71d7c7dbd1e3c3053da20948ec26d9f4f523d598a75b5552a026d7a5f2dbce70

Analysis

max time kernel
135s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
Size

799KB
MD5

0e83d13c4760d6780bdf61df96615446
SHA1

08b09de9147697adaaa66df1ca5a828c48e69f0f
SHA256

71d7c7dbd1e3c3053da20948ec26d9f4f523d598a75b5552a026d7a5f2dbce70
SHA512

6d2daeae984eb2e4586c98600f69d177b24de032a18bde7b825d986c4eafc5a8985bc6989a3ec4ded3229a91bcb0d556cb94b8f3152ecbf73800a48e9462d3c8
SSDEEP

24576:UQvPrOqokz3NBA7T/jjTYwqRrzPMpVraLVwdFUZZog:bvTO6BA7TMBRPIVraLVw4Zj

Score

7^/10

evasion persistence trojan upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4108-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/4488-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4940-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Windows\\system32\\svchost.exe"	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 set thread context of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 set thread context of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 set thread context of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E66DCC2-3304-11EF-B1BC-5A352D2CFE47} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1392826728"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426092961"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E6B9FD4-3304-11EF-B1BC-5A352D2CFE47} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1392826728"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1390483158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1392826728"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1390483158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1390483158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115025"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E69647C-3304-11EF-B1BC-5A352D2CFE47} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7E693D6C-3304-11EF-B1BC-5A352D2CFE47} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115025"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4108	IEXPLORE.EXE
3220	IEXPLORE.EXE
4488	IEXPLORE.EXE
4940	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3220	IEXPLORE.EXE
3220	IEXPLORE.EXE
4488	IEXPLORE.EXE
4488	IEXPLORE.EXE
4108	IEXPLORE.EXE
4108	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE
508	IEXPLORE.EXE
508	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4940	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	82
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4108	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	83
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 4488	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	84
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 1688 wrote to memory of 3220	1688	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	85
PID 3220 wrote to memory of 2708	3220	IEXPLORE.EXE	88
PID 3220 wrote to memory of 2708	3220	IEXPLORE.EXE	88
PID 3220 wrote to memory of 2708	3220	IEXPLORE.EXE	88
PID 4488 wrote to memory of 748	4488	IEXPLORE.EXE	86
PID 4488 wrote to memory of 748	4488	IEXPLORE.EXE	86
PID 4488 wrote to memory of 748	4488	IEXPLORE.EXE	86
PID 4108 wrote to memory of 700	4108	IEXPLORE.EXE	87
PID 4108 wrote to memory of 700	4108	IEXPLORE.EXE	87
PID 4108 wrote to memory of 700	4108	IEXPLORE.EXE	87
PID 4940 wrote to memory of 508	4940	IEXPLORE.EXE	89
PID 4940 wrote to memory of 508	4940	IEXPLORE.EXE	89
PID 4940 wrote to memory of 508	4940	IEXPLORE.EXE	89

C:\Users\Admin\AppData\Local\Temp\0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:508
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4108 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:700
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4488 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:748
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3220 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b9b9f42ce6d2b20bf169d05480d239d4

SHA1
32b094cc2ff79f07fcd68d585846b919bc350e4d

SHA256
4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4

SHA512
36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2234c47f2a65f8f5013e5b0c28692066

SHA1
2a10b9623ac8e867af4dc2d5f11f44fda06eb6f5

SHA256
5a5f0218e789e2516d9a71c2de3883995395bf9471d8e4fcdcc954d68ff4b57e

SHA512
f5c6eb7afc1e4a0f03afdfd5f439ec21210d1672213dab9a902b2350190b1718f19faa135b6cd122e8f030d04665b4fe30296440d31c094948cebc41db792185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
aa06d6c3eb1024b401ee4c73d39d8ffd

SHA1
e8a34351fafef3a471aa42e46419d61c3f0875db

SHA256
59cd7c58e8dfa6c8a2477845f5009e613f56335b8be0c042d64abfad58a1c503

SHA512
594946697d75ca8f0c3c0ee944d4e3a465c6920e61e16cc87637c69d2b30f77131c5cd87997db650beb96f5335beab47b134fefbc0e2daa02aae5f6bab425b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E66DCC2-3304-11EF-B1BC-5A352D2CFE47}.dat

Filesize
3KB

MD5
e3c72c48f7d0d3a806d4ddcc9459b191

SHA1
9c6cbe4d337b33d67aba27e55e829561dabe001f

SHA256
42e9ff65a1a0962bb05c7082382e7fd44cc23a2f87f094572bf64563c3022fdd

SHA512
c3332469689b5c3aef876e495b23b1d732f71a87c3c1d4ef834177c5416087ea41c98926a9c8d1095e92f9dfbd304d51be2070632fdcd1b44409907989fb61e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E693D6C-3304-11EF-B1BC-5A352D2CFE47}.dat

Filesize
5KB

MD5
278a2f9b250701e6541dc1a53c5f23bc

SHA1
e02dd22896dabe57d1c9e803941e927218002af8

SHA256
89a54fa7f418982db42f8cb4ddd2c651e95ae566bf23b84a3d613d8e91048ee0

SHA512
ac8b3dc7ccbdc64e3ea757d285414644de80720df37bbea4d9841ccec121703b76c5999e86be8b5a7ef068b6f0546fb0d7dc15db7ae6c730b983aaeddc7e808f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E69647C-3304-11EF-B1BC-5A352D2CFE47}.dat

Filesize
3KB

MD5
3d70374cf0ddd0c6fa9317ab24495223

SHA1
0e021a28b7195428692c7ffdd135fcd6a508309d

SHA256
fd4a461e18a38d6578853263b753f3dd9f98d1e3723bbea0dc0a56824140cd6a

SHA512
2076f772485b8fad51f82ca49414317ff01f10dbafd7e1a88311fd4074950c52a9fecfdb446b144a4288ed9d55a50c5438c8a8851efbf76cd14b7288f9c095c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E69647C-3304-11EF-B1BC-5A352D2CFE47}.dat

Filesize
5KB

MD5
ffdb057aef59797ba45c76930e3df8f4

SHA1
14dade45611587efd2843953847e793fe7d9ac26

SHA256
6ff8882554a691a483bf3e3bad5fd87a5e9082ae6be18bdb4ccde9a05dba7b4b

SHA512
58765e23c7c021d4147bb0516d566186b4b2ef51e4d51d165da0fd337870dc8cff81b6ae6d0319d69277f14335cdfea611e54efe5bbd7da5d932e65033cb7fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verAEBE.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/3220-3-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4108-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4940-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads