50652e512a4945c812eb1ad37f23f89fb004b95468568baf3d09daff99ed1ccf

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
Size

236KB
MD5

01f360a1cca0f5ddad97cc3abc3006e4
SHA1

faa57b7525d42071a32cbadd9f6be8e03fe6d11d
SHA256

50652e512a4945c812eb1ad37f23f89fb004b95468568baf3d09daff99ed1ccf
SHA512

8fd257c495e1f056e1d8c4d6ec8f0419b0b2ba72d192627823befcc0507ee58b772ef9073c16cc5272bfb73bc7880353a62b652b0287dd193a7dbd7bf88e13c4
SSDEEP

6144:9Z5PmYk+XlDKZD+0J4VXdkJlOeSLZJ7kPu8+:9aYk+1CdCVtilONn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2696	BcTool.exe
2560	GfxAcc.exe
2400	WinNetw.exe

Loads dropped DLL 4 IoCs

pid	Process
2064	Regsvr32.exe
2696	BcTool.exe
2560	GfxAcc.exe
2400	WinNetw.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSWinsck.ocx	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\vtnmsccd.dll	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\vtnmsccd.dll	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\GfxAcc.exe	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\TempRes.dat	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\BcTool.exe	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\WinNetw.exe	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\q216309.exe	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File opened for modification	C:\Windows\q216309.exe	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\ = "Search"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ = "_OutlookBarGroups"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ = "_Views"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ = "_AssignToCategoryRuleAction"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ = "_FromRssFeedRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ = "NavigationPaneEvents_12"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ = "_NavigationPane"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ = "_TaskRequestDeclineItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ = "Recipient"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2568	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2568	OUTLOOK.EXE
2568	OUTLOOK.EXE
2568	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2568	OUTLOOK.EXE
2568	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
2696	BcTool.exe
2560	GfxAcc.exe
2400	WinNetw.exe
2568	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2064	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2696	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	29
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2560	1684	01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2400	2696	BcTool.exe	32
PID 2696 wrote to memory of 2400	2696	BcTool.exe	32
PID 2696 wrote to memory of 2400	2696	BcTool.exe	32
PID 2696 wrote to memory of 2400	2696	BcTool.exe	32

C:\Users\Admin\AppData\Local\Temp\01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01f360a1cca0f5ddad97cc3abc3006e4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32.exe /s C:\Windows\system32\MSWinsck.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2064
- C:\Windows\BcTool.exe
  C:\Windows\BcTool.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\WinNetw.exe
    C:\Windows\WinNetw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2400
- C:\Windows\GfxAcc.exe
  C:\Windows\GfxAcc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2560

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Windows\BcTool.exe

Filesize
32KB

MD5
55d096cf235ae6c4868e8c5efc207a28

SHA1
ebb5d7aecf9b33f7f8f1926568162347fc992956

SHA256
34d3083234954f1eef4dd4539ca094fa6d98da4043a4653a3c55b0d5e456fbbe

SHA512
1867aa49e854afc0dd005e12b4e666a0c44f28947fbc3c7692bb004f9ff081b4fd1af7459407a3536847d4c8f3244be8705e35998b40aef258dff290b4ee4c44

Download Submit
C:\Windows\GfxAcc.exe

Filesize
20KB

MD5
0a84b270ec2fc29715069b8aeec1d444

SHA1
7dfc7d42771fecd85f71fcb1fa44c88d56ca45df

SHA256
13d2942c348c260b87ab0b8b518593c5872156db3e0fd8f80927f750de71f308

SHA512
a4777d73c4be925974f283fbac4a025128dca0a3923ead207eb6f078ecc5e4bd17b636bea455b46c67821df8f928462d3b70388317d1abe3e5c132f37e00322f

Download Submit
C:\Windows\SysWOW64\MSWinsck.ocx

Filesize
106KB

MD5
851f34233b9ec424695815cad2a909d8

SHA1
05235076e55b1bfdf4f834d398c1044af5a734dd

SHA256
78dcd52e2311d08fc405ac2b54686ee66dda4fa68994819ae3315172b27e1f7f

SHA512
ee24454128b64883c324b00133af1f2814a023195907f0cb8b3a51300233fa27ebb02d68a7f41067f209837e6f7fa0ee1dcc7f7bf40a48fee9318cb335e38727

Download Submit
C:\Windows\WinNetw.exe

Filesize
20KB

MD5
3648c5a44c2df334a91557d34f7fd42e

SHA1
ee3a7c066857754512189781ffc31953be1a815d

SHA256
8d9dfcfdd8b37bf1a7f69d0476b5cd99f232a44d8de9e895c7d2c4f7e6bb3a61

SHA512
178b644f8f6cb93a72d44d0ddcd23c6159b087b701d25e517b81da60e165c25e0bf12dd4235c1b44da45533d1fa80cbc0064fdfb8948a719036222e4c8e502bd

Download Submit
memory/1684-0-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/1684-7-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2568-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download