Resubmissions
06-07-2024 06:07 | 240706-gvgcnazhrf | 10
Analysis
max time kernel: 143s
max time network: 128s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2024 06:07
Static task: static1
Behavioral task: behavioral1
Sample: 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
Size: 4.2MB
MD5: 277f441499c1fb9ddf4d462c3b443b9e
SHA1: 5cf5da3598e4cf139f6e6ffb9a4d32e49ac9321a
SHA256: 05263375ffe64e8586c78e8e435007bff1f2a42684d48378eee68c07ba54a80e
SHA512: 0ce74ab987eaf7371f79c22afcc16e319781ee7a7fcdcd995fff402788fbaa0e132df529db6e804549556f332ad8d8828e48b7ca8b27a7da22feadc21c09f871
SSDEEP: 98304:pKHcMsDndy6iiHrjZE2/mkCUGP18szyTJr:w8dDlNLjpmkC/18ouJr
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies security service (2 TTPs, 20 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
Executes dropped EXE (13 IoCs)
pid | Process
2632 | install.exe
2360 | Jerm's.exe
2676 | irsetup.exe
1752 | windows_update.exe
1860 | windows_update.exe
2420 | windows_update.exe
2160 | windows_update.exe
1788 | windows_update.exe
2876 | windows_update.exe
1928 | windows_update.exe
1936 | windows_update.exe
836 | windows_update.exe
1088 | windows_update.exe
Identifies Wine through registry keys (2 TTPs, 11 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | Jerm's.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Key opened | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Wine | windows_update.exe
Loads dropped DLL (52 IoCs)
pid | Process
2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
2632 | install.exe
2632 | install.exe
2632 | install.exe
2632 | install.exe
2676 | irsetup.exe
2676 | irsetup.exe
2676 | irsetup.exe
2676 | irsetup.exe
2676 | irsetup.exe
2360 | Jerm's.exe
1752 | windows_update.exe
1752 | windows_update.exe
1752 | windows_update.exe
1752 | windows_update.exe
1860 | windows_update.exe
1860 | windows_update.exe
1860 | windows_update.exe
1860 | windows_update.exe
2420 | windows_update.exe
2420 | windows_update.exe
2420 | windows_update.exe
2420 | windows_update.exe
2160 | windows_update.exe
2160 | windows_update.exe
2160 | windows_update.exe
2160 | windows_update.exe
1788 | windows_update.exe
1788 | windows_update.exe
1788 | windows_update.exe
1788 | windows_update.exe
2876 | windows_update.exe
2876 | windows_update.exe
2876 | windows_update.exe
2876 | windows_update.exe
1928 | windows_update.exe
1928 | windows_update.exe
1928 | windows_update.exe
1928 | windows_update.exe
1936 | windows_update.exe
1936 | windows_update.exe
1936 | windows_update.exe
1936 | windows_update.exe
836 | windows_update.exe
836 | windows_update.exe
836 | windows_update.exe
836 | windows_update.exe
1088 | windows_update.exe
1088 | windows_update.exe
1088 | windows_update.exe
resource | yara_rule
behavioral1/files/0x00070000000186e9-13.dat | themida
behavioral1/memory/2360-19-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2360-49-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2360-45-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2360-164-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1752-176-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2360-161-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1752-183-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1860-191-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1752-196-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1860-313-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2420-323-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1860-324-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2420-441-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2160-448-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2420-453-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2160-571-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2160-573-0x00000000051A0000-0x000000000555D000-memory.dmp | themida
behavioral1/memory/1788-578-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2160-579-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1788-696-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1788-703-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2876-821-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/2876-938-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1928-940-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1928-1055-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1936-1057-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/1936-1171-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/836-1173-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
behavioral1/memory/836-1288-0x0000000000400000-0x00000000007BD000-memory.dmp | themida
resource | yara_rule
behavioral1/files/0x0006000000018736-26.dat | upx
behavioral1/memory/2676-31-0x0000000000400000-0x0000000000527000-memory.dmp | upx
behavioral1/memory/2676-182-0x0000000000400000-0x0000000000527000-memory.dmp | upx
behavioral1/memory/1860-320-0x0000000005250000-0x000000000560D000-memory.dmp | upx
Drops file in System32 directory (22 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | Jerm's.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | Jerm's.exe
File opened for modification | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
File created | C:\Windows\SysWOW64\windows_update.exe | windows_update.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Easy Rapidshare Points Setup Log.txt | irsetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit (10 IoCs)
pid | Process
2652 | regedit.exe
2740 | regedit.exe
1468 | regedit.exe
924 | regedit.exe
1056 | regedit.exe
2316 | regedit.exe
1776 | regedit.exe
1872 | regedit.exe
1504 | regedit.exe
2176 | regedit.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process
2360 | Jerm's.exe
1752 | windows_update.exe
1860 | windows_update.exe
2420 | windows_update.exe
2160 | windows_update.exe
1788 | windows_update.exe
2876 | windows_update.exe
1928 | windows_update.exe
1936 | windows_update.exe
836 | windows_update.exe
1088 | windows_update.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2676 | irsetup.exe
2676 | irsetup.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2632 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 30
PID 2624 wrote to memory of 2360 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 31
PID 2624 wrote to memory of 2360 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 31
PID 2624 wrote to memory of 2360 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 31
PID 2624 wrote to memory of 2360 | 2624 | 277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe | 31
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2632 wrote to memory of 2676 | 2632 | install.exe | 32
PID 2360 wrote to memory of 2572 | 2360 | Jerm's.exe | 33
PID 2360 wrote to memory of 2572 | 2360 | Jerm's.exe | 33
PID 2360 wrote to memory of 2572 | 2360 | Jerm's.exe | 33
PID 2360 wrote to memory of 2572 | 2360 | Jerm's.exe | 33
PID 2572 wrote to memory of 2740 | 2572 | cmd.exe | 34
PID 2572 wrote to memory of 2740 | 2572 | cmd.exe | 34
PID 2572 wrote to memory of 2740 | 2572 | cmd.exe | 34
PID 2572 wrote to memory of 2740 | 2572 | cmd.exe | 34
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 2360 wrote to memory of 1752 | 2360 | Jerm's.exe | 35
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1752 wrote to memory of 1860 | 1752 | windows_update.exe | 36
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 1860 wrote to memory of 2480 | 1860 | windows_update.exe | 37
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 2480 wrote to memory of 1776 | 2480 | cmd.exe | 38
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 1860 wrote to memory of 2420 | 1860 | windows_update.exe | 39
PID 2420 wrote to memory of 304 | 2420 | windows_update.exe | 40
PID 2420 wrote to memory of 304 | 2420 | windows_update.exe | 40
PID 2420 wrote to memory of 304 | 2420 | windows_update.exe | 40
Processes
- C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\277f441499c1fb9ddf4d462c3b443b9e_JaffaCakes118.exe"
  PID: 2624
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\install.exe"
    PID: 2632
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      Command line: __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\install.exe"
      PID: 2676
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Jerm's.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"
    PID: 2360
    Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c c:\a.bat
      PID: 2572
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regedit.exe
        Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        PID: 2740
        Signatures: Modifies security service; Runs .reg file with regedit
    - C:\Windows\SysWOW64\windows_update.exe
      Command line: C:\Windows\system32\windows_update.exe 648 "C:\Users\Admin\AppData\Local\Temp\Jerm's.exe"
      PID: 1752
      Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\windows_update.exe
        Command line: C:\Windows\system32\windows_update.exe 776 "C:\Windows\SysWOW64\windows_update.exe"
        PID: 1860
        Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c c:\a.bat
          PID: 2480
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regedit.exe
            Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            PID: 1776
            Signatures: Modifies security service; Runs .reg file with regedit
        - C:\Windows\SysWOW64\windows_update.exe
          Command line: C:\Windows\system32\windows_update.exe 788 "C:\Windows\SysWOW64\windows_update.exe"
          PID: 2420
          Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c c:\a.bat
            PID: 304
            - C:\Windows\SysWOW64\regedit.exe
              Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              PID: 1872
              Signatures: Modifies security service; Runs .reg file with regedit
          - C:\Windows\SysWOW64\windows_update.exe
            Command line: C:\Windows\system32\windows_update.exe 792 "C:\Windows\SysWOW64\windows_update.exe"
            PID: 2160
            Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
            - C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c c:\a.bat
              PID: 1004
              - C:\Windows\SysWOW64\regedit.exe
                Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                PID: 1468
                Signatures: Modifies security service; Runs .reg file with regedit
            - C:\Windows\SysWOW64\windows_update.exe
              Command line: C:\Windows\system32\windows_update.exe 796 "C:\Windows\SysWOW64\windows_update.exe"
              PID: 1788
              Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
              - C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c c:\a.bat
                PID: 2980
                - C:\Windows\SysWOW64\regedit.exe
                  Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  PID: 924
                  Signatures: Modifies security service; Runs .reg file with regedit
              - C:\Windows\SysWOW64\windows_update.exe
                Command line: C:\Windows\system32\windows_update.exe 800 "C:\Windows\SysWOW64\windows_update.exe"
                PID: 2876
                Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
                - C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c c:\a.bat
                  PID: 2060
                  - C:\Windows\SysWOW64\regedit.exe
                    Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    PID: 1504
                    Signatures: Modifies security service; Runs .reg file with regedit
                - C:\Windows\SysWOW64\windows_update.exe
                  Command line: C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"
                  PID: 1928
                  Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
                  - C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd /c c:\a.bat
                    PID: 3024
                    - C:\Windows\SysWOW64\regedit.exe
                      Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      PID: 2176
                      Signatures: Modifies security service; Runs .reg file with regedit
                  - C:\Windows\SysWOW64\windows_update.exe
                    Command line: C:\Windows\system32\windows_update.exe 808 "C:\Windows\SysWOW64\windows_update.exe"
                    PID: 1936
                    Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
                    - C:\Windows\SysWOW64\cmd.exe
                      Command line: cmd /c c:\a.bat
                      PID: 2340
                      - C:\Windows\SysWOW64\regedit.exe
                        Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        PID: 1056
                        Signatures: Modifies security service; Runs .reg file with regedit
                    - C:\Windows\SysWOW64\windows_update.exe
                      Command line: C:\Windows\system32\windows_update.exe 812 "C:\Windows\SysWOW64\windows_update.exe"
                      PID: 836
                      Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
                      - C:\Windows\SysWOW64\cmd.exe
                        Command line: cmd /c c:\a.bat
                        PID: 1804
                        - C:\Windows\SysWOW64\regedit.exe
                          Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          PID: 2316
                          Signatures: Modifies security service; Runs .reg file with regedit
                      - C:\Windows\SysWOW64\windows_update.exe
                        Command line: C:\Windows\system32\windows_update.exe 816 "C:\Windows\SysWOW64\windows_update.exe"
                        PID: 1088
                        Signatures: Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
                        - C:\Windows\SysWOW64\cmd.exe
                          Command line: cmd /c c:\a.bat
                          PID: 1648
                          - C:\Windows\SysWOW64\regedit.exe
                            Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            PID: 2652
                            Signatures: Modifies security service; Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 9e5db93bd3302c217b15561d8f1e299d
  SHA1: 95a5579b336d16213909beda75589fd0a2091f30
  SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
  SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
- Filesize: 1.4MB
  MD5: 84579454f55893badae4774a5ba1e3e5
  SHA1: b06fc13d8d1cbd1ac6d8ffe06fbe08383424490c
  SHA256: 28053322a4bf87685897135790d15d4f1dffb26055e70a949f8a66ae3e72dcf1
  SHA512: 82fdadf376459fa6e9fabe322e76ea356ecdad00cf05a037ff703038285715ea0cf8439f30117c3d61fa7f6a04238b4e0c4f7497357b8c450b46d05899c88c16
- Filesize: 5KB
  MD5: 0019a0451cc6b9659762c3e274bc04fb
  SHA1: 5259e256cc0908f2846e532161b989f1295f479b
  SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
  SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
- Filesize: 440KB
  MD5: 75ca7ff96bf5a316c3af2de6a412bd54
  SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
  SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
  SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4
- Filesize: 2.8MB
  MD5: 21668854182822616124c714c5cb9c50
  SHA1: 0316c84cc63015398d7e8bd970099f80e8a1be3b
  SHA256: 2a9662c3c2af7916419a306d86b4b7fe82f87e3f770336c926cf40dfd5f088ef
  SHA512: 7b540a1b18eb9b9561fda051b78976ddcee4885be46deee5eccfbdd460159bca18b99a14164af16110cd736ba16e116d10d25a2871a6aadd31e8ffd69f631c29