Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 13:26

Static task: static1

Behavioral task: behavioral1
- Sample: 12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll
- Resource: win10v2004-20240419-en

General
- Target: 12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 12eeb15b25510e632e27a0aab98e4ec4
- SHA1: 05e03714369de5050f75bd8fab609f15197743f2
- SHA256: 5f6d6a6548884d0efc29d1019600fabe79dceebdd1eb6f43cd6c6f825c299114
- SHA512: 2fa8dc20f661f90ed8fe52a9fc6383826c93c44791a6aa2aea9abb0815d8b6727faf5ae0f15075ccb78f1682f732b5fbe35a4cefc033a0c5c389b96c5f12c673
- SSDEEP: 49152:CnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAC:uDqPoBhz1aRxcSUDk36SAz
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | mssecsvc.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" | mssecsvc.exe
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3289) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe
  pid | process
  1348 | mssecsvc.exe
  2716 | mssecsvc.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2456 | 1348 | WerFault.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe
  pid | process
  1348 | mssecsvc.exe
  1348 | mssecsvc.exe
  2716 | mssecsvc.exe
  2716 | mssecsvc.exe
- Suspicious behavior: MapViewOfSection (64 IoCs)
  Processes: mssecsvc.exe
  pid | process
  1348 | mssecsvc.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1348 | mssecsvc.exe
  Token: SeDebugPrivilege | 2716 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
  Identical rows are collapsed; the count column gives the number of times each row appears in the report.
  description | pid | process | target process | count
  PID 2108 wrote to memory of 1244 | 2108 | rundll32.exe | rundll32.exe | 3
  PID 1244 wrote to memory of 1348 | 1244 | rundll32.exe | mssecsvc.exe | 3
  PID 1348 wrote to memory of 612 | 1348 | mssecsvc.exe | winlogon.exe | 6
  PID 1348 wrote to memory of 672 | 1348 | mssecsvc.exe | lsass.exe | 6
  PID 1348 wrote to memory of 788 | 1348 | mssecsvc.exe | svchost.exe | 6
  PID 1348 wrote to memory of 796 | 1348 | mssecsvc.exe | fontdrvhost.exe | 6
  PID 1348 wrote to memory of 804 | 1348 | mssecsvc.exe | fontdrvhost.exe | 6
  PID 1348 wrote to memory of 912 | 1348 | mssecsvc.exe | svchost.exe | 6
  PID 1348 wrote to memory of 964 | 1348 | mssecsvc.exe | svchost.exe | 6
  PID 1348 wrote to memory of 64 | 1348 | mssecsvc.exe | dwm.exe | 6
  PID 1348 wrote to memory of 696 | 1348 | mssecsvc.exe | svchost.exe | 6
  PID 1348 wrote to memory of 1020 | 1348 | mssecsvc.exe | svchost.exe | 4
Processes
Each entry gives the command line, the image path where the command line does not already contain it, and the PID; nesting shows the parent/child relationship, and signature hits are listed under the entry that triggered them.
- winlogon.exe (image: C:\Windows\system32\winlogon.exe, PID 612)
  - "fontdrvhost.exe" (image: C:\Windows\system32\fontdrvhost.exe, PID 796)
  - "dwm.exe" (image: C:\Windows\system32\dwm.exe, PID 64)
- C:\Windows\system32\lsass.exe (PID 672)
- C:\Windows\system32\svchost.exe -k DcomLaunch -p (PID 788)
  - C:\Windows\system32\wbem\unsecapp.exe -Embedding (PID 2032)
  - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 3716)
  - "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (PID 3808)
  - C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 3876)
  - "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca (PID 3960)
  - C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4092)
  - C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4496)
  - C:\Windows\system32\SppExtComObj.exe -Embedding (PID 5112)
  - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 4868)
  - "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca (PID 1704)
  - "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca (PID 4344)
  - "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca (PID 3064)
  - C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 4520)
  - C:\Windows\System32\RuntimeBroker.exe -Embedding (PID 3884)
- "fontdrvhost.exe" (image: C:\Windows\system32\fontdrvhost.exe, PID 804)
- C:\Windows\system32\svchost.exe -k RPCSS -p (PID 912)
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM (PID 964)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc (PID 696)
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p (PID 1020)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts (PID 1064)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService (PID 1124)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc (PID 1132)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog (PID 1148)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule (PID 1160)
  - taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (image: C:\Windows\system32\taskhostw.exe, PID 2736)
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc (PID 1284)
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi (PID 1316)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc (PID 1332)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp (PID 1432)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager (PID 1480)
  - sihost.exe (image: C:\Windows\system32\sihost.exe, PID 2960)
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem (PID 1576)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes (PID 1588)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc (PID 1632)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS (PID 1716)
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm (PID 1748)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder (PID 1756)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1836)
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache (PID 1880)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (PID 1888)
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection (PID 1988)
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository (PID 2016)
- C:\Windows\System32\spoolsv.exe (PID 1876)
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p (PID 2084)
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation (PID 2124)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt (PID 2192)
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc (PID 2300)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT (PID 2400)
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent (PID 2408)
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc (PID 2552)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer (PID 2568)
- C:\Windows\sysmon.exe (PID 2624)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks (PID 2648)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService (PID 2660)
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (PID 2948)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker (PID 1508)
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc (PID 3300)
- C:\Windows\Explorer.EXE (PID 3404)
  - rundll32.exe C:\Users\Admin\AppData\Local\Temp\12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll,#1 (image: C:\Windows\system32\rundll32.exe, PID 2108)
    Signatures: Suspicious use of WriteProcessMemory
    - rundll32.exe C:\Users\Admin\AppData\Local\Temp\12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll,#1 (image: C:\Windows\SysWOW64\rundll32.exe, PID 1244)
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe (PID 1348)
        Signatures: Modifies firewall policy service; Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1424 (PID 2456)
          Signatures: Program crash
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (PID 3520)
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager (PID 2272)
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc (PID 5020)
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc (PID 4900)
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV (PID 840)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc (PID 880)
- "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service (PID 2688)
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc (PID 812)
- C:\WINDOWS\mssecsvc.exe -m security (PID 2716)
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348 (PID 1120)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: bb8eae4ad5f9b559c23fb37c9bb464b6
  SHA1: f7b3600b9d14b33df314a6ed2bbd4d04ee9af711
  SHA256: 817bfc770d9cfa26df9e7cf15137c3f9cdd6a3937afa3662e48cb97a0455677e
  SHA512: 645b8b06cd18ad4117ac01dd95807fbed49455729735319f84638624a350d6f74c07775d707a6c5ebd2d51e1dbccc14d86235979f187aa255a79f38c21935e03
- memory/1348-4-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)
- memory/1348-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp (Filesize: 48KB)
- memory/1348-7-0x0000000077393000-0x0000000077394000-memory.dmp (Filesize: 4KB)
- memory/1348-6-0x0000000077392000-0x0000000077393000-memory.dmp (Filesize: 4KB)
- memory/1348-8-0x000000007FE40000-0x000000007FE4C000-memory.dmp (Filesize: 48KB)
- memory/1348-11-0x000000007FE30000-0x000000007FE3C000-memory.dmp (Filesize: 48KB)
- memory/1348-12-0x000000007FE30000-0x000000007FE3C000-memory.dmp (Filesize: 48KB)
- memory/1348-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp (Filesize: 48KB)
- memory/1348-16-0x000000007FE40000-0x000000007FE4C000-memory.dmp (Filesize: 48KB)
- memory/1348-18-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)
- memory/2716-10-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)