c799a2f9f3d554cc01e9c12fed8aec397ecd663da49a8fa9fc5602ca89f7a3e3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
Size

5.7MB
MD5

935a05dce4292f91c043c664d8bb7dc0
SHA1

f404f03b0799e02b10118607d6fc02f8b8a0827c
SHA256

c799a2f9f3d554cc01e9c12fed8aec397ecd663da49a8fa9fc5602ca89f7a3e3
SHA512

f3d68f3f4af70103bba3cc6de5f1f0021a2d4944451a4b8e60701a4b3182cbeeffa819cc943eeeedba5cffe13df0ab3fcc40517e43cd7d74026aa0f0f5bf80db
SSDEEP

98304:4BvbXfzWTApdgdhqazCdhFKPuZc2Jxa5n58nQM12nQIv1:cXIXqJhgPuZc2a5n50PMQ

Score

8^/10

discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Lace_wpf_x64.sys	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1632	slite.exe
1604	slite.exe

Loads dropped DLL 31 IoCs

pid	Process
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\iHyKoQZyme\nss\mozcrt19.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\nss3.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\softokn3.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\s.xml	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\out.txt	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\History	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\slite.exe	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\plc4.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\data.dt	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\History	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL\OtherSearch Inc CA 2.cer	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\smime3.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL\cert.db	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss.zip	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\nspr4.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\updengine.exe	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\certutil.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\History	slite.exe
File created	C:\Program Files (x86)\iHyKoQZyme\kl.dll	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\SSL\cert.db	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL\x.db	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL\xv.db	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\nss\plds4.dll	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\uninstall.exe	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme	rundll32.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\SSL\xtls.db	rundll32.exe
File created	C:\Program Files (x86)\iHyKoQZyme\output.txt	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\iHyKoQZyme\out.txt	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
File created	C:\Program Files (x86)\iHyKoQZyme\kl.ecf	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2360	sc.exe
2912	sc.exe
1956	sc.exe
2244	sc.exe
444	sc.exe
2364	sc.exe
2652	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1048	SchTasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EA027DC954E9FC8EB098CC52012640EA3DD5AB6C\Blob = 030000000100000014000000ea027dc954e9fc8eb098cc52012640ea3dd5ab6c20000000010000000c03000030820308308201f0a003020102021100d77bfa68f25bedc9922b8c655ccba671300d06092a864886f70d01010b0500302c310b300906035504061302454e311d301b06035504030c144f7468657253656172636820496e6320434120323020170d3034303630393032303333345a180f32303634303532353032303333345a302c310b300906035504061302454e311d301b06035504030c144f7468657253656172636820496e63204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b05000382010100378d9ff36ac41a286eec1e3e7544773c827e300dd5a8a82734fb8c51fe39f0e871b39ebaec14fa5ca8e0d590e185ae2568c72daf0812410a916043c9977fcbb243dbf270622c546ee2726cc9d625929e3d0eafdc43bc48fe834cc3c97d7d81c67ebcaa443357f5c0d4a205f2dc1c05017d6bbb3000b6d0f1fe1da851f52adb9679173269f5bbb3e13e9a5d197b505d8ed79a7be2211f11df3f4f260e1c3a8289db5ca8cbe8cf9dad51b46a738388de46b082c0f75f386b4e5f64a5424c08c3c288ce082f2be5fcedc5832d0d76bee051693499f98f1f80e476137e48dae4a85c4bf73d8fe3e897ac0416823796e50432949bb985f760c74161ed72b0d3e82123	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EA027DC954E9FC8EB098CC52012640EA3DD5AB6C	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
1012	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2652	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2652	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2652	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2652	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2360	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2360	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2360	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2360	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2476	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2476	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2476	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2476	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	32
PID 2476 wrote to memory of 856	2476	net.exe	34
PID 2476 wrote to memory of 856	2476	net.exe	34
PID 2476 wrote to memory of 856	2476	net.exe	34
PID 2476 wrote to memory of 856	2476	net.exe	34
PID 2068 wrote to memory of 2912	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	35
PID 2068 wrote to memory of 2912	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	35
PID 2068 wrote to memory of 2912	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	35
PID 2068 wrote to memory of 2912	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	35
PID 2068 wrote to memory of 1956	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	37
PID 2068 wrote to memory of 1956	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	37
PID 2068 wrote to memory of 1956	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	37
PID 2068 wrote to memory of 1956	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	37
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 1012	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	39
PID 2068 wrote to memory of 2296	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2296	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2296	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2296	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	40
PID 2296 wrote to memory of 3040	2296	cmd.exe	42
PID 2296 wrote to memory of 3040	2296	cmd.exe	42
PID 2296 wrote to memory of 3040	2296	cmd.exe	42
PID 2296 wrote to memory of 3040	2296	cmd.exe	42
PID 2296 wrote to memory of 2264	2296	cmd.exe	43
PID 2296 wrote to memory of 2264	2296	cmd.exe	43
PID 2296 wrote to memory of 2264	2296	cmd.exe	43
PID 2296 wrote to memory of 2264	2296	cmd.exe	43
PID 2068 wrote to memory of 2244	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	45
PID 2068 wrote to memory of 2244	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	45
PID 2068 wrote to memory of 2244	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	45
PID 2068 wrote to memory of 2244	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	45
PID 2068 wrote to memory of 1048	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	47
PID 2068 wrote to memory of 1048	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	47
PID 2068 wrote to memory of 1048	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	47
PID 2068 wrote to memory of 1048	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	47
PID 2068 wrote to memory of 2648	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	49
PID 2068 wrote to memory of 2648	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	49
PID 2068 wrote to memory of 2648	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	49
PID 2068 wrote to memory of 2648	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	49
PID 2648 wrote to memory of 1696	2648	cmd.exe	51
PID 2648 wrote to memory of 1696	2648	cmd.exe	51
PID 2648 wrote to memory of 1696	2648	cmd.exe	51
PID 2648 wrote to memory of 1696	2648	cmd.exe	51
PID 2648 wrote to memory of 956	2648	cmd.exe	52
PID 2648 wrote to memory of 956	2648	cmd.exe	52
PID 2648 wrote to memory of 956	2648	cmd.exe	52
PID 2648 wrote to memory of 956	2648	cmd.exe	52
PID 2068 wrote to memory of 444	2068	935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe	53

C:\Users\Admin\AppData\Local\Temp\935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\935a05dce4292f91c043c664d8bb7dc0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\sc.exe
  sc.exe query
  2⤵
  - Launches sc.exe
  PID:2652
- C:\Windows\SysWOW64\sc.exe
  sc stop OtherSearch
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\SysWOW64\net.exe
  net stop Lace514
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Lace514
    3⤵
    PID:856
- C:\Windows\SysWOW64\sc.exe
  sc create Lace514 binpath= %SystemRoot%\System32\drivers\Lace_wpf_x64.sys DisplayName= Lace514 type= kernel start= system group= PNP_TDI
  2⤵
  - Launches sc.exe
  PID:2912
- C:\Windows\SysWOW64\sc.exe
  sc start Lace514
  2⤵
  - Launches sc.exe
  PID:1956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\iHyKoQZyme\kl.dll" Install
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "updengine.exe" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    schTasks.exe /QUERY /FO TABLE /V
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\find.exe
    find "updengine.exe"
    3⤵
    PID:2264
- C:\Windows\SysWOW64\sc.exe
  sc start OtherSearch
  2⤵
  - Launches sc.exe
  PID:2244
- C:\Windows\SysWOW64\SchTasks.exe
  "SchTasks.exe" /CREATE /TN "jqsW9jsrIy" /XML "C:\Program Files (x86)\iHyKoQZyme\s.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "C:\Program Files (x86)\iHyKoQZyme" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\schtasks.exe
    schTasks.exe /QUERY /FO TABLE /V
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\find.exe
    find "C:\Program Files (x86)\iHyKoQZyme"
    3⤵
    PID:956
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" failure OtherSearch reset= 60 actions= restart/30000/restart/30000/restart/30000
  2⤵
  - Launches sc.exe
  PID:444
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" failure Lace514 reset= 60 actions= restart/30000/restart/30000/restart/30000
  2⤵
  - Launches sc.exe
  PID:2364
- C:\Program Files (x86)\iHyKoQZyme\slite.exe
  slite.exe "C:\Program Files (x86)\iHyKoQZyme\History" "select url,datetime(last_visit_time/1000000-11644473600,'unixepoch','localtime') from urls order by id DESC limit 0,3"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1632
- C:\Program Files (x86)\iHyKoQZyme\slite.exe
  slite.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.Admin\places.sqlite" "select url,datetime(last_visit_date/1000000, 'unixepoch','utc') from moz_places order by id DESC limit 0,3"
  2⤵
  - Executes dropped EXE
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\iHyKoQZyme\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Program Files (x86)\iHyKoQZyme\data.dt

Filesize
3.4MB

MD5
e2db7c4e21c8c39e3827f51da90380ad

SHA1
e76428df6769ddf47c5a9ce24b47a7b00bfb3cad

SHA256
6058e17cab136c4ed4a51a8861ab9ff6346c6389e34ff8fe1ddca1dc79a9ad0c

SHA512
8884791336349941479783c4c69cc6378d4bba339b7cb08ff07822111d03d127b8e4809d3fa11efaeb895038506c2b7360212f2acc217322127794aa3c0d6fe6

Download Submit
C:\Program Files (x86)\iHyKoQZyme\kl.dll

Filesize
570KB

MD5
0d110b9eaf5aa0f84a6d657f65af71a7

SHA1
59b963296a99f7b515faed670fe5f0f2a04d5a2e

SHA256
09dc8afa0c700ce2aaa31543c78e1b02014090f32f9d7243d73dec94c60118a6

SHA512
5d6fcf119589a09dca3424ff5e4156d2d23d4b5f10aaac91b7a542ac4a0ff10ff725b4538fddc719ea760e8251dc0b4fbc49721d5966e44f297cef89682383fb

Download Submit
C:\Program Files (x86)\iHyKoQZyme\kl.ecf

Filesize
5KB

MD5
099b429a9476fab7b31687a5ea26d97b

SHA1
0eb2ec1cf2224536e12925c63ff3b9b399665837

SHA256
b79ae8bb28925f49e72c21205eb60c375a563ca5935d539a3326a8e8df3aabd0

SHA512
0ae92eb6a4451629587a91f4b26104aa68875235a59c7d08a55a061d3a071b22f66a2a6de97d750c766a390ccf2275fcaf272c751e87b1ed5e13cd136f4d6367

Download Submit
C:\Program Files (x86)\iHyKoQZyme\s.xml

Filesize
771B

MD5
16f39c43ad96b7727373e2c3880da42b

SHA1
b368e15bafd82a4322211fd686bf6a30f2151fa0

SHA256
fa3d01fff295c210ffdec1ad062d620f9545118676b80e928ee9b9ae4583056b

SHA512
679fea7472db3b2c8795e8bfaebf3aed26fa8d1552b56716da174a44586b246355d9b4e2c5f02b66b04c34d0d84c6322532a028c4871804213728c5967c67150

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\GetVersion.dll

Filesize
10KB

MD5
d1c6553f6072c5b470db592dc70bd76c

SHA1
de3879252aecf835267e98395eef07680a3f8f49

SHA256
2f0f2eee13f48f392ef52ef13f3dcc3265d903f9b748981caa0a43c9c8457f33

SHA512
9a778309a2f15d60d35d9a91fc379ff7710576de99b72a7a4bd757760b5084d76a143484c87e41125a74497ac24d1df2cb552f39a8ba33bcff39cdfa8bdd5afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20AC.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Program Files (x86)\iHyKoQZyme\slite.exe

Filesize
454KB

MD5
8d03b10f0dced524a88a3ff4b370f50d

SHA1
b6a221e3502c7f2e1d2a19f2142ce028a1fd21d5

SHA256
f7b2783b68e6b991eedab07f6b2bff0e6594e19ad470edaa89618bc9ed367b3c

SHA512
6bb291d3f2fe004b71526858b3d15d7c0997a786c9793a83e99279a04e34c59bdaccf9be7847d6fdcfff7c26060bad08922cd0b4c4e178ddc1468e15a673dd20

Download Submit
memory/1012-129-0x0000000010000000-0x000000001036A000-memory.dmp

Filesize
3.4MB

Download
memory/1012-132-0x0000000010000000-0x000000001036A000-memory.dmp

Filesize
3.4MB

Download
memory/1012-110-0x0000000010000000-0x000000001036A000-memory.dmp

Filesize
3.4MB

Download
memory/1604-218-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1632-206-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2068-0-0x0000000000A00000-0x0000000000A42000-memory.dmp

Filesize
264KB

Download
memory/2068-254-0x0000000000A00000-0x0000000000A42000-memory.dmp

Filesize
264KB

Download