rms | 72b8ae8a48ac728a53bc503473d1ef244e830fbb7e20e451fb85999177c91754

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
Size

3.8MB
MD5

a79ab104e6460c53f606ed19adba0f8d
SHA1

6d43166366e7c0ca0be382222fb28e4b8eccc116
SHA256

72b8ae8a48ac728a53bc503473d1ef244e830fbb7e20e451fb85999177c91754
SHA512

e66cc91122441285205a4fb01698b1e0e6ccf83a6e78a0a9d56128036711bee3e298bf8e0f73ed421bff3ff906db45cbc6f8c086089d32f77aba292c7c773e09
SSDEEP

98304:/Ft/3rN7Yu/5hx4EU7Ddl4LP9gYsFCJVVZE8EorPdq3BF:nbN7Yg5cEUfdGzRsFCJzGHxRF

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	regedit.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3668	netsh.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4036	attrib.exe
3236	attrib.exe
4484	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000235f1-45.dat	acprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 8 IoCs

pid	Process
2684	Rar.exe
2020	lnlvbpt.exe
392	lnlvbpt.exe
2600	lnlvbpt.exe
2432	lnlvbpt.exe
5088	edylafnzjw.exe
4944	edylafnzjw.exe
1028	edylafnzjw.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235f3-39.dat	upx
behavioral2/files/0x00070000000235f4-42.dat	upx
behavioral2/files/0x00070000000235f1-45.dat	upx
behavioral2/memory/2020-55-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/2020-56-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/392-58-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/5088-66-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/2600-67-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/1028-72-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/1028-73-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/5088-75-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/4944-76-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/2432-74-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/4944-79-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/2432-81-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/4944-83-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/2432-84-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/4944-87-0x0000000000400000-0x00000000009B6000-memory.dmp	upx
behavioral2/memory/2432-88-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/2432-94-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/2432-98-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/4944-100-0x0000000000400000-0x00000000009B6000-memory.dmp	upx

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
412	sc.exe
2552	sc.exe
4952	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2936	timeout.exe
1428	timeout.exe
4180	timeout.exe
4064	timeout.exe
4016	timeout.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
916	taskkill.exe
4592	taskkill.exe
224	taskkill.exe
2316	taskkill.exe
3736	taskkill.exe
4448	taskkill.exe
2968	taskkill.exe
2856	taskkill.exe
4936	taskkill.exe
4248	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3500	regedit.exe
4084	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2020	lnlvbpt.exe
2020	lnlvbpt.exe
2020	lnlvbpt.exe
2020	lnlvbpt.exe
2020	lnlvbpt.exe
2020	lnlvbpt.exe
392	lnlvbpt.exe
392	lnlvbpt.exe
2600	lnlvbpt.exe
2600	lnlvbpt.exe
2432	lnlvbpt.exe
2432	lnlvbpt.exe
2432	lnlvbpt.exe
2432	lnlvbpt.exe
2432	lnlvbpt.exe
2432	lnlvbpt.exe
5088	edylafnzjw.exe
5088	edylafnzjw.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1028	edylafnzjw.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	2020	lnlvbpt.exe
Token: SeDebugPrivilege	2600	lnlvbpt.exe
Token: SeTakeOwnershipPrivilege	2432	lnlvbpt.exe
Token: SeTcbPrivilege	2432	lnlvbpt.exe
Token: SeTcbPrivilege	2432	lnlvbpt.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2020	lnlvbpt.exe
392	lnlvbpt.exe
2600	lnlvbpt.exe
2432	lnlvbpt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2464	2440	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	91
PID 2440 wrote to memory of 2464	2440	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	91
PID 2440 wrote to memory of 2464	2440	a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe	91
PID 2464 wrote to memory of 896	2464	WScript.exe	92
PID 2464 wrote to memory of 896	2464	WScript.exe	92
PID 2464 wrote to memory of 896	2464	WScript.exe	92
PID 896 wrote to memory of 2684	896	cmd.exe	95
PID 896 wrote to memory of 2684	896	cmd.exe	95
PID 896 wrote to memory of 2684	896	cmd.exe	95
PID 896 wrote to memory of 2936	896	cmd.exe	96
PID 896 wrote to memory of 2936	896	cmd.exe	96
PID 896 wrote to memory of 2936	896	cmd.exe	96
PID 896 wrote to memory of 5048	896	cmd.exe	101
PID 896 wrote to memory of 5048	896	cmd.exe	101
PID 896 wrote to memory of 5048	896	cmd.exe	101
PID 896 wrote to memory of 1428	896	cmd.exe	102
PID 896 wrote to memory of 1428	896	cmd.exe	102
PID 896 wrote to memory of 1428	896	cmd.exe	102
PID 5048 wrote to memory of 1988	5048	WScript.exe	103
PID 5048 wrote to memory of 1988	5048	WScript.exe	103
PID 5048 wrote to memory of 1988	5048	WScript.exe	103
PID 1988 wrote to memory of 3668	1988	cmd.exe	105
PID 1988 wrote to memory of 3668	1988	cmd.exe	105
PID 1988 wrote to memory of 3668	1988	cmd.exe	105
PID 1988 wrote to memory of 2968	1988	cmd.exe	106
PID 1988 wrote to memory of 2968	1988	cmd.exe	106
PID 1988 wrote to memory of 2968	1988	cmd.exe	106
PID 1988 wrote to memory of 224	1988	cmd.exe	108
PID 1988 wrote to memory of 224	1988	cmd.exe	108
PID 1988 wrote to memory of 224	1988	cmd.exe	108
PID 1988 wrote to memory of 2856	1988	cmd.exe	109
PID 1988 wrote to memory of 2856	1988	cmd.exe	109
PID 1988 wrote to memory of 2856	1988	cmd.exe	109
PID 1988 wrote to memory of 4936	1988	cmd.exe	110
PID 1988 wrote to memory of 4936	1988	cmd.exe	110
PID 1988 wrote to memory of 4936	1988	cmd.exe	110
PID 1988 wrote to memory of 2316	1988	cmd.exe	111
PID 1988 wrote to memory of 2316	1988	cmd.exe	111
PID 1988 wrote to memory of 2316	1988	cmd.exe	111
PID 1988 wrote to memory of 3736	1988	cmd.exe	112
PID 1988 wrote to memory of 3736	1988	cmd.exe	112
PID 1988 wrote to memory of 3736	1988	cmd.exe	112
PID 1988 wrote to memory of 4448	1988	cmd.exe	113
PID 1988 wrote to memory of 4448	1988	cmd.exe	113
PID 1988 wrote to memory of 4448	1988	cmd.exe	113
PID 1988 wrote to memory of 916	1988	cmd.exe	114
PID 1988 wrote to memory of 916	1988	cmd.exe	114
PID 1988 wrote to memory of 916	1988	cmd.exe	114
PID 1988 wrote to memory of 2248	1988	cmd.exe	115
PID 1988 wrote to memory of 2248	1988	cmd.exe	115
PID 1988 wrote to memory of 2248	1988	cmd.exe	115
PID 896 wrote to memory of 2208	896	cmd.exe	116
PID 896 wrote to memory of 2208	896	cmd.exe	116
PID 896 wrote to memory of 2208	896	cmd.exe	116
PID 2248 wrote to memory of 4264	2248	net.exe	117
PID 2248 wrote to memory of 4264	2248	net.exe	117
PID 2248 wrote to memory of 4264	2248	net.exe	117
PID 1988 wrote to memory of 820	1988	cmd.exe	118
PID 1988 wrote to memory of 820	1988	cmd.exe	118
PID 1988 wrote to memory of 820	1988	cmd.exe	118
PID 1988 wrote to memory of 3436	1988	cmd.exe	119
PID 1988 wrote to memory of 3436	1988	cmd.exe	119
PID 1988 wrote to memory of 3436	1988	cmd.exe	119
PID 2208 wrote to memory of 2332	2208	WScript.exe	120

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4036	attrib.exe
3236	attrib.exe
4484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a79ab104e6460c53f606ed19adba0f8d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Log\run.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Log\pause.bat" "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Log\Rar.exe
      "Rar.exe" e -p74449175 db.rar
      4⤵
      Executes dropped EXE
      PID:2684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:2936
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Log\install.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        
        PID:3668
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im systemc.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im drivemanag.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im dumprep.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winlogs.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im lnlvbpt.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im edylafnzjw.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
      - C:\Windows\SysWOW64\net.exe
        
        net stop RManService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RManService
        7⤵
        
        PID:4264
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:820
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\DEVICEMAP" /f
        6⤵
        
        PID:3436
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System" /f
        6⤵
        
        PID:4956
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        6⤵
        Modifies firewall policy service
        UAC bypass
        Runs .reg file with regedit
        
        PID:3500
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:4180
      - C:\Folder58\lnlvbpt.exe
        
        lnlvbpt.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2020
      - C:\Folder58\lnlvbpt.exe
        
        lnlvbpt.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:392
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s regedit.reg
        6⤵
        Modifies firewall policy service
        UAC bypass
        Runs .reg file with regedit
        
        PID:4084
      - C:\Folder58\lnlvbpt.exe
        
        lnlvbpt.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2600
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:412
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:2552
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "RManService"
        6⤵
        Launches sc.exe
        
        PID:4952
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4016
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Folder58\*.*"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4036
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Folder58"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3236
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Log"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4484
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rar.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rar.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Log\del.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Log\del.bat" "
        5⤵
        
        PID:2332
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4608
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 15
        6⤵
        Delays execution with timeout.exe
        
        PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:4088

C:\Folder58\lnlvbpt.exe
C:\Folder58\lnlvbpt.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432
- C:\Folder58\edylafnzjw.exe
  C:\Folder58\edylafnzjw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- - C:\Folder58\edylafnzjw.exe
    C:\Folder58\edylafnzjw.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1028
- C:\Folder58\edylafnzjw.exe
  C:\Folder58\edylafnzjw.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Log\Rar.exe

Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\Log\db.rar

Filesize
3.4MB

MD5
e67c1e16896a5bf46db982ef0a964a5e

SHA1
06e6a756a34f13651139843965811782bf9eb4f2

SHA256
2830b03f610fd029775a39c852d62c65135b9d159a3404210fce61c47899289d

SHA512
559db3f04edb5f4f73354260400bbbe2e7dfccf2449da3dc6cd6f778787116514eedb93f3d98eee156376e9283a838f1386c74d87a1a91eae1667065aa317d14

Download Submit
C:\Log\del.bat

Filesize
103B

MD5
00a1287d2fee5eb67a15b9db4e5410f6

SHA1
52fe326b86c112a23e5a7ab1d5017f01042e55a4

SHA256
138ff861033ef88c1ac1b7d3c69e207cb160aa7d0b9773df6496c1efdc29aaa3

SHA512
e3ef7a8d0b36aeaa0c41d720680d948f31a7873b656984e065d4af3138e12d66095e6db7d38913abdf2468ac8b7fc254c66f51dae000aeb8dc7e91d0734980c0

Download Submit
C:\Log\del.vbs

Filesize
80B

MD5
2130b30813709d5150e4b13d50f9779e

SHA1
94dd1a873f2c9ceb990fce6027f6a18a175465f5

SHA256
d2b02b775b3f29dfa0508e9243f1ca85a1c8c86bc30ca7f4651b2ddcc6c7bea3

SHA512
a04983c5fd57f21b5b0680132e51a8d28b0ceb3b42fab2de301b4ca8f236f892709159b0f4eda4801f9f712febb468d87ae3b59e573de990d4e6f2e055b4d68e

Download Submit
C:\Log\edylafnzjw.exe

Filesize
1.3MB

MD5
a2b60a6296d0b1ef68e1a278ff325c48

SHA1
28c29abdac82d4d2f32d79d46290af6913df6b62

SHA256
193ccbcbcbcdf92525532daee0f99c029e67f5210ba85a858c64d8b6f9b263b7

SHA512
c4c0ffabdc23aeed68d3d39525b8d23c327694b9e994f408e10cf4f4a6dfc446e1a9abbfea90386f47d1c21d6760b93c87fed17ed78dd70b7e03b372b067dad3

Download Submit
C:\Log\install.bat

Filesize
1KB

MD5
1657ec254bd530d720feb95f733208f2

SHA1
06063279be64fa2c326776d655a013e74c3fdc2a

SHA256
9bbd15b2fe0f66e68ee7fc98056ee9a6e38a21b77e99e4a3980927c42e0b58f7

SHA512
161722a982846641648db7fcfffe62424948fcd8c9981c581d46502aeda2f12f48fbadde3f7f5cfa49b66a1136a6f083ac65c9cb333ed55aefdfccef654e0222

Download Submit
C:\Log\install.vbs

Filesize
91B

MD5
1f2c79274a03a035333b15ed68fee8e4

SHA1
2e87549734e5a9e48d4ef75fa9fb06e9cfda2a5b

SHA256
50ec14a13ee65068dc43b7d884fc4d6fa7baa0e5a6095a469ce658dd8d78452f

SHA512
8ddec880f4af6ac1a066c5fa4fc0f57a9c97f038a8098a8a073bfe06bd2353b0ba7dc106ab6eaba5f36e057acb54b023b2a56cfc37df5b04bf5263f12f92b750

Download Submit
C:\Log\lnlvbpt.exe

Filesize
1.5MB

MD5
e8bbb2b910f98b95d4636d4e6adb83a5

SHA1
42a2236e59349256ad69ff85203147da244a77fb

SHA256
89e2089c247364f0ee4f66effb08ed25f94d2cb4825185269cd089bb2298a4cf

SHA512
876c7250e132c5383ea793edb691067d2745d4b1db2d72215e8177d6176f4fec8376d3735893a02e0ff6bb25cb79ba2fd82f00264efc6ba44b23f7b4efcf37cd

Download Submit
C:\Log\pause.bat

Filesize
304B

MD5
58dcf7bf33288f8e6ecc0a6c6145e9df

SHA1
0adc27888d7781281082f701085bee10cdeb7d31

SHA256
a80a58f075bd1868e481766e159584d4d8033c06558e39bbd93b089ce3661b86

SHA512
70ff386708564aad7b54f503e510d737d110c6ec6e7ef64599238efafa02073ed436851cf23c642952d3a8b311ca47332c8409fb8face5aea2f9f3f9c4334c9b

Download Submit
C:\Log\regedit.reg

Filesize
12KB

MD5
c3d8b8e22bfd840ad896ec9783198193

SHA1
f7cb4382f3581aae90e3ac731d76ef8423a4719d

SHA256
53aa65cb59b600d73373532923132eea30e773179eb85637fc874634d28c1657

SHA512
17bdba91ff68b5630ee8f6fd64dbf700ffbdae9d2be028ab02cfb7e768f2a3de0c0deecd26c8d3ee6414f5394f88e53d3a82234dbacbafff072e660f36310806

Download Submit
C:\Log\run.vbs

Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\Log\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/392-58-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/1028-72-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1028-73-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2020-55-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2020-56-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-74-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-98-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-94-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-88-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-84-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2432-81-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2600-67-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/4944-83-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4944-79-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4944-87-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4944-76-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4944-100-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5088-66-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5088-75-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download