739737567f6feb4f680fcc50481a236212f8080d86d209694ca0a859827cf69b

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Size

194KB
MD5

e8a5429c19fa9ca63f1ad33cc4cb4818
SHA1

e8d2e1d20838e56809a6b9d1bc2d6bcd7a851520
SHA256

739737567f6feb4f680fcc50481a236212f8080d86d209694ca0a859827cf69b
SHA512

d127463f6b3b73e6a58fddc28c3d3b15f8065da5e85cc086e6f568a0530ccbbe75f0458e4196496c744e2a1a492497d0f307199ead0dd51213d2743cfa22f6eb
SSDEEP

6144:84nf5DAzvOTKJxK/bukwSKuokes7F7Tx//:Ff5DAjOKJxK/lKXkec7R/

Score

8^/10

adware persistence stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\niprp.dll"	set.exe

Executes dropped EXE 2 IoCs

pid	Process
2616	set.exe
2552	GLJ5774.tmp

Loads dropped DLL 10 IoCs

pid	Process
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2616	set.exe
2616	set.exe
2616	set.exe
2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
2552	GLJ5774.tmp

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~GLH0000.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pwfsh.dll	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\~GLH0005.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\niprp.dll	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\inf\~GLH0002.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\optkec.inf	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File created	C:\Windows\inf\~GLH0006.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\iplbk.inf	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File created	C:\Windows\Help\~GLH0008.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\Help\PWREP.CHI	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File created	C:\Windows\~GLH0001.TMP	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
File opened for modification	C:\Windows\kentgo.log	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector\	GLJ5774.tmp
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\	GLJ5774.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "0"	GLJ5774.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\SJBC = "302"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\Programmable	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\Programmable	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\CurVer	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\Programmable	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32\ThreadingModel = "Apartment"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\HELPDIR	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32\ThreadingModel = "Apartment"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\ = "PowerFlash Class"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ProgID\ = "PWFlash.PowerFlash.1"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\FLAGS\ = "0"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\pwfsh.dll"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib\Version = "1.0"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID\ = "PWFlash.PowerFlash"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\ = "PowerFlash Class"	GLJ5774.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid32	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ5774.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\FSHS = "0"	GLJ5774.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID\ = "PWFlash.PowerFlash"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\ = "PWFlash 1.0 Type Library"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\0	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib\ = "{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib\ = "{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ = "PowerFlash Class"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1\CLSID\ = "{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}"	GLJ5774.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ProgID	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\FLAGS	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ = "IPowerFlash"	GLJ5774.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\CUDA = "3176"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ = "IPowerFlash"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1\CLSID\ = "{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1\ = "PowerFlash Class"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32\ = "C:\\Windows\\SysWow64\\pwfsh.dll"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\0\win32	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\HELPDIR\ = "C:\\Windows\\System32"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid32	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ProgID\ = "PWFlash.PowerFlash.1"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ = "PowerFlash Class"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32\ = "C:\\Windows\\SysWow64\\pwfsh.dll"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1\CLSID	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ProgID	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\BLOD = "1"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\CurVer\ = "PWFlash.PowerFlash.1"	GLJ5774.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib\Version = "1.0"	GLJ5774.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\CurVer\ = "PWFlash.PowerFlash.1"	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	set.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2616	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2552	2332	e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8a5429c19fa9ca63f1ad33cc4cb4818_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\set.exe
  "C:\Users\Admin\AppData\Local\Temp\set.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\GLJ5774.tmp
  "C:\Users\Admin\AppData\Local\Temp\GLJ5774.tmp" C:\Windows\System32\pwfsh.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycled\~GLH0007.TMP

Filesize
72KB

MD5
a4d86b727bd44c30a0ef7ab555aff055

SHA1
f3747d583417b8f38fa719b4c7f8dd9225f30849

SHA256
f87fa66c2af10b4049222993be312f4cd28b7325a1700d282ad7e5d1c5cee958

SHA512
640df3f428bcfc4dc0e57dc06b18b5dac0463415ea0472c25c14ea8c13151468bcd211f694bafab7174df9c6064e3fe5dd419c72eee92238d463e0b6ae3df1cb

Download Submit
C:\Recycled\~GLH0009.TMP

Filesize
20KB

MD5
2b661446b08cdf55521638aae8c62d81

SHA1
01e24f5801293b4525dcf7a6b32e625cbecf0bdb

SHA256
547f4806481f731ccaa54645609a72b4d1051aa511325c9a739a3cb30d50f74c

SHA512
d72fe8b7bbb42b719ff49b27eddeef187e8da78de1ca93bac548d45877ff50cff5da4219ee2dc3a678074a94897dea80a6f2427543abbd8927d5663cdb1177b7

Download Submit
C:\Windows\kentgo.log

Filesize
108KB

MD5
a68c0c80770607bd0fdc9ff8bfdbcb60

SHA1
c0873a1a5ec7dc4daef758b6ee4d16abb07bd574

SHA256
1af499e6e40597f157fb64242a75570d0f675e53e756c3bf3941a4e32791fc83

SHA512
01c04ec100805a576b7edf1484ed01c509d47c3ce52ea1fb230ab19f4de843dc5019330d9a1d94858757525fb4af78e00976bbe9b83c093717ac8ecdc4d67dda

Download Submit
\Users\Admin\AppData\Local\Temp\GLC5754.tmp

Filesize
161KB

MD5
09e59d00df5d2effd8dd9b30385cb9d2

SHA1
0fa0d3f6692f31fdabefb719b0f7a28cbf5d5415

SHA256
1c574eab5e83ccfe5a0bb7b59e028cc5fa2f4e77868051e305d83c709711ff77

SHA512
d73e3832777341a4176dbd9988002ec94a32f162492e869a8c03d9bb10f1833821f99e15710e9fc103a2820c862cf14a0b990d7c7c09150bb14618a7c93ca5fd

Download Submit
\Users\Admin\AppData\Local\Temp\GLJ5774.tmp

Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads