3c87127f6ac12f31aa8fe405087144d48495f1c2f7f2d7380b29870bc3e1dce8

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc
Size

205KB
MD5

842031979d838c7c4c9f58028723f6bd
SHA1

feeedec9dd0b47cc5b5145448cbdd8e24eed9fb0
SHA256

3c87127f6ac12f31aa8fe405087144d48495f1c2f7f2d7380b29870bc3e1dce8
SHA512

14aacf4e44f8e8f060a7698de079aeacdd93c31631a5ce1e2a6b334e730abe0c4a20fb8f11bc1dddd14dbf01e22e9b8bfe579ca642f62537d2441fdd3e836472
SSDEEP

1536:KterT8wKLcCmXwGe1G0ppHrTPJyn5J8bRs5F+QlOwQf1Yc7uWDMOhY:KRwycXwGe1GMpIxCQlkfH7JQ

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4932	WINWORD.EXE
4932	WINWORD.EXE
1136	WINWORD.EXE
3296	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	4564	EXCEL.EXE
Token: SeAuditPrivilege	3296	EXCEL.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4932	WINWORD.EXE
4932	WINWORD.EXE
4932	WINWORD.EXE
4932	WINWORD.EXE
4932	WINWORD.EXE
4932	WINWORD.EXE
4932	WINWORD.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
1136	WINWORD.EXE
3296	EXCEL.EXE
3296	EXCEL.EXE
3296	EXCEL.EXE
3296	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\842031979d838c7c4c9f58028723f6bd_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
e531567acf604fa1e9d9b8667a8f74c8

SHA1
4188dd9336616e684c107a8efcb19774a2a88943

SHA256
543665a0e6ef9c6fc073139cf7ef2e7e27b0cd4590cf5bdd41ff6f6307675e77

SHA512
58cc26e79eacc74a44d43efd04f00d85610a1cf66af7b11b72b55a474ec2c4149b64d30e03c5505b48fa9d45fc81968344077963bca4d631a70e7f089de9f04c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
9e7ceecbdea31e79080794e2ccc07faa

SHA1
bc20dbea3c5f29c626fca5d5d0a026c062f4ff8c

SHA256
03d980ec419e873dfb8e07d0d18a1c538c48a2a553dcd42fb6381e74a2deaebd

SHA512
5a587da85d22eed836c9247449a9be66bf9b1ce088d2a70c8f280b65e29b03be42c288a8e0ead7862ebe1bad0f5b11ce9bfbf8f545e9889c8ca2e935dee96f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
5d5f4a3355f5a44a55b8addc1b00a8ae

SHA1
907faa5e802d3b4289a6c90a808284c88cb27ef4

SHA256
a4d0861412e4e63bf2fb0fd960c415b8d5c190cac48dec04e1c681be8791a87d

SHA512
99dc5766c9c7ad999fea6259694143191d4a84a4509bd7ffd2a50171f603c75ea0d6bcb9a3e31ddec7516cc3d3ae90cb2f82b7b05fb3165a61ddd433e192dd02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\03DFDC98-ACF2-4512-B8ED-4EC666F50F97

Filesize
170KB

MD5
68f69d5a1ceab3e68922ea4554e08e01

SHA1
50787feec04dfe163a869922df83b243b0a36d72

SHA256
ea885ca1ed1e73f91d13cf7e73c117af45dd79ed8e0b28df2d908dd6b1bb17b2

SHA512
d3349ab06acd9c2a9f1838384f53a2b151fc74e83bdcb96773068a1fea64c63eca90b6f7f9c73e1f85295bf30d1d901342ab781dcbe7ef382ac9b0b7ce2a01fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
bb97ab5350ef263853ae7d90fd3ea6de

SHA1
076ea1224dd33178df9be9d4cf46d85265c2fac8

SHA256
a3ce2aacc13e8159464f7690393a52c210b266a51f1eedb66427dfd25c4d5b9c

SHA512
969e100de969d76f4a4b2efc252bdd7c52aa8e5fccdf98cf71fc80f37d652fb62aeffca61e651b53093cb8b00a061cc31ab73ed3f6ad6ed9cc404cf6fbce1483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
332KB

MD5
de7f3a643f43a00f3c7f8d6eb0d2596d

SHA1
c2592f88bead5bafad5bac37e9a6bf1d64faf4bd

SHA256
86fa2103aad0cebf3bc4f3f3f54174d0dc071ef68604cb16477a346b4c272adc

SHA512
0403a01f4bc80ebd5ab7c126156305227eea1c5dc1478f3b709a5a012fa79918aa18045346790057eacf8e0c470967f019ea389a7bb38e1f61269c4c8a0f9503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
4beb40a7743dcf290e158bfb18524432

SHA1
fdf1b8703b09a8fadc26f999d0f5bdbcb902e480

SHA256
7ec9634cb858f3e169455aae90eef42bab5a93945dc9837bbe18e36c768d8147

SHA512
8269aa5d4c1ad937d2c05730e62381447c62b0d1b8f36c5c3a86d95515ed3d1c514461221a8ff7f85eea6f658d99ca1f40d9ea796fbc50fee56e286b53a2a69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
5ee340bd23df6359ccdbd7c54e7b907a

SHA1
4b59806a05f2c0e1424ab597448287d6a9e9f3ac

SHA256
16d64c9ed6d3ead3a79dd751a581b06674bf0781046325d980ac418e5c2803f8

SHA512
ed4a73019b6482d595424ef0010d430ab7a94337ee08a44127e5f9c709525bf8d7bc9d0bf4a9aef2d39e4b8e3acf3d734bf67e1acb4bc738e8b2759c077b985d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
41784fd4e0617e09536aac959111ba3c

SHA1
46a8bc76e1b2eaeb4bd8afb2385469fc9bf6c736

SHA256
23fe800d277cecf4b50a25f536f29dbd839f407bacdd00d4b3a3b83fcafe04a7

SHA512
b2db4cea3ffcf31964313ecd73ba9a346a42765d421daa3ecfe442a295e84d5f8944788bc20ac5e359939f969b332c5cf609f04180224c82c242c4889fed6a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
02775242078ab5e5d4416d574b04e229

SHA1
11fa393c9120b283867a0c709094b25ca227838a

SHA256
2e359e5ec6696a8035326945627abd327a5031016e300c556b4ac826b9298fe9

SHA512
39eab86efe71df8e512aebdc6149a3032b50561b830c82dc88d92be462c51fd503eef2d97a2b6f627f71020456f43d6937055277a15a503094a439df024e8d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDB42D.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
9080baffda79be08190fda7673e1c4b0

SHA1
5cef07eb0ea493086362a1bec815731870e2e91d

SHA256
f0a78780ff1fb1aa4cae0574948ce9a1b25b20c59426172df4c7e4be29a27b48

SHA512
08212efd11adbf31783de5831da74ebf949d02b9a17b9f5237cc6c1529a79750a0ea8f6f37127c2f1eedf17bfcde6fb9d4e243947b81490fba34dfd3855467c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/4564-1915-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4564-1918-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4564-1917-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4564-1916-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4932-16-0x00007FFF08720000-0x00007FFF08730000-memory.dmp

Filesize
64KB

Download
memory/4932-0-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4932-521-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-576-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-6-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-7-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-8-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-19-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-21-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-20-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-18-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-17-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-11-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-23-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-15-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-14-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-13-0x00007FFF08720000-0x00007FFF08730000-memory.dmp

Filesize
64KB

Download
memory/4932-12-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-2135-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-9-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-10-0x00007FFF4ABB0000-0x00007FFF4ADA5000-memory.dmp

Filesize
2.0MB

Download
memory/4932-5-0x00007FFF4AC4D000-0x00007FFF4AC4E000-memory.dmp

Filesize
4KB

Download
memory/4932-3-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4932-4-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4932-2-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download
memory/4932-1-0x00007FFF0AC30000-0x00007FFF0AC40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads