95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
Size

36KB
MD5

f25897326beee04afba384bc50e0c35b
SHA1

5085a4d48444be7f4a7ec1dd4f4810d3ce5869cb
SHA256

95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13
SHA512

85def6bc6209971cf42efac5f62112a086e9f85b15a49142d335eb6093ded27962a952bf03801ee09a210bad45d7a008202031b135ff02770ee715708a7d56e0
SSDEEP

768:Qi/8POyOVXow3UVnnK9Fi9k13ebvMSPIl1C3T:QNPlOVXow3UVnKKOMb0PU3T

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2136 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

$77-System.exe

pid process

2884 $77-System.exe

pid	process
2136	netsh.exe

pid	process
2884	$77-System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-System = "\\System\\$77-System.exe"	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-System = "\\System\\$77-System.exe"	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

19 discord.com
20 discord.com
14 raw.githubusercontent.com
15 raw.githubusercontent.com
16 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
19	discord.com
20	discord.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

$77-System.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	$77-System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$77-System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	$77-System.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exe$77-System.exepowershell.exepowershell.exepowershell.exe

pid	process
1704	powershell.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
716	powershell.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
972	powershell.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
1300	powershell.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe
2884	$77-System.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

powershell.exe$77-System.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2884	$77-System.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe
Token: 33	2884	$77-System.exe
Token: SeIncBasePriorityPrivilege	2884	$77-System.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe$77-System.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 2884	2236	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe	$77-System.exe
PID 2236 wrote to memory of 2884	2236	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe	$77-System.exe
PID 2236 wrote to memory of 2884	2236	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe	$77-System.exe
PID 2884 wrote to memory of 840	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 840	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 840	2884	$77-System.exe	cmd.exe
PID 840 wrote to memory of 1704	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1704	840	cmd.exe	powershell.exe
PID 840 wrote to memory of 1704	840	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2368	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2368	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2368	2884	$77-System.exe	cmd.exe
PID 2368 wrote to memory of 716	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 716	2368	cmd.exe	powershell.exe
PID 2368 wrote to memory of 716	2368	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2356	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2356	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2356	2884	$77-System.exe	cmd.exe
PID 2356 wrote to memory of 972	2356	cmd.exe	powershell.exe
PID 2356 wrote to memory of 972	2356	cmd.exe	powershell.exe
PID 2356 wrote to memory of 972	2356	cmd.exe	powershell.exe
PID 2884 wrote to memory of 1488	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1488	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1488	2884	$77-System.exe	cmd.exe
PID 1488 wrote to memory of 1300	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 1300	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 1300	1488	cmd.exe	powershell.exe
PID 2884 wrote to memory of 2220	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2220	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2220	2884	$77-System.exe	cmd.exe
PID 2220 wrote to memory of 1932	2220	cmd.exe	attrib.exe
PID 2220 wrote to memory of 1932	2220	cmd.exe	attrib.exe
PID 2220 wrote to memory of 1932	2220	cmd.exe	attrib.exe
PID 2884 wrote to memory of 572	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 572	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 572	2884	$77-System.exe	cmd.exe
PID 572 wrote to memory of 1984	572	cmd.exe	attrib.exe
PID 572 wrote to memory of 1984	572	cmd.exe	attrib.exe
PID 572 wrote to memory of 1984	572	cmd.exe	attrib.exe
PID 2884 wrote to memory of 1692	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1692	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1692	2884	$77-System.exe	cmd.exe
PID 1692 wrote to memory of 1544	1692	cmd.exe	attrib.exe
PID 1692 wrote to memory of 1544	1692	cmd.exe	attrib.exe
PID 1692 wrote to memory of 1544	1692	cmd.exe	attrib.exe
PID 2884 wrote to memory of 2168	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2168	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 2168	2884	$77-System.exe	cmd.exe
PID 2168 wrote to memory of 2820	2168	cmd.exe	attrib.exe
PID 2168 wrote to memory of 2820	2168	cmd.exe	attrib.exe
PID 2168 wrote to memory of 2820	2168	cmd.exe	attrib.exe
PID 2884 wrote to memory of 1660	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1660	2884	$77-System.exe	cmd.exe
PID 2884 wrote to memory of 1660	2884	$77-System.exe	cmd.exe
PID 1660 wrote to memory of 2264	1660	cmd.exe	attrib.exe
PID 1660 wrote to memory of 2264	1660	cmd.exe	attrib.exe
PID 1660 wrote to memory of 2264	1660	cmd.exe	attrib.exe
PID 2884 wrote to memory of 2136	2884	$77-System.exe	netsh.exe
PID 2884 wrote to memory of 2136	2884	$77-System.exe	netsh.exe
PID 2884 wrote to memory of 2136	2884	$77-System.exe	netsh.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2264 attrib.exe
1932 attrib.exe
1984 attrib.exe
1544 attrib.exe
2820 attrib.exe

pid	process
2264	attrib.exe
1932	attrib.exe
1984	attrib.exe
1544	attrib.exe
2820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236
- C:\System\$77-System.exe
  "C:\System\$77-System.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\system32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System"
      4⤵
      Views/modifies file attributes
      PID:1932
- - C:\Windows\system32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\$77-System.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\$77-System.exe"
      4⤵
      Views/modifies file attributes
      PID:1984
- - C:\Windows\system32\cmd.exe
    cmd.exe /c attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
      4⤵
      Views/modifies file attributes
      PID:1544
- - C:\Windows\system32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\r77-x64.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\r77-x64.dll"
      4⤵
      Views/modifies file attributes
      PID:2820
- - C:\Windows\system32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\r77-x86.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\r77-x86.dll"
      4⤵
      Views/modifies file attributes
      PID:2264
- - C:\Windows\system32\netsh.exe
    netsh firewall delete allowedprogram "C:\System\$77-System.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System\$77-System.exe

Filesize
36KB

MD5
f25897326beee04afba384bc50e0c35b

SHA1
5085a4d48444be7f4a7ec1dd4f4810d3ce5869cb

SHA256
95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13

SHA512
85def6bc6209971cf42efac5f62112a086e9f85b15a49142d335eb6093ded27962a952bf03801ee09a210bad45d7a008202031b135ff02770ee715708a7d56e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3C0E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f17c3672194ed59e312fa45530c2e881

SHA1
bd685f28bf11cab71585ab1e3571e815496a625f

SHA256
9ffce4ca70a06685c87016ab85175a7827d2ed03246c3367011a5420d44ac304

SHA512
02a1f757d3b0d4c61811506d147aad135195b02708aee933b51c3dbce23423e56816b742ebd8623ea0d773ed82ceb7ac55bc8937938425e01de9ef795e071990

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/716-454-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/716-448-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/716-453-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/716-450-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/716-451-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/716-452-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/716-449-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/716-446-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/716-447-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/972-464-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/972-460-0x000007FEED0A0000-0x000007FEEDA3D000-memory.dmp

Filesize
9.6MB

Download
memory/972-466-0x000007FEED0A0000-0x000007FEEDA3D000-memory.dmp

Filesize
9.6MB

Download
memory/972-465-0x00000000028FB000-0x0000000002962000-memory.dmp

Filesize
412KB

Download
memory/972-463-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/972-462-0x000007FEED0A0000-0x000007FEEDA3D000-memory.dmp

Filesize
9.6MB

Download
memory/972-461-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1300-473-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-476-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1300-474-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1300-479-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1300-480-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-475-0x000007FEEDA40000-0x000007FEEE3DD000-memory.dmp

Filesize
9.6MB

Download
memory/1300-478-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1704-434-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/1704-436-0x000007FEEE2D0000-0x000007FEEEC6D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-437-0x0000000002DCB000-0x0000000002E32000-memory.dmp

Filesize
412KB

Download
memory/1704-435-0x0000000002DC4000-0x0000000002DC7000-memory.dmp

Filesize
12KB

Download
memory/1704-438-0x000007FEEE2D0000-0x000007FEEEC6D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-433-0x000007FEEE2D0000-0x000007FEEEC6D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-431-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1704-432-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2236-8-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-0-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2884-439-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-477-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/2884-440-0x000000001BC10000-0x000000001BC90000-memory.dmp

Filesize
512KB

Download
memory/2884-7-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2884-9-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download