8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Size

184KB
MD5

0474165119c989c50e9508659a9f8363
SHA1

b43a1847cb7d780115573cc78555ccc17a23c780
SHA256

8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da
SHA512

7045c51b47935824714dbd31faffad8635a8bc35d49b6c0adef5a49f56ffbf82177c0204ae3a8b3c7328f2a15defcb3e1569efe0773004854df4cf704ae75c45
SSDEEP

3072:qzXbgj5jPFlRbOhIVa5IF49EFTcNH8Yf/BBEt6ymy+aeC7q:UXbwzFlRaOFw7NcYnBO6xt4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\svchosts.exe = "C:\\WINDOWS\\system32\\svchosts.exe:*:Enabled:svchosts.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\svchosts.exe = "C:\\WINDOWS\\system32\\svchosts.exe:*:Enabled:svchosts.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\svchosts.exe = "C:\\WINDOWS\\system32\\svchosts.exe:*:Enabled:svchosts.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\svchosts.exe = "C:\\WINDOWS\\system32\\svchosts.exe:*:Enabled:svchosts.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\Pplgu.exe = "C:\\WINDOWS\\system32\\Pplgu.exe:*:Enabled:Pplgu.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\msapps\msinfo\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe:*:Enabled:Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlook\outlooks.exe = "C:\\WINDOWS\\Outlook\\outlooks.exe:*:Enabled:outlooks.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe:*:Enabled:windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\calcs.exe = "C:\\WINDOWS\\system32\\calcs.exe:*:Enabled:calcs.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	windowsalert.exe

Executes dropped EXE 23 IoCs

pid	Process
2024	windowsalert.exe
2588	windowsalert.exe
2660	windowsalert.exe
2696	windowsalert.exe
2812	windowsalert.exe
2444	windowsalert.exe
2568	windowsalert.exe
2944	windowsalert.exe
2972	windowsalert.exe
2268	windowsalert.exe
1476	windowsalert.exe
2016	windowsalert.exe
1220	windowsalert.exe
1728	windowsalert.exe
1380	windowsalert.exe
2080	windowsalert.exe
2644	windowsalert.exe
1620	windowsalert.exe
612	windowsalert.exe
584	windowsalert.exe
1824	windowsalert.exe
2148	windowsalert.exe
2276	windowsalert.exe

Loads dropped DLL 46 IoCs

pid	Process
3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
2024	windowsalert.exe
2024	windowsalert.exe
2588	windowsalert.exe
2588	windowsalert.exe
2660	windowsalert.exe
2660	windowsalert.exe
2696	windowsalert.exe
2696	windowsalert.exe
2812	windowsalert.exe
2812	windowsalert.exe
2444	windowsalert.exe
2444	windowsalert.exe
2568	windowsalert.exe
2568	windowsalert.exe
2944	windowsalert.exe
2944	windowsalert.exe
2972	windowsalert.exe
2972	windowsalert.exe
2268	windowsalert.exe
2268	windowsalert.exe
1476	windowsalert.exe
1476	windowsalert.exe
2016	windowsalert.exe
2016	windowsalert.exe
1220	windowsalert.exe
1220	windowsalert.exe
1728	windowsalert.exe
1728	windowsalert.exe
1380	windowsalert.exe
1380	windowsalert.exe
2080	windowsalert.exe
2080	windowsalert.exe
2644	windowsalert.exe
2644	windowsalert.exe
1620	windowsalert.exe
1620	windowsalert.exe
612	windowsalert.exe
612	windowsalert.exe
584	windowsalert.exe
584	windowsalert.exe
1824	windowsalert.exe
1824	windowsalert.exe
2148	windowsalert.exe
2148	windowsalert.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/files/0x0009000000014b27-3.dat	upx
behavioral1/memory/3020-4-0x0000000002F90000-0x000000000300E000-memory.dmp	upx
behavioral1/memory/3020-13-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2588-17-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2024-19-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2660-23-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2588-24-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2660-29-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2812-33-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2696-35-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2812-39-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2444-43-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2568-47-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2944-51-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2972-55-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1476-59-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2268-60-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1476-65-0x0000000002F80000-0x0000000002FFE000-memory.dmp	upx
behavioral1/memory/1476-66-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1220-70-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2016-71-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1220-75-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1380-79-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1728-80-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1380-84-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2080-88-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2644-92-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/612-96-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1620-97-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/584-101-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/612-102-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/584-106-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2148-107-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/1824-108-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2276-109-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/memory/2148-110-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Iexplorer.exe = "C:\\WINDOWS\\msapps\\msinfo\\Iexplorer.exe"	windowsalert.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windowsalert.exe = "C:\\WINDOWS\\system32\\windowsalert.exe"	windowsalert.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe
File opened for modification	C:\WINDOWS\SysWOW64\windowsalert.exe	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\windowsalert.exe	windowsalert.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2024	3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2024	3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2024	3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2024	3020	0474165119c989c50e9508659a9f8363_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2588	2024	windowsalert.exe	29
PID 2024 wrote to memory of 2588	2024	windowsalert.exe	29
PID 2024 wrote to memory of 2588	2024	windowsalert.exe	29
PID 2024 wrote to memory of 2588	2024	windowsalert.exe	29
PID 2588 wrote to memory of 2660	2588	windowsalert.exe	30
PID 2588 wrote to memory of 2660	2588	windowsalert.exe	30
PID 2588 wrote to memory of 2660	2588	windowsalert.exe	30
PID 2588 wrote to memory of 2660	2588	windowsalert.exe	30
PID 2660 wrote to memory of 2696	2660	windowsalert.exe	31
PID 2660 wrote to memory of 2696	2660	windowsalert.exe	31
PID 2660 wrote to memory of 2696	2660	windowsalert.exe	31
PID 2660 wrote to memory of 2696	2660	windowsalert.exe	31
PID 2696 wrote to memory of 2812	2696	windowsalert.exe	32
PID 2696 wrote to memory of 2812	2696	windowsalert.exe	32
PID 2696 wrote to memory of 2812	2696	windowsalert.exe	32
PID 2696 wrote to memory of 2812	2696	windowsalert.exe	32
PID 2812 wrote to memory of 2444	2812	windowsalert.exe	33
PID 2812 wrote to memory of 2444	2812	windowsalert.exe	33
PID 2812 wrote to memory of 2444	2812	windowsalert.exe	33
PID 2812 wrote to memory of 2444	2812	windowsalert.exe	33
PID 2444 wrote to memory of 2568	2444	windowsalert.exe	34
PID 2444 wrote to memory of 2568	2444	windowsalert.exe	34
PID 2444 wrote to memory of 2568	2444	windowsalert.exe	34
PID 2444 wrote to memory of 2568	2444	windowsalert.exe	34
PID 2568 wrote to memory of 2944	2568	windowsalert.exe	37
PID 2568 wrote to memory of 2944	2568	windowsalert.exe	37
PID 2568 wrote to memory of 2944	2568	windowsalert.exe	37
PID 2568 wrote to memory of 2944	2568	windowsalert.exe	37
PID 2944 wrote to memory of 2972	2944	windowsalert.exe	38
PID 2944 wrote to memory of 2972	2944	windowsalert.exe	38
PID 2944 wrote to memory of 2972	2944	windowsalert.exe	38
PID 2944 wrote to memory of 2972	2944	windowsalert.exe	38
PID 2972 wrote to memory of 2268	2972	windowsalert.exe	39
PID 2972 wrote to memory of 2268	2972	windowsalert.exe	39
PID 2972 wrote to memory of 2268	2972	windowsalert.exe	39
PID 2972 wrote to memory of 2268	2972	windowsalert.exe	39
PID 2268 wrote to memory of 1476	2268	windowsalert.exe	40
PID 2268 wrote to memory of 1476	2268	windowsalert.exe	40
PID 2268 wrote to memory of 1476	2268	windowsalert.exe	40
PID 2268 wrote to memory of 1476	2268	windowsalert.exe	40
PID 1476 wrote to memory of 2016	1476	windowsalert.exe	41
PID 1476 wrote to memory of 2016	1476	windowsalert.exe	41
PID 1476 wrote to memory of 2016	1476	windowsalert.exe	41
PID 1476 wrote to memory of 2016	1476	windowsalert.exe	41
PID 2016 wrote to memory of 1220	2016	windowsalert.exe	42
PID 2016 wrote to memory of 1220	2016	windowsalert.exe	42
PID 2016 wrote to memory of 1220	2016	windowsalert.exe	42
PID 2016 wrote to memory of 1220	2016	windowsalert.exe	42
PID 1220 wrote to memory of 1728	1220	windowsalert.exe	43
PID 1220 wrote to memory of 1728	1220	windowsalert.exe	43
PID 1220 wrote to memory of 1728	1220	windowsalert.exe	43
PID 1220 wrote to memory of 1728	1220	windowsalert.exe	43
PID 1728 wrote to memory of 1380	1728	windowsalert.exe	44
PID 1728 wrote to memory of 1380	1728	windowsalert.exe	44
PID 1728 wrote to memory of 1380	1728	windowsalert.exe	44
PID 1728 wrote to memory of 1380	1728	windowsalert.exe	44
PID 1380 wrote to memory of 2080	1380	windowsalert.exe	45
PID 1380 wrote to memory of 2080	1380	windowsalert.exe	45
PID 1380 wrote to memory of 2080	1380	windowsalert.exe	45
PID 1380 wrote to memory of 2080	1380	windowsalert.exe	45

C:\Users\Admin\AppData\Local\Temp\0474165119c989c50e9508659a9f8363_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0474165119c989c50e9508659a9f8363_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020
- C:\WINDOWS\SysWOW64\windowsalert.exe
  C:\WINDOWS\system32\windowsalert.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\WINDOWS\SysWOW64\windowsalert.exe
    C:\WINDOWS\system32\windowsalert.exe
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\WINDOWS\SysWOW64\windowsalert.exe
      C:\WINDOWS\system32\windowsalert.exe
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        5⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        6⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        8⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        9⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        10⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        11⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        13⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        15⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        17⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2080
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        18⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2644
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        19⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1620
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        20⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:612
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        21⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:584
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        22⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1824
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        23⤵
        Modifies firewall policy service
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2148
        
        C:\WINDOWS\SysWOW64\windowsalert.exe
        
        C:\WINDOWS\system32\windowsalert.exe
        24⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\windowsalert.exe

Filesize
184KB

MD5
0474165119c989c50e9508659a9f8363

SHA1
b43a1847cb7d780115573cc78555ccc17a23c780

SHA256
8cd1b8dbc81743bdb16ccf836273f582bcc93f8183494b3cabefe18fd340e0da

SHA512
7045c51b47935824714dbd31faffad8635a8bc35d49b6c0adef5a49f56ffbf82177c0204ae3a8b3c7328f2a15defcb3e1569efe0773004854df4cf704ae75c45

Download Submit
memory/584-106-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/584-101-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/612-102-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/612-96-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1220-70-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1220-75-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1380-84-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1380-79-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-59-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-64-0x0000000002F80000-0x0000000002FFE000-memory.dmp

Filesize
504KB

Download
memory/1476-66-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-65-0x0000000002F80000-0x0000000002FFE000-memory.dmp

Filesize
504KB

Download
memory/1620-97-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1728-80-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1824-108-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2016-71-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2024-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2080-88-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2148-110-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2148-107-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2268-60-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2276-109-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2444-43-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2568-47-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2588-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2588-18-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2588-17-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2644-92-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2660-23-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2660-29-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-35-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2696-28-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2812-39-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2812-33-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2944-51-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2972-55-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3020-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3020-4-0x0000000002F90000-0x000000000300E000-memory.dmp

Filesize
504KB

Download
memory/3020-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3020-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads