6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8

Analysis

max time kernel
100s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118.doc
Size

158KB
MD5

e1ca6f61c23df9799053446fa05d8ef4
SHA1

77f70d6b160537099f96736749f461417def33a9
SHA256

6438a69ffb139cff501e2f669abb517715dea485fe9a591a2e5545fd4430a1a8
SHA512

627f71f98fc2f99c71f19795f350caee63b505eee4fcdc485c323ed9e5bc0568e85f25a01a839b1c4ae0da0872418d31d9b063e82d6b7ece77b061a53cc3b05f
SSDEEP

3072:O6IBe4V8VwlbE7OEYrL9J0hLaGTC3jvg/kVa1U:eBsmlwOPrL9J06M/kVa1U

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{886CA060-D56D-4130-91F7-B3AECE39308F}\f4.tmp:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2252	WINWORD.EXE
2252	WINWORD.EXE
3124	WINWORD.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
3124	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE
2252	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1072	2252	WINWORD.EXE	86
PID 2252 wrote to memory of 1072	2252	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e1ca6f61c23df9799053446fa05d8ef4_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1072

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
f4e6062cf17ef3b29dc422c6ca271d21

SHA1
16562f4043d5356dfdbbd78f38069594f13e7186

SHA256
2b8477fc96925ebb10660826dcd6345bad44ef2b2acc268a274f99335ad81403

SHA512
711c2cd99b26ef8a9dbcba96ead034ca885ca7df7d3b64a14ca84327df54675df962c10b1ec4ce39add2cd5dafbad4b06f914aebffab0d6a1300edf65893975d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
2ae3e003e32b1900dcd794ffcfaeec4d

SHA1
ea2f2b77bca60876b5a97d62abf157ad134aa005

SHA256
22e8a6c553247463bba6c25cc5dbc5ff22bd28b4a7f4f974a54c11b4f5ad6baa

SHA512
e634a9456e905968abc9f189a236ee51368285177a3e930ff0ae5d84675544c147d56cfbcf1abd4cb15802b656bb088af00bcd52c9e3aa71b16309796e74326a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AB37B20F-4246-4915-905B-84BE426EA008

Filesize
171KB

MD5
32b301bb9b83a759c2ca118b607a44b3

SHA1
3a4b40e84335ae636b7861cb3329ab9f32aec832

SHA256
685413dc5e62ff94b5b94ba50607419b94e3982e069e24eeb18740d1d3be9f39

SHA512
0eb6d2fd81b189535c6486ed68305fa7cf0914b40c19475b3dc49ea01449ed5fde468f63bda4db1088508c1d0ad243f6609654bfedab92e90c9e07163e2085b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
09ac547aadfdc55884f11c24a7486ab7

SHA1
e6371d15304651fb361c429102a0eabe5f2fd1af

SHA256
4344b566de67027f74b8aa8108226cd70d24ae7fd26042b30d9210ba37d1f4ce

SHA512
5afe1386ddcfd2856f59a558e21fd005cef946f4a5ab5f94711789c1d1ad60d9aec1fce4b1bd6c9eefc02497f6004072d7983fba9608be2b44a2822546094576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
d88889ea47bf0790386a9eb372ad872c

SHA1
cfb7fda8d64e7edb0dcb8fb9508d657b80aa2e1a

SHA256
37f245de381602492dea881e409e88aa5da1413c92591520577045596c97a56c

SHA512
a42ed7e62d69363366dbe37b3542614f2e042dd4e0e801a0826472f3afb141249bc037c3ab98a29db6b364b93e0cea6545dcb10e2bdde89a2742163d17a6f319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
f0bfcacdaa95f206ba0cad64188323bc

SHA1
a5b92d997c157173e1a9f46c7ceddecfd0a3922e

SHA256
a634e2a52afe832ffff428990c67e1c363dc4e32498e2584a774a605f6bda43f

SHA512
d42be5861864f3cec2d9b53231fe92ece1e189ca3d7bca84cc190f819511e87ee6dd82f52fe8d4a99bd0a5181e62b80fd4d767a1e2c2a6e1049773bdc77bf08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
e2e609a23ec5b9dc386eb6a93302aea5

SHA1
66040b36bcec5fa90d42edfbb1be06cfcad57ed4

SHA256
2c73ce981a3f6dbc63a82c1c30b69894b5566ee98426cbd1c75a916f1cb0e061

SHA512
0ec4d2a3c1329151a0dcf1a2e6588334c3144184c891663df7dfbf3e3e4423297b77daca5cf9245161f48ef819e55cb9c2cde56ecbf8818fd3a2b50876428b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\76F4B9F1.emf

Filesize
5KB

MD5
9e93c25028290ed27c190beba24f371e

SHA1
b0388d5310a669aaa0399c4a061fbb46a9d501ad

SHA256
a548eeb99161b0c130c9d6c29e656c95c8b66062f1361d5582d74dfce0035b82

SHA512
cc67ceaa9f1fc65e181522e56fb3129c66634208c0ab2f4301163a26a14668950837fe3c49a8213228b1ec7ca70cc7d8387b94677817ac07785172eecf114cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD39D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jebq.rtf

Filesize
702KB

MD5
52c4e7c273276bd43cff145ffba8b11d

SHA1
8642dd51c9d89049cf3c62d3dc23cdc1dea053b6

SHA256
64ea78a6fc97192c049f35507e7f47f76ac0dd6b8d1e53eb636bab9aa3e2508c

SHA512
a59934ef2369f116e21f337f3c4ca3a171754dff33fc9bc6a88bc2d10c5198455870f932396ea4e1d0b6648146e919af0dba08dfd3181468d51fa8258a19704c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
7b3df576f470bf53d2802b3f44bdfabf

SHA1
89a7bbb797defbcf2547744a3f509609c1f8cdaf

SHA256
a342584940de664a39e8764eb5489cfab0d003c5e7ee33149a02939727dad117

SHA512
d4c34683815733f5c72869a806e45ffc4c61c780ff1ab397faa5b22fb9277b7458485d91cb16321ae72b72a06c438535cf085f3e885fedacb9a57e488c091a12

Download Submit
memory/2252-9-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-4-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/2252-14-0x00007FFCCC170000-0x00007FFCCC180000-memory.dmp

Filesize
64KB

Download
memory/2252-11-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-13-0x00007FFCCC170000-0x00007FFCCC180000-memory.dmp

Filesize
64KB

Download
memory/2252-12-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-0-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/2252-10-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-133-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-135-0x00007FFD0E1ED000-0x00007FFD0E1EE000-memory.dmp

Filesize
4KB

Download
memory/2252-136-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-8-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-7-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/2252-48-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-166-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-542-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-2-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/2252-3-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/2252-1-0x00007FFD0E1ED000-0x00007FFD0E1EE000-memory.dmp

Filesize
4KB

Download
memory/2252-6-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/2252-5-0x00007FFD0E150000-0x00007FFD0E345000-memory.dmp

Filesize
2.0MB

Download
memory/3124-178-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/3124-179-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/3124-180-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download
memory/3124-181-0x00007FFCCE1D0000-0x00007FFCCE1E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads