Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 18:11
Static task: static1
Behavioral task: behavioral1
Sample: 18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi
Resource: win7-20240215-en
General
Target: 18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi
Size: 2.1MB
MD5: 18c5c1b72a7764010ddb0c29f6104eaf
SHA1: c0897b37b631fac818e31aac6fbd76cdbe24d131
SHA256: 73a921d79c629a62d12cb03c5474b59f2e47fba3cd134d9c297bf6caa9d29be8
SHA512: 635d3f9f13217147daa06938d84998acec57ee81203d4a69ef3eb2154dc1cb79b8696d59e0c585b8fa43d38c2d3aa1a7f2dd1fe2dbab60978c9bc0d9abeb52ed
SSDEEP: 49152:H5EVRAJdD1Z/cusQrWxE/J92+DA4sqOo7/z:ZEVRUdDb0+yEB5DKA
Malware Config
Signatures
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SynmatecProcessor.lnk | SynmatecProcessor.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/1836-135-0x0000000000E50000-0x0000000000E5A000-memory.dmp | agile_net
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1836 set thread context of 288 | 1836 | SynmatecProcessor.exe | 51
Drops file in Windows directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\f7631ea.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f7631e9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3276.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI764C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI75FC.tmp | msiexec.exe
File created | C:\Windows\Installer\f7631ea.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | expand.exe
File opened for modification | C:\Windows\Logs\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\f7631e9.msi | msiexec.exe
Executes dropped EXE 4 IoCs
pid | Process
2664 | IMSynTPHelper.exe
2164 | Synmatec.exe
1836 | SynmatecProcessor.exe
288 | SynmatecProcessor.exe
Loads dropped DLL 8 IoCs
pid | Process
2652 | MsiExec.exe
2652 | MsiExec.exe
2652 | MsiExec.exe
2652 | MsiExec.exe
2652 | MsiExec.exe
1264 | MsiExec.exe
1652 | cmd.exe
1836 | SynmatecProcessor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS 46 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2756 | msiexec.exe
2756 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2836 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2836 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeSecurityPrivilege | 2756 | msiexec.exe
Token: SeCreateTokenPrivilege | 2836 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2836 | msiexec.exe
Token: SeLockMemoryPrivilege | 2836 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2836 | msiexec.exe
Token: SeMachineAccountPrivilege | 2836 | msiexec.exe
Token: SeTcbPrivilege | 2836 | msiexec.exe
Token: SeSecurityPrivilege | 2836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2836 | msiexec.exe
Token: SeLoadDriverPrivilege | 2836 | msiexec.exe
Token: SeSystemProfilePrivilege | 2836 | msiexec.exe
Token: SeSystemtimePrivilege | 2836 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2836 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2836 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2836 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2836 | msiexec.exe
Token: SeBackupPrivilege | 2836 | msiexec.exe
Token: SeRestorePrivilege | 2836 | msiexec.exe
Token: SeShutdownPrivilege | 2836 | msiexec.exe
Token: SeDebugPrivilege | 2836 | msiexec.exe
Token: SeAuditPrivilege | 2836 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2836 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2836 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2836 | msiexec.exe
Token: SeUndockPrivilege | 2836 | msiexec.exe
Token: SeSyncAgentPrivilege | 2836 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2836 | msiexec.exe
Token: SeManageVolumePrivilege | 2836 | msiexec.exe
Token: SeImpersonatePrivilege | 2836 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2836 | msiexec.exe
Token: SeBackupPrivilege | 2436 | vssvc.exe
Token: SeRestorePrivilege | 2436 | vssvc.exe
Token: SeAuditPrivilege | 2436 | vssvc.exe
Token: SeBackupPrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2384 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2384 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2384 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2384 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeDebugPrivilege | 2664 | IMSynTPHelper.exe
Token: 33 | 2664 | IMSynTPHelper.exe
Token: SeIncBasePriorityPrivilege | 2664 | IMSynTPHelper.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Token: SeRestorePrivilege | 2756 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2756 | msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2836 | msiexec.exe
2836 | msiexec.exe
1216 | DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
288 | SynmatecProcessor.exe
Suspicious use of WriteProcessMemory 55 IoCs
description | pid | Process | procid_target
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2756 wrote to memory of 2652 | 2756 | msiexec.exe | 32
PID 2652 wrote to memory of 2744 | 2652 | MsiExec.exe | 33
PID 2652 wrote to memory of 2744 | 2652 | MsiExec.exe | 33
PID 2652 wrote to memory of 2744 | 2652 | MsiExec.exe | 33
PID 2652 wrote to memory of 2744 | 2652 | MsiExec.exe | 33
PID 2652 wrote to memory of 2664 | 2652 | MsiExec.exe | 35
PID 2652 wrote to memory of 2664 | 2652 | MsiExec.exe | 35
PID 2652 wrote to memory of 2664 | 2652 | MsiExec.exe | 35
PID 2652 wrote to memory of 2664 | 2652 | MsiExec.exe | 35
PID 2664 wrote to memory of 1572 | 2664 | IMSynTPHelper.exe | 36
PID 2664 wrote to memory of 1572 | 2664 | IMSynTPHelper.exe | 36
PID 2664 wrote to memory of 1572 | 2664 | IMSynTPHelper.exe | 36
PID 2664 wrote to memory of 1572 | 2664 | IMSynTPHelper.exe | 36
PID 1572 wrote to memory of 2164 | 1572 | cmd.exe | 38
PID 1572 wrote to memory of 2164 | 1572 | cmd.exe | 38
PID 1572 wrote to memory of 2164 | 1572 | cmd.exe | 38
PID 1572 wrote to memory of 2164 | 1572 | cmd.exe | 38
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2756 wrote to memory of 1264 | 2756 | msiexec.exe | 39
PID 2164 wrote to memory of 1436 | 2164 | Synmatec.exe | 40
PID 2164 wrote to memory of 1436 | 2164 | Synmatec.exe | 40
PID 2164 wrote to memory of 1436 | 2164 | Synmatec.exe | 40
PID 2164 wrote to memory of 1436 | 2164 | Synmatec.exe | 40
PID 2164 wrote to memory of 2124 | 2164 | Synmatec.exe | 46
PID 2164 wrote to memory of 2124 | 2164 | Synmatec.exe | 46
PID 2164 wrote to memory of 2124 | 2164 | Synmatec.exe | 46
PID 2164 wrote to memory of 2124 | 2164 | Synmatec.exe | 46
PID 2164 wrote to memory of 1652 | 2164 | Synmatec.exe | 48
PID 2164 wrote to memory of 1652 | 2164 | Synmatec.exe | 48
PID 2164 wrote to memory of 1652 | 2164 | Synmatec.exe | 48
PID 2164 wrote to memory of 1652 | 2164 | Synmatec.exe | 48
PID 1652 wrote to memory of 1836 | 1652 | cmd.exe | 50
PID 1652 wrote to memory of 1836 | 1652 | cmd.exe | 50
PID 1652 wrote to memory of 1836 | 1652 | cmd.exe | 50
PID 1652 wrote to memory of 1836 | 1652 | cmd.exe | 50
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
PID 1836 wrote to memory of 288 | 1836 | SynmatecProcessor.exe | 51
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 2836)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\18c5c1b72a7764010ddb0c29f6104eaf_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2756)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2652)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 24A0DD38AD8127D7A5C9B7A3B2337D96
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\expand.exe (PID 2744)
      Command line: "C:\Windows\System32\expand.exe" -R files.cab -F:* files
      - Drops file in Windows directory

    C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files\IMSynTPHelper.exe (PID 2664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-7e294171-ee62-405c-bd6f-f2865071ff0c\files\IMSynTPHelper.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1572)
        Command line: "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Synmatec.exe (PID 2164)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe (PID 1436)
            Command line: "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\Documents\b106484eb915e4ad6df697dc1442cbff-EDITED.jpg"

          C:\Windows\SysWOW64\cmd.exe (PID 2124)
            Command line: "C:\Windows\SysWOW64\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Synmatec.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"

          C:\Windows\SysWOW64\cmd.exe (PID 1652)
            Command line: "C:\Windows\SysWOW64\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe (PID 1836)
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
              - Drops startup file
              - Suspicious use of SetThreadContext
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe (PID 288)
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SynmatecProcessor.exe"
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

  C:\Windows\syswow64\MsiExec.exe (PID 1264)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 858EF8ADDB2017635F51DF434E29FC2E M Global\MSI0000
    - Loads dropped DLL

C:\Windows\system32\vssvc.exe (PID 2436)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 2384)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000005A8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe (PID 1216)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\wbem\WmiApSrv.exe (PID 1404)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: a9fb9b6b482719cbd7a086cb8091f35a
SHA1: d70c9e4b290df43a28f72f303fb3ee7dc6897400
SHA256: c2d7cab5b45230fb343f200e02427b4c75bbd22817d00f90537b7d242b610d37
SHA512: f9a680eefd943f2c7324df32b70b400065a968fb87e39092e29d994478a638c60fa4a683f7ddfcfbb6ad100e2e463e9a80f877bb14c938da4c15fa1ebdbd403f

Filesize: 1.9MB
MD5: 40706d9e08a34f0167faa803aad1d4a6
SHA1: b0a958964f6037bc9dbac43124332844902d4c32
SHA256: 42ecb43af4bf31dab0599ffdd1156a88347a00e9940b7a984a5533a6c1a5be57
SHA512: e3790550d7d77de24aad3e7f57c525b42069829d3e324e289bd66dc31d8d9365df44ba7e9a48750b648f215312dcf50356a513dfb5e7095c323c22c6eaee5ef7

Filesize: 488B
MD5: 17d069458615d485b300d2b3c6ca1ef9
SHA1: c894c4bf1dcdf83fd3e6098461fa1e3dfb150893
SHA256: 1caac545e7f6c4187635f31a8c860082c1ce68a982c90036f65ddef0faec469d
SHA512: 3d73b9bbda075f65c2682bb6e224d3b4f0ebdf61f139f9f93cb2e7345e1390d00d31477d63b5d3c3e8568bd07e9862e00ebe04c8a63420ac57ca38a30516e1d7

Filesize: 1.2MB
MD5: 5b9849e016ab5210cbc8e78a1fdd3671
SHA1: 560091b2bdf518dd892016722da62fa613d5e958
SHA256: 76a430452cf0bbb0e429675afd0bf1ff9bb9391f6d41dc293afd6ef06abb7c15
SHA512: 7975184dadbbb612cad14d01fa03d6ece12d28d9dbd1ba5ccc05b1c10f52b866693354d25c8b667c709ad345ac4a8715ec6e425702d0e3a73d606026bcaba659

Filesize: 32B
MD5: 5487dd5ec11b05c9f40df10892a2be77
SHA1: f280495646fbe745db0a59d4c4d9c4529a205321
SHA256: 9dbd45db8495aeb79115856938096941222a3860c642a9c42f0c0f186683909a
SHA512: d9128a6bb1534915cc2737d64145fb0e243a5cf709b03d3703570cd3fa6d5d703e02b056b371787288225a7225a3d8f16aee0831ad30e433c2d3110121101945

Filesize: 131KB
MD5: a06ba919e980d32e0ebe80ddfa099524
SHA1: 2a1c0cbec1cbf5774a6d00fc3a14d2ce979026d1
SHA256: b8074d53c56f7deb5832af3894ec20a21d1162252f177984807eb30fc1152fc8
SHA512: c8be0aa247baec6c2a7061086c0bbec166099de3dd0f40e50558fb1515dbe9324662ea7c80797208e4eb2f2243c96067702edf385602773e7b3ccc36896f1d13