Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08/07/2024, 05:37
Static task
static1
Behavioral task
behavioral1
Sample
2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe
-
Size
54KB
-
MD5
2b2a2d9a5bd0d9c5e35ddbb6a75083d3
-
SHA1
d2dcc6e1f26de4d8013bd5cccd1b7c2cfbb7ae77
-
SHA256
49dc20ca33f09e4725a349d9ef854616c244139182a79f4a374cac135b546cb2
-
SHA512
745004bcfdaf546fc2f7fc6ab2804d5c460c543bfa2211182790200489b1db81c8d9eac8f8295649ea9e89e74d4887a2676695d00364e7dd584e510a7cd6448e
-
SSDEEP
1536:uroWtPdPosz4fSb8OkGy5BCvXaI3HS8hP3iUc:WdFQsUfBUQIvXPH/Prc
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2864 attrib.exe 4316 attrib.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation inlD9C3.tmp -
Executes dropped EXE 1 IoCs
pid Process 2612 inlD9C3.tmp -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117608" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3948704064" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117608" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3955267184" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main reg.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3948704064" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117608" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1705F97D-3D1C-11EF-A01A-52A74EE36D85} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2612 inlD9C3.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 748 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 748 iexplore.exe 748 iexplore.exe 740 IEXPLORE.EXE 740 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 2676 wrote to memory of 3580 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 89 PID 2676 wrote to memory of 3580 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 89 PID 2676 wrote to memory of 3580 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 89 PID 3580 wrote to memory of 1888 3580 cmd.exe 91 PID 3580 wrote to memory of 1888 3580 cmd.exe 91 PID 3580 wrote to memory of 1888 3580 cmd.exe 91 PID 1888 wrote to memory of 748 1888 cmd.exe 93 PID 1888 wrote to memory of 748 1888 cmd.exe 93 PID 1888 wrote to memory of 2376 1888 cmd.exe 94 PID 1888 wrote to memory of 2376 1888 cmd.exe 94 PID 1888 wrote to memory of 2376 1888 cmd.exe 94 PID 1888 wrote to memory of 2732 1888 cmd.exe 95 PID 1888 wrote to memory of 2732 1888 cmd.exe 95 PID 1888 wrote to memory of 2732 1888 cmd.exe 95 PID 748 wrote to memory of 740 748 iexplore.exe 97 PID 748 wrote to memory of 740 748 iexplore.exe 97 PID 748 wrote to memory of 740 748 iexplore.exe 97 PID 2732 wrote to memory of 2096 2732 cmd.exe 98 PID 2732 wrote to memory of 2096 2732 cmd.exe 98 PID 2732 wrote to memory of 2096 2732 cmd.exe 98 PID 2732 wrote to memory of 3264 2732 cmd.exe 99 PID 2732 wrote to memory of 3264 2732 cmd.exe 99 PID 2732 wrote to memory of 3264 2732 cmd.exe 99 PID 2732 wrote to memory of 5000 2732 cmd.exe 100 PID 2732 wrote to memory of 5000 2732 cmd.exe 100 PID 2732 wrote to memory of 5000 2732 cmd.exe 100 PID 2732 wrote to memory of 4520 2732 cmd.exe 102 PID 2732 wrote to memory of 4520 2732 cmd.exe 102 PID 2732 wrote to memory of 4520 2732 cmd.exe 102 PID 2676 wrote to memory of 2612 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 101 PID 2676 wrote to memory of 2612 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 101 PID 2676 wrote to memory of 2612 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 101 PID 2732 wrote to memory of 4080 2732 cmd.exe 103 PID 2732 wrote to memory of 4080 2732 cmd.exe 103 PID 2732 wrote to memory of 4080 2732 cmd.exe 103 PID 2732 wrote to memory of 2864 2732 cmd.exe 104 PID 2732 wrote to memory of 2864 2732 cmd.exe 104 PID 2732 wrote to memory of 2864 2732 cmd.exe 104 PID 2676 wrote to memory of 372 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 105 PID 2676 wrote to memory of 372 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 105 PID 2676 wrote to memory of 372 2676 2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe 105 PID 2732 wrote to memory of 4316 2732 cmd.exe 106 PID 2732 wrote to memory of 4316 2732 cmd.exe 106 PID 2732 wrote to memory of 4316 2732 cmd.exe 106 PID 2732 wrote to memory of 4900 2732 cmd.exe 108 PID 2732 wrote to memory of 4900 2732 cmd.exe 108 PID 2732 wrote to memory of 4900 2732 cmd.exe 108 PID 2732 wrote to memory of 2572 2732 cmd.exe 109 PID 2732 wrote to memory of 2572 2732 cmd.exe 109 PID 2732 wrote to memory of 2572 2732 cmd.exe 109 PID 4900 wrote to memory of 3104 4900 rundll32.exe 110 PID 4900 wrote to memory of 3104 4900 rundll32.exe 110 PID 4900 wrote to memory of 3104 4900 rundll32.exe 110 PID 3104 wrote to memory of 1268 3104 runonce.exe 111 PID 3104 wrote to memory of 1268 3104 runonce.exe 111 PID 3104 wrote to memory of 1268 3104 runonce.exe 111 PID 2612 wrote to memory of 2492 2612 inlD9C3.tmp 113 PID 2612 wrote to memory of 2492 2612 inlD9C3.tmp 113 PID 2612 wrote to memory of 2492 2612 inlD9C3.tmp 113 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2864 attrib.exe 4316 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b2a2d9a5bd0d9c5e35ddbb6a75083d3_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x5_20_ml.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:740
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵PID:2376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:2096
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3264
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵PID:5000
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
PID:4520
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
PID:4080
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2864
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4316
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵PID:1268
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵PID:2572
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlD9C3.tmpC:\Users\Admin\AppData\Local\Temp\inlD9C3.tmp2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD9C3.tmp > nul3⤵PID:2492
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2B2A2D~1.EXE > nul2⤵PID:372
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
794B
MD51bc415b31cdff50d79ea2a3d7b4ff2c1
SHA1f5ebab61deebc3d7a4a6676a23b982f1418ae6a6
SHA256582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412
SHA512ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84
-
Filesize
645B
MD54cafe2ab2ae87e0e3a16f6bd99e92437
SHA145757e5b258e3190ea4d4b092375bded4d5ea4fd
SHA25690896bc5f40509bc3ed86e17cae17da22b4f4ab0e424dc4557b24eccc53429ce
SHA512123a945a361a07a356361e796159406bff31dbfbe68afaa1f22e144dc2b4025d23112844db70e651b9ee41f674d8efb4cd10b23ee4992d9538de7ada6534f2ac
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
3KB
MD5b21e4f653320b34a01a860b1cf00c861
SHA13de8c41f014512ec793c3452b3c96f832644b0f0
SHA25629a23c064b35e49d619825b67bf8b01ad6ba4c65e50e167bd69416cdca92d4bf
SHA5126f791ca6c1929779e8c72b4c5c3ec79c8bd134845679e17915a4758a03b847efe5454fefe3af8be1eb17277ba73612d1534d09734c171f82b7ac351893cd8d9c
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD56b78cb8ced798ca5df5612dd62ce0965
SHA15a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA25681f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
5.8MB
MD5a472857530ce75b85097e0bd022d853a
SHA16df538fc0d1bc97f9711128a8f5ebddb1a936a47
SHA256f35c3a663ee7dc18eff0cb77213add91febd87fa40b408efa70764160ab77a47
SHA512d438ce771aee16b9a836d6643066cbe224cbd99e21ccb4e2649aa6bb1665b8627b4069aa11496b0c988be45538a68b3ec9afd652bb2354dd1a108e1d560169bf