trickbot | 26343fd2691b9e8b902d17f0a8a61038f61a983fda5e91f10aa0a30f85fcd2d6

General

Target

97e0a1bccab5eff8f2e8603a7057c17a_JaffaCakes118.docm
Size

388KB
MD5

97e0a1bccab5eff8f2e8603a7057c17a
SHA1

ea679b0b00e5ae45c92557a7036421db90fead81
SHA256

26343fd2691b9e8b902d17f0a8a61038f61a983fda5e91f10aa0a30f85fcd2d6
SHA512

b92ec3647eef95b49f0da361e0cda5b06074fef2f7b4a640e1ca898ac1cf0764e2dccec3b72b227ec4bcec0aa0b51e520cac5deee44a6d1f2eba9c5a530aaa4f
SSDEEP

12288:11Q1aakI08iey8aa2BCQ8IzllQwLfVaR+SvB63:n5IDieBBIzlllfVQBM

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

usingdll32.com

pid process

2592 usingdll32.com
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
2592	usingdll32.com

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\TypeLib\{16CBB548-E692-4F7B-9F7A-123F972005E3}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1384 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2348 wermgr.exe
Token: SeDebugPrivilege 2348 wermgr.exe
Token: SeDebugPrivilege 2348 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1384 WINWORD.EXE
1384 WINWORD.EXE

pid	process
1384	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2348	wermgr.exe
Token: SeDebugPrivilege	2348	wermgr.exe
Token: SeDebugPrivilege	2348	wermgr.exe

pid	process
1384	WINWORD.EXE
1384	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WINWORD.EXEusingdll32.com

description	pid	process	target process
PID 1384 wrote to memory of 2816	1384	WINWORD.EXE	splwow64.exe
PID 1384 wrote to memory of 2816	1384	WINWORD.EXE	splwow64.exe
PID 1384 wrote to memory of 2816	1384	WINWORD.EXE	splwow64.exe
PID 1384 wrote to memory of 2816	1384	WINWORD.EXE	splwow64.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe
PID 2592 wrote to memory of 2348	2592	usingdll32.com	wermgr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\97e0a1bccab5eff8f2e8603a7057c17a_JaffaCakes118.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2816

\??\c:\begginers\usingdll32.com
c:\begginers\usingdll32.com
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDDF54FB.wmf

Filesize
330B

MD5
dd14c1b5e9171d4a2d0a8cf1f6c9ec5d

SHA1
31b2c6aba0b3af901f92ea1ac82e7e795046dffb

SHA256
5c824b8908a5e8dca5bfbd6a50daa2f6fe81838f441104c423751b9ed2327a09

SHA512
c0060351d2d5b60c81c1d4067a072d91a396b1c1a2de39b402c341570c77649e7365a2bfee80159146949cc9a8c999c549f36d514c33f4b7088beba8f3019576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8EAB81F6-F80B-4F9C-AAE5-E7883A4787A9}.tmp

Filesize
1KB

MD5
d23d4fbf99ac52b08d556192db1c98f5

SHA1
5024d8358e12f71d68b58afe6bacde664b42521b

SHA256
35a527dc232a7077c9f65b00c538f389f264e7929d62c3fdff541b1fa64dbbb8

SHA512
0affbe12d5f561c012f4e24fdd49ee0c7de91615a6886d6f1efe9617763bfda475a4385af818004894d3565d62d3b03afb351e1841e9147a353de3306c431141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DB2B4F42-7CF1-439F-867B-30650645D2E9}.tmp

Filesize
1024B

MD5
1d0cd2b51ffa563908039e07a2b08430

SHA1
5d5a655b08681c801e369510694367f4152e51fc

SHA256
3511c0055abe0d5220a296ecde1599045c4d1f1a1fbc931f6600d341a010ad5d

SHA512
2ade08c7cdfd7763ac7df2b558be2e74e5f701437330d60ca97021acc0c8a6758db02b2b82f0b762815dc8bcbcf37b34a9cedd7d81566be626cfbdc0c2edc185

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6ba8695832991decfdcc8e109a105b7a

SHA1
9f31f0fb6db65149eaaa8f6caa22745834c6bdc6

SHA256
9b302e9946ff46bc4190ce00241bf848464c5c361d5903fabeb5596bb37f1451

SHA512
b1eab521cac23a7aea46d71cd02570180513d2f360cdcf10d9aa8b4a32d9935e3fc8f91ac5fa04e622a7efb6019b84369ac3d74cd144baeaa61f6505c5168ec0

Download Submit
C:\begginers\usingdll32.com

Filesize
336KB

MD5
7fb93f501722d46e233325c2dbe6e329

SHA1
c719c204582d363ac697ec3e3bf4754e1147a9ff

SHA256
34a2ebbb2b0ca11b97e136fdb21677aa1222c13ea0dbd78f4469e95e2cb9f6ae

SHA512
a1c100a7154cee1f0aeddd6fee9f8a31092dd59b63ef0b4a331157af535249400930e1df01bce96b6e025c3fc037c9d71cace07f6dbdbf3aa530c47af37cec13

Download Submit
memory/1384-42-0x0000000005170000-0x0000000005270000-memory.dmp

Filesize
1024KB

Download
memory/1384-22-0x0000000005170000-0x0000000005270000-memory.dmp

Filesize
1024KB

Download
memory/1384-38-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/1384-0-0x000000002FA61000-0x000000002FA62000-memory.dmp

Filesize
4KB

Download
memory/1384-11-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/1384-2-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/1384-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1384-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1384-116-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2592-41-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download
memory/2592-40-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/2592-39-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download
memory/2592-92-0x0000000000370000-0x00000000003A1000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads