5b9b8e1d76d1ff23d8c7002b7337a6021a859dd767c5d321a7c7e48bbb7e49ac

Analysis

max time kernel
112s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc
Size

205KB
MD5

d7477feb312f9f76ea3c9273e4a01ca8
SHA1

3b0312e9bee594b784c65295c547e4a5218f7aa7
SHA256

5b9b8e1d76d1ff23d8c7002b7337a6021a859dd767c5d321a7c7e48bbb7e49ac
SHA512

ff73b0c5a8472dc522c5d50022df80abd2106e0ffb26e110ef6c3966c126d7841b0785f233609ae9b69b06a537648bd541d2a731330045d9c42f9d89316ed4dc
SSDEEP

1536:JtPrT8wrLT0NeXxz1DweCHrTPayY5J8bOf27VH3gkoUNFqsENgb:J2w3keXxz1Df6yr2JwkxkRNgb

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1564	WINWORD.EXE
1564	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	2156	EXCEL.EXE
Token: SeAuditPrivilege	3304	EXCEL.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3772	WINWORD.EXE
3304	EXCEL.EXE
3304	EXCEL.EXE
3304	EXCEL.EXE
3304	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d7477feb312f9f76ea3c9273e4a01ca8_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
fb6d48dad9b7772689e7f825b3774772

SHA1
be3ec403f876cc98263290a8fd1c1b5e55649098

SHA256
d21e170115828f1cab36a101f06c2212596bfbc6bcdae8ec2cf34e48fbbe6f19

SHA512
ac808ab2652e911fea4a3177102bca8e24245be005e49960c8dbce32a061c264551e33bbf7396ad120342d7e7fc9d8d9c9bcbbd182a5537d803b6cc18de63afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
777af549f3f92ca78a6beacfde748273

SHA1
3f08bf4bf980040ca14c5e8e09ce4767b0c26e7f

SHA256
d664b5a69bdd35aa35687b7c819f6702f697bc7fe8bbae2aacf52962e633dbc6

SHA512
606d80d913c1f92340a0ef80961277f42c7b9dacf8cc2bec5798b8c2445098208dea7cefb550822f22794e01c1d4d56e562feba7315e5779e19111ec637b9c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

Filesize
512KB

MD5
745a156fdf7a1507a1c140e72eee5a6b

SHA1
9d224b29d01b9dde35afb087e2f4fd5661487e77

SHA256
da5307f90535e5783a5214740307c16eeb192f6de4be8b8f55cc351d2f0ca736

SHA512
a673d44692cfdf80e142dc5e9c120863e14bf626a5f92849f8bf1c898921d675e9db2752aa25c47418d764768abb503c75c833ba52c135be2e696d33b2b604ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FCE3EBF0-9CF4-4FB9-AA28-B0C144CCA4AC

Filesize
170KB

MD5
0cf56d950e350ae78f066e600aaada87

SHA1
d1b5eacc9f10734ab79f0b786962818fe16f82d8

SHA256
580610fa8819b15bd107ac89393c3d651998bd33aa656dca90279e807ca13f1b

SHA512
5e04f87fe6462bea52d210586aecd56cc3305eeb0106062be2b34484500afd9f6b5023cd62b5cea5e298b897678631ab36ca2c7f15b74e5992630e0ac7b5f382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
322KB

MD5
aaab46ac900b23961504757d0718d4e8

SHA1
ddbb93f370d3a260b16b2afe555d3fa70ae6f4c5

SHA256
97dc24790886a58d2cad724888edbfc0fec87d22fd6b06c3d3b9129e38760245

SHA512
023a0acd1361b8976ca71f3bd6934ef42ef4d93b815b0824192dab6c2b643eb5e80c37920e7351794099b0a734b2befea53ad5bac7000b8615330d78a5e122a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
332KB

MD5
42a5cdb04beaebba9dd98180c00b4ec3

SHA1
591781c3fd5645ed5f1c76160a2a44afacd98517

SHA256
53c122d27c4b7ed32b046a8073b25d61b6728aaae8a734f028c5fb4d395ba1a9

SHA512
fa5cb573e660b0a88dd8e1b54640501c2777a51925e180c4357da24628d1ec65b958eb441ad8474c9c8df1f276d7ccb8a29259791289727cc533143b92d174c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
5e49baa6be1f03a9904b456bc2b78a48

SHA1
d85702a70d30edaa18701b294a97f26bbbbb6588

SHA256
7abe61dbc66154905d7c3e2c88e0b97d89d6d964d1d034e1453756d28ab7594f

SHA512
ac0a3b4bb4435da65c37b95634427be5f516e93c0e7ba34502661cc12e3b5bfc533740d73fd748ab3ad5b283de5ba9a745cb8df0eb8c218f9a987f1a02e3b69c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
737c13c9a62cba46191b585e36af82ca

SHA1
fe2de628517ea9c695d8fdfc1b524b97564eef08

SHA256
32583bb440864b4a514de614f44d4964c2ea356af73d7ffdbbd15815a3c307c8

SHA512
505d6c0e85e62c8f7b603f17230000162faa81269aff6da871d5d25f4be204c3ca99e4efac7e5ee9d1bdfc5ee958b6def2136783324995591783f5fa1c001f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
d7790821385f568636cfaea73c209737

SHA1
b16aa6757a64ea4cf62fa5c3b993878f3f351e54

SHA256
1fd0b33293879d1ad61ad7a2e990ffff8bd003756fb3a7cc440b1dddd5d502a4

SHA512
12d36ac96dab6e0d7823f06afcf9113e07b3640beb416e5fc242ab0471eed103f775c83a90444d1aa799732887e17af7795b7fb003718ddc3bd0384ca44eeb6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
3c293f56aebeb7c020f334b28a673a9c

SHA1
e08ce753d60904df9b9d3bcebd02e05409c8ed7e

SHA256
157e9a3587185aadcedc7e94d9915dcae96b436186de5e0d40506888aa0b9ef4

SHA512
3509db09923e4f7d951ac15d35fd298b07b952be578227a6c88e8d4f230a06a3f82d038c86bb37e8cdce382e0a9dc14592c1d8f56caf5ab1668388990d750172

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE715.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBE\MSForms.exd

Filesize
148KB

MD5
49103ed175035380cb2e1f1ceb923e11

SHA1
6e25f41dc88b87b942561f13f93fff790160e3ab

SHA256
09c703b0aa1eeda3a4420ac7604eedea02ff4968b74d83225b3664f8b3d3569f

SHA512
d71d966528dd1bad8d6dbd1c976a5b8567f358dc1a3c3948e013246472963a3834626786185a360ead88df5dae498ed9560efd9f429eeb0f694af9b40b6711db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
925a6c4643ce020d2dedba2bcc06a3f7

SHA1
e53c718536c223386c46b64320a15ebb3a8493ec

SHA256
d023108db2674a8080e842ce00eb239dc0229334226c4d180127142b13c61c82

SHA512
80541f81c053e39243afc80956c920aed0d210ca62195ac1073e055a4f52f05a3e3137e00e175cf255e3132514a6d6d757a8e6d0bb06909bb7028b92ab51299a

Download Submit
memory/1564-15-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-13-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-33-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-34-0x00007FFBE4D2D000-0x00007FFBE4D2E000-memory.dmp

Filesize
4KB

Download
memory/1564-35-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-36-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-8-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-10-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-213-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-12-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-14-0x00007FFBA2CB0000-0x00007FFBA2CC0000-memory.dmp

Filesize
64KB

Download
memory/1564-17-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-18-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-3-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-16-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-19-0x00007FFBA2CB0000-0x00007FFBA2CC0000-memory.dmp

Filesize
64KB

Download
memory/1564-11-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-1556-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-1555-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-1554-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-1553-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-1557-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-9-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-6-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-7-0x00007FFBE4C90000-0x00007FFBE4E85000-memory.dmp

Filesize
2.0MB

Download
memory/1564-5-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-2-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-4-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-0-0x00007FFBA4D10000-0x00007FFBA4D20000-memory.dmp

Filesize
64KB

Download
memory/1564-1-0x00007FFBE4D2D000-0x00007FFBE4D2E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads