Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 12:31
Behavioral task
behavioral1
Sample
e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe
-
Size
751KB
-
MD5
e9ff47123f87724ec5f5b190b3f11abb
-
SHA1
8da923eac576cf70b752d7c002dc779a0d96e984
-
SHA256
fa33ef25404444f65328a5acc9e59ab100da3c0b3008d8a4a7a7e3656df910e7
-
SHA512
6501381b8ecd52fb22e9c07276e7de2b2253e069128e80b1cefb3754bc9359532879ab53397e754251a829e2eb5f73eb0ef4b81af43e80fcb5c44063690aca25
-
SSDEEP
12288:/B3+NbhYZpXnrVjXrZOHVv1/8PlFm9fCh3vwKOzPc4K291N0R4j/tH6JX+pd1678:/BOsf7NbcVd0DeCurc20R4jQE6EhJ
Malware Config
Signatures
-
Modifies security service 2 TTPs 22 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe -
Executes dropped EXE 10 IoCs
pid Process 2324 winupdate.exe 2744 winupdate.exe 2432 winupdate.exe 956 winupdate.exe 3008 winupdate.exe 1960 winupdate.exe 3004 winupdate.exe 2144 winupdate.exe 2056 winupdate.exe 2612 winupdate.exe -
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine winupdate.exe -
Loads dropped DLL 40 IoCs
pid Process 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 2324 winupdate.exe 2324 winupdate.exe 2324 winupdate.exe 2324 winupdate.exe 2744 winupdate.exe 2744 winupdate.exe 2744 winupdate.exe 2744 winupdate.exe 2432 winupdate.exe 2432 winupdate.exe 2432 winupdate.exe 2432 winupdate.exe 956 winupdate.exe 956 winupdate.exe 956 winupdate.exe 956 winupdate.exe 3008 winupdate.exe 3008 winupdate.exe 3008 winupdate.exe 3008 winupdate.exe 1960 winupdate.exe 1960 winupdate.exe 1960 winupdate.exe 1960 winupdate.exe 3004 winupdate.exe 3004 winupdate.exe 3004 winupdate.exe 3004 winupdate.exe 2144 winupdate.exe 2144 winupdate.exe 2144 winupdate.exe 2144 winupdate.exe 2056 winupdate.exe 2056 winupdate.exe 2056 winupdate.exe 2056 winupdate.exe 2612 winupdate.exe 2612 winupdate.exe 2612 winupdate.exe -
resource yara_rule behavioral1/memory/1136-0-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/1136-16-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/files/0x000c000000014fe1-134.dat themida behavioral1/memory/1136-145-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2324-139-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2324-156-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2324-265-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2324-271-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2324-273-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2744-277-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2744-293-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2744-396-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2432-403-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2744-406-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2432-416-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2432-525-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2432-527-0x0000000005100000-0x000000000537D000-memory.dmp themida behavioral1/memory/956-534-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2432-532-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/956-652-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/956-655-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3008-667-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/956-657-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3008-784-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3008-786-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3008-792-0x0000000004FB0000-0x000000000522D000-memory.dmp themida behavioral1/memory/3008-797-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/1960-799-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/1960-918-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/1960-927-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3004-1047-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/3004-1056-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2144-1179-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2144-1186-0x0000000000400000-0x000000000067D000-memory.dmp themida behavioral1/memory/2056-1305-0x0000000000400000-0x000000000067D000-memory.dmp themida -
Drops file in System32 directory 22 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\winupdate.exe winupdate.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid Process 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 2324 winupdate.exe 2744 winupdate.exe 2432 winupdate.exe 956 winupdate.exe 3008 winupdate.exe 1960 winupdate.exe 3004 winupdate.exe 2144 winupdate.exe 2056 winupdate.exe 2612 winupdate.exe -
Runs .reg file with regedit 11 IoCs
pid Process 1968 regedit.exe 2064 regedit.exe 2824 regedit.exe 1948 regedit.exe 1484 regedit.exe 2564 regedit.exe 1316 regedit.exe 2316 regedit.exe 2156 regedit.exe 2052 regedit.exe 2556 regedit.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 2324 winupdate.exe 2744 winupdate.exe 2432 winupdate.exe 956 winupdate.exe 3008 winupdate.exe 1960 winupdate.exe 3004 winupdate.exe 2144 winupdate.exe 2056 winupdate.exe 2612 winupdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1136 wrote to memory of 1744 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 28 PID 1136 wrote to memory of 1744 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 28 PID 1136 wrote to memory of 1744 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 28 PID 1136 wrote to memory of 1744 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 28 PID 1744 wrote to memory of 1968 1744 cmd.exe 29 PID 1744 wrote to memory of 1968 1744 cmd.exe 29 PID 1744 wrote to memory of 1968 1744 cmd.exe 29 PID 1744 wrote to memory of 1968 1744 cmd.exe 29 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 1136 wrote to memory of 2324 1136 e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe 30 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 2324 wrote to memory of 1436 2324 winupdate.exe 31 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 1436 wrote to memory of 2064 1436 cmd.exe 32 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2324 wrote to memory of 2744 2324 winupdate.exe 33 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2744 wrote to memory of 2604 2744 winupdate.exe 34 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2604 wrote to memory of 1316 2604 cmd.exe 35 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2744 wrote to memory of 2432 2744 winupdate.exe 38 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39 PID 2432 wrote to memory of 528 2432 winupdate.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- Runs .reg file with regedit
PID:1968
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 736 "C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Modifies security service
- Runs .reg file with regedit
PID:2064
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 808 "C:\Windows\SysWOW64\winupdate.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
PID:1316
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 804 "C:\Windows\SysWOW64\winupdate.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵PID:528
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
PID:2824
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 816 "C:\Windows\SysWOW64\winupdate.exe"5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:956 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵PID:2484
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
PID:2316
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 812 "C:\Windows\SysWOW64\winupdate.exe"6⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3008 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵PID:596
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
PID:1948
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 820 "C:\Windows\SysWOW64\winupdate.exe"7⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1960 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵PID:2128
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
PID:2156
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 828 "C:\Windows\SysWOW64\winupdate.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3004 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵PID:1996
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
PID:1484
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 824 "C:\Windows\SysWOW64\winupdate.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵PID:2924
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
PID:2564
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 836 "C:\Windows\SysWOW64\winupdate.exe"10⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2056 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵PID:780
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
PID:2052
-
-
-
C:\Windows\SysWOW64\winupdate.exeC:\Windows\system32\winupdate.exe 840 "C:\Windows\SysWOW64\winupdate.exe"11⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2612 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵PID:1808
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
PID:2556
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
449B
MD5c6b0028a6f5508ef564d624eda0e72bc
SHA118901c9856a9af672c2e27383c15d2da41f27b6b
SHA256b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06
SHA5125d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71
-
Filesize
3KB
MD5558e454bc2d99d7949719cf24f540dd2
SHA1e9c772bcee4ae780cdc28b0b4876385639e59b39
SHA256677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a
SHA5125bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64
-
Filesize
2KB
MD55575ef034e791d4d3b09da6c0c4ee764
SHA150a0851ddf4b0c4014ad91f976e953baffe30951
SHA2569697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14
SHA512ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756
-
Filesize
3KB
MD56b0182442d6e09100c34904ae6d8ee0c
SHA16255e65587505629521ea048a4e40cc48b512f2c
SHA256cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4
SHA51264395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46
-
Filesize
751KB
MD5e9ff47123f87724ec5f5b190b3f11abb
SHA18da923eac576cf70b752d7c002dc779a0d96e984
SHA256fa33ef25404444f65328a5acc9e59ab100da3c0b3008d8a4a7a7e3656df910e7
SHA5126501381b8ecd52fb22e9c07276e7de2b2253e069128e80b1cefb3754bc9359532879ab53397e754251a829e2eb5f73eb0ef4b81af43e80fcb5c44063690aca25
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904