Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 18:00
Behavioral task behavioral1
Sample: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Resource: win10v2004-20240508-en
General
Target: 12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc
Size: 238KB
MD5: 12e470cf2ab1d4b29fd6ffbdbb77a2b3
SHA1: d8b50f5e29aa03e86f4ea379603bbdaf3100f56d
SHA256: 9c7c3e7884ef015412487f4715467908ac7a53b9d757ad7f059b8b9c9bf2d3fe
SHA512: 51057c30d58e98316bcb54b5ecd8f8fa41281365ffae39375eb53b00a9418eff36f0a73c8241648f3e2e1101a36febb827792bc08da4574089922b3e8ff34fb0
SSDEEP: 1536:YterT1w1vN8M/EfOgnPJceKBCwbacKHrTPKyzK/dRYwT5mlG6JZbCAPonGy4msV:YAw1vPEfOgnPJceKBDa1wdSAmlHbCMV
Malware Config
Signatures
Abuses OpenXML format to download file from external location (5 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?ELPQUzyIs5ak6d68zJwoxTFayBpmj4OP:F1987740 | EXCEL.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?ELPQUzyIs5ak6d68zJwoxTFayBpmj4OP:F1987740 | EXCEL.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?ELPQUzyIs5ak6d68zJwoxTFayBpmj4OP:F1987740 | EXCEL.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?ELPQUzyIs5ak6d68zJwoxTFayBpmj4OP:F1987740 | EXCEL.EXE
Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings
Processes:
WINWORD.EXE
Modifies registry class (64 IoCs)
Processes:
WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
2864 | WINWORD.EXE
1264 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
description | pid | process
Token: SeShutdownPrivilege | 2808 | EXCEL.EXE
Token: SeShutdownPrivilege | 472 | EXCEL.EXE
Token: SeShutdownPrivilege | 1544 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
pid | process
2864 | WINWORD.EXE
2864 | WINWORD.EXE
2808 | EXCEL.EXE
2808 | EXCEL.EXE
2808 | EXCEL.EXE
1264 | WINWORD.EXE
1264 | WINWORD.EXE
472 | EXCEL.EXE
472 | EXCEL.EXE
472 | EXCEL.EXE
1544 | EXCEL.EXE
1544 | EXCEL.EXE
1544 | EXCEL.EXE
1440 | EXCEL.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 2864 wrote to memory of 2636 | 2864 | WINWORD.EXE | splwow64.exe
PID 2864 wrote to memory of 2636 | 2864 | WINWORD.EXE | splwow64.exe
PID 2864 wrote to memory of 2636 | 2864 | WINWORD.EXE | splwow64.exe
PID 2864 wrote to memory of 2636 | 2864 | WINWORD.EXE | splwow64.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2864)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12e470cf2ab1d4b29fd6ffbdbb77a2b3_JaffaCakes118.doc"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe (PID 2636)
    Command line: C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2808)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - Abuses OpenXML format to download file from external location
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1264)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 472)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - Abuses OpenXML format to download file from external location
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1544)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - Abuses OpenXML format to download file from external location
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1440)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - Abuses OpenXML format to download file from external location
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads