lumma | b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
Size

95KB
MD5

fb80fd969cdba54de7aa33d969d181e8
SHA1

6770bee0cd1aecd022307ea6b6f4c708efe410fb
SHA256

b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271
SHA512

ff0efe77e739f4b896c04917ba8b5e67c824dc73caecdc22d5c0abc189e15741837a2cf28b565bfb686b272179daf9d393cb83770a96412c42b2670f37bb59be
SSDEEP

1536:/BjlOyJwqVSW/uMKHAiU7kkqbM8vlxhdvf9DbQrMrOS6fKZ4J27Js7z5:tvwlZdU7kkSvbrf9DUrMrt6t2Nw

Score

10^/10

lumma evasion stealer upx

Malware Config

Signatures

Detect Lumma Stealer payload V4 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-1-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1956-127-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/2300-235-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1956-238-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1668-250-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1668-360-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-364-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-481-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1460-494-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1460-604-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1460-607-0x0000000002330000-0x000000000239C000-memory.dmp	family_lumma_v4
behavioral1/memory/1740-615-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1740-726-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1740-730-0x0000000000610000-0x000000000067C000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-738-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-848-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-853-0x0000000002620000-0x000000000268C000-memory.dmp	family_lumma_v4
behavioral1/memory/1328-850-0x0000000002620000-0x000000000268C000-memory.dmp	family_lumma_v4
behavioral1/memory/940-970-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/2596-1092-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/1896-1212-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral1/memory/608-1332-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

Processes:

service.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exe

pid	process
1956	service.exe
1668	service.exe
2640	service.exe
1460	service.exe
1740	service.exe
1328	service.exe
940	service.exe
2596	service.exe
1896	service.exe
608	service.exe

Loads dropped DLL 20 IoCs

Processes:

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exe

pid	process
2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
1956	service.exe
1956	service.exe
1668	service.exe
1668	service.exe
2640	service.exe
2640	service.exe
1460	service.exe
1460	service.exe
1740	service.exe
1740	service.exe
1328	service.exe
1328	service.exe
940	service.exe
940	service.exe
2596	service.exe
2596	service.exe
1896	service.exe
1896	service.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2300-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
\Windows\SysWOW64\service.exe	upx
behavioral1/memory/2300-125-0x00000000005A0000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/1956-127-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2300-235-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1956-238-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1668-250-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1668-360-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2640-364-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2640-481-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2640-483-0x0000000000710000-0x000000000077C000-memory.dmp	upx
behavioral1/memory/1460-494-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1460-604-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1740-615-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1740-726-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-738-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-848-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1328-853-0x0000000002620000-0x000000000268C000-memory.dmp	upx
behavioral1/memory/940-970-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2596-975-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2596-1092-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1896-1212-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/608-1332-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

Processes:

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\service.exe	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe

Runs .reg file with regedit 11 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
1068	regedit.exe
1172	regedit.exe
1940	regedit.exe
2576	regedit.exe
2312	regedit.exe
1704	regedit.exe
1980	regedit.exe
2960	regedit.exe
860	regedit.exe
2972	regedit.exe
2392	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.exe

description	pid	process	target process
PID 2300 wrote to memory of 1936	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 2300 wrote to memory of 1936	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 2300 wrote to memory of 1936	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 2300 wrote to memory of 1936	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 1936 wrote to memory of 2312	1936	cmd.exe	regedit.exe
PID 1936 wrote to memory of 2312	1936	cmd.exe	regedit.exe
PID 1936 wrote to memory of 2312	1936	cmd.exe	regedit.exe
PID 1936 wrote to memory of 2312	1936	cmd.exe	regedit.exe
PID 2300 wrote to memory of 1956	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 2300 wrote to memory of 1956	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 2300 wrote to memory of 1956	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 2300 wrote to memory of 1956	2300	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 1956 wrote to memory of 2684	1956	service.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	service.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	service.exe	cmd.exe
PID 1956 wrote to memory of 2684	1956	service.exe	cmd.exe
PID 2684 wrote to memory of 2972	2684	cmd.exe	regedit.exe
PID 2684 wrote to memory of 2972	2684	cmd.exe	regedit.exe
PID 2684 wrote to memory of 2972	2684	cmd.exe	regedit.exe
PID 2684 wrote to memory of 2972	2684	cmd.exe	regedit.exe
PID 1956 wrote to memory of 1668	1956	service.exe	service.exe
PID 1956 wrote to memory of 1668	1956	service.exe	service.exe
PID 1956 wrote to memory of 1668	1956	service.exe	service.exe
PID 1956 wrote to memory of 1668	1956	service.exe	service.exe
PID 1668 wrote to memory of 628	1668	service.exe	cmd.exe
PID 1668 wrote to memory of 628	1668	service.exe	cmd.exe
PID 1668 wrote to memory of 628	1668	service.exe	cmd.exe
PID 1668 wrote to memory of 628	1668	service.exe	cmd.exe
PID 628 wrote to memory of 1704	628	cmd.exe	regedit.exe
PID 628 wrote to memory of 1704	628	cmd.exe	regedit.exe
PID 628 wrote to memory of 1704	628	cmd.exe	regedit.exe
PID 628 wrote to memory of 1704	628	cmd.exe	regedit.exe
PID 1668 wrote to memory of 2640	1668	service.exe	service.exe
PID 1668 wrote to memory of 2640	1668	service.exe	service.exe
PID 1668 wrote to memory of 2640	1668	service.exe	service.exe
PID 1668 wrote to memory of 2640	1668	service.exe	service.exe
PID 2640 wrote to memory of 2512	2640	service.exe	cmd.exe
PID 2640 wrote to memory of 2512	2640	service.exe	cmd.exe
PID 2640 wrote to memory of 2512	2640	service.exe	cmd.exe
PID 2640 wrote to memory of 2512	2640	service.exe	cmd.exe
PID 2512 wrote to memory of 2392	2512	cmd.exe	regedit.exe
PID 2512 wrote to memory of 2392	2512	cmd.exe	regedit.exe
PID 2512 wrote to memory of 2392	2512	cmd.exe	regedit.exe
PID 2512 wrote to memory of 2392	2512	cmd.exe	regedit.exe
PID 2640 wrote to memory of 1460	2640	service.exe	service.exe
PID 2640 wrote to memory of 1460	2640	service.exe	service.exe
PID 2640 wrote to memory of 1460	2640	service.exe	service.exe
PID 2640 wrote to memory of 1460	2640	service.exe	service.exe
PID 1460 wrote to memory of 1104	1460	service.exe	cmd.exe
PID 1460 wrote to memory of 1104	1460	service.exe	cmd.exe
PID 1460 wrote to memory of 1104	1460	service.exe	cmd.exe
PID 1460 wrote to memory of 1104	1460	service.exe	cmd.exe
PID 1104 wrote to memory of 1068	1104	cmd.exe	regedit.exe
PID 1104 wrote to memory of 1068	1104	cmd.exe	regedit.exe
PID 1104 wrote to memory of 1068	1104	cmd.exe	regedit.exe
PID 1104 wrote to memory of 1068	1104	cmd.exe	regedit.exe
PID 1460 wrote to memory of 1740	1460	service.exe	service.exe
PID 1460 wrote to memory of 1740	1460	service.exe	service.exe
PID 1460 wrote to memory of 1740	1460	service.exe	service.exe
PID 1460 wrote to memory of 1740	1460	service.exe	service.exe
PID 1740 wrote to memory of 2164	1740	service.exe	cmd.exe
PID 1740 wrote to memory of 2164	1740	service.exe	cmd.exe
PID 1740 wrote to memory of 2164	1740	service.exe	cmd.exe
PID 1740 wrote to memory of 2164	1740	service.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:2312
- C:\Windows\SysWOW64\service.exe
  C:\Windows\system32\service.exe 516 "C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:2972
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\system32\service.exe 528 "C:\Windows\SysWOW64\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1704
  - - C:\Windows\SysWOW64\service.exe
      C:\Windows\system32\service.exe 540 "C:\Windows\SysWOW64\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2392
    - - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 544 "C:\Windows\SysWOW64\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1068
      - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 548 "C:\Windows\SysWOW64\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1172
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 552 "C:\Windows\SysWOW64\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1980
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 556 "C:\Windows\SysWOW64\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2960
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 560 "C:\Windows\SysWOW64\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:860
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 564 "C:\Windows\SysWOW64\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1940
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 532 "C:\Windows\SysWOW64\service.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
449B

MD5
c6b0028a6f5508ef564d624eda0e72bc

SHA1
18901c9856a9af672c2e27383c15d2da41f27b6b

SHA256
b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06

SHA512
5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ad9e5e67282bb74482c05e3bf2eb188b

SHA1
10b02442ea4b1151a2334645c3e290a82ecfad1f

SHA256
7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

SHA512
b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
8d6eb64e58d3f14686110fcaf1363269

SHA1
d85c0b208716b400894ba4cb569a5af4aa178a2f

SHA256
c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5

SHA512
5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
110B

MD5
b6b8b04c60361e2df1d3e29fc4fc3138

SHA1
bd732238f8d5894ca6020081adef617dabadf94e

SHA256
f255a5447d3a3eda8715938993357971faeabf92eecf172e2fc0dfbdaa239c1b

SHA512
16e7247fdc0c1191229ea44b4f6584dce588255e775642c343cffb2030c05bd77f4eb716d87d21defb0fe7edcc62a7a2e12ecbebbd72bc9a5247934fdd02fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\service.exe

Filesize
95KB

MD5
fb80fd969cdba54de7aa33d969d181e8

SHA1
6770bee0cd1aecd022307ea6b6f4c708efe410fb

SHA256
b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271

SHA512
ff0efe77e739f4b896c04917ba8b5e67c824dc73caecdc22d5c0abc189e15741837a2cf28b565bfb686b272179daf9d393cb83770a96412c42b2670f37bb59be

Download Submit
memory/608-1332-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/940-970-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/940-973-0x0000000002350000-0x00000000023BC000-memory.dmp

Filesize
432KB

Download
memory/1328-848-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1328-853-0x0000000002620000-0x000000000268C000-memory.dmp

Filesize
432KB

Download
memory/1328-850-0x0000000002620000-0x000000000268C000-memory.dmp

Filesize
432KB

Download
memory/1328-738-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1460-604-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1460-494-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1460-607-0x0000000002330000-0x000000000239C000-memory.dmp

Filesize
432KB

Download
memory/1668-250-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-360-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1740-726-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1740-730-0x0000000000610000-0x000000000067C000-memory.dmp

Filesize
432KB

Download
memory/1740-615-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1896-1212-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1956-127-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1956-248-0x0000000000620000-0x000000000068C000-memory.dmp

Filesize
432KB

Download
memory/1956-238-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2300-235-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2300-125-0x00000000005A0000-0x000000000060C000-memory.dmp

Filesize
432KB

Download
memory/2300-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2300-234-0x00000000005A0000-0x000000000060C000-memory.dmp

Filesize
432KB

Download
memory/2596-1092-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2596-975-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2640-485-0x0000000000710000-0x000000000077C000-memory.dmp

Filesize
432KB

Download
memory/2640-364-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2640-481-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2640-483-0x0000000000710000-0x000000000077C000-memory.dmp

Filesize
432KB

Download