63a12d00df51a39449cdd29f34ca128bad0d39852783b8ad1fbcfad23f74325d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
Size

6.0MB
MD5

5c595e6e7a518e6e59781233b9f0a0fa
SHA1

58f9482895a688ae3acff3e6f1f72351025dbafb
SHA256

63a12d00df51a39449cdd29f34ca128bad0d39852783b8ad1fbcfad23f74325d
SHA512

a17e18528d9083366c3b87e9b5fca2021d05fa1afad9a01859f5af325d5040ecebbf65cd8a1751153dbf8e90682addb789ebb9832c287c6db94a4513e623786d
SSDEEP

98304:Rj0roU/xc9qrYL0hQgQAAQQxDZU62y7MsUwzEIdbGMlUq72fCsVoDxXioQ6Q3P:Rj0roU/O9kC0CGDYUxIdp72fQX8

Score

8^/10

discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2908	rundll32.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Lace_wpf_x64.sys	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
456	slite.exe
2860	slite.exe

Loads dropped DLL 31 IoCs

pid	Process
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\yb8THXku76\kl.dll	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\softokn3.dll	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\SSL\cert.db	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL\x.db	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\nspr4.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\out.txt	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\updengine.exe	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\nss.zip	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\smime3.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL\xv.db	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\s.xml	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\History	slite.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\History	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\uninstall.exe	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\nss3.dll	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\out.txt	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\History	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\upd.dt	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\slite.exe	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL\cert.db	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\output.txt	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\data.dt	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\mozcrt19.dll	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\plc4.dll	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\plds4.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL\xtls.db	rundll32.exe
File opened for modification	C:\Program Files (x86)\yb8THXku76\SSL\OtherSearch Inc CA 2.cer	rundll32.exe
File created	C:\Program Files (x86)\yb8THXku76\kl.ecf	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
File created	C:\Program Files (x86)\yb8THXku76\nss\certutil.exe	rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3040	sc.exe
2808	sc.exe
2616	sc.exe
2624	sc.exe
2684	sc.exe
2972	sc.exe
1152	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1964	SchTasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\70D7E62D4D33EDD33E44AE7F4E263A1121295E9B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\70D7E62D4D33EDD33E44AE7F4E263A1121295E9B\Blob = 03000000010000001400000070d7e62d4d33edd33e44ae7f4e263a1121295e9b20000000010000000c03000030820308308201f0a003020102021100eb553e8911375577d3f8898c9794b407300d06092a864886f70d01010b0500302c310b300906035504061302454e311d301b06035504030c144f7468657253656172636820496e6320434120323020170d3034303532353030353332365a180f32303634303531303030353332365a302c310b300906035504061302454e311d301b06035504030c144f7468657253656172636820496e63204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b05000382010100945b3fff883599d285718e960133b6b72ca6e250ae86996d66b8ae4b6be31bfef6b4cdeba09a18fba55a7011146adda9ccd52439219f29b0f536c35833ede93d4a5859fb71d911232ed938512a6c0b2be42c76b0179fe431412336b3a4e92eb22541f8f877dd8825249658882fc9107895524b79415abc41953fe48e9d06af0e14e655fbbf67ed75b44d274bd81a971e749ba39eab6625785f8fedbc48be0f7ea08822f84c411f687214840e3525308084ffab36c971e74dbc99a96243a287b8cc1dfd02d3fe4abbe1fc5c71d9e34108ca9b6eac1a49a83de4dec5a2637729cf6448b99792999f8b908efb8b9f639e22c21491d8556f795bfe368d36d41339ac	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
2908	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
484	Process not Found
484	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2616	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2616	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2616	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2616	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	28
PID 1752 wrote to memory of 2624	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	30
PID 1752 wrote to memory of 2624	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	30
PID 1752 wrote to memory of 2624	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	30
PID 1752 wrote to memory of 2624	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	30
PID 1752 wrote to memory of 2240	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2240	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2240	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	32
PID 1752 wrote to memory of 2240	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	32
PID 2240 wrote to memory of 2948	2240	net.exe	34
PID 2240 wrote to memory of 2948	2240	net.exe	34
PID 2240 wrote to memory of 2948	2240	net.exe	34
PID 2240 wrote to memory of 2948	2240	net.exe	34
PID 1752 wrote to memory of 2684	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	35
PID 1752 wrote to memory of 2684	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	35
PID 1752 wrote to memory of 2684	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	35
PID 1752 wrote to memory of 2684	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	35
PID 1752 wrote to memory of 2972	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	37
PID 1752 wrote to memory of 2972	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	37
PID 1752 wrote to memory of 2972	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	37
PID 1752 wrote to memory of 2972	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	37
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2908	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	39
PID 1752 wrote to memory of 2560	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	40
PID 1752 wrote to memory of 2560	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	40
PID 1752 wrote to memory of 2560	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	40
PID 1752 wrote to memory of 2560	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	40
PID 2560 wrote to memory of 544	2560	cmd.exe	42
PID 2560 wrote to memory of 544	2560	cmd.exe	42
PID 2560 wrote to memory of 544	2560	cmd.exe	42
PID 2560 wrote to memory of 544	2560	cmd.exe	42
PID 2560 wrote to memory of 684	2560	cmd.exe	43
PID 2560 wrote to memory of 684	2560	cmd.exe	43
PID 2560 wrote to memory of 684	2560	cmd.exe	43
PID 2560 wrote to memory of 684	2560	cmd.exe	43
PID 1752 wrote to memory of 1152	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	44
PID 1752 wrote to memory of 1152	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	44
PID 1752 wrote to memory of 1152	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	44
PID 1752 wrote to memory of 1152	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	44
PID 1752 wrote to memory of 1964	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	46
PID 1752 wrote to memory of 1964	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	46
PID 1752 wrote to memory of 1964	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	46
PID 1752 wrote to memory of 1964	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	46
PID 1752 wrote to memory of 2324	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	49
PID 1752 wrote to memory of 2324	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	49
PID 1752 wrote to memory of 2324	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	49
PID 1752 wrote to memory of 2324	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	49
PID 2324 wrote to memory of 1156	2324	cmd.exe	51
PID 2324 wrote to memory of 1156	2324	cmd.exe	51
PID 2324 wrote to memory of 1156	2324	cmd.exe	51
PID 2324 wrote to memory of 1156	2324	cmd.exe	51
PID 2324 wrote to memory of 1444	2324	cmd.exe	52
PID 2324 wrote to memory of 1444	2324	cmd.exe	52
PID 2324 wrote to memory of 1444	2324	cmd.exe	52
PID 2324 wrote to memory of 1444	2324	cmd.exe	52
PID 1752 wrote to memory of 2808	1752	5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe	53

C:\Users\Admin\AppData\Local\Temp\5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\sc.exe
  sc.exe query
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\SysWOW64\sc.exe
  sc stop OtherSearch
  2⤵
  - Launches sc.exe
  PID:2624
- C:\Windows\SysWOW64\net.exe
  net stop Lace514
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Lace514
    3⤵
    PID:2948
- C:\Windows\SysWOW64\sc.exe
  sc create Lace514 binpath= %SystemRoot%\System32\drivers\Lace_wpf_x64.sys DisplayName= Lace514 type= kernel start= system group= PNP_TDI
  2⤵
  - Launches sc.exe
  PID:2684
- C:\Windows\SysWOW64\sc.exe
  sc start Lace514
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\yb8THXku76\kl.dll" Install
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "updengine.exe" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    schTasks.exe /QUERY /FO TABLE /V
    3⤵
    PID:544
- - C:\Windows\SysWOW64\find.exe
    find "updengine.exe"
    3⤵
    PID:684
- C:\Windows\SysWOW64\sc.exe
  sc start OtherSearch
  2⤵
  - Launches sc.exe
  PID:1152
- C:\Windows\SysWOW64\SchTasks.exe
  "SchTasks.exe" /CREATE /TN "uM7uzBM3hg" /XML "C:\Program Files (x86)\yb8THXku76\s.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "C:\Program Files (x86)\yb8THXku76" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    schTasks.exe /QUERY /FO TABLE /V
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\find.exe
    find "C:\Program Files (x86)\yb8THXku76"
    3⤵
    PID:1444
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" failure OtherSearch reset= 60 actions= restart/30000/restart/30000/restart/30000
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" failure Lace514 reset= 60 actions= restart/30000/restart/30000/restart/30000
  2⤵
  - Launches sc.exe
  PID:3040
- C:\Program Files (x86)\yb8THXku76\slite.exe
  slite.exe "C:\Program Files (x86)\yb8THXku76\History" "select url,datetime(last_visit_time/1000000-11644473600,'unixepoch','localtime') from urls order by id DESC limit 0,3"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:456
- C:\Program Files (x86)\yb8THXku76\slite.exe
  slite.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.Admin\places.sqlite" "select url,datetime(last_visit_date/1000000, 'unixepoch','utc') from moz_places order by id DESC limit 0,3"
  2⤵
  - Executes dropped EXE
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\yb8THXku76\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Program Files (x86)\yb8THXku76\data.dt

Filesize
3.5MB

MD5
edffdbed03c1314970b030126d1c9247

SHA1
0a39be3b057aa71c667281d22278599f65360eac

SHA256
a434dbb9abf4e94c4dbe804a617de4b54b8c14b2a6b676903cc78c1c9645fbb2

SHA512
6572c11af077df8581429248e2767a67fb5554e00bc0832195907b34e7bd3caa4c04f9d69b92f58f6483e9b0d845557e5646d6ad6ca5313d73d473f37784691a

Download Submit
C:\Program Files (x86)\yb8THXku76\kl.ecf

Filesize
12KB

MD5
2008c1db87cf4117da7441cdb1be471c

SHA1
e092db5743b83aaa27b0b12530a4308f07b69595

SHA256
5411d9cab12b600993beb8861e089eeddfc4667298179dee9c45580bb532098e

SHA512
66ed3a3686d7040f209a4803ee687d19a573290d6a819131fdb48248849f3706be8130d7df140d7643a214fea6e010208b0e2aacfad97c1a40cf30818c8ed770

Download Submit
C:\Program Files (x86)\yb8THXku76\s.xml

Filesize
771B

MD5
9cbd16becfd5dcb53a82342275ba1642

SHA1
4edbdaa600142b13e6f1c70445c47ad9b45b518a

SHA256
ecd94255597862183f8fdb10123dbed53ad287a770aa2b0497aee4bd77fa4a73

SHA512
1807b7f362c05d0229c5295ea4eb24f87713c4ac8b33858b791964162d8e5aab56dcbfb9572ec0a2163f8f794901e4594829d15e6b7f985e671be571fc323e29

Download Submit
C:\Program Files (x86)\yb8THXku76\slite.exe

Filesize
454KB

MD5
8d03b10f0dced524a88a3ff4b370f50d

SHA1
b6a221e3502c7f2e1d2a19f2142ce028a1fd21d5

SHA256
f7b2783b68e6b991eedab07f6b2bff0e6594e19ad470edaa89618bc9ed367b3c

SHA512
6bb291d3f2fe004b71526858b3d15d7c0997a786c9793a83e99279a04e34c59bdaccf9be7847d6fdcfff7c26060bad08922cd0b4c4e178ddc1468e15a673dd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2C12.tmp\GetVersion.dll

Filesize
10KB

MD5
d1c6553f6072c5b470db592dc70bd76c

SHA1
de3879252aecf835267e98395eef07680a3f8f49

SHA256
2f0f2eee13f48f392ef52ef13f3dcc3265d903f9b748981caa0a43c9c8457f33

SHA512
9a778309a2f15d60d35d9a91fc379ff7710576de99b72a7a4bd757760b5084d76a143484c87e41125a74497ac24d1df2cb552f39a8ba33bcff39cdfa8bdd5afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2C12.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Program Files (x86)\yb8THXku76\kl.dll

Filesize
601KB

MD5
595cfac71b17ff098577c8d806fe4a53

SHA1
6dafccb9f5ebe5be64c3971dd435eed7b69e30c3

SHA256
2e7d3050b4929ca2ff0abfea1b7fd3f8aa8f50683a1d299805a5bad647a227d1

SHA512
5f3151d85724b374418304c4e0ebe3cb2f6ba5bf3f9f6ce1ce2e891e7f35f2065576dabb1ff8880e16102cb0ecbd4dcf680b117698a45872b2241f8e303ae607

Download Submit
\Users\Admin\AppData\Local\Temp\nso2C12.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso2C12.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nso2C12.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
memory/456-165-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1752-0-0x0000000000A00000-0x0000000000A72000-memory.dmp

Filesize
456KB

Download
memory/1752-209-0x0000000000A00000-0x0000000000A72000-memory.dmp

Filesize
456KB

Download
memory/1752-210-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/1752-156-0x0000000000400000-0x0000000000A82000-memory.dmp

Filesize
6.5MB

Download
memory/2860-175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2908-109-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download
memory/2908-93-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download
memory/2908-106-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download
memory/2908-87-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download
memory/2908-92-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download
memory/2908-111-0x00000000029C0000-0x0000000002D4C000-memory.dmp

Filesize
3.5MB

Download