00bb16549aa91cd7afb78e053f7a55a4e7807297c13ebdb9f02e6abfa809f2cf

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
Size

68KB
MD5

189feaa3c9590a71cf9eff00274787e4
SHA1

f902318c15115b28a6cb5a241985790829a6c108
SHA256

00bb16549aa91cd7afb78e053f7a55a4e7807297c13ebdb9f02e6abfa809f2cf
SHA512

17a283414a15d9372f7ed420072c795d90bf1bca9cfbbcfd53b6bb3c807fd11301a9d3089a0cba0bfc37960b45fb8a93befb99f54e003b25aaab2abfdfcc9939
SSDEEP

1536:mCEGV2Nza32KGFR7Hldqs71dH8q7cD8YBtp9muKgl5K+3:Kza7sqp9mullh

Score

8^/10

evasion execution persistence trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2348	E3X6FPZXGUBV.exe
2624	E3X6FPZXGUBV.exe

Loads dropped DLL 4 IoCs

pid	Process
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\E3X6FPZXGUBV.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Program Files\7ZRGP.bat	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Program Files\C4FSQIOJ\3BB2MXKP.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\C4FSQIOJ\3BB2MXKP.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DLECOQ.bat	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Windows\0B4I1MMGK.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2868	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2480	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
2348	E3X6FPZXGUBV.exe
2348	E3X6FPZXGUBV.exe
2348	E3X6FPZXGUBV.exe
2624	E3X6FPZXGUBV.exe
1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2348	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	28
PID 1768 wrote to memory of 2348	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	28
PID 1768 wrote to memory of 2348	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	28
PID 1768 wrote to memory of 2348	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	28
PID 1768 wrote to memory of 2624	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	29
PID 1768 wrote to memory of 2624	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	29
PID 1768 wrote to memory of 2624	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	29
PID 1768 wrote to memory of 2624	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	29
PID 1768 wrote to memory of 2604	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2604	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2604	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	30
PID 1768 wrote to memory of 2604	1768	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2868	2604	cmd.exe	32
PID 2604 wrote to memory of 2868	2604	cmd.exe	32
PID 2604 wrote to memory of 2868	2604	cmd.exe	32
PID 2604 wrote to memory of 2868	2604	cmd.exe	32
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2768	2604	cmd.exe	33
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2076	2604	cmd.exe	34
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2688	2604	cmd.exe	35
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2664	2604	cmd.exe	36
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2504	2604	cmd.exe	37
PID 2604 wrote to memory of 2372	2604	cmd.exe	38
PID 2604 wrote to memory of 2372	2604	cmd.exe	38
PID 2604 wrote to memory of 2372	2604	cmd.exe	38
PID 2604 wrote to memory of 2372	2604	cmd.exe	38
PID 2604 wrote to memory of 2644	2604	cmd.exe	39
PID 2604 wrote to memory of 2644	2604	cmd.exe	39
PID 2604 wrote to memory of 2644	2604	cmd.exe	39
PID 2604 wrote to memory of 2644	2604	cmd.exe	39
PID 2604 wrote to memory of 2640	2604	cmd.exe	40
PID 2604 wrote to memory of 2640	2604	cmd.exe	40
PID 2604 wrote to memory of 2640	2604	cmd.exe	40
PID 2604 wrote to memory of 2640	2604	cmd.exe	40
PID 2604 wrote to memory of 2588	2604	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files\E3X6FPZXGUBV.exe
  "C:\Program Files\E3X6FPZXGUBV.exe" C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Program Files\E3X6FPZXGUBV.exe
  "C:\Program Files\E3X6FPZXGUBV.exe" rb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\7ZRGP.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create BURH2BinPath= "C:\Program Files\C4FSQIOJ\3BB2MXKP.exe -start" type= own type= interact start= auto DisplayName= 5G6YN9Z
    3⤵
    - Launches sc.exe
    PID:2868
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2688
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7ZRGP.bat

Filesize
1KB

MD5
52b66dc8a0f8da6a623c2c25e1cae70d

SHA1
0b50b79495bb242d1e8c98565bcd1d7157f33387

SHA256
8086ec58d6b4a763e8516c006138dc8aeccb3d82e669b78e025562e127dfca31

SHA512
ae4e4aad265e6746c730423adf678dbb955308d427c37f02d79e88169c97a9e7386828a9491a1eec45296ea92c00b3c3b5ebd495f0a2e3cdd8fd87ef2f5b6079

Download Submit
C:\Program Files\E3X6FPZXGUBV.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads