c837308f5d10f2aca13d49e27a415967bdf3c082cab5989ff2d668733a060713

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
Size

22KB
MD5

d01a7969e442f29a4f677c1a2fd702af
SHA1

070d960205816a261001fa0aed84dd3884e28099
SHA256

c837308f5d10f2aca13d49e27a415967bdf3c082cab5989ff2d668733a060713
SHA512

13232ab08f3394234b9d30878c1048c852e35e7b354671cd4cbdf316664bceb69ad3d4ab666ed32c41c1c5822309bee9d6a1ec6e3b3cf11e8d79552e82f2057f
SSDEEP

384:JbCEXMMADQIrUeNFwx9E5xtT6fkCMst8AdxIiv4dK8y8KG8szTO4Am7UnwtzwGqy:R1NAUsbxtT6sFst/3IrdlLUw2QLnbcuS

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2180-23-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	write.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2176	cmd.exe
1708	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2664	wordpad.exe
2664	wordpad.exe
2664	wordpad.exe
2664	wordpad.exe
2664	wordpad.exe
2068	EXCEL.EXE
2788	WINWORD.EXE
2788	WINWORD.EXE
2068	EXCEL.EXE
2068	EXCEL.EXE
1304	wordpad.exe
1304	wordpad.exe
1304	wordpad.exe
1304	wordpad.exe
1304	wordpad.exe
2104	EXCEL.EXE
2104	EXCEL.EXE
2104	EXCEL.EXE
2848	wordpad.exe
2848	wordpad.exe
2848	wordpad.exe
2848	wordpad.exe
2848	wordpad.exe
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE
1588	wordpad.exe
1588	wordpad.exe
1588	wordpad.exe
1588	wordpad.exe
1588	wordpad.exe
1776	EXCEL.EXE
1776	EXCEL.EXE
1776	EXCEL.EXE
2892	wordpad.exe
2892	wordpad.exe
2892	wordpad.exe
2892	wordpad.exe
2892	wordpad.exe
3036	EXCEL.EXE
3036	EXCEL.EXE
3036	EXCEL.EXE
2432	wordpad.exe
2432	wordpad.exe
2432	wordpad.exe
2432	wordpad.exe
2432	wordpad.exe
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2176	2180	d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2064	2176	cmd.exe	32
PID 2176 wrote to memory of 2064	2176	cmd.exe	32
PID 2176 wrote to memory of 2064	2176	cmd.exe	32
PID 2176 wrote to memory of 2064	2176	cmd.exe	32
PID 2176 wrote to memory of 2688	2176	cmd.exe	33
PID 2176 wrote to memory of 2688	2176	cmd.exe	33
PID 2176 wrote to memory of 2688	2176	cmd.exe	33
PID 2176 wrote to memory of 2688	2176	cmd.exe	33
PID 2688 wrote to memory of 2664	2688	write.exe	34
PID 2688 wrote to memory of 2664	2688	write.exe	34
PID 2688 wrote to memory of 2664	2688	write.exe	34
PID 2688 wrote to memory of 2664	2688	write.exe	34
PID 2664 wrote to memory of 2200	2664	wordpad.exe	35
PID 2664 wrote to memory of 2200	2664	wordpad.exe	35
PID 2664 wrote to memory of 2200	2664	wordpad.exe	35
PID 2664 wrote to memory of 2200	2664	wordpad.exe	35
PID 2176 wrote to memory of 2572	2176	cmd.exe	36
PID 2176 wrote to memory of 2572	2176	cmd.exe	36
PID 2176 wrote to memory of 2572	2176	cmd.exe	36
PID 2176 wrote to memory of 2572	2176	cmd.exe	36
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2288	2176	cmd.exe	38
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2068	2176	cmd.exe	39
PID 2176 wrote to memory of 2788	2176	cmd.exe	40
PID 2176 wrote to memory of 2788	2176	cmd.exe	40
PID 2176 wrote to memory of 2788	2176	cmd.exe	40
PID 2176 wrote to memory of 2788	2176	cmd.exe	40
PID 2176 wrote to memory of 1688	2176	cmd.exe	42
PID 2176 wrote to memory of 1688	2176	cmd.exe	42
PID 2176 wrote to memory of 1688	2176	cmd.exe	42
PID 2176 wrote to memory of 1688	2176	cmd.exe	42
PID 2176 wrote to memory of 2044	2176	cmd.exe	43
PID 2176 wrote to memory of 2044	2176	cmd.exe	43
PID 2176 wrote to memory of 2044	2176	cmd.exe	43
PID 2176 wrote to memory of 2044	2176	cmd.exe	43
PID 2044 wrote to memory of 1304	2044	write.exe	44
PID 2044 wrote to memory of 1304	2044	write.exe	44
PID 2044 wrote to memory of 1304	2044	write.exe	44
PID 2044 wrote to memory of 1304	2044	write.exe	44
PID 2176 wrote to memory of 1300	2176	cmd.exe	45
PID 2176 wrote to memory of 1300	2176	cmd.exe	45
PID 2176 wrote to memory of 1300	2176	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d01a7969e442f29a4f677c1a2fd702af_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A0.tmp\KingPatchByBazuka.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        5⤵
        
        PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:2068
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1708
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:1824
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:676
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\write.exe
    write.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
  - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
      "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID:1112
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2A0.tmp\KingPatchByBazuka.bat

Filesize
202B

MD5
32579218473666d775e9bf7bccd4674c

SHA1
e58a8922cc7541b5fec246a665839e4801ae3dd4

SHA256
2944fba0434f1157cf80071cd18d3519a2885bc648e82de0a43a80c37c6ba0a6

SHA512
c1fa40990be97c3c37ac6fcdf790bbab58cba9c2abe404751b8c89f8f22a5b36c96bb3c5f573e633d693275d727c3f0bb7306e74d5bd052ca61cc1538862790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\624C968.tmp

Filesize
40B

MD5
a27bb50a192efc0d703c4fb08dabec41

SHA1
5e20f3412143302969a6acb8ae3a1a0172ce183c

SHA256
187eface3bb704f41dcb5d11d76311ea833eb319f0bd6bb275e084d636e446d6

SHA512
c62d4ebc951b1ee86116050961b1af2fcd3eced630b752b93e27c669205f6abfec35ba102e518fe98105788d07c381ce716d15fd138d771bfa73c02dcd2ea6eb

Download Submit
memory/2180-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2288-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download