trickbot | b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b

Analysis

max time kernel
136s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b.doc
Size

2.1MB
MD5

3bc400ab428b5c6f229b6158a4c084e9
SHA1

76b70d96c464f68b531f3c040aabc4b5d8a8ffde
SHA256

b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b
SHA512

8be8e08b756e6d3c3ce0702ea5028fd8d4357e21472374276184f3e4e876fdff1929f34a07322f49154f04a488c2cf43f4addc56e4faea391e304c2abf4149c1
SSDEEP

24576:mOIFcmtE7voEOJ4wDEeKKeD0qxDRQ85THxfOl1zEEVQW/b06UKQwZ7IPN/ewItlZ:mHIQBJKKULx+9EEhg6tZsUf+Mz

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2820	2904	cmd.exe	28

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Loads dropped DLL 4 IoCs

pid	Process
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2268	PING.EXE
968	PING.EXE
972	PING.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\TypeLib\{599462E8-7900-4CBD-9766-E52BB6E6E374}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\TypeLib\{599462E8-7900-4CBD-9766-E52BB6E6E374}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{599462E8-7900-4CBD-9766-E52BB6E6E374}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2268	PING.EXE
968	PING.EXE
972	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2904	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2904	WINWORD.EXE
2904	WINWORD.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2820	2904	WINWORD.EXE	29
PID 2904 wrote to memory of 2820	2904	WINWORD.EXE	29
PID 2904 wrote to memory of 2820	2904	WINWORD.EXE	29
PID 2904 wrote to memory of 2820	2904	WINWORD.EXE	29
PID 2820 wrote to memory of 2560	2820	cmd.exe	32
PID 2820 wrote to memory of 2560	2820	cmd.exe	32
PID 2820 wrote to memory of 2560	2820	cmd.exe	32
PID 2820 wrote to memory of 2560	2820	cmd.exe	32
PID 2820 wrote to memory of 2268	2820	cmd.exe	33
PID 2820 wrote to memory of 2268	2820	cmd.exe	33
PID 2820 wrote to memory of 2268	2820	cmd.exe	33
PID 2820 wrote to memory of 2268	2820	cmd.exe	33
PID 2904 wrote to memory of 1720	2904	WINWORD.EXE	34
PID 2904 wrote to memory of 1720	2904	WINWORD.EXE	34
PID 2904 wrote to memory of 1720	2904	WINWORD.EXE	34
PID 2904 wrote to memory of 1720	2904	WINWORD.EXE	34
PID 2820 wrote to memory of 968	2820	cmd.exe	35
PID 2820 wrote to memory of 968	2820	cmd.exe	35
PID 2820 wrote to memory of 968	2820	cmd.exe	35
PID 2820 wrote to memory of 968	2820	cmd.exe	35
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2820 wrote to memory of 2568	2820	cmd.exe	36
PID 2568 wrote to memory of 2924	2568	rundll32.exe	37
PID 2568 wrote to memory of 2924	2568	rundll32.exe	37
PID 2568 wrote to memory of 2924	2568	rundll32.exe	37
PID 2568 wrote to memory of 2924	2568	rundll32.exe	37
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2568 wrote to memory of 2964	2568	rundll32.exe	38
PID 2820 wrote to memory of 972	2820	cmd.exe	39
PID 2820 wrote to memory of 972	2820	cmd.exe	39
PID 2820 wrote to memory of 972	2820	cmd.exe	39
PID 2820 wrote to memory of 972	2820	cmd.exe	39

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b84b5ffa65552140676968d0bafc52a00cd0fd9a5f7b70809d11a2b321ac834b.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\programdata\HighScores.bat
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\trone\altogether4127453.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\PING.EXE
    ping w 5000 ya.fr
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2268
- - C:\Windows\SysWOW64\PING.EXE
    ping w 5000 htr-oi.io
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:968
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      4⤵
      PID:2924
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\Windows\SysWOW64\PING.EXE
    ping w 5000 htr-oi.io
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:972
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\trone\altogether4127453.vbs

Filesize
815KB

MD5
12b35355d1b3d54916aeec7f3c25aa9c

SHA1
6304b01173e6fc6af5d15f70b2da7ef00af01b20

SHA256
ab877698827bb56c10819d32a74c7b9e632b759c2b5a85c5921e17b892cfb716

SHA512
59812d65b76b56fc0adc1237a8e68058acc9ad65c3a3a993e09cd44f29218c8d83bcfc2c6f2de3e04835e2ce23acf9a4db31d59c6e74144f6aa1eb0193e8eef1

Download Submit
\??\c:\programdata\HighScores.bat

Filesize
883KB

MD5
3826c75e009858f82f7ad8342116a34b

SHA1
bc60b40dbbd4360b203ba5f1cf7229264214c957

SHA256
40337427a39cb76487f4c450a4f36f2a94489995199f3df0de906bfeaa570dad

SHA512
cc42356930b9147717a00d55315b2c02e36c85a0317da7684a4b2eda37218f26c1accae0914ada6173b5f3366323ff65a62cb50b0c84d1a16f81be898320a803

Download Submit
\??\c:\trone\1\ExistingExcel.dll

Filesize
483KB

MD5
1da055b46fb0698f80a4404b3a3a63b3

SHA1
97609b1d447453fa5e431f90668678ac8c090730

SHA256
71b4913ef363073f0ecc4b4c5af3ad4b4889ac7f22a3e34d54c9b6572b83c483

SHA512
ddebd8487dc0dfd936f65377b7cc072dfc28ecb90943c4fea0e6f0c1ad7563964998d1ba56edce60f64fe076558d43618fb789c2278631f289e6a6cf5a936e23

Download Submit
memory/2568-49-0x0000000002010000-0x0000000002053000-memory.dmp

Filesize
268KB

Download
memory/2568-47-0x0000000002010000-0x0000000002053000-memory.dmp

Filesize
268KB

Download
memory/2904-9-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-5-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-11-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-14-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-13-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-0-0x000000002FE91000-0x000000002FE92000-memory.dmp

Filesize
4KB

Download
memory/2904-15-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-8-0x0000000005E00000-0x0000000005F00000-memory.dmp

Filesize
1024KB

Download
memory/2904-19-0x00000000737BD000-0x00000000737C8000-memory.dmp

Filesize
44KB

Download
memory/2904-6-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-39-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-41-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-7-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2904-2-0x00000000737BD000-0x00000000737C8000-memory.dmp

Filesize
44KB

Download
memory/2904-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2964-48-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download