04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
Size

527KB
MD5

0ad61c4f369ef91a0a8afeaae1844032
SHA1

3aacba35e18d73e6bf22eb3aed1f20d611ee3875
SHA256

04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1
SHA512

a68d5e76d59a0375025868ad4d1a7cf8fc80205d3475b6875d39993e81c5e52350196801710e27d2497e9bca8ed4b2343d95d46ed14253398ca12576e27c104b
SSDEEP

12288:/quErHF6xC9D6DmR1J98w4oknqOOCyQfQJXzaVqfENFSmFZ6:Grl6kD68JmlotQf+eVzNFxFZ6

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
3088	takeown.exe
2600	icacls.exe
3248	takeown.exe
1956	icacls.exe
3924	takeown.exe
3656	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	~dbomfgw.tmp

Loads dropped DLL 64 IoCs

pid	Process
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp
1988	~dbomfgw.tmp

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3924	takeown.exe
3656	icacls.exe
3088	takeown.exe
2600	icacls.exe
3248	takeown.exe
1956	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000160000-0x0000000000293000-memory.dmp	upx
behavioral1/memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp	upx
behavioral1/memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp	upx
behavioral1/memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp	autoit_exe
behavioral1/memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp	autoit_exe
behavioral1/memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp	autoit_exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\uxtheme.dll.backup	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\uxtheme.dll.new	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\themeui.dll.new	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\themeui.dll.old	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\themeservice.dll.new	~dbomfgw.tmp
File created	C:\Windows\System32\themeservice.dll.backup	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\themeservice.dll.old	~dbomfgw.tmp
File created	C:\Windows\System32\uxtheme.dll.new	~dbomfgw.tmp
File opened for modification	C:\Windows\system32\uxtheme.dll.old	~dbomfgw.tmp
File created	C:\Windows\System32\themeui.dll.new	~dbomfgw.tmp
File created	C:\Windows\System32\themeui.dll.backup	~dbomfgw.tmp
File created	C:\Windows\System32\themeservice.dll.new	~dbomfgw.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe	~dbomfgw.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeRestorePrivilege	2408	DrvInst.exe
Token: SeLoadDriverPrivilege	2408	DrvInst.exe
Token: SeLoadDriverPrivilege	2408	DrvInst.exe
Token: SeLoadDriverPrivilege	2408	DrvInst.exe
Token: SeTakeOwnershipPrivilege	3088	takeown.exe
Token: SeTakeOwnershipPrivilege	3248	takeown.exe
Token: SeTakeOwnershipPrivilege	3924	takeown.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1988	2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	28
PID 2356 wrote to memory of 1988	2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	28
PID 2356 wrote to memory of 1988	2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	28
PID 2356 wrote to memory of 1988	2356	0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe	28
PID 1988 wrote to memory of 3088	1988	~dbomfgw.tmp	33
PID 1988 wrote to memory of 3088	1988	~dbomfgw.tmp	33
PID 1988 wrote to memory of 3088	1988	~dbomfgw.tmp	33
PID 1988 wrote to memory of 3088	1988	~dbomfgw.tmp	33
PID 1988 wrote to memory of 2600	1988	~dbomfgw.tmp	35
PID 1988 wrote to memory of 2600	1988	~dbomfgw.tmp	35
PID 1988 wrote to memory of 2600	1988	~dbomfgw.tmp	35
PID 1988 wrote to memory of 2600	1988	~dbomfgw.tmp	35
PID 1988 wrote to memory of 3248	1988	~dbomfgw.tmp	37
PID 1988 wrote to memory of 3248	1988	~dbomfgw.tmp	37
PID 1988 wrote to memory of 3248	1988	~dbomfgw.tmp	37
PID 1988 wrote to memory of 3248	1988	~dbomfgw.tmp	37
PID 1988 wrote to memory of 1956	1988	~dbomfgw.tmp	39
PID 1988 wrote to memory of 1956	1988	~dbomfgw.tmp	39
PID 1988 wrote to memory of 1956	1988	~dbomfgw.tmp	39
PID 1988 wrote to memory of 1956	1988	~dbomfgw.tmp	39
PID 1988 wrote to memory of 3924	1988	~dbomfgw.tmp	41
PID 1988 wrote to memory of 3924	1988	~dbomfgw.tmp	41
PID 1988 wrote to memory of 3924	1988	~dbomfgw.tmp	41
PID 1988 wrote to memory of 3924	1988	~dbomfgw.tmp	41
PID 1988 wrote to memory of 3656	1988	~dbomfgw.tmp	43
PID 1988 wrote to memory of 3656	1988	~dbomfgw.tmp	43
PID 1988 wrote to memory of 3656	1988	~dbomfgw.tmp	43
PID 1988 wrote to memory of 3656	1988	~dbomfgw.tmp	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\~dbomfgw.tmp
  C:\~dbomfgw.tmp /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxtheme.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxtheme.dll" /grant Admin:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2600
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1956
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeservice.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeservice.dll" /grant Admin:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D4" "00000000000005AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso2030.tmp\SysRestore.dll

Filesize
5KB

MD5
4310bd09fc2300b106f0437b6e995330

SHA1
c6790a68e410d4a619b9b59e7540b702a98ad661

SHA256
c686b4df9b4db50fc1ddb7be4cd50d4b1d75894288f4dc50571b79937d7c0d7e

SHA512
49e286ccd285871db74867810c9cf243e3c1522ce7b4c0d1d01bafe72552692234cf4b4d787b900e9c041b8a2c12f193b36a6a35c64ffd5deef0e1be9958b1f7

Download Submit
C:\Windows\System32\themeservice.dll.new

Filesize
43KB

MD5
bf69cdedb4f36015e43dc8117134f058

SHA1
717b59942919209a01dc88218bb9e28517ff63c5

SHA256
b9737b8b11687bc241e150a1a9eceee0fa979dd4ab30c01e335f970564f0c3c7

SHA512
2cfce2abcd9806275f44ad2df6f5259a9e02e88802e7c4359665ae415dfa88d478447eea80d81c12f130c544c8a8a71a2706d95ce4cccf5e5d0180b464a3629c

Download Submit
C:\Windows\System32\themeui.dll.new

Filesize
2.7MB

MD5
274c75ff99e6bc973232dfb4d450cdcd

SHA1
e000812516d3d60d6fcf340f34d13f51e4d23912

SHA256
35415d2a7d97ac2fd9ccfe28a93c3aff0f4fa9d83636699b4d89139dc9d23f34

SHA512
f1e922c74725e29f980a63c369c86f8d56e91e7f83652830633941f918777207ec2941ba91fe2a3e259851f45d92defde538f31324788aba4cce051247a674a2

Download Submit
C:\Windows\System32\uxtheme.dll.new

Filesize
324KB

MD5
2e08363a75712e753f4d5b3b34531584

SHA1
323190cd2c21152df3dedfee1ca701f11e355a01

SHA256
66fd0a342d0c56f2d73edc7ee4c0f7dc3c8ab3ab77be1a8f5083f6984f4be754

SHA512
b8c00275a61236de4145007f7301dff452300ba3d7807684ac226ab2a61e3712223f31c6f431346a5e452ddd5585aa867d2e2b6b1b7c147b24ce110ca6615dc3

Download Submit
C:\~dbomfgw.tmp

Filesize
158KB

MD5
63f97f0f83d525d798596963a41426e0

SHA1
e20f5011669a3aa5e54826add72d507c182be334

SHA256
f0ee8f91b19d7070c6a29298c2649b1f14ce6a4d88ae799477a033e8119b6af1

SHA512
a73413961fa3c81200eca1fd92fc4ba125bdb7f62c6a9173bf8df23aff2e03a57da47f71f32b52df6cfdcd149a60330bf9a5b27b1b45b032b89d8969ab948dcf

Download Submit
\Users\Admin\AppData\Local\Temp\nso2030.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
\Users\Admin\AppData\Local\Temp\nso2030.tmp\nsisFile.dll

Filesize
5KB

MD5
b7d0d765c151d235165823b48554e442

SHA1
fe530e6c6fd60392d4ce611b21ec9daad3f1bc84

SHA256
a820a32e5ce89e3e336afc71aa1bf42a357ec542c2bc6e50c6255c1333812587

SHA512
5d801c24dfa1b7326f72f9c0acf3a330ef0cc3fce25ceee200bb12eab8c2b653025602e610e0cecda1e7cbd851ce1b66252531220b557a378ddb0b4a1741fa66

Download Submit
memory/2356-0-0x0000000000160000-0x0000000000293000-memory.dmp

Filesize
1.2MB

Download
memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp

Filesize
1.2MB

Download
memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp

Filesize
1.2MB

Download
memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp

Filesize
1.2MB

Download