Analysis

max time kernel: 147s
max time network: 143s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27/08/2024, 09:16
Static task: static1

Behavioral task: behavioral1
Sample: c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf
Resource: win10v2004-20240802-en
General

Target: c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf
Size: 2.0MB
MD5: c4b5c435640c8d3ff617c26aedc1ec71
SHA1: 7e0fb054a5e79c923de01262b603d3bf3da06c25
SHA256: 8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e
SHA512: f83687805172194210e8aff9a9bf32d968a6cedf79159be75bbb9b239260bbd605a08056d2424023aa547b36d7f994ae2257ca5c46fd5a37e8a186fb6aded944
SSDEEP: 24576:gopSTEOUpl4BSSJQ3x1JKzpYP9zr7gR4mRSc02IcFN8pKKx72vQ7Tt2tQRn1f6MQ:2
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2592 | 2764 | cmd.exe | 29
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2516 | 2764 | cmd.exe | 29
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ctn.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1yc3qws13.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1yc3qws13.exe\DisableExceptionChainValidation | svchost.exe
Looks for VMWare services registry key. (1 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware | cmd.exe
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | exe.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | exe.exe
Executes dropped EXE (2 IoCs)
pid | Process
2860 | exe.exe
576 | app.exe
Loads dropped DLL (1 IoCs)
pid | Process
2600 | cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe -boot" | app.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Indicator Removal: Clear Persistence
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1yc3qws13.exe\DisableExceptionChainValidation | svchost.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | cmd.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
pid | Process | occurrences
1872 | svchost.exe | 1
1352 | explorer.exe | 8
2116 | WINWORD.EXE | 4
2600 | cmd.exe | 4
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 576 set thread context of 1872 | 576 | app.exe | 71
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | exe.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | exe.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | app.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | app.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 39 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | occurrences
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 11
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe | 16
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE | 2
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CmD.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | exe.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | app.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe | 1
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2116 | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Delays execution with timeout.exe (1 IoCs)
pid | Process
2628 | timeout.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Kills process with taskkill (1 IoCs)
pid | Process
2876 | taskkill.exe
Launches Equation Editor (1 TTPs, 2 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid | Process
2500 | EQNEDT32.EXE
1680 | EQNEDT32.EXE
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2764 | WINWORD.EXE
2116 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process | occurrences
1352 | explorer.exe | 13
Suspicious behavior: MapViewOfSection (10 IoCs)
pid | Process | occurrences
1872 | svchost.exe | 2
1352 | explorer.exe | 8
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2876 | taskkill.exe
Token: SeDebugPrivilege | 2860 | exe.exe
Token: SeDebugPrivilege | 576 | app.exe
Token: SeDebugPrivilege | 1872 | svchost.exe
Token: SeRestorePrivilege | 1872 | svchost.exe
Token: SeBackupPrivilege | 1872 | svchost.exe
Token: SeLoadDriverPrivilege | 1872 | svchost.exe
Token: SeCreatePagefilePrivilege | 1872 | svchost.exe
Token: SeShutdownPrivilege | 1872 | svchost.exe
Token: SeTakeOwnershipPrivilege | 1872 | svchost.exe
Token: SeChangeNotifyPrivilege | 1872 | svchost.exe
Token: SeCreateTokenPrivilege | 1872 | svchost.exe
Token: SeMachineAccountPrivilege | 1872 | svchost.exe
Token: SeSecurityPrivilege | 1872 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege | 1872 | svchost.exe
Token: SeCreateGlobalPrivilege | 1872 | svchost.exe
Token: 33 | 1872 | svchost.exe
Token: SeDebugPrivilege | 1352 | explorer.exe
Token: SeRestorePrivilege | 1352 | explorer.exe
Token: SeBackupPrivilege | 1352 | explorer.exe
Token: SeLoadDriverPrivilege | 1352 | explorer.exe
Token: SeCreatePagefilePrivilege | 1352 | explorer.exe
Token: SeShutdownPrivilege | 1352 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1352 | explorer.exe
Token: SeChangeNotifyPrivilege | 1352 | explorer.exe
Token: SeCreateTokenPrivilege | 1352 | explorer.exe
Token: SeMachineAccountPrivilege | 1352 | explorer.exe
Token: SeSecurityPrivilege | 1352 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1352 | explorer.exe
Token: SeCreateGlobalPrivilege | 1352 | explorer.exe
Token: 33 | 1352 | explorer.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process | occurrences
2764 | WINWORD.EXE | 3
2116 | WINWORD.EXE | 3
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 2764 wrote to memory of 2592 | 2764 | WINWORD.EXE | 30 | 4
PID 2592 wrote to memory of 2600 | 2592 | cmd.exe | 32 | 4
PID 2600 wrote to memory of 2628 | 2600 | cmd.exe | 33 | 4
PID 2764 wrote to memory of 2516 | 2764 | WINWORD.EXE | 34 | 4
PID 2500 wrote to memory of 2568 | 2500 | EQNEDT32.EXE | 37 | 4
PID 2600 wrote to memory of 2860 | 2600 | cmd.exe | 40 | 4
PID 2600 wrote to memory of 2876 | 2600 | cmd.exe | 41 | 4
PID 2600 wrote to memory of 2928 | 2600 | cmd.exe | 43 | 4
PID 2600 wrote to memory of 2944 | 2600 | cmd.exe | 44 | 4
PID 2600 wrote to memory of 2960 | 2600 | cmd.exe | 45 | 4
PID 2600 wrote to memory of 3048 | 2600 | cmd.exe | 46 | 4
PID 2600 wrote to memory of 2084 | 2600 | cmd.exe | 47 | 4
PID 2600 wrote to memory of 3060 | 2600 | cmd.exe | 48 | 4
PID 2600 wrote to memory of 3036 | 2600 | cmd.exe | 49 | 4
PID 2600 wrote to memory of 1272 | 2600 | cmd.exe | 50 | 4
PID 2600 wrote to memory of 1724 | 2600 | cmd.exe | 51 | 4
Processes

Each entry shows the process image, its command line, its PID and the signatures matched on it; indentation reflects the parent/child tree.

C:\Windows\system32\Dwm.exe (PID 1164)
  cmdline: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE (PID 1200)
  cmdline: C:\Windows\Explorer.EXE

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2764)
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2592)
      cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2600)
        cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
        - Looks for VMWare services registry key.
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Maps connected drives based on registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe (PID 2628)
          cmdline: TIMEOUT 1
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Local\Temp\exe.exe (PID 2860)
          cmdline: C:\Users\Admin\AppData\Local\Temp\ExE.ExE
          - Drops startup file
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\explorer.exe (PID 2000)
            cmdline: "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\taskkill.exe (PID 2876)
          cmdline: TASKKILL /F /IM winword.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\reg.exe (PID 2928)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 2944)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 2960)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 3048)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 2084)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 3060)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 3036)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\reg.exe (PID 1272)
          cmdline: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 1724)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 1420)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 1636)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 2480)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 1124)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 2540)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 2892)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 592)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 1492)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 560)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 1148)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 1484)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 2428)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 2136)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 2352)
          cmdline: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\reg.exe (PID 2376)
            cmdline: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            - System Location Discovery: System Language Discovery

        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2116)
          cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\RestorePing.docx"
          - Looks for VMWare services registry key.
          - Maps connected drives based on registry
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious use of SetWindowsHookEx

          C:\Windows\splwow64.exe (PID 2880)
            cmdline: C:\Windows\splwow64.exe 12288

    C:\Windows\SysWOW64\cmd.exe (PID 2516)
      cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
      - Process spawned unexpected child process
      - System Location Discovery: System Language Discovery

C:\Windows\system32\DllHost.exe (PID 1340)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\conhost.exe (PID 1984)
  cmdline: \??\C:\Windows\system32\conhost.exe "-401897851-683933480-588613960-345291276-21185956541746666654-2138751-578542688"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2500)
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\CmD.exe (PID 2568)
    cmdline: CmD /C %TmP%\TasK.BaT & UUUUUUUUc
    - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1680)
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor

C:\Windows\explorer.exe (PID 1080)
  cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe (PID 576)
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\svchost.exe (PID 1872)
      cmdline: "C:\Windows\system32\svchost.exe"
      - Event Triggered Execution: Image File Execution Options Injection
      - Indicator Removal: Clear Persistence
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\explorer.exe (PID 1352)
        cmdline: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Event Triggered Execution: Image File Execution Options Injection
        - Checks BIOS information in registry
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (1)
  - Clear Persistence (1)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (1)
Downloads