Analysis
-
max time kernel
124s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
26-06-2024 18:19
Behavioral task
behavioral1
Sample
12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc
-
Size
238KB
-
MD5
12f2ae873e891c0b2b43ffdac7f7d43e
-
SHA1
d0f481f1a01470a68c0cb81ce3e491689c741dcd
-
SHA256
330145ed03e314fa9939713c886f49ed7670ea82efd3de2c2263f1529736f469
-
SHA512
f9d99d6039437715720d32dcc86eb99e3ce20cfcf0bd3fa6c34de0215c93bc64dd1e7000758cb8d67c0bf034a83e7076d3376617f2ae94b078e765e014c44a7a
-
SSDEEP
3072:HAw1vPEfOgnPJceKBDaUGdSa9/LS1HPzVV:HAKvPEfrPJBAyU8mLL
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 3 IoCs
Processes:
WINWORD.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?cTe5jaE7x6WR6gVyXYQ2zfpCXxa9nSt7:LO788978 EXCEL.EXE Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Common\Offline\Files\https://kholoq.com/khol.php?cTe5jaE7x6WR6gVyXYQ2zfpCXxa9nSt7:LO788978 EXCEL.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEEXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0\0 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BAE2C200-5FA3-4C0F-9531-1955AFF6524F}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 2432 WINWORD.EXE 692 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
EXCEL.EXEEXCEL.EXEdescription pid process Token: SeShutdownPrivilege 1324 EXCEL.EXE Token: SeShutdownPrivilege 3832 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEEXCEL.EXEWINWORD.EXEEXCEL.EXEEXCEL.EXEpid process 2432 WINWORD.EXE 2432 WINWORD.EXE 1324 EXCEL.EXE 1324 EXCEL.EXE 1324 EXCEL.EXE 692 WINWORD.EXE 692 WINWORD.EXE 2252 EXCEL.EXE 3832 EXCEL.EXE 3832 EXCEL.EXE 3832 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2432 wrote to memory of 2536 2432 WINWORD.EXE splwow64.exe PID 2432 wrote to memory of 2536 2432 WINWORD.EXE splwow64.exe PID 2432 wrote to memory of 2536 2432 WINWORD.EXE splwow64.exe PID 2432 wrote to memory of 2536 2432 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f2ae873e891c0b2b43ffdac7f7d43e_JaffaCakes118.doc"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2536
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1324
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:692
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2252
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3832
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD559f86316edc0ca681fda0a15b36d468c
SHA195f05309d8a0d4ef3fa44a33f52e06f7e7a177ae
SHA256906fe52e005d9cbb77ec030d2cc2ad68eb30ebb4d22d1e06bf8654224020dea4
SHA512e013563800e05ce05350101fe718a51536133d25803aa7b468f450052ed2dfe801b5b0b53c9bf22694c2e112215695d99f1eb4d21bdc0cb449dda9ddc809e65c
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0145E18E-3BF7-4AFD-A2B5-E620020F09B5}.FSD
Filesize128KB
MD501fe571c7b100d299046aac00c2f61fb
SHA1e734b94c88ac8e6e99ac5663aacd26bf55f0895b
SHA2560e0cfe882e2989673c6bf664ad65781163648a7fd0954e9b3cf142b1163cad79
SHA51288855a7096d50f24b801a3deafdeff62f3f81927f80a32b2d677b744822f96de0e17e9629aa1f4caf5a4a2f95f2b35a7e604af08515cce3b25216153e55197fc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0145E18E-3BF7-4AFD-A2B5-E620020F09B5}.FSD
Filesize128KB
MD583a364b08760da91f4d38cb7357c0254
SHA1b085be0fae5841afc60bedcc33343ffe47dc5273
SHA25695709051c5cf67510ebe66fb3f88ddfd7ccb802cfdbe99eb59070d25f86e3631
SHA5126629800db3cc2a4ff05feae95d14fa15f9b73ccc20463050a464ba05773ac4a8d5f31178063c3da6d1f15d50fcb9c65f55d84295c1d58342a7e03a27709ce235
-
Filesize
114B
MD5f854c8e0a2581f482ad3be59990bb2d9
SHA19b8f4fadbb12582e6946fecee120d3ef8e3ccfcc
SHA256155f854568afd226f76b0277267e71ae3f81e6cd736f551d60138fd675e2868a
SHA5124dadd3aee2ca7b3a7d7c07ce4b2ec9e39977f0fb5c64739629b9bda87c0bbfac64570954f2829b4c2c2e8a8f631a3b96e003186126391d80fff9044dd7c5641d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5620e31db01cf967eae893ac063d0013e
SHA121f9a243db6e89f237e896255793123741ede381
SHA2562e4dae8f73371e534a8c52fdce2ca6502324d7a0526659ef9918227d0cf7b25d
SHA51293536eb5379a5e4735a526eda15a9bba8cb6f9d693179b88ccde7c47a906f598551de3a368a4ef78278b45454ae7fbef2f6d3164ece36cc3392a1f3b7bdd9bf7
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5b1911becade22a983b7e5a46f39d3bb8
SHA1cf2e3e3e5e10722e468b511b563ceb97e431e71f
SHA2561cc44616247bebb70cc9c1eb592bc8db5191f3c7ffc111281246b336aad1b905
SHA5127f981d535d67cd684cc994a4d58f4c6450fef8f908875b1c58a2c941c8339ee4d0a58c67ec62b24ba0fd44e1c53d1acbb110ec75af995bb8f5c4e9ce074941dd
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{37FCC202-CD3F-4464-B54E-E8FDD5C1E91B}.FSD
Filesize128KB
MD578113eea24cd557d6a45e39f52f4fb97
SHA1ea32e9d23dd4c9119cd111a7aad371ac4e21d8fd
SHA256285f43fb79ff7f3350ab47390c9dde54c2a816f712ec5884683fde4ff8c901a8
SHA5128f68e2421338df024c415c51d8be3c5729e58edc8fd1c4b1f25e371d2e34f57f715c250351f38e3eeff6a814d602e5639a9c7e9aae1b827a2bac25be1e467ef5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{37FCC202-CD3F-4464-B54E-E8FDD5C1E91B}.FSD
Filesize128KB
MD578c0f69d39e08b86704de036d4310776
SHA13305a39316a85279de3db4ac1c1db197bc159eaa
SHA2560c08ef4e2b11d9ec62b4c74d6d9c1947327d5652586a0756b612f55ff65441a8
SHA512c2916e40515e9b7f54797262efd405a6ec90aec20594f6ef9f369a358dcdbb553063c5e7eb833b2867a8a98e0b8ff7ebc30ecdaaf5bd9ba02aff05152b486a73
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
Filesize114B
MD5c0346354fc75ef39f61cf239695c3360
SHA136944d2cca7e701f5e6f928f2bcd425e6ffb2c69
SHA256370b44504054760ad8e7e13dd658317826c3b8c08bab8dd7f6893629ef88c315
SHA51209f440f88a3e102bdd055287abf071cd40309feed907b9884509126a56b845c56e9b8ddc13fc7c07bb83f46ebeb12fde99f167bde90d48e14dd9aa6a8dff8f49
-
Filesize
143KB
MD5cff6bcbd8c108eda7a35b38c7d54f171
SHA169e5d5db88bb299f7eb787a8a1ad217595220419
SHA256a02ff216aaf9c0cf65c85c878856e37755c5f377be9711cab2256dc996ef66b8
SHA512ef9b1ac205d98fc33f993db59ddaee403324da29f45137ca86d26f7bc6d53acf39e02497a2f17d662f4d8cd207ba685205efe362ad62f3dab80a3980b58244aa
-
Filesize
128KB
MD5c9787a24422158a2a13469bfa7549d80
SHA1c81061afa6220c4b7785d6af9550c145de8f4fd8
SHA25695161efda3f0ccf8d482675590477b9c181917c83f99e5da69394b4a901c7bc9
SHA5128df4d92a0aa05c1044d130437b6fd74b027e808b94e838f1898aa32886de969374f77d006b41addd70ba865ed9adae00e49a4e5b0ebf693a20724d8809869a21
-
Filesize
36KB
MD565f83ca895707335115aea86826ec197
SHA19e2aa75cffe198859c2a57255073404a74908f80
SHA256b037fb4d8f3e266206e04e43aea18f4568b1f18cfcc5118ff73e78820c7ab9eb
SHA5121596bb7be6f51b4c3d7e24d14495853b89bc23611457ffa3b06f05afe2e29b02a175e399e0c7275c553bd5baf86ab9a04fd9dc6231018ede390b9da046cf6b8a
-
Filesize
74B
MD549b09ed076efa2f38c2b3fd2aeb2c925
SHA166646e0143266be702e9e31fb7ce6de3f2fc3724
SHA256b9ce5aa004828447a1b7171017e850d83b4a129d6f3ea51d4ec2debe95aa1862
SHA512dd4b1639d722eb6bcb28c5c5fdb0d1d5f0f2df4d113b5182e9fb1928368c303a44ac5687ac41e6c07a09e688a16a247dcc68e3ee24a3f83df687c02b0acf6d1c
-
Filesize
20KB
MD5bbbbc38b2b990731418119e6fc3b3be8
SHA11572c14438edb66e691cacb4fc5c013f97d8023b
SHA256e842d4cf99ea62043189be4a19ce59b258b68abbb2ea86ae67feac42d8d20c49
SHA51202d8e77406ec697df7f127865bd15fb5b0f68b2b10a2637fb6b0248a8f95f35aa36811297e257597ceaddfe21f391db5fa4ef11413b1f8fb6ca305f3d7abd3cf
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84