb7de21265e822a63fe19fdaa1761c09d4fbdca8903ad32f098d7c943dd8802b949686fcaa9398c7d7fd5b04def4c6628000b0e26677f6edc090ed4272c832

Download Submit
C:\Windows\SysWOW64\dxfssrpkxomkjqd.exe

Filesize
512KB

MD5
f5ebadedab603ce0718a0fa854a58d9a

SHA1
77c093d758bb14f0e55d4e85a745e1de9489c178

SHA256
927fad73ad6ed206dae588e6c51f3d78ac56f86844eaa97647552b2bc16d982f

SHA512
6d91e50b11ac49a425f132b24c90c68e1d8d2e140f3bc17db0743b589900df4a999ce422c409340ff36d9fb14819d474d3207bbcf29dc4928d9fd8f1b5b4ff2f

Download Submit
C:\Windows\SysWOW64\fjedkbvckmqst.exe

Filesize
512KB

MD5
b7e3d54a8a34046960c1329a1b464a36

SHA1
59b7a7b3780dc477bdd2e58f7998c8d0597bd888

SHA256
5ca624c3cc9d8d1a27474a9bcd30c3ae53f2dd24fd9de2ab7bd238b096d6b387

SHA512
1fc9e319bf00432d89d64ace2668f6e7e5b0c2ead1014a51ee0633e696523388b7f19d9d5fd08f43c5b1506ee46a6a52cdff1f36c44642335fc2cc5c1b906615

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\mhrjvtpsuk.exe

Filesize
512KB

MD5
be8d35e1107e713b2de2d73e8d87fa7a

SHA1
1b6a0eec5ef5ee882a28317b781e28559c44f676

SHA256
44cbee1c570b2b677229f63329df25369e5aa7f53be5fa355ab4e7e707606b24

SHA512
4891712c3a04444048f0d9f54fc34212b54c435e6814fff2a30f13340a000a896f8b6a4c178862367fc01874275b1f1d052e9ed40cb82c1bcbb4ffd876430015

Download Submit
\Windows\SysWOW64\wigffenq.exe

Filesize
512KB

MD5
8e3acc55c54e0938475d8dc3f9a21ce8

SHA1
bbaa1c1407717f1afa1ab9890f16b5d4ac4fbaf7

SHA256
49bf4ea6b89465f65cc9c41006d5bcd63b3b6329781b24cf3e6ccad7e2db717e

SHA512
3733386e9381e933fab4d9f03abf29bf82daa3e38b3b63d0078e3dedf81a8aab5bff1b22e82be6dd32484b6b824c77db76d6665817840d86fd1e5b7469421c9a

Download Submit
memory/1036-84-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/2700-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2964-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download