e7ccb818b4b93a355302324a6abfedc99d38aa6db3464a3fbcce0b7903b06032

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
Size

262KB
MD5

022e4768ba89476aa337f533e80fa0f0
SHA1

259682aee68710e452c0136920991dd71bc54b80
SHA256

e7ccb818b4b93a355302324a6abfedc99d38aa6db3464a3fbcce0b7903b06032
SHA512

fa2f6568350a114f35c0a5d2b00dd6bec93f6d4cc08e48a32b5b9e27fa58e9a3ef27c3c26b422b341a2affc891ec412791ac9b4516dac8adaaa6245ea2b86f07
SSDEEP

6144:MdZU6ZyznmkfANv494D83X5DAzMUVOv0KEEMHHEMH:Ka6Z+nmkfANv494D83X28nMEM

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1780	more files.exe

Executes dropped EXE 6 IoCs

pid	Process
1780	more files.exe
2608	wmiintegrator.exe
2644	wmihostwin.exe
2972	wmimic.exe
2600	wmisecure.exe
2472	wmisecure64.exe

Loads dropped DLL 6 IoCs

pid	Process
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1780	more files.exe
2608	wmiintegrator.exe
2644	wmihostwin.exe
2972	wmimic.exe
2972	wmimic.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
1780	more files.exe
2608	wmiintegrator.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2600	wmisecure.exe
2600	wmisecure.exe
2600	wmisecure.exe
2600	wmisecure.exe
2600	wmisecure.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe
2608	wmiintegrator.exe
2972	wmimic.exe
2972	wmimic.exe
2644	wmihostwin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1780	1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	28
PID 1948 wrote to memory of 1780	1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	28
PID 1948 wrote to memory of 1780	1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	28
PID 1948 wrote to memory of 1780	1948	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	28
PID 1780 wrote to memory of 2608	1780	more files.exe	29
PID 1780 wrote to memory of 2608	1780	more files.exe	29
PID 1780 wrote to memory of 2608	1780	more files.exe	29
PID 1780 wrote to memory of 2608	1780	more files.exe	29
PID 2608 wrote to memory of 2644	2608	wmiintegrator.exe	30
PID 2608 wrote to memory of 2644	2608	wmiintegrator.exe	30
PID 2608 wrote to memory of 2644	2608	wmiintegrator.exe	30
PID 2608 wrote to memory of 2644	2608	wmiintegrator.exe	30
PID 2644 wrote to memory of 2972	2644	wmihostwin.exe	31
PID 2644 wrote to memory of 2972	2644	wmihostwin.exe	31
PID 2644 wrote to memory of 2972	2644	wmihostwin.exe	31
PID 2644 wrote to memory of 2972	2644	wmihostwin.exe	31
PID 2972 wrote to memory of 2600	2972	wmimic.exe	32
PID 2972 wrote to memory of 2600	2972	wmimic.exe	32
PID 2972 wrote to memory of 2600	2972	wmimic.exe	32
PID 2972 wrote to memory of 2600	2972	wmimic.exe	32
PID 2972 wrote to memory of 2472	2972	wmimic.exe	33
PID 2972 wrote to memory of 2472	2972	wmimic.exe	33
PID 2972 wrote to memory of 2472	2972	wmimic.exe	33
PID 2972 wrote to memory of 2472	2972	wmimic.exe	33
PID 2472 wrote to memory of 1072	2472	wmisecure64.exe	35
PID 2472 wrote to memory of 1072	2472	wmisecure64.exe	35
PID 2472 wrote to memory of 1072	2472	wmisecure64.exe	35
PID 2472 wrote to memory of 1072	2472	wmisecure64.exe	35
PID 2472 wrote to memory of 1220	2472	wmisecure64.exe	37
PID 2472 wrote to memory of 1220	2472	wmisecure64.exe	37
PID 2472 wrote to memory of 1220	2472	wmisecure64.exe	37
PID 2472 wrote to memory of 1220	2472	wmisecure64.exe	37
PID 2472 wrote to memory of 1316	2472	wmisecure64.exe	39
PID 2472 wrote to memory of 1316	2472	wmisecure64.exe	39
PID 2472 wrote to memory of 1316	2472	wmisecure64.exe	39
PID 2472 wrote to memory of 1316	2472	wmisecure64.exe	39
PID 2472 wrote to memory of 540	2472	wmisecure64.exe	41
PID 2472 wrote to memory of 540	2472	wmisecure64.exe	41
PID 2472 wrote to memory of 540	2472	wmisecure64.exe	41
PID 2472 wrote to memory of 540	2472	wmisecure64.exe	41
PID 2472 wrote to memory of 592	2472	wmisecure64.exe	43
PID 2472 wrote to memory of 592	2472	wmisecure64.exe	43
PID 2472 wrote to memory of 592	2472	wmisecure64.exe	43
PID 2472 wrote to memory of 592	2472	wmisecure64.exe	43
PID 2472 wrote to memory of 1596	2472	wmisecure64.exe	45
PID 2472 wrote to memory of 1596	2472	wmisecure64.exe	45
PID 2472 wrote to memory of 1596	2472	wmisecure64.exe	45
PID 2472 wrote to memory of 1596	2472	wmisecure64.exe	45
PID 2472 wrote to memory of 1524	2472	wmisecure64.exe	47
PID 2472 wrote to memory of 1524	2472	wmisecure64.exe	47
PID 2472 wrote to memory of 1524	2472	wmisecure64.exe	47
PID 2472 wrote to memory of 1524	2472	wmisecure64.exe	47
PID 2472 wrote to memory of 2296	2472	wmisecure64.exe	51
PID 2472 wrote to memory of 2296	2472	wmisecure64.exe	51
PID 2472 wrote to memory of 2296	2472	wmisecure64.exe	51
PID 2472 wrote to memory of 2296	2472	wmisecure64.exe	51
PID 2472 wrote to memory of 2300	2472	wmisecure64.exe	53
PID 2472 wrote to memory of 2300	2472	wmisecure64.exe	53
PID 2472 wrote to memory of 2300	2472	wmisecure64.exe	53
PID 2472 wrote to memory of 2300	2472	wmisecure64.exe	53
PID 2472 wrote to memory of 2456	2472	wmisecure64.exe	55
PID 2472 wrote to memory of 2456	2472	wmisecure64.exe	55
PID 2472 wrote to memory of 2456	2472	wmisecure64.exe	55
PID 2472 wrote to memory of 2456	2472	wmisecure64.exe	55

C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\more files.exe
  "C:\Users\Admin\AppData\Roaming\more files.exe" C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
262KB

MD5
3046e58e13e09a8fb93224ab63e6bfdf

SHA1
85179306479fd18689a43685fed3312722288f2f

SHA256
d1d651fe43a9059247b61c32a905cbf8361f88edcbde33a78b6381971013837c

SHA512
709998d5bc56868ba6ccceeba747cd899673db8fc635a80bf26ed57175130bcf0f7d33dfa04d25652151c4962b24ca6135deb8b2d29483aaa4f003c9c6a5dafd

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
262KB

MD5
94f0fcfeaae58914639ca0c16811bbab

SHA1
86113a452ec1b981cbe1f856173a79bd1a7a5a9b

SHA256
a330bc2812e6285c0e83d238994eb2ced1b6a61f769182c452fa878b61a993f1

SHA512
1f70b43661f30d650d38a8b85309fa523d32a4c08e1cf8d85a50f5c2ed4d9a0bb7cf8750758ed97252b9b2e80c9a0ca77b3d5b37b8b0847b15f779b90316f19a

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

Filesize
262KB

MD5
5d82a5a1f50c85475233c77fa7289ccc

SHA1
f99d8f69fcf37ff3d50abda95c1c87b0eecdd00e

SHA256
0aefe804a7c94440fa6c38b8041181213da0e9c63516a67f239c4b562e66fbeb

SHA512
941ec0127bb68a5a4dae8de9d8bfa6cd896f4d2af006f0ee033153f616e2c164292de85f2e36a8bb211e7dfc338bc580ff705e127da07722c63a0b6c59a94956

Download Submit
\Users\Admin\AppData\Roaming\more files.exe

Filesize
262KB

MD5
8d8e479ca58788aee7ca09d853617852

SHA1
300277eedd472a55b2f7ec0c76374daaf08d59d9

SHA256
7803fe7e051d867ec52c6cb96548021a570368fc73b0caa3cdf60041ab0e6568

SHA512
db485019419513b1da764458f2203e76c031a6763519deb79dc5b0a3fb05067bec29e7642a454e9cfefa3124ac8a3fa503aa6d6385df5fe08d59d03e5f2ed2c3

Download Submit
memory/1780-18-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-20-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-19-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1780-34-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-69-0x00000000771B0000-0x00000000772AA000-memory.dmp

Filesize
1000KB

Download
memory/1948-11-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-1-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download
memory/1948-0-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-3-0x0000000000600000-0x0000000000640000-memory.dmp

Filesize
256KB

Download