059ef3149d0f85af58acdcf8f40ba36a01a896242d88bf8de1683fcb2601e4e0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
Size

1.1MB
MD5

3db836ed96f78d4973f3a4378fd14ff3
SHA1

83ed2e829f3a144efc9155351c5bee95ac9806bb
SHA256

059ef3149d0f85af58acdcf8f40ba36a01a896242d88bf8de1683fcb2601e4e0
SHA512

a5cf923e4f8302778354e5b91ce267f00f32a7910995177031489c097bea10c237bd8d3d3a6ef175f3455be4fa013600ef3952f97a8a9b729cbd785771a84625
SSDEEP

24576:nbSaE4mvt/Z79+k6U2JLkIwZhlqoOl/HODurbrgL:nbSv4mvzZB6Ublq7/HOKrQL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2488	File.exe
2800	1431367319.exe

Loads dropped DLL 11 IoCs

pid	Process
2488	File.exe
2488	File.exe
2488	File.exe
2488	File.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe
684	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
684	2800	WerFault.exe	30

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000015ca6-66.dat	nsis_installer_1
behavioral1/files/0x0008000000015ca6-66.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2804	wmic.exe
Token: SeSecurityPrivilege	2804	wmic.exe
Token: SeTakeOwnershipPrivilege	2804	wmic.exe
Token: SeLoadDriverPrivilege	2804	wmic.exe
Token: SeSystemProfilePrivilege	2804	wmic.exe
Token: SeSystemtimePrivilege	2804	wmic.exe
Token: SeProfSingleProcessPrivilege	2804	wmic.exe
Token: SeIncBasePriorityPrivilege	2804	wmic.exe
Token: SeCreatePagefilePrivilege	2804	wmic.exe
Token: SeBackupPrivilege	2804	wmic.exe
Token: SeRestorePrivilege	2804	wmic.exe
Token: SeShutdownPrivilege	2804	wmic.exe
Token: SeDebugPrivilege	2804	wmic.exe
Token: SeSystemEnvironmentPrivilege	2804	wmic.exe
Token: SeRemoteShutdownPrivilege	2804	wmic.exe
Token: SeUndockPrivilege	2804	wmic.exe
Token: SeManageVolumePrivilege	2804	wmic.exe
Token: 33	2804	wmic.exe
Token: 34	2804	wmic.exe
Token: 35	2804	wmic.exe
Token: SeIncreaseQuotaPrivilege	2236	wmic.exe
Token: SeSecurityPrivilege	2236	wmic.exe
Token: SeTakeOwnershipPrivilege	2236	wmic.exe
Token: SeLoadDriverPrivilege	2236	wmic.exe
Token: SeSystemProfilePrivilege	2236	wmic.exe
Token: SeSystemtimePrivilege	2236	wmic.exe
Token: SeProfSingleProcessPrivilege	2236	wmic.exe
Token: SeIncBasePriorityPrivilege	2236	wmic.exe
Token: SeCreatePagefilePrivilege	2236	wmic.exe
Token: SeBackupPrivilege	2236	wmic.exe
Token: SeRestorePrivilege	2236	wmic.exe
Token: SeShutdownPrivilege	2236	wmic.exe
Token: SeDebugPrivilege	2236	wmic.exe
Token: SeSystemEnvironmentPrivilege	2236	wmic.exe
Token: SeRemoteShutdownPrivilege	2236	wmic.exe
Token: SeUndockPrivilege	2236	wmic.exe
Token: SeManageVolumePrivilege	2236	wmic.exe
Token: 33	2236	wmic.exe
Token: 34	2236	wmic.exe
Token: 35	2236	wmic.exe
Token: SeIncreaseQuotaPrivilege	1984	wmic.exe
Token: SeSecurityPrivilege	1984	wmic.exe
Token: SeTakeOwnershipPrivilege	1984	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2488	3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2488	3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2488	3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2488	3016	3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2800	2488	File.exe	30
PID 2488 wrote to memory of 2800	2488	File.exe	30
PID 2488 wrote to memory of 2800	2488	File.exe	30
PID 2488 wrote to memory of 2800	2488	File.exe	30
PID 2800 wrote to memory of 2804	2800	1431367319.exe	31
PID 2800 wrote to memory of 2804	2800	1431367319.exe	31
PID 2800 wrote to memory of 2804	2800	1431367319.exe	31
PID 2800 wrote to memory of 2804	2800	1431367319.exe	31
PID 2800 wrote to memory of 2236	2800	1431367319.exe	34
PID 2800 wrote to memory of 2236	2800	1431367319.exe	34
PID 2800 wrote to memory of 2236	2800	1431367319.exe	34
PID 2800 wrote to memory of 2236	2800	1431367319.exe	34
PID 2800 wrote to memory of 1984	2800	1431367319.exe	36
PID 2800 wrote to memory of 1984	2800	1431367319.exe	36
PID 2800 wrote to memory of 1984	2800	1431367319.exe	36
PID 2800 wrote to memory of 1984	2800	1431367319.exe	36
PID 2800 wrote to memory of 2660	2800	1431367319.exe	38
PID 2800 wrote to memory of 2660	2800	1431367319.exe	38
PID 2800 wrote to memory of 2660	2800	1431367319.exe	38
PID 2800 wrote to memory of 2660	2800	1431367319.exe	38
PID 2800 wrote to memory of 1252	2800	1431367319.exe	40
PID 2800 wrote to memory of 1252	2800	1431367319.exe	40
PID 2800 wrote to memory of 1252	2800	1431367319.exe	40
PID 2800 wrote to memory of 1252	2800	1431367319.exe	40
PID 2800 wrote to memory of 684	2800	1431367319.exe	42
PID 2800 wrote to memory of 684	2800	1431367319.exe	42
PID 2800 wrote to memory of 684	2800	1431367319.exe	42
PID 2800 wrote to memory of 684	2800	1431367319.exe	42

C:\Users\Admin\AppData\Local\Temp\3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3db836ed96f78d4973f3a4378fd14ff3_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\1431367319.exe
    C:\Users\Admin\AppData\Local\Temp\1431367319.exe 9)1)8)6)1)5)6)1)0)5)5 Jk9BPjwvMjUzGypKVDpKSD83LyAqSTxTT0lRRkNDPSwbJkNBTVNEPjw2MDEwHyc9SD83LyAqS0lOPE9CT1lIRDgxKDQxGi5OP1FWQE1WVEpGPGNuc3A1KiZyanAtPz9SSyhPRk8lO09LKEhOQUoXLjtGSD5FSEQ4GyZDKTcsLBouRC04JDAYKUMuNywxGyo7MzUnMBspQzU4KCgfJ0pRSj5UQ09aR1FBUEA+UzwgKktJTjxPQk9ZRFVHPDQfJ0pRSj5UQ09aRUBFPzw8bGNhaFxvLUNfeGdpZmdgbSUzJi0tNChFdWdnFy49UkRaT1FMOBsmRFA/Xj5HQ0xESTw8GClHSk1TXz1NRlZLP1E4LB8vT0M4TUNTTlBZVFJHOBcuTkc8LRouRE4sNB8nTFRJTkhNQFpOREQ9Tkg/SE08QjxUSkY8GylIU1pNTE1MQ0xAN3NycGAXLko/U1BMTUlJQlZUSz9RWj5AWU44KR8nQkg/P1c9LBsmSEtZQ1RIQE1EPlZERj1RVEpTRT84XWBkbWQbKUNPUklDTjk+XkRKPDMsKSk0JisyNCgwMi8bJlNBR0Q4KzMzLC4uLy4rNhspQ09SSUNOOT5eT0NMRTgwJjApKTErKzQqMTUsNTIvNiVKTCAqUDg8RWl5ZGZrYSAtXTQmKiojUWhuX2puciNIUyYwLTMgLlkqT0lWMS4oKzxrZ2tdUWRdRWh0IC1dNCsxLS4wKihGQ0tMRB8xXiVraWZgIkZdXWpqIypDY21mbF0fMWEtNS4rKSg4MC8tLCw0K05cXWBqYyQtYDQzMikqNRgpVE1GPGhvb2ckK1skLWAkMmFiXHNqKC8sKjV0YF5fLWFoZWofMWZNcGVTYWdkP2l2bmdqWGNFW21cYWRyWl9cb2RpeCAsZTEvLigyLyo1LCwkMmEsKzIpLTYrMDAyIC1dMCwtMC4xLzYsLRwyXjMzMS8zOS0yJzEsUmxBb0xEQC1ZaVEqTWVDcElnLytMYXEvSGNZcUpOJ3NEdFBkVFNzbEVkSSlUVSxoWUY0Z08xUmZOdStvWUFvZldPMnJNQVUzXEJRaVFRQXBEU0lpSHB2KURURXBZMmJfUUZCbVgtalhhUTMrT09maFJnMGZfPk1HUC1RalRsVmJVT0BpRXhqbkpUUGdJRi1tYGREZlgtZ2dOS2VqXixrdUpOYg==
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81715657360.txt bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81715657360.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81715657360.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81715657360.txt bios get version
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81715657360.txt bios get version
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 368
      4⤵
      Loads dropped DLL
      Program crash
      PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\81715657360.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
581KB

MD5
3cd4d44d420f747cc484c84979c0b6e8

SHA1
0733c1e45d63a17d03a23bae6bda6a99728a0197

SHA256
1935cc5b6f2efbd3e9c0f4fa59ef2f0d6f4624dc88d29f022b3923441d89c830

SHA512
d1d0d379627cc5a0363c3b327c1854ebeb126385dcba1fcdc0b4ec1f8e7ef6afccc7ecbfae617e4eed82a6893bd8a7a0dd39d75e6af39612bec36a57ac0f00e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar24D6.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\1431367319.exe

Filesize
788KB

MD5
9127080ebba1d3ca64bd5bbacd179d80

SHA1
50c1e3c22d5ccb063d56c6d4a3c8ea43fb9b23a8

SHA256
c10ddbd43ea745d5e0a255db3c4eb441f03676d440239fc0ae5d89b1e9e89c66

SHA512
4e25a6f6cfee901f99c1b0724334e3915ede7950c495fd034b29232852e6ed9967cd446565d239257300be44cdeb32133e82a47d1b989053ec8c7f3fc5426cf0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2A4C.tmp\beasvwu.dll

Filesize
153KB

MD5
c8d0bb6d01ce9fd845bafa95d23b9815

SHA1
03216c5b333e06dd283c7b4b4e59f0d24574010e

SHA256
b356f45e360d75eac5ed02b3fc1dbbcd52ce89c622f35d9ab238c154888fda85

SHA512
c19501b059c9e523cb72afbe4545fa420450db45ff5502073a2a21f328a2101250ba11ce1c4e18caa6b39ac4be218a98b63903c98851133bced30f154e7d3155

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2A4C.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/3016-0-0x000007FEF59FE000-0x000007FEF59FF000-memory.dmp

Filesize
4KB

Download
memory/3016-8-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/3016-61-0x000000001AEF0000-0x000000001AF68000-memory.dmp

Filesize
480KB

Download
memory/3016-109-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download