Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2024, 01:33
Behavioral task
behavioral1
Sample
0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
Target: 0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
Size: 527KB
MD5: 0ad61c4f369ef91a0a8afeaae1844032
SHA1: 3aacba35e18d73e6bf22eb3aed1f20d611ee3875
SHA256: 04a810ffcaf4ab849bb2b7a4bdfbcb9aabd9e85513e3a7f0861c770001146bd1
SHA512: a68d5e76d59a0375025868ad4d1a7cf8fc80205d3475b6875d39993e81c5e52350196801710e27d2497e9bca8ed4b2343d95d46ed14253398ca12576e27c104b
SSDEEP: 12288:/quErHF6xC9D6DmR1J98w4oknqOOCyQfQJXzaVqfENFSmFZ6:Grl6kD68JmlotQf+eVzNFxFZ6
Malware Config
Signatures
-
Possible privilege escalation attempt 6 IoCs
pid Process
3088 takeown.exe
2600 icacls.exe
3248 takeown.exe
1956 icacls.exe
3924 takeown.exe
3656 icacls.exe
-
Executes dropped EXE 1 IoCs
pid Process
1988 ~dbomfgw.tmp
-
Loads dropped DLL 64 IoCs
pid Process
1988 ~dbomfgw.tmp (64 identical entries)
-
Modifies file permissions 1 TTPs 6 IoCs
pid Process
3924 takeown.exe
3656 icacls.exe
3088 takeown.exe
2600 icacls.exe
3248 takeown.exe
1956 icacls.exe
-
resource yara_rule
behavioral1/memory/2356-0-0x0000000000160000-0x0000000000293000-memory.dmp upx
behavioral1/memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp upx
behavioral1/memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp upx
behavioral1/memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp upx
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral1/memory/2356-25027-0x0000000000160000-0x0000000000293000-memory.dmp autoit_exe
behavioral1/memory/2356-25058-0x0000000000160000-0x0000000000293000-memory.dmp autoit_exe
behavioral1/memory/2356-25059-0x0000000000160000-0x0000000000293000-memory.dmp autoit_exe
-
Drops file in System32 directory 12 IoCs
description ioc Process
File created C:\Windows\System32\uxtheme.dll.backup ~dbomfgw.tmp
File opened for modification C:\Windows\system32\uxtheme.dll.new ~dbomfgw.tmp
File opened for modification C:\Windows\system32\themeui.dll.new ~dbomfgw.tmp
File opened for modification C:\Windows\system32\themeui.dll.old ~dbomfgw.tmp
File opened for modification C:\Windows\system32\themeservice.dll.new ~dbomfgw.tmp
File created C:\Windows\System32\themeservice.dll.backup ~dbomfgw.tmp
File opened for modification C:\Windows\system32\themeservice.dll.old ~dbomfgw.tmp
File created C:\Windows\System32\uxtheme.dll.new ~dbomfgw.tmp
File opened for modification C:\Windows\system32\uxtheme.dll.old ~dbomfgw.tmp
File created C:\Windows\System32\themeui.dll.new ~dbomfgw.tmp
File created C:\Windows\System32\themeui.dll.backup ~dbomfgw.tmp
File created C:\Windows\System32\themeservice.dll.new ~dbomfgw.tmp
-
Drops file in Program Files directory 1 IoCs
description ioc Process
File created C:\Program Files (x86)\UltraUXThemePatcher\Uninstall.exe ~dbomfgw.tmp
-
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2356 0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process
Token: SeBackupPrivilege 4000 vssvc.exe
Token: SeRestorePrivilege 4000 vssvc.exe
Token: SeAuditPrivilege 4000 vssvc.exe
Token: SeRestorePrivilege 2408 DrvInst.exe (7 identical entries)
Token: SeLoadDriverPrivilege 2408 DrvInst.exe (3 identical entries)
Token: SeTakeOwnershipPrivilege 3088 takeown.exe
Token: SeTakeOwnershipPrivilege 3248 takeown.exe
Token: SeTakeOwnershipPrivilege 3924 takeown.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process
2356 0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe (35 identical entries)
-
Suspicious use of SendNotifyMessage 35 IoCs
pid Process
2356 0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe (35 identical entries)
-
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 2356 wrote to memory of 1988 2356 0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe 28 (4 identical entries)
PID 1988 wrote to memory of 3088 1988 ~dbomfgw.tmp 33 (4 identical entries)
PID 1988 wrote to memory of 2600 1988 ~dbomfgw.tmp 35 (4 identical entries)
PID 1988 wrote to memory of 3248 1988 ~dbomfgw.tmp 37 (4 identical entries)
PID 1988 wrote to memory of 1956 1988 ~dbomfgw.tmp 39 (4 identical entries)
PID 1988 wrote to memory of 3924 1988 ~dbomfgw.tmp 41 (4 identical entries)
PID 1988 wrote to memory of 3656 1988 ~dbomfgw.tmp 43 (4 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ad61c4f369ef91a0a8afeaae1844032_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2356
  - C:\~dbomfgw.tmp
    Command line: C:\~dbomfgw.tmp /S
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1988
    - C:\Windows\system32\takeown.exe
      Command line: "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\uxtheme.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:3088
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" "C:\Windows\system32\uxtheme.dll" /grant Admin:f
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:2600
    - C:\Windows\system32\takeown.exe
      Command line: "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeui.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:3248
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeui.dll" /grant Admin:f
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:1956
    - C:\Windows\system32\takeown.exe
      Command line: "C:\Windows\system32\takeown.exe" /f "C:\Windows\system32\themeservice.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:3924
    - C:\Windows\system32\icacls.exe
      Command line: "C:\Windows\system32\icacls.exe" "C:\Windows\system32\themeservice.dll" /grant Admin:f
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:3656
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D4" "00000000000005AC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
Downloads